Mixer withdrawal → protocol interaction

Evidence summary #

V2+V3 combined: Bybit hack Feb-Mar 2025 — Lazarus Group routed ~$39M through Uniswap pools as a public DEX venue during laundering (Allium confirmed). This is adversarial venue use, NOT protocol exploitation or admin-surface interaction. Outside 30-day assessment window (>12 months elapsed). No current mixer-to-Uniswap precursor pattern identified in 30-day window. Yellow: immutable AMM cannot block mixer-funded swappers; signal permanently applicable as venue but not fireable against admin surface.

Detail #

Signal threshold: wallet withdrew from TC/Railgun within 30 days AND interacts with core contracts >$100K AND >=2 attribution sources. V2 and V3 core contracts are immutable — the 'interaction with core contracts' that would be alarming is governance/admin-surface interaction, not a standard swap. Lazarus's Bybit-laundering swaps were standard DEX swaps through the public AMM. 30-day window: Feb-Mar 2025 is >12 months before assessment date 2026-05-12. Would fire: No. V2-specific: V2 has no governance surface; any mixer-funded wallet interaction with V2 Factory is structurally limited to createPair() — no privileged admin action possible. V3-specific: GovernorBravoDelegator voting uses checkpoint balances, not current balances; flash-loan governance attack is impossible by design even if Lazarus were to try.

Sources #

Methodology #

Detect whether a wallet that recently withdrew from Tornado Cash, Railgun, or similar mixer has interacted with this protocol.

See the full factor methodology and distribution across all protocols →