defirisk.co
rubric v1.7.0

Deployer linked within 3 hops to DPRK/Lazarus

Assessment of Uniswap (v2 + v3) for RD-F-125: scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

[CRITICAL — GREEN] 1-hop from V3 deployer is Coinbase 33 (US-regulated, OFAC-compliant entity). No OFAC SDN hits on deployer or any 1-hop counterparty. No Chainalysis-labeled DPRK/Lazarus address in visible transaction graph. DPRK adversarial laundering through Uniswap V3 pools (Bybit hack 2025) is permissionless third-party DEX usage — does not constitute 3-hop deployer proximity. No rubric-level F-trigger. No escalation required.

Detail

Combined v2+v3 assessment. Per the combined-slug deployer-scoping rule, F125 uses the V3 deployer. The V2 deployer (historical) is out of scope per combined-slug rule.

Cluster-proximity analysis:

(1) 1-hop from deployer = Coinbase 33 (US-regulated CEX, OFAC-compliant, KYC-required). Coinbase 33 is definitively not DPRK-affiliated.
(2) 2-hop = Coinbase 33's counterparties include the general Ethereum user population and institutional users; no DPRK-labeled address has been publicly attributed to Coinbase 33's direct counterparty set per Chainalysis published reports.
(3) 3-hop analysis: not enumerable without paid Chainalysis API access; basis for green is OSINT-negative plus the structural evidence that 1-hop is a US-regulated compliant entity.

The Bybit 2025 hack ($1.5B, DPRK Lazarus Group): IC3 PSA250226 documents North Korea routing stolen Bybit funds through Uniswap V3 pools as DEX laundering infrastructure. This is adversarial third-party permissionless use of a public protocol, exactly analogous to DPRK using Ethereum transfers or other DeFi protocols during laundering. It does NOT constitute a link from the Uniswap Labs developer wallets to DPRK. TRM Labs Bybit analysis (https://www.trmlabs.com/resources/blog/the-bybit-hack-following-north-koreas-largest-exploit) describes the DEX usage explicitly as adversarial use of public infrastructure.

Sources

Methodology

Determine whether the deployer address has an on-chain path of ≤3 hops to a Chainalysis/OFAC DPRK-labeled cluster address.
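The hop-limited check described above, sketched as an added example (not the rubric's own tooling). It assumes the caller supplies each address's counterparties, and it reports how many hops were fully enumerated, so a result limited to the visible graph (as in point (3) of the Detail section) stays distinguishable from a full 3-hop negative. All addresses and graphs are constructed placeholders.

```python
MAX_HOPS = 3  # threshold stated in the methodology

def proximity(deployer, labeled, counterparties, max_hops=MAX_HOPS):
    """Breadth-first search from `deployer`, at most `max_hops` hops.

    counterparties maps address -> set of addresses it transacted with;
    a missing key means that address could not be enumerated.
    Returns (verdict, path, complete_hops).
    """
    if deployer in labeled:
        return "hit", [deployer], 0
    parent = {deployer: None}
    frontier, complete_hops, gap = [deployer], 0, False
    for hop in range(1, max_hops + 1):
        nxt = []
        for addr in frontier:
            peers = counterparties.get(addr)
            if peers is None:          # cannot see past this address
                gap = True
                continue
            for peer in sorted(peers):
                if peer in parent:     # already reached by a shorter path
                    continue
                parent[peer] = addr
                if peer in labeled:    # rebuild deployer -> labeled path
                    path = [peer]
                    while parent[path[-1]] is not None:
                        path.append(parent[path[-1]])
                    return "hit", path[::-1], complete_hops
                nxt.append(peer)
        if not gap:
            complete_hops = hop        # every address at this depth was expanded
        frontier = nxt
    return ("no_hit_visible" if gap else "no_hit"), None, complete_hops

# Constructed sample data (placeholders, not real addresses or labels).
LABELED = {"labeled_x"}
# Only the deployer's own counterparties are known; the exchange wallet's are not.
VISIBLE_ONLY = {"deployer": {"exchange_hot_wallet"}}
# Fully enumerated chain with a labeled address exactly 3 hops out.
CHAIN_3 = {"deployer": {"a"}, "a": {"deployer", "b"}, "b": {"a", "labeled_x"}}
# Labeled address 4 hops out: beyond the threshold.
CHAIN_4 = {"deployer": {"a"}, "a": {"b"}, "b": {"c"}, "c": {"labeled_x"}}

if __name__ == "__main__":
    for name, graph in [("visible", VISIBLE_ONLY), ("3-hop", CHAIN_3), ("4-hop", CHAIN_4)]:
        print(name, proximity("deployer", LABELED, graph))
```

A `no_hit_visible` result is a statement about coverage only: no labeled address was found in the part of the graph that could be enumerated, and `complete_hops` says how deep that part goes.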


rubric_version: v1.7.0
protocol: uniswap
factor: RD-F-125
score: green
collected_at: 2026-05-12 10:36:11