Known-threat-actor cluster has touched protocol
Venus Protocol's assessment for RD-F-158 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Lazarus Group (DPRK-attributed) wallets directly held positions in the Venus Core Pool during the September 2025 phishing attack. The attacker wallet (partial 0xa21...23A7f) was force-liquidated within 12h by an emergency governance vote; $13.5M was recovered. SlowMist attribution: Lazarus-class social engineering (fake Zoom + malware). The signal WOULD have fired at attack initiation. As of 2026-04-28, no active Lazarus wallet interaction with Venus core contracts is detected; positions are fully liquidated. Scored yellow (not red) because the incident is resolved and the positions are liquidated; the historical DPRK touch is documented but the current threat is cleared. The Lazarus wallet is a confirmed entry in any curated threat-actor cluster.
Sources
- Unchained — Venus Recovers $13.5M From Lazarus-Linked Phishing Attack. https://unchainedcrypto.com/venus-recovers-13-5-million-from-lazarus-linked-phishing-attack/ (retrieved 2026-04-28)
- SlowMist — In-Depth Analysis of $13M Venus User Hack (social engineering). https://slowmist.medium.com/slowmist-in-depth-analysis-of-the-13-million-venus-user-hack-13f35287a743 (retrieved 2026-04-28)
- Venus Attacker Launders $5.32M in ETH via Tornado Cash — Phemex. https://phemex.com/news/article/venus-attacker-launders-532m-in-eth-via-tornado-cash-75109 (retrieved 2026-04-28)
Methodology
Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.
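An added example, not the curator's own tooling: a minimal version of the check above that separates cluster interactions inside the 30-day window from older ones, the same distinction the evidence summary draws between a historical touch and current activity. The function names, all addresses and the event dates are constructed assumptions; only the 30-day window and the 2026-04-28 as-of date come from this page.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=30)  # look-back stated in the methodology

def norm(addr: str) -> str:
    """Lower-case a 0x address so checksummed and plain forms compare equal."""
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x"):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    int(a[2:], 16)  # raises ValueError on non-hex characters
    return a

def cluster_touches(events, cluster, protocol_contracts, as_of):
    """Return (active, historical) lists of (timestamp, cluster_address).

    events: iterable of (iso_timestamp, from_addr, to_addr) tuples.
    active = inside the look-back window ending at as_of; historical = older.
    """
    cluster = {norm(a) for a in cluster}
    contracts = {norm(a) for a in protocol_contracts}
    active, historical = [], []
    for ts, src, dst in events:
        when = datetime.fromisoformat(ts)
        src, dst = norm(src), norm(dst)
        # A touch has a cluster address on one side, a protocol contract on the other.
        if src in cluster and dst in contracts:
            actor = src
        elif dst in cluster and src in contracts:
            actor = dst
        else:
            continue
        if when > as_of:
            continue  # event is later than the assessment date
        (active if as_of - when <= WINDOW else historical).append((ts, actor))
    return active, historical

# Constructed sample data (placeholder addresses, not real wallets or contracts).
CLUSTER = ["0x" + "Ab" * 20]      # mixed-case, as a checksummed entry would be
CONTRACTS = ["0x" + "11" * 20]
AS_OF = datetime(2026, 4, 28, tzinfo=timezone.utc)
EVENTS = [
    ("2025-09-02T09:00:00+00:00", "0x" + "ab" * 20, "0x" + "11" * 20),  # old
    ("2026-04-20T12:00:00+00:00", "0x" + "11" * 20, "0x" + "AB" * 20),  # recent
    ("2026-04-21T12:00:00+00:00", "0x" + "22" * 20, "0x" + "11" * 20),  # unrelated
]

if __name__ == "__main__":
    print(cluster_touches(EVENTS, CLUSTER, CONTRACTS, AS_OF))
```

Removing the second constructed event leaves `active` empty and `historical` non-empty, which is the situation the evidence summary describes as of 2026-04-28.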