★ Deployer linked within 3 hops to DPRK/Lazarus
Yearn Finance's assessment for RD-F-125 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
GREEN (critical). Operative deployer chain (0x78d4BDEB to Deployer 20 to 0x623d4A04) terminates in Etherscan-labeled Yearn operational wallets with no OFAC SDN or DPRK/Lazarus cluster designation found. ychad multisig signers are publicly named DeFi figures (Mariano Conti, Lefteris Karapetsas, Michael Egorov, etc.) with no DPRK proximity reported. The Coordinape/Keller DPRK incident: Keller was an external contributor to Coordinape (payroll tool), not a signer or deployer; banteg publicly confirmed no core codebase access; no on-chain routing of Keller wages to Yearn deployer/treasury chain documented. The 4 historical exploits (Cat 5) are external attacker events and do not constitute deployer-level DPRK proximity per U4. No DPRK-confirmed connection exists. No escalation required.
Sources
- How North Korea Infiltrated the Crypto Industry. CoinDesk DPRK investigation (Yahoo Finance) — banteg direct quote: Keller restricted to Coordinape, no core codebase access; no Yearn deployer connection. Retrieved 2026-05-16.
- 0x78d4BDEBc0B4140f01BAB63085F94A5a7A1294f2 — Etherscan. V3 deployer (0x78d4BDEB...) and Deployer 20 (0xb865aaf1...) — no DPRK/Lazarus label, clean Yearn operational chain. Retrieved 2026-05-16.
- Yearn Multisig | Yearn Docs. Yearn multisig signers — publicly named DeFi figures, no DPRK association reported. Retrieved 2026-05-16.
Methodology
Determine whether the deployer address has an on-chain path of ≤3 hops to a Chainalysis/OFAC DPRK-labeled cluster address.
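The hop-bounded check described above, as an added example that is not the curator's or the rubric's own tooling. It assumes a hop is a single transfer counted in either direction; the function name, the transfer lists and every address label in them are constructed for illustration.

```python
from collections import deque

def path_to_labeled(transfers, start, labeled, max_hops=3):
    """Return the shortest path from `start` to any address in `labeled`
    that uses at most `max_hops` transfers, or None when no such path exists."""
    # Assumption: a hop is one transfer in either direction (undirected graph).
    neighbours = {}
    for sender, receiver in transfers:
        neighbours.setdefault(sender, set()).add(receiver)
        neighbours.setdefault(receiver, set()).add(sender)

    queue = deque([[start]])
    seen = {start}  # guards against cycles such as refunds back to the deployer
    while queue:
        path = queue.popleft()
        if path[-1] in labeled:
            return path  # breadth-first order makes this the shortest path
        if len(path) - 1 == max_hops:
            continue  # hop budget spent, do not expand this branch
        for nxt in sorted(neighbours.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

# Constructed sample graph: the labeled address sits 5 hops from the deployer.
FAR = [
    ("funder_1", "deployer"),
    ("funder_2", "funder_1"),
    ("service_wallet", "funder_2"),
    ("relay", "service_wallet"),
    ("labeled_x", "relay"),
    ("deployer", "funder_1"),  # refund, creates a cycle
]
# Same graph plus one transfer that puts a labeled address exactly 3 hops away.
NEAR = FAR + [("labeled_y", "funder_2")]
LABELED = {"labeled_x", "labeled_y"}

if __name__ == "__main__":
    print(path_to_labeled(FAR, "deployer", LABELED))   # None
    print(path_to_labeled(NEAR, "deployer", LABELED))  # 3-hop path
```

Counting hops through high-volume service wallets inflates matches, so a returned path is a lead for manual review of the intermediate addresses rather than a finding on its own.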