Corvus
Threat Playbook · Red & Blue · Paired Analysis

Adversary Vectors & Defensive Controls

Surfaced exposures evaluated as adversary opportunities (left) and the defensive controls that close them (right). Vectors and controls are paired where one directly addresses the other. Baseline controls apply across multiple vectors.

4 Red Vectors · 7 Blue Controls · 0 Paired · 0 Baseline

Red · Adversary Vectors

4 vectors · ranked by severity
1 · Critical · High Confidence

DPRK Lazarus Group — Continued DeFi Bridge and DEX Exploitation

The Lazarus Group / TraderTraitor cluster is almost certainly continuing its systematic targeting of DeFi protocols, cross-chain bridges, and DEX infrastructure. The $2.6B haul across 2025-2026 demonstrates a capability shift from exchange-level attacks (Bybit) to protocol-layer attacks (Drift, KelpDAO) carried out through patient, 6-month social engineering campaigns — a pattern that is time-consuming to operate but nearly impossible to defend against through technical controls alone. Highest-risk near-term targets: DeFi protocols with TVL above $100M and bridge infrastructure connecting major chains (ETH, SOL, Arbitrum, Base). The Arbitrum freeze of $71M from KelpDAO shows that reactive on-chain blocking is possible but insufficient — DPRK moved $175M before the freeze was implemented.

2 · High · High Confidence

TCO USDT Laundering — Unregulated OTC Desk and P2P Network Exploitation

Transnational criminal organizations are very likely accelerating their use of Tether USDT to convert drug proceeds via unregulated P2P OTC desks that predate GENIUS Act compliance mandates. The OFAC designation of 6 Ethereum wallets (May 20 2026) for Sinaloa crypto-drug laundering confirms that the operational infrastructure exists; the ICIJ Coin Laundry documentation of $1.4B+ shows it is historically established. The primary risk vector is OTC desk facilitation in jurisdictions without AML enforcement — Mexico, UAE, and Southeast Asian crypto markets.

3 · High · Moderate Confidence

GRU Proxy Network Reconstitution — Post-Roussev European Recruitment

The GRU is likely actively reconstituting its European proxy network following the May 2025 Roussev convictions, with Jan Marsalek (confirmed as a GRU handler, PBS Frontline Oct 2025) still operating freely from Moscow. The Roussev model — recruiting financially vulnerable European nationals and tasking them with surveillance and harassment — requires a minimal GRU footprint and is resilient to individual arrests. The conviction of six Bulgarians disrupts but does not eliminate a model that Marsalek is confirmed to be still managing.

4 · Moderate · Moderate Confidence

Rotenberg Network — Continued Wartime Domestic Russian Sector Capture

Arkady Rotenberg's network will likely continue exploiting the wartime sanctions-isolation context to capture additional Russian state assets and market positions. The Tatspirtprom acquisition (Jan 2026) follows the Stroygazmontazh/pipeline model: sanctions-enabled Western exit → Russian competitor vacuum → state-facilitated Rotenberg acquisition. Additional targets likely include infrastructure companies that lost Western partners, consumer goods distributors displaced by import sanctions, and privatization targets managed through Rosimushchestvo.

Blue · Defensive Controls

7 controls · paired and baseline
1 · Paired

DeFi Protocol — Real-Time DPRK Blockchain Address Screening

DeFi protocols above $100M TVL should integrate OFAC-designated blockchain analytics (TRM Labs, Chainalysis, Elliptic) to block transactions from DPRK-attributed wallet clusters in real time. Reactive on-chain blocking (as demonstrated by Arbitrum on KelpDAO) is insufficient — proactive address screening at transaction initiation is the correct posture. Cross-protocol coordination on DPRK wallet blacklists would close the arbitrage created by blocking at individual protocols only.

2 · Paired

DeFi Employee Security — Anti-TraderTraitor Social Engineering Protocol

DeFi protocols should implement security awareness training specifically targeting the TraderTraitor model: fake recruiter personas on LinkedIn offering inflated compensation, off-platform communication (Telegram, Discord), and requests for technical access under development pretexts. The 6-month Drift Protocol infiltration used standard recruitment vectors; human controls (recruitment verification, out-of-band confirmation for privileged access grants, hardware security key requirements) are the primary defense.

3 · Paired

GENIUS Act Accelerated Implementation — OTC Desk and P2P Exchange Coverage

FinCEN and OFAC should extend GENIUS Act AML/CFT requirements beyond stablecoin issuers to cover OTC desks and P2P exchanges facilitating USDT transactions above reporting thresholds. The current proposed rule targets issuers but not the transaction-facilitation layer where cartel laundering primarily occurs. Bilateral cooperation with UAE, Mexican, and Southeast Asian financial regulators to extend AML requirements to offshore USDT OTC desks would materially constrain the Sinaloa laundering vector.

4 · Paired

EU-Wide GRU Proxy Mapping — Marsalek-Linked Financial Networks

EU member state intelligence agencies should conduct coordinated mapping of financial networks linked to Jan Marsalek's pre-2020 contacts in Austria, Germany, and the UK, focusing on individuals who maintained financial relationships with Marsalek post-flight. The Roussev network was recruited through pre-existing financial vulnerability; Marsalek's access to Wirecard's global client and banking networks provides a structural map of potential recruitment targets. Coordinated FININT sharing through Europol is the appropriate mechanism.

5 · Paired

KleptoCapture Continuity — Political Insulation of Career DOJ Prosecutions

Congressional oversight of DOJ case disposition decisions — specifically requiring public reporting of declination decisions in sanctioned-Russian and cartel-adjacent cases — would create accountability for geopolitically selective case-dropping. This control addresses the institutional vulnerability identified in KJ_001 and the premortem failure mode FM1 (enforcement normalization). The Kostin trial hold (KJ_007) is the primary watch indicator for whether this control is necessary.

6 · Paired

Secondary Sanctions Expansion — Offshore OTC Desks Facilitating FTO Cartel Transactions

OFAC should issue guidance clarifying that offshore OTC desks and unregulated exchanges facilitating Tether or crypto transactions for FTO-designated cartel networks (Sinaloa, CJNG, Gulf, TdA) are subject to secondary sanctions risk. The existing FTO+SDGT dual designation creates legal authority; the OFAC May 2026 Ethereum wallet designations provide predicate facts. This would extend enforcement beyond US-nexus institutions to the offshore facilitation layer currently outside direct US jurisdiction.

7 · Paired

Venezuela Transition Intelligence — Chavista Hardliner Monitoring

US policymakers should maintain persistent monitoring of Chavista hardliner faction strength within the Venezuelan military and Bolivarian Circle networks during the Rodriguez transition period. The primary risk to the US influence window (KJ_006) is internal Venezuelan reversal. Early warning indicators: Rodriguez's control of military promotions, PDVSA management changes, and public statements by Diosdado Cabello and other hardliner figures.