{
  "schema_version": "2",
  "oak_version": "0.1.0-draft",
  "generated_at": "2026-05-19T12:32:37+00:00",
  "tactics": [
    {
      "id": "OAK-T1",
      "name": "Token Genesis",
      "phase": "Pre-launch / Launch",
      "adjacent_tactics": [],
      "techniques": [
        "OAK-T1.001",
        "OAK-T1.002",
        "OAK-T1.003",
        "OAK-T1.004",
        "OAK-T1.005",
        "OAK-T1.006",
        "OAK-T1.007"
      ],
      "source_file": "/home/runner/work/oak/oak/tactics/T1-token-genesis.md"
    },
    {
      "id": "OAK-T10",
      "name": "Bridge and Cross-Chain",
      "phase": "Targeted compromise",
      "adjacent_tactics": [],
      "techniques": [
        "OAK-T10.001",
        "OAK-T10.002",
        "OAK-T10.003",
        "OAK-T10.004",
        "OAK-T10.005",
        "OAK-T10.006",
        "OAK-T10.007",
        "OAK-T10.008"
      ],
      "source_file": "/home/runner/work/oak/oak/tactics/T10-bridge-and-cross-chain.md"
    },
    {
      "id": "OAK-T11",
      "name": "Custody and Signing Infrastructure",
      "phase": "Targeted compromise",
      "adjacent_tactics": [],
      "techniques": [
        "OAK-T11.001",
        "OAK-T11.002",
        "OAK-T11.003",
        "OAK-T11.004",
        "OAK-T11.005",
        "OAK-T11.005.001",
        "OAK-T11.005.002",
        "OAK-T11.005.003",
        "OAK-T11.006",
        "OAK-T11.006.001",
        "OAK-T11.006.002",
        "OAK-T11.007",
        "OAK-T11.007.001",
        "OAK-T11.007.002",
        "OAK-T11.007.003",
        "OAK-T11.008",
        "OAK-T11.009",
        "OAK-T11.010",
        "OAK-T11.011",
        "OAK-T11.012",
        "OAK-T11.013"
      ],
      "source_file": "/home/runner/work/oak/oak/tactics/T11-custody-and-signing-infrastructure.md"
    },
    {
      "id": "OAK-T12",
      "name": "NFT-Specific Patterns",
      "phase": "Realization",
      "adjacent_tactics": [],
      "techniques": [
        "OAK-T12.001",
        "OAK-T12.002",
        "OAK-T12.003",
        "OAK-T12.004",
        "OAK-T12.005"
      ],
      "source_file": "/home/runner/work/oak/oak/tactics/T12-nft-specific-patterns.md"
    },
    {
      "id": "OAK-T13",
      "name": "Account Abstraction Attacks",
      "phase": "Targeted compromise",
      "adjacent_tactics": [],
      "techniques": [
        "OAK-T13.001",
        "OAK-T13.001.001",
        "OAK-T13.001.002",
        "OAK-T13.001.003",
        "OAK-T13.001.004",
        "OAK-T13.002",
        "OAK-T13.003",
        "OAK-T13.004"
      ],
      "source_file": "/home/runner/work/oak/oak/tactics/T13-account-abstraction-attacks.md"
    },
    {
      "id": "OAK-T14",
      "name": "Validator / Staking / Restaking Attacks",
      "phase": "Targeted compromise",
      "adjacent_tactics": [],
      "techniques": [
        "OAK-T14.001",
        "OAK-T14.002",
        "OAK-T14.003",
        "OAK-T14.003.001",
        "OAK-T14.004",
        "OAK-T14.005",
        "OAK-T14.006"
      ],
      "source_file": "/home/runner/work/oak/oak/tactics/T14-validator-staking-restaking-attacks.md"
    },
    {
      "id": "OAK-T15",
      "name": "Off-chain Entry-Vector / Pre-Positioning",
      "phase": "Pre-positioning",
      "adjacent_tactics": [],
      "techniques": [
        "OAK-T15.001",
        "OAK-T15.002",
        "OAK-T15.003",
        "OAK-T15.004",
        "OAK-T15.005",
        "OAK-T15.006"
      ],
      "source_file": "/home/runner/work/oak/oak/tactics/T15-off-chain-entry-vector.md"
    },
    {
      "id": "OAK-T16",
      "name": "Governance / Voting Manipulation",
      "phase": "Realization",
      "adjacent_tactics": [],
      "techniques": [
        "OAK-T16.001",
        "OAK-T16.002",
        "OAK-T16.003",
        "OAK-T16.004",
        "OAK-T16.005"
      ],
      "source_file": "/home/runner/work/oak/oak/tactics/T16-governance-voting-manipulation.md"
    },
    {
      "id": "OAK-T17",
      "name": "Market Manipulation",
      "phase": "Realization",
      "adjacent_tactics": [],
      "techniques": [
        "OAK-T17.001",
        "OAK-T17.002",
        "OAK-T17.003",
        "OAK-T17.004",
        "OAK-T17.005"
      ],
      "source_file": "/home/runner/work/oak/oak/tactics/T17-market-manipulation.md"
    },
    {
      "id": "OAK-T2",
      "name": "Liquidity Establishment",
      "phase": "Pre-launch / Launch",
      "adjacent_tactics": [],
      "techniques": [
        "OAK-T2.001",
        "OAK-T2.002",
        "OAK-T2.003",
        "OAK-T2.004",
        "OAK-T2.005"
      ],
      "source_file": "/home/runner/work/oak/oak/tactics/T2-liquidity-establishment.md"
    },
    {
      "id": "OAK-T3",
      "name": "Holder Capture",
      "phase": "Pre-launch / Launch",
      "adjacent_tactics": [],
      "techniques": [
        "OAK-T3.001",
        "OAK-T3.002",
        "OAK-T3.003",
        "OAK-T3.004",
        "OAK-T3.005",
        "OAK-T3.006"
      ],
      "source_file": "/home/runner/work/oak/oak/tactics/T3-holder-capture.md"
    },
    {
      "id": "OAK-T4",
      "name": "Access Acquisition",
      "phase": "Targeted compromise",
      "adjacent_tactics": [],
      "techniques": [
        "OAK-T4.001",
        "OAK-T4.002",
        "OAK-T4.003",
        "OAK-T4.004",
        "OAK-T4.005",
        "OAK-T4.006",
        "OAK-T4.007",
        "OAK-T4.008",
        "OAK-T4.009",
        "OAK-T4.010",
        "OAK-T4.011"
      ],
      "source_file": "/home/runner/work/oak/oak/tactics/T4-access-acquisition.md"
    },
    {
      "id": "OAK-T5",
      "name": "Value Extraction",
      "phase": "Realization",
      "adjacent_tactics": [],
      "techniques": [
        "OAK-T5.001",
        "OAK-T5.002",
        "OAK-T5.003",
        "OAK-T5.004",
        "OAK-T5.005",
        "OAK-T5.006",
        "OAK-T5.007",
        "OAK-T5.008"
      ],
      "source_file": "/home/runner/work/oak/oak/tactics/T5-value-extraction.md"
    },
    {
      "id": "OAK-T6",
      "name": "Defense Evasion",
      "phase": "Cross-cutting",
      "adjacent_tactics": [],
      "techniques": [
        "OAK-T6.001",
        "OAK-T6.002",
        "OAK-T6.003",
        "OAK-T6.004",
        "OAK-T6.005",
        "OAK-T6.006",
        "OAK-T6.007",
        "OAK-T6.008"
      ],
      "source_file": "/home/runner/work/oak/oak/tactics/T6-defense-evasion.md"
    },
    {
      "id": "OAK-T7",
      "name": "Laundering",
      "phase": "Post-extraction",
      "adjacent_tactics": [],
      "techniques": [
        "OAK-T7.001",
        "OAK-T7.002",
        "OAK-T7.003",
        "OAK-T7.004",
        "OAK-T7.005",
        "OAK-T7.006",
        "OAK-T7.007",
        "OAK-T7.008",
        "OAK-T7.009",
        "OAK-T7.010"
      ],
      "source_file": "/home/runner/work/oak/oak/tactics/T7-laundering.md"
    },
    {
      "id": "OAK-T8",
      "name": "Operator Continuity / Attribution Signals",
      "phase": "Post-extraction",
      "adjacent_tactics": [],
      "techniques": [
        "OAK-T8.001",
        "OAK-T8.002",
        "OAK-T8.003",
        "OAK-T8.004",
        "OAK-T8.005"
      ],
      "source_file": "/home/runner/work/oak/oak/tactics/T8-operational-reuse.md"
    },
    {
      "id": "OAK-T9",
      "name": "Smart-Contract Exploit",
      "phase": "Realization",
      "adjacent_tactics": [],
      "techniques": [
        "OAK-T9.001",
        "OAK-T9.002",
        "OAK-T9.003",
        "OAK-T9.004",
        "OAK-T9.005",
        "OAK-T9.006",
        "OAK-T9.006.001",
        "OAK-T9.006.002",
        "OAK-T9.006.003",
        "OAK-T9.006.004",
        "OAK-T9.006.005",
        "OAK-T9.007",
        "OAK-T9.008",
        "OAK-T9.009",
        "OAK-T9.010",
        "OAK-T9.011",
        "OAK-T9.012",
        "OAK-T9.013",
        "OAK-T9.014"
      ],
      "source_file": "/home/runner/work/oak/oak/tactics/T9-smart-contract-exploit.md"
    }
  ],
  "techniques": [
    {
      "id": "OAK-T1.001",
      "name": "Modifiable Tax Function",
      "parent_tactics": [
        "OAK-T1",
        "OAK-T6"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Solana"
      ],
      "first_documented": "2018 (academic), widespread by 2020",
      "aliases": [
        "honeypot tax",
        "trap tax",
        "anti-sell tax",
        "tax trap"
      ],
      "citations": [
        "chainalysis2025rug",
        "cointelegraphanubismixer2022",
        "decryptanubis2021",
        "quillauditsbackdoor",
        "slowmist2024report",
        "torres2019",
        "trmsquid2021"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T1.001-modifiable-tax-function.md"
    },
    {
      "id": "OAK-T1.002",
      "name": "Token-2022 Permanent Delegate Authority",
      "parent_tactics": [
        "OAK-T1",
        "OAK-T6"
      ],
      "maturity": "observed",
      "chains": [
        "Solana"
      ],
      "first_documented": "2024 (industry advisories); industrial-scale abuse from late 2024 onward",
      "aliases": [
        "permanent delegate token",
        "PD authority",
        "burn-on-buy scam"
      ],
      "citations": [
        "neodyme2024token2022",
        "solana2024permdelegate"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T1.002-token-2022-permanent-delegate.md"
    },
    {
      "id": "OAK-T1.003",
      "name": "Renounced-But-Not-Really (Proxy-Upgrade Backdoor)",
      "parent_tactics": [
        "OAK-T1",
        "OAK-T6"
      ],
      "maturity": "stable",
      "chains": [
        "EVM (primary)"
      ],
      "first_documented": "systematic 2022 onward; Shido 2024 as a canonical large-scale named case",
      "aliases": [
        "fake renounce",
        "proxy backdoor",
        "ghost owner",
        "transferOwnership-not-really"
      ],
      "citations": [
        "chainalysis2025rug",
        "nomicproxybackdoor",
        "quillauditsbackdoor",
        "slowmist2024report"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T1.003-renounced-but-not-really.md"
    },
    {
      "id": "OAK-T1.004",
      "name": "Blacklist / Pausable Transfer Weaponization",
      "parent_tactics": [
        "OAK-T1",
        "OAK-T6"
      ],
      "maturity": "stable",
      "chains": [
        "EVM (primary)"
      ],
      "first_documented": "widespread from approximately 2020 onward",
      "aliases": [
        "blacklist scam",
        "pausable token",
        "anti-sell pausable",
        "selective-block transfer",
        "freeze-on-buy"
      ],
      "citations": [
        "chainalysis2025rug",
        "ofac2022tornado",
        "quillauditsbackdoor",
        "slowmist2024report"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T1.004-blacklist-pausable-weaponization.md"
    },
    {
      "id": "OAK-T1.005",
      "name": "Hidden Fee-on-Transfer",
      "parent_tactics": [
        "OAK-T1",
        "OAK-T6"
      ],
      "maturity": "stable",
      "chains": [
        "EVM (primary)",
        "Solana (SPL via Token-2022 transfer-fee extension; secondary)"
      ],
      "first_documented": "widespread from approximately 2020 onward",
      "aliases": [
        "sell tax",
        "anti-bot tax",
        "asymmetric fee",
        "router-only fee",
        "honeypot-lite",
        "conditional fee-on-transfer"
      ],
      "citations": [
        "chainalysis2025rug",
        "quillauditsbackdoor",
        "slowmist2024report"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T1.005-hidden-fee-on-transfer.md"
    },
    {
      "id": "OAK-T1.006",
      "name": "Honeypot-by-Design",
      "parent_tactics": [
        "OAK-T1"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (BNB Chain dominant by deployment count; Base, Ethereum); cross-chain"
      ],
      "first_documented": "academic foundational reference 2019 (`[torres2019]`); industrial-scale cohort observable from 2023 onward; canonical 2024-Q4 cross-chain prevalence",
      "aliases": [
        "honeypot token",
        "buy-only token",
        "cannot-sell token",
        "sell-blocking smart contract",
        "asymmetric-fee honeypot"
      ],
      "citations": [
        "certikhoneypotproliferation",
        "chainalysis2025rug",
        "cryptorankhoneypotbase2025",
        "dipprofithoneypot2024",
        "goplusq42024honeypot",
        "hackenhoneypotscam",
        "mediumsnibbb2023",
        "slowmist2024report",
        "torres2019"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T1.006-honeypot-by-design.md"
    },
    {
      "id": "OAK-T1.007",
      "name": "Token-2022 Transfer-Hook Abuse",
      "parent_tactics": [
        "OAK-T1",
        "OAK-T6"
      ],
      "maturity": "emerging",
      "chains": [
        "Solana (SPL Token-2022); cross-standard analogues on EVM (ERC-777 `tokensReceived`, ERC-1363 transfer-and-call, ERC-4626 vault hooks) covered separately at OAK-T9.005"
      ],
      "first_documented": "Halborn pre-production audit of Token-2022 (November 2022); class-level developer-side documentation 2023–2025; April 2025 ZK-ElGamal proof zero-day disclosure-and-patch cycle. Per-incident externally-attributed-exploit anchor remains empty at v0.1 freeze.",
      "aliases": [
        "transfer-hook callback abuse",
        "Token-2022 hook reentrancy",
        "SPL transfer-hook attack"
      ],
      "citations": [
        "ackeesolanahandbook",
        "chainstacktransferhook",
        "coindesksolanatoken2022zk2025",
        "cryptonomistsolanatoken2022zk2025",
        "cryptoslatesolanatoken2022zk2025",
        "dailycoinsolanatoken2022zk2025",
        "devtosolanahooks2025",
        "halbornsolanatokenception2022",
        "neodyme2024token2022",
        "quicknodetransferhook",
        "rareskillstoken2022",
        "solanatransferhookguide"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T1.007-token-2022-transfer-hook-abuse.md"
    },
    {
      "id": "OAK-T10.001",
      "name": "Validator / Signer Key Compromise",
      "parent_tactics": [
        "OAK-T10"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "cross-chain"
      ],
      "first_documented": "2022 (Ronin canonical case)",
      "aliases": [
        "validator key theft",
        "multisig compromise",
        "MPC key loss"
      ],
      "citations": [
        "chainalysis2024dprk",
        "ellipticronin2022"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T10.001-validator-signer-key-compromise.md"
    },
    {
      "id": "OAK-T10.002",
      "name": "Message-Verification Bypass",
      "parent_tactics": [
        "OAK-T10"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Solana",
        "cross-chain"
      ],
      "first_documented": "2022 (Wormhole, Nomad canonical cases)",
      "aliases": [
        "bridge proof bypass",
        "message-validation flaw",
        "VAA forgery (Wormhole-specific)"
      ],
      "citations": [
        "mandiantnomad2022"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T10.002-message-verification-bypass.md"
    },
    {
      "id": "OAK-T10.003",
      "name": "Cross-Chain Replay",
      "parent_tactics": [
        "OAK-T10"
      ],
      "maturity": "observed",
      "chains": [
        "EVM",
        "cross-chain"
      ],
      "first_documented": "2022 (concept characterised in academic literature; recurring across smaller incidents)",
      "aliases": [
        "bridge replay attack",
        "chain-ID replay",
        "message-replay across chains"
      ],
      "citations": [
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T10.003-cross-chain-replay.md"
    },
    {
      "id": "OAK-T10.004",
      "name": "Optimistic-Bridge Fraud-Proof Gap",
      "parent_tactics": [
        "OAK-T10"
      ],
      "maturity": "observed",
      "chains": [
        "EVM",
        "cross-chain (any optimistic-message-verification or optimistic-rollup-bridged architecture)"
      ],
      "first_documented": "2022 (concept characterised in Connext / Nomad architecture write-ups; recurring as architecture-review finding)",
      "aliases": [
        "watcher-liveness failure",
        "challenge-window inadequacy",
        "fraud-proof system gap",
        "1-of-N honest-verifier assumption failure"
      ],
      "citations": [
        "bhuptanioptbridges2022",
        "halbornnomadoptimistic2022",
        "hollowvictory2025",
        "owaspscstop10",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T10.004-optimistic-bridge-fraud-proof-gap.md"
    },
    {
      "id": "OAK-T10.005",
      "name": "Light-Client Verification Bypass",
      "parent_tactics": [
        "OAK-T10"
      ],
      "maturity": "observed",
      "chains": [
        "EVM",
        "Cosmos / IBC",
        "Bitcoin SPV consumers",
        "cross-chain (any bridge whose security reduces to a cryptographic light-client or proof-verification primitive)"
      ],
      "first_documented": "2022 (Verichains \"Dragonberry\" disclosure of an ICS-23 Merkle-proof soundness bug affecting IBC light-client verification across Cosmos-SDK chains; class characterised earlier in zk-bridge academic literature)",
      "aliases": [
        "circuit soundness bug",
        "trusted-setup compromise",
        "proof-system bypass",
        "light-client verifier bug",
        "zk-bridge soundness failure"
      ],
      "citations": [
        "owaspscstop10",
        "soksnarkvulns2024",
        "verichainsdragonberry2022",
        "xie2022zkbridge",
        "zhou2023sok",
        "zkbugtracker"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T10.005-light-client-verification-bypass.md"
    },
    {
      "id": "OAK-T10.006",
      "name": "Cross-Chain Governance Relay Attack",
      "parent_tactics": [
        "OAK-T10"
      ],
      "maturity": "emerging",
      "chains": [
        "Cross-chain (any protocol stack where governance actions are relayed across chains via a message bridge — LayerZero, Wormhole, Chainlink CCIP, Hyperlane, Axelar); target chains typically EVM or EVM-compatible"
      ],
      "first_documented": "2023–2024 (class characterised in bridge-security literature; specific governance-bridge bypass incidents from 2024 onward)",
      "aliases": [
        "governance-bridge attack",
        "cross-chain governance hijack",
        "message-relay governance bypass",
        "governance-message forgery",
        "cross-chain proposal injection"
      ],
      "citations": [
        "owaspscstop10",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T10.006-cross-chain-governance-relay-attack.md"
    },
    {
      "id": "OAK-T10.007",
      "name": "Bridge Validator Economic-Incentive Misalignment",
      "parent_tactics": [
        "OAK-T10"
      ],
      "maturity": "emerging",
      "chains": [
        "Cross-chain (any bridge whose security model relies on a validator set bonded by economic stake — Ronin/Sky Mavis, Wormhole (pre-Guardian-set expansion), Axie Infinity bridge, Polygon PoS bridge, Ronin DPoS, any PoS-style validator bridge where the validator's stake is independent of the bridge's TVL)"
      ],
      "first_documented": "2022 (the Ronin bridge incident crystallised the class at operational scale, though the economic-misalignment framing predates it); the academic characterisation of validator-stake-vs-TVL misalignment as a structural bridge vulnerability class matured 2022–2024",
      "aliases": [
        "validator-stake TVL gap",
        "bridge validator bribe attack",
        "economic-security deficit",
        "stake-to-TVL ratio attack",
        "validator-profitability attack"
      ],
      "citations": [
        "ronin2022postmortem",
        "wormhole2022postmortem",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T10.007-bridge-validator-economic-incentive-misalignment.md"
    },
    {
      "id": "OAK-T10.008",
      "name": "Bridge Observer Signature Scope Truncation",
      "parent_tactics": [
        "OAK-T10"
      ],
      "maturity": "emerging",
      "chains": [
        "Cross-chain (any bridge or cross-chain protocol where a relayer/observer network signs observations of external chain events and the signed payload does not cover all semantically-meaningful wrapper fields — THORChain Bifrost, Chainlink CCIP, LayerZero, Wormhole, Axelar, any MPC-based bridge with observer-consensus architecture)"
      ],
      "first_documented": "2026-05-15 (THORChain Router exploit — Bifrost `GetSignablePayload()` truncation: inner `Tx` signed, `ObservedTx` wrapper direction flag unsigned, proposer flipped inbound→outbound to forge migration observation)",
      "aliases": [
        "observer signature scope attack",
        "unsigned wrapper field forgery",
        "Bifrost direction-bit attack",
        "relayer payload truncation",
        "incomplete payload signing"
      ],
      "citations": [
        "thorchain2026postmortem"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T10.008-bridge-observer-signature-scope-truncation.md"
    },
    {
      "id": "OAK-T11.001",
      "name": "Third-Party Signing-Vendor UI / Signing-Flow Compromise",
      "parent_tactics": [
        "OAK-T11"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Solana",
        "cross-chain"
      ],
      "first_documented": "systematic 2022 onward; canonical large-scale case Bybit / Safe{Wallet} 2025-02",
      "aliases": [
        "signing-vendor UI compromise",
        "Safe{Wallet}-class supply-chain compromise",
        "UI-payload substitution at sign time"
      ],
      "citations": [
        "chainalysis2024dprk",
        "crystalwazirx2024",
        "wazirxwiki2024"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.001-third-party-signing-vendor-compromise.md"
    },
    {
      "id": "OAK-T11.002",
      "name": "Wallet-Software Distribution Compromise",
      "parent_tactics": [
        "OAK-T11"
      ],
      "maturity": "stable",
      "chains": [
        "multi-chain (any chain the affected wallet supports)"
      ],
      "first_documented": "systematic 2023 onward; canonical case Atomic Wallet June 2023",
      "aliases": [
        "wallet supply-chain attack",
        "trojanised wallet update",
        "self-custodial wallet compromise"
      ],
      "citations": [
        "chainalysis2024dprk",
        "ellipticatomic2023"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.002-wallet-software-distribution-compromise.md"
    },
    {
      "id": "OAK-T11.003",
      "name": "In-Use Multisig Smart-Contract Manipulation",
      "parent_tactics": [
        "OAK-T11",
        "OAK-T9"
      ],
      "maturity": "observed",
      "chains": [
        "EVM"
      ],
      "first_documented": "2024 (WazirX canonical case)",
      "aliases": [
        "multisig hijack",
        "in-flight multisig modification"
      ],
      "citations": [
        "chainalysis2024dprk",
        "crystalwazirx2024",
        "wazirxwiki2024"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.003-multisig-contract-manipulation.md"
    },
    {
      "id": "OAK-T11.004",
      "name": "Insufficient-Entropy Key Generation",
      "parent_tactics": [
        "OAK-T11"
      ],
      "maturity": "stable",
      "chains": [
        "chain-agnostic (any ECDSA / EdDSA-curve chain whose end-user keys are produced by an off-chain generator); canonical anchors on Ethereum"
      ],
      "first_documented": "2022-09 (Profanity vanity-address generator public disclosure by 1inch); the structural class is older (Bitcoin \"RNG bug\" cohorts predate the canonical Ethereum case but are not the v0.1 anchor)",
      "aliases": [
        "weak-RNG key generation",
        "vanity-address entropy collapse",
        "Profanity-class private-key recovery",
        "32-bit-seed key recovery"
      ],
      "citations": [
        "cointelegraphprofanitycohort2022",
        "halbornprofanitytool2022",
        "halbornwintermute2022"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.004-insufficient-entropy-key-generation.md"
    },
    {
      "id": "OAK-T11.005",
      "name": "Operator-side Fake-Platform Fraud",
      "parent_tactics": [
        "OAK-T11"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (deposit substrate is BTC / ETH / stablecoins on-chain; the fraud \"platform\" is off-chain operator-controlled UI/database)"
      ],
      "first_documented": "2014 (OneCoin) at the modern threshold; pre-pig-butchering-era (2014–2018) MLM-Ponzi cohort plus 2018-onward multi-asset-wallet Ponzi plus 2020-onward fake-CEX / pig-butchering cohort",
      "aliases": [
        "fake-CEX",
        "pig-butchering platform",
        "fake custodian",
        "investment-fraud platform",
        "MLM fake-cryptocurrency Ponzi",
        "rug platform"
      ],
      "citations": [
        "bbc2019cryptoqueenpodcast",
        "behindmlmonecoin",
        "chainalysis2025rug",
        "coindesk2026onecoinvictims",
        "doj2017ignatovaindictment",
        "doj2022greenwoodguiltyplea",
        "doj2023greenwoodsentencing",
        "fbi2022ignatovamostwanted",
        "state2024ignatovareward"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.005-operator-side-fake-platform-fraud.md"
    },
    {
      "id": "OAK-T11.005.001",
      "name": "Fake-CEX / Pig-Butchering Platform",
      "parent_tactics": [
        "OAK-T11",
        "OAK-T1"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (deposit substrate is BTC / ETH / stablecoins on-chain; the fraud \"platform\" is off-chain operator-controlled UI/database)"
      ],
      "first_documented": "2018–2020 (pig-butchering model emergence); 2023 JPEX Hong Kong case as the highest-profile public enforcement action",
      "aliases": [
        "pig-butchering platform",
        "fake-CEX",
        "romance-scam investment platform",
        "Sha Zhu Pan",
        "BeurAx-class platform",
        "unlicensed-offshore-exchange fraud"
      ],
      "citations": [
        "chainalysis2025rug",
        "fbiic32024",
        "fincentra2023pigbutchering"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.005.001-fake-cex-pig-butchering-platform.md"
    },
    {
      "id": "OAK-T11.005.002",
      "name": "Fake-Custodian / Fake-Asset-Manager Fraud",
      "parent_tactics": [
        "OAK-T11",
        "OAK-T1"
      ],
      "maturity": "observed",
      "chains": [
        "chain-agnostic (deposit substrate is BTC / ETH / stablecoins on-chain; the fraud \"platform\" is off-chain operator-controlled UI/database)"
      ],
      "first_documented": "2011 (Bitcoin Savings & Trust as the earliest structurally characterised case); 2018–2019 (PlusToken as the largest-value multi-asset wallet Ponzi); 2020-onward (HyperVerse / CryptoFX / Forsage / CoinDeal as the modern enforcement-record cohort)",
      "aliases": [
        "fake custodian",
        "fake asset manager",
        "MLM crypto Ponzi",
        "AI-trading Ponzi",
        "fake yield fund",
        "fake wealth-management platform",
        "multi-asset wallet Ponzi"
      ],
      "citations": [
        "dojhyperverse2024",
        "seccoindeal2023",
        "seccryptofx2024",
        "secforsage2022",
        "secvshavers2013"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.005.002-fake-custodian-fake-asset-manager-fraud.md"
    },
    {
      "id": "OAK-T11.005.003",
      "name": "Compound-Operated Investment-Fraud Platforms",
      "parent_tactics": [
        "OAK-T11",
        "OAK-T1"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic; deposit substrate is BTC / ETH / stablecoins (USDT on Tron dominant); industrial-scale victim-acquisition infrastructure predominantly in Southeast Asia"
      ],
      "first_documented": "2020 (emergence of industrial-scale scam compounds); 2024 OFAC Ly Yong Phat / O-Smach Resort designation; 2025 DOJ Chen Zhi / Prince Group $15B Bitcoin forfeiture",
      "aliases": [
        "Southeast Asia scam compound",
        "forced-labour investment fraud",
        "industrial pig-butchering",
        "compound-operated fraud",
        "Cambodia/Myanmar scam compound"
      ],
      "citations": [
        "dojjune2025philippinescompound",
        "dojoctober2025chenzhi",
        "fincenoctober2025huione",
        "ofacseptember2024lyyongphat"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.005.003-compound-operated-investment-fraud-platforms.md"
    },
    {
      "id": "OAK-T11.006",
      "name": "Cold-storage Seed-phrase Exfiltration at Rest",
      "parent_tactics": [
        "OAK-T11"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (the substrate-of-extraction is the BIP39 seed phrase / private key material itself; downstream extraction occurs across whichever chains the affected wallet holds)"
      ],
      "first_documented": "2022-04 (iCloud-backup MetaMask / Iacovone case) for the implicit-cloud-custody sub-pattern; 2022-12 (LastPass encrypted-vault exfiltration) for the user-initiated plaintext-storage sub-pattern; cohort window remains open at v0.1 reporting horizon",
      "aliases": [
        "seed-phrase at rest exfiltration",
        "password-manager seed-storage compromise",
        "iCloud-backup wallet drain",
        "third-party-storage seed-phrase compromise"
      ],
      "citations": [
        "bleepinglastpass2025",
        "cointelegraphlarsen2024",
        "hackernewslastpass2025",
        "infosecuritylastpass2023",
        "krebslastpass2023",
        "krebslastpass2025",
        "lastpassbreachdisclosure2022",
        "theblocklastpass2023",
        "trmlabslastpass2025",
        "zachxbtlastpass2023"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.006-cold-storage-seed-phrase-exfiltration-at-rest.md"
    },
    {
      "id": "OAK-T11.006.001",
      "name": "User-Initiated Plaintext-Equivalent Seed Storage",
      "parent_tactics": [
        "OAK-T11",
        "OAK-T1"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (BIP39 seed phrase / private key material stored in third-party service; downstream extraction across all chains the affected wallet holds)"
      ],
      "first_documented": "2022-12 (LastPass encrypted-vault exfiltration → 2023–2025 multi-year crypto-drain cohort)",
      "aliases": [
        "password-manager seed storage compromise",
        "LastPass-class seed-phrase exfiltration",
        "plaintext-equivalent seed storage"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.006.001-user-initiated-plaintext-seed-storage.md"
    },
    {
      "id": "OAK-T11.006.002",
      "name": "Implicit Cloud-Custody via Default-On Cloud-Backup",
      "parent_tactics": [
        "OAK-T11",
        "OAK-T1"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (wallet vault auto-backed-up to iCloud / Google Drive / OneDrive; downstream extraction across all chains the wallet supports)"
      ],
      "first_documented": "2022-04-15 (iCloud-backup MetaMask / Dominic Iacovone case, ~$650K)",
      "aliases": [
        "iCloud-backup wallet drain",
        "cloud-backup seed exfiltration",
        "default-on backup compromise",
        "iOS-backup wallet compromise"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.006.002-implicit-cloud-custody-default-backup.md"
    },
    {
      "id": "OAK-T11.007",
      "name": "Hardware-wallet Supply-chain / Physical-access Compromise",
      "parent_tactics": [
        "OAK-T11"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (the substrate-of-extraction is the BIP39 seed phrase / hardware-wallet-controlled private-key material; downstream extraction occurs across whichever chains the affected wallet supports)"
      ],
      "first_documented": "2017 (early Ledger Nano S inserts cohort) at the cohort-shape layer; 2020-01-31 (Trezor One / Model T RDP-downgrade Kraken disclosure) for the physical-access capability anchor; 2025 counterfeit Ledger Nano S Plus cohort for the deployed-attack anchor; 2023–2026 fake-firmware-update / recovery-app phishing cohort for the active-phishing sub-pattern",
      "aliases": [
        "counterfeit hardware wallet",
        "fake Ledger / fake Trezor",
        "pre-seeded recovery card",
        "hardware-wallet phishing",
        "physical-access seed extraction"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.007-hardware-wallet-supply-chain-physical-access-compromise.md"
    },
    {
      "id": "OAK-T11.007.001",
      "name": "Counterfeit-Hardware Substitution",
      "parent_tactics": [
        "OAK-T11",
        "OAK-T1"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (counterfeit device substitutes the legitimate hardware wallet; downstream extraction across all chains the affected wallet supports)"
      ],
      "first_documented": "2017 (early Ledger Nano S inserts cohort) at the cohort-shape layer; 2025 counterfeit Ledger Nano S Plus cohort for the deployed-attack anchor",
      "aliases": [
        "counterfeit hardware wallet",
        "fake Ledger / fake Trezor",
        "pre-seeded recovery card",
        "hardware-wallet supply-chain substitution"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.007.001-counterfeit-hardware-substitution.md"
    },
    {
      "id": "OAK-T11.007.002",
      "name": "Physical-Access Hardware-Side Seed Extraction",
      "parent_tactics": [
        "OAK-T11",
        "OAK-T1"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (physical-access attack against the hardware wallet's microcontroller; downstream extraction across all chains the wallet supports)"
      ],
      "first_documented": "2020-01-31 (Trezor One / Model T RDP-downgrade voltage-glitch attack, Kraken Security Labs disclosure)",
      "aliases": [
        "voltage-glitch seed extraction",
        "side-channel hardware wallet attack",
        "RDP-downgrade attack",
        "chip-tampering seed extraction"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.007.002-physical-access-hardware-seed-extraction.md"
    },
    {
      "id": "OAK-T11.007.003",
      "name": "Brand-Trust-Leveraged Active Phishing for Seed-Phrase Exfiltration",
      "parent_tactics": [
        "OAK-T11",
        "OAK-T1"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (phishing campaigns target hardware-wallet users across all chains their devices support)"
      ],
      "first_documented": "2020 (Ledger customer-data-breach-leveraged phishing onset); 2023 Kaspersky spring cohort (85,000+ scam emails in a single quarter); 2023 trojanised companion-app cohort",
      "aliases": [
        "fake firmware update phishing",
        "hardware-wallet recovery phishing",
        "brand-impersonation seed solicitation",
        "Ledger-data-breach-leveraged phishing"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.007.003-brand-trust-active-phishing-seed-exfiltration.md"
    },
    {
      "id": "OAK-T11.008",
      "name": "Embedded-Wallet Identity-Provider Compromise",
      "parent_tactics": [
        "OAK-T11"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (Polygon-resident Polymarket / Magic Labs canonical at v0.1; cross-chain analogues across Privy / Web3Auth / Dynamic deployments on Ethereum, Base, Arbitrum, Solana, others)"
      ],
      "first_documented": "2024-09 (Polymarket Magic-Labs takeover); cohort scale-out 2024–2026 across Polymarket-class platforms whose user onboarding runs through third-party email-auth / OAuth / MPC-social-login providers",
      "aliases": [
        "Magic Labs takeover",
        "Privy / Web3Auth / Dynamic compromise",
        "embedded-wallet auth-provider compromise",
        "email-magic-link wallet hijack",
        "social-login wallet drain"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.008-embedded-wallet-identity-provider-compromise.md"
    },
    {
      "id": "OAK-T11.009",
      "name": "Trader-Tooling Supply-Chain Compromise targeting `.env` Private Keys",
      "parent_tactics": [
        "OAK-T11"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (the substrate-of-extraction is the developer-environment plaintext key file; downstream extraction occurs across whichever chains the bot operates on — Polygon, Solana, Ethereum, Base, Arbitrum, BNB Chain are all in scope across the cohort)"
      ],
      "first_documented": "2025-12 / 2026-01 (Polymarket trader-tooling supply-chain compromise via npm `polymarket-clob` and `dev-protocol` GitHub-org hijack); the broader cohort context spans 2024–2026 with overlapping infrastructure to DPRK-attributed BeaverTail / InvisibleFerret npm campaigns",
      "aliases": [
        "trader-bot npm supply-chain",
        "developer-environment .env exfiltration",
        "GitHub-org-hijack trojan-bot distribution",
        "wallet.json infostealer via package registry"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.009-trader-tooling-supply-chain-env-key-compromise.md"
    },
    {
      "id": "OAK-T11.010",
      "name": "Off-chain Counterparty-Risk Insolvency",
      "parent_tactics": [
        "OAK-T11"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (deposit substrate is BTC / ETH / stablecoins on-chain; the failure mode is off-chain operator credit decision → counterparty default → customer-asset shortfall)"
      ],
      "first_documented": "2020-11-07 (Cred Inc. Chapter 11, D. Del. Case No. 20-12836)",
      "aliases": [
        "counterparty-risk insolvency",
        "yield-without-due-diligence failure",
        "custodial-lending default cascade",
        "CeFi yield-platform collapse",
        "re-lending concentration risk"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.010-off-chain-counterparty-risk-insolvency.md"
    },
    {
      "id": "OAK-T11.011",
      "name": "Multi-chain Key-store Co-location",
      "parent_tactics": [
        "OAK-T11"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (the anti-pattern is an operator-side architectural decision, not a chain-specific vulnerability)"
      ],
      "first_documented": "2023-11-10 (Poloniex hot-wallet drain — simultaneous multi-chain extraction across ETH, TRX, BTTC, and others)",
      "aliases": [
        "multi-chain key co-location",
        "shared signing-infrastructure compromise",
        "cross-chain hot-wallet co-location",
        "single-point-of-compromise multi-chain extraction"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.011-multi-chain-key-store-co-location.md"
    },
    {
      "id": "OAK-T11.012",
      "name": "Server-side Raw Private-Key Storage (Custodial Trading-Bot Anti-pattern)",
      "parent_tactics": [
        "OAK-T11"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (the anti-pattern is an operator-side architectural decision, not a chain-specific vulnerability)"
      ],
      "first_documented": "2024-09 (DEXX trading-bot platform cohort; the pattern predates DEXX but DEXX is the first cleanly-documented OAK worked example)",
      "aliases": [
        "custodial-private-key-storage anti-pattern",
        "server-side raw-key storage",
        "trading-bot key-storage compromise",
        "raw-private-key-holding platform"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.012-server-side-raw-private-key-storage.md"
    },
    {
      "id": "OAK-T11.013",
      "name": "Legacy-Version Maintenance Attack Surface",
      "parent_tactics": [
        "OAK-T11"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (primary); structurally generalisable to any chain where protocol operators maintain multiple deployed versions"
      ],
      "first_documented": "2023-02 (Yearn V1 — structurally related but with a configuration-rot dimension); 2025-07 (GMX V1 — cleaner instance of the pure legacy-version-maintenance decision class)",
      "aliases": [
        "deprecated-version attack surface",
        "legacy-version residual vulnerability",
        "multi-version rollout security gap",
        "deprecation-without-decommission"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T11.013-legacy-version-maintenance-attack-surface.md"
    },
    {
      "id": "OAK-T12.001",
      "name": "NFT Wash-Trade Volume Inflation",
      "parent_tactics": [
        "OAK-T12"
      ],
      "maturity": "observed",
      "chains": [
        "EVM (primary; Ethereum / Polygon)",
        "Solana (Magic Eden, Tensor)"
      ],
      "first_documented": "2021–2022 (Chainalysis NFT retrospective; LooksRare incentive-wash episode)",
      "aliases": [
        "NFT volume wash",
        "collection-rank inflation",
        "floor-price wash",
        "marketplace-incentive wash"
      ],
      "citations": [
        "chainalysis2022nft",
        "chainalysis2025rug",
        "victor2021washtrade"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T12.001-nft-wash-trade-volume-inflation.md"
    },
    {
      "id": "OAK-T12.002",
      "name": "Fake-Mint / Counterfeit Collection",
      "parent_tactics": [
        "OAK-T12"
      ],
      "maturity": "stable",
      "chains": [
        "EVM (primary; Ethereum / Polygon)",
        "Solana (Magic Eden cohort)"
      ],
      "first_documented": "2021 (early counterfeit cohort on OpenSea); industrial-scale through 2022 Discord-compromise wave",
      "aliases": [
        "fake mint",
        "counterfeit collection",
        "copymint",
        "spoofed collection",
        "impersonation drop"
      ],
      "citations": [
        "baycdiscord2022",
        "certikpremint2022",
        "chainalysis2022nft",
        "chainalysisnftcounterfeit2022",
        "fortunebaycjune2022",
        "magicedeny00ts2023",
        "openseamoderation2022",
        "theblock2022boredape"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T12.002-fake-mint-counterfeit-collection.md"
    },
    {
      "id": "OAK-T12.003",
      "name": "Royalty Bypass / Marketplace Manipulation",
      "parent_tactics": [
        "OAK-T12"
      ],
      "maturity": "observed",
      "chains": [
        "EVM (primary; Ethereum / Polygon / other ERC-721-bearing chains)"
      ],
      "first_documented": "2022 (Blur launch and the LooksRare / X2Y2 royalty-optional shift); structural problem ongoing",
      "aliases": [
        "royalty stripping",
        "royalty-optional trading",
        "marketplace royalty disregard"
      ],
      "citations": [
        "blurzeroroyalty2022",
        "chainalysis2022nft",
        "eip2981",
        "openseaoperatorfilter2022"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T12.003-royalty-bypass-marketplace-manipulation.md"
    },
    {
      "id": "OAK-T12.004",
      "name": "Timelock-Free Protocol Upgrade Execution",
      "parent_tactics": [
        "OAK-T12"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (primary); any chain with proxy-upgrade patterns and governance-controlled upgrade authority"
      ],
      "first_documented": "2020–2021 (proxy-upgrade pattern proliferation; timelock-bypass incidents characterized in audit literature)",
      "aliases": [
        "instant upgrade attack",
        "timelockless governance",
        "governance-timelock bypass",
        "immediate proxy upgrade",
        "unguarded upgrade authority"
      ],
      "citations": [
        "compoundtimelock2020",
        "eip1967",
        "openzeppelintimelock2021",
        "trailofbits2021governance"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T12.004-timelock-free-protocol-upgrade-execution.md"
    },
    {
      "id": "OAK-T12.005",
      "name": "Flash-Loan Governance Vote Manipulation",
      "parent_tactics": [
        "OAK-T12"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (primary); any chain with flash-loan-enabled DEXs and on-chain governance token voting without a minimum-holding-period requirement"
      ],
      "first_documented": "2022 (Fortress Protocol, Beanstalk Farms, Elephant Money — all within a six-week window in April–May 2022)",
      "aliases": [
        "flash-loan governance attack",
        "flash-loan vote capture",
        "single-block governance takeover",
        "flash-loan proposal passage",
        "uncollateralized governance-weight acquisition"
      ],
      "citations": [
        "beanstalk2022postmortem",
        "compoundgovernance2020",
        "immunefibeanstalk2022",
        "openzeppelingovernor2021",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T12.005-flash-loan-governance-vote-manipulation.md"
    },
    {
      "id": "OAK-T13.001",
      "name": "Paymaster Compromise",
      "parent_tactics": [
        "OAK-T13"
      ],
      "maturity": "observed",
      "chains": [
        "EVM (ERC-4337 EntryPoint v0.6 / v0.7 / v0.8 / v0.9 deployments); EVM L2s with native account abstraction (zkSync Era, Starknet) where the paymaster role is analogous; conceptually portable to any chain whose execution model separates gas-sponsorship validation from execution"
      ],
      "first_documented": "2023 (Alchemy / OpenZeppelin disclosure of the UserOperation packing inconsistency in EntryPoint v0.6 affecting `VerifyingPaymaster`); class characterised continuously through 2024–2026 in audit-firm advisories on deployed paymasters",
      "aliases": [
        "paymaster drain",
        "sponsorship policy bypass",
        "postOp griefing",
        "paymaster DoS",
        "validatePaymasterUserOp bypass",
        "gasless-transaction abuse"
      ],
      "citations": [
        "aviggiano4337checklist",
        "erc4337spec",
        "osecpaymasters2025",
        "ozaa4337audit",
        "tobsixmistakes2026"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T13.001-paymaster-compromise.md"
    },
    {
      "id": "OAK-T13.001.001",
      "name": "Paymaster Accounting Drain",
      "parent_tactics": [
        "OAK-T13"
      ],
      "maturity": "observed",
      "chains": [
        "EVM (ERC-4337 EntryPoint v0.6 / v0.7 / v0.8 / v0.9 deployments); EVM L2s with native account abstraction (zkSync Era, Starknet) where the paymaster role is analogous"
      ],
      "first_documented": "2025 (OSEC paymaster security review enumerates the `postOp` revert / gas-token-mechanic surfaces explicitly); class characterised continuously through audit-firm advisories on deployed paymasters",
      "aliases": [
        "paymaster drain",
        "postOp revert drain",
        "gas-token-mechanic accounting drain",
        "validation-time-debit not unwound"
      ],
      "citations": [
        "aviggiano4337checklist",
        "erc4337spec",
        "osecpaymasters2025",
        "ozaa4337audit",
        "tobsixmistakes2026"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T13.001.001-paymaster-accounting-drain.md"
    },
    {
      "id": "OAK-T13.001.002",
      "name": "Paymaster Policy Bypass",
      "parent_tactics": [
        "OAK-T13"
      ],
      "maturity": "observed",
      "chains": [
        "EVM (ERC-4337 EntryPoint v0.6 / v0.7 / v0.8 / v0.9 deployments); EVM L2s with native account abstraction; Solana (analogous fee-payer / Token-2022 paymaster surfaces — Kora advisory)"
      ],
      "first_documented": "2023 (Alchemy / OpenZeppelin disclosure of the UserOperation-packing inconsistency in EntryPoint v0.6 affecting `VerifyingPaymaster`); Solana / Token-2022 analogue documented 2025 (Kora paymaster advisory)",
      "aliases": [
        "sponsorship policy bypass",
        "validatePaymasterUserOp bypass",
        "off-chain-signer / on-chain-hash parity violation",
        "fail-open instruction parser"
      ],
      "citations": [
        "alchemyuoppack2023",
        "aviggiano4337checklist",
        "dailycvekora2025",
        "erc4337spec",
        "ozaa4337audit",
        "quantstampalchemypm",
        "tobsixmistakes2026"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T13.001.002-paymaster-policy-bypass.md"
    },
    {
      "id": "OAK-T13.001.003",
      "name": "Paymaster Reentrancy",
      "parent_tactics": [
        "OAK-T13"
      ],
      "maturity": "observed",
      "chains": [
        "EVM (ERC-4337 EntryPoint v0.6 / v0.7 / v0.8 / v0.9 deployments); EVM L2s with native account abstraction"
      ],
      "first_documented": "2023 (ERC-4337 reference-implementation guidance warns explicitly against external calls before sponsorship-accounting finalisation); class continues to surface in audit-firm advisories on deployed paymasters",
      "aliases": [
        "validatePaymasterUserOp reentrancy",
        "postOp reentrancy",
        "paymaster validation-surface reentrancy",
        "paymaster-specific T9.005"
      ],
      "citations": [
        "aviggiano4337checklist",
        "erc4337spec",
        "osecpaymasters2025",
        "owaspscstop10",
        "ozaa4337audit",
        "tobsixmistakes2026",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T13.001.003-paymaster-reentrancy.md"
    },
    {
      "id": "OAK-T13.001.004",
      "name": "Paymaster Griefing",
      "parent_tactics": [
        "OAK-T13"
      ],
      "maturity": "observed",
      "chains": [
        "EVM (ERC-4337 EntryPoint v0.6 / v0.7 / v0.8 / v0.9 deployments); EVM L2s with native account abstraction"
      ],
      "first_documented": "2023 (EntryPoint v0.7 added the unused-gas-penalty mechanism specifically to address paymaster-DoS surface); 2026 (EntryPoint v0.9 closed the temporary-revert griefing vector)",
      "aliases": [
        "paymaster DoS",
        "paymaster balance griefing",
        "postOp griefing",
        "unused-gas-penalty abuse",
        "bundler-reputation griefing"
      ],
      "citations": [
        "aviggiano4337checklist",
        "erc4337spec",
        "osecpaymasters2025",
        "ozaa4337audit",
        "projecteleven2026v09",
        "tobsixmistakes2026"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T13.001.004-paymaster-griefing.md"
    },
    {
      "id": "OAK-T13.002",
      "name": "Bundler MEV",
      "parent_tactics": [
        "OAK-T13"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (any chain with deployed ERC-4337 EntryPoint, including Ethereum mainnet, Polygon, Arbitrum, Optimism, Base, BNB Chain)"
      ],
      "first_documented": "2023 (concurrent with EntryPoint v0.6 mainnet deployment and the first vendor-side analyses of the alt-mempool)",
      "aliases": [
        "UserOp MEV",
        "AA sandwich",
        "4337 front-run"
      ],
      "citations": [
        "blockpi2023bundlermempool",
        "daian2019flashboys",
        "eigenphi2023aamev",
        "eigenphijared2023",
        "erc4337eip",
        "etherspot2023bundlermev",
        "fastlane2024erc4337mev",
        "gmu2024aaempirical"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T13.002-bundler-mev.md"
    },
    {
      "id": "OAK-T13.003",
      "name": "Session-Key Hijacking",
      "parent_tactics": [
        "OAK-T13"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (ERC-4337 / ERC-7579 smart accounts); Solana analogues out of scope at v0.1"
      ],
      "first_documented": "vendor advisories 2023 onward; class-level discussion in `[zhou2023sok]`; cohort of public incident write-ups remains thin at v0.1 freeze",
      "aliases": [
        "session-key compromise",
        "delegated-signer hijack",
        "smart-session abuse",
        "scoped-key drainer"
      ],
      "citations": [
        "openfortssa2026",
        "owaspscstop10",
        "smartsessions2024",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T13.003-session-key-hijacking.md"
    },
    {
      "id": "OAK-T13.004",
      "name": "EIP-7702 Delegation Abuse",
      "parent_tactics": [
        "OAK-T13"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (Ethereum mainnet primary; cross-chain replay surface across all EIP-7702-activated chains)"
      ],
      "first_documented": "Pectra hard-fork activation 2025-05-07; cohort onset within first weeks; canonical Wintermute \"CrimeEnjoyor\" tag 2025-06-02",
      "aliases": [
        "EIP-7702 phishing",
        "set-code transaction abuse",
        "CrimeEnjoyor delegation",
        "persistent-execution-authority abuse",
        "delegator sweeper"
      ],
      "citations": [
        "coindeskcrimeenjoyor2025",
        "cryptopolitan7702aug2025",
        "cryptotimes7702quant2026",
        "devohmygodcrimeenjoyor2025",
        "eip7702phishingarxiv",
        "eip7702spec",
        "goplus7702malicious2025",
        "hacken7702aa2025",
        "slowmist7702aug2025",
        "slowmistinferno7702may2025",
        "threesigma7702wallets2025",
        "wintermute7702crimeenjoyor2025"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T13.004-eip7702-delegation-abuse.md"
    },
    {
      "id": "OAK-T14.001",
      "name": "Slashing-Condition Exploit",
      "parent_tactics": [
        "OAK-T14"
      ],
      "maturity": "emerging",
      "chains": [
        "Ethereum (Beacon Chain / consensus layer)",
        "Cosmos-SDK family (Cosmos Hub, Osmosis, Injective, Terra, etc.)",
        "Polkadot / Kusama (NPoS)",
        "Solana (lite slashing model)",
        "restaking layers (EigenLayer, Symbiotic, Karak)",
        "interchain-security consumer chains"
      ],
      "first_documented": "2020 (concept characterised at Beacon Chain genesis; first Ethereum slashings 2020-2021; ICS-style equivocation slashing extended in Cosmos 2023; mass-correlated incidents on Ethereum mainnet through 2024-2025; Ethereum 2025-09 SSV-Network operator-procedural-error correlated-self-slashing event as the canonical operator-side sub-surface anchor)",
      "aliases": [
        "slashing griefing",
        "forced equivocation",
        "slashing-as-MEV",
        "whistleblower-reward race",
        "consumer-chain equivocation slash",
        "slashable-message attack",
        "operator-procedural-error correlated self-slashing",
        "DVT-failover mass slashing"
      ],
      "citations": [
        "a16zslashingecon",
        "coindeskssv2025",
        "cosmosasa2024005",
        "eigenlayerslashing2025",
        "eth2bookslashing",
        "neuder2021posattacks",
        "polkadotoffenses",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T14.001-slashing-condition-exploit.md"
    },
    {
      "id": "OAK-T14.002",
      "name": "MEV-Boost Relay Attack",
      "parent_tactics": [
        "OAK-T14"
      ],
      "maturity": "stable",
      "chains": [
        "Ethereum (mainnet PoS; secondarily any EVM L1 running an MEV-Boost-compatible PBS sidecar — Holesky/Hoodi testnets, Gnosis Chain, etc.)"
      ],
      "first_documented": "2023 (April 3rd unbundling incident; concurrent vendor disclosures of equivocation-class timing issues)",
      "aliases": [
        "relay unbundling",
        "MEV-Boost timing exploit",
        "block equivocation attack",
        "low-carb-crusader attack"
      ],
      "citations": [
        "aestusverticalintegration2023",
        "blocksecmevboost2023",
        "bloxroutemevboost2023",
        "chainlightpbs2023",
        "daian2019flashboys",
        "dojmevbros2024",
        "eigenphijared2023",
        "flashbotsequivocation2023",
        "flashbotsmevboost2023",
        "mevwatch2024",
        "paradigmpbstime2023"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T14.002-mev-boost-relay-attack.md"
    },
    {
      "id": "OAK-T14.003",
      "name": "Restaking Cascading Risk",
      "parent_tactics": [
        "OAK-T14"
      ],
      "maturity": "emerging",
      "chains": [
        "Ethereum L1 (canonical)",
        "EVM L2s with restaking-secured AVS",
        "Cosmos-style shared-security analogues"
      ],
      "first_documented": "2023 (concept characterised in Vitalik Buterin's \"Don't overload Ethereum's consensus\" essay; class formalised through 2024 in restaking risk-analysis literature; mainnet slashing enabled by EigenLayer 2025-04)",
      "aliases": [
        "shared-security cascade",
        "AVS slashing-cascade",
        "LRT depeg cascade",
        "restaking systemic risk",
        "pooled-security contagion"
      ],
      "citations": [
        "alexanderleveragedrestaking2024",
        "eigenlabsslashinglive2025",
        "gauntletrestaking2024",
        "steakhouselrt2024",
        "vitalikrestaking2023",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T14.003-restaking-cascading-risk.md"
    },
    {
      "id": "OAK-T14.003.001",
      "name": "LST/LRT Depeg-Cascade as Constrained-Primitive Sub-class",
      "parent_tactics": [
        "OAK-T14",
        "OAK-T1"
      ],
      "maturity": "emerging",
      "chains": [
        "Ethereum L1 canonical (Lido stETH; Renzo ezETH); EVM L2s and L1s with LST / LRT collateral integration into lending markets"
      ],
      "first_documented": "2022-05/06 (Lido stETH cascade, pre-Shapella, chain-level redemption-absence sub-class); 2024-04 (Renzo ezETH cascade, operator-blocked redemption sub-class); 2025-07 (Lido stETH / Aave / Justin-Sun-driven cascade, withdrawal-queue-depth saturation sub-class)",
      "aliases": [
        "stETH depeg cascade",
        "ezETH depeg cascade",
        "LRT depeg cascade",
        "constrained-redemption depeg",
        "looped-leverage liquidation cascade"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T14.003.001-lst-lrt-depeg-cascade-constrained-primitive.md"
    },
    {
      "id": "OAK-T14.004",
      "name": "Liquid Restaking Token Pricing Manipulation",
      "parent_tactics": [
        "OAK-T14"
      ],
      "maturity": "emerging",
      "chains": [
        "Ethereum L1 (canonical); any chain with restaking-secured AVS and liquid-restaking-token derivatives"
      ],
      "first_documented": "2024 (concurrent with the EigenLayer mainnet launch, LRT protocol launches, and the first LRT depeg events; Renzo ezETH April 2024 depeg is the earliest operational anchor)",
      "aliases": [
        "LRT depeg exploitation",
        "AVS yield manipulation",
        "EigenLayer withdrawal-queue gaming",
        "restaking-derivative price attack",
        "LRT oracle manipulation",
        "slashing-event arbitrage"
      ],
      "citations": [
        "alexanderleveragedrestaking2024",
        "eigenlabsslashinglive2025",
        "gauntletrestaking2024",
        "steakhouselrt2024"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T14.004-liquid-restaking-token-pricing-manipulation.md"
    },
    {
      "id": "OAK-T14.005",
      "name": "Builder Censorship MEV Extraction",
      "parent_tactics": [
        "OAK-T14"
      ],
      "maturity": "emerging",
      "chains": [
        "Ethereum L1 (canonical, via PBS/MEV-Boost); any chain with a proposer-builder separation (PBS) architecture where block builders can censor transactions at the block-construction layer"
      ],
      "first_documented": "2020–2021 (the Flashbots / MEV-Boost ecosystem formalised PBS and builder-censorship as a surface; the class is characterised in MEV research literature from inception)",
      "aliases": [
        "builder censorship",
        "PBS censorship",
        "block-construction censorship",
        "MEV-Boost builder exclusion",
        "transaction-suppression MEV",
        "builder-level sandwich infrastructure"
      ],
      "citations": [
        "daian2019flashboys",
        "wahrstatter2023censorship",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T14.005-builder-censorship-mev-extraction.md"
    },
    {
      "id": "OAK-T14.006",
      "name": "Validator/Proposer Liveness-Fault Griefing",
      "parent_tactics": [
        "OAK-T14"
      ],
      "maturity": "emerging",
      "chains": [
        "Ethereum L1 (validator liveness faults and inactivity-leak penalties); Solana (validator downtime slash); Cosmos (jail-for-downtime); Polkadot (offline-slash); any Proof-of-Stake chain with liveness-fault penalties"
      ],
      "first_documented": "2020–2022 (Ethereum Beacon Chain liveness-fault penalties characterised in consensus research; validator-downtime griefing discussed in Ethereum R&D forums)",
      "aliases": [
        "liveness-fault griefing",
        "validator downtime attack",
        "proposer-withholding griefing",
        "inactivity-leak exploitation"
      ],
      "citations": [
        "daian2019flashboys",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T14.006-validator-proposer-liveness-fault-griefing.md"
    },
    {
      "id": "OAK-T15.001",
      "name": "Social Engineering of Operator Personnel",
      "parent_tactics": [
        "OAK-T15"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (the social-engineering vector is off-chain; downstream on-chain manifestation is per-incident)"
      ],
      "first_documented": "systematically 2019 onward (DragonEx WFC Proof \"trading-bot\" lure as the canonical pre-2020 anchor); the LinkedIn fake-job-offer / Telegram fake-recruiter / fake-investor / fake-trading-bot variants stabilised across 2020–2026 OAK-G01 operations",
      "aliases": [
        "TraderTraitor entry vector",
        "LinkedIn fake-job-offer",
        "fake-recruiter lure",
        "DPRK fake-coding-test",
        "fake-investor pretext",
        "Penpie audit-report lure",
        "WFC Proof",
        "Contagious Interview / Wagemole"
      ],
      "citations": [
        "chainalysis2024dprk",
        "ellipticronin2022",
        "mandiantradiant2024",
        "radiantpostmortem2024"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T15.001-social-engineering-of-operator-personnel.md"
    },
    {
      "id": "OAK-T15.002",
      "name": "Supply-Chain / Vendor-Pipeline Compromise",
      "parent_tactics": [
        "OAK-T15"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (the supply-chain compromise is off-chain; downstream on-chain manifestation is per-incident)"
      ],
      "first_documented": "systematically 2023 onward (Atomic Wallet, Ledger Connect Kit), with earlier antecedents in npm / package-registry compromise outside crypto",
      "aliases": [
        "supply-chain attack",
        "build-pipeline injection",
        "npm package compromise",
        "CI/CD compromise",
        "post-install backdoor",
        "vendor-pipeline compromise"
      ],
      "citations": [
        "chainalysis2024dprk",
        "mandiant3cx2023"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T15.002-supply-chain-vendor-pipeline-compromise.md"
    },
    {
      "id": "OAK-T15.003",
      "name": "Operator-Endpoint Compromise (Developer Workstation / Signing Machine)",
      "parent_tactics": [
        "OAK-T15"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (the endpoint compromise is off-chain; downstream on-chain manifestation is per-incident)"
      ],
      "first_documented": "systematically 2017 onward (Bithumb employee-laptop with customer-data DB as the canonical pre-2020 anchor); the developer-workstation / signing-host sub-shape stabilised across the 2024-2025 OAK-G01 wave",
      "aliases": [
        "developer workstation compromise",
        "signing-host compromise",
        "MITM on signing host",
        "INLETDRIFT-class macOS implant",
        "signing-machine takeover",
        "employee endpoint compromise"
      ],
      "citations": [
        "chainalysis2024dprk",
        "mandiantradiant2024",
        "radiantpostmortem2024"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T15.003-operator-endpoint-compromise.md"
    },
    {
      "id": "OAK-T15.004",
      "name": "Operator-Side Credential Compromise (SSO / Cloud / Registrar / DNS / Package Registry)",
      "parent_tactics": [
        "OAK-T15"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (the credential compromise is off-chain; downstream on-chain manifestation is per-incident)"
      ],
      "first_documented": "systematically 2022 onward (Curve DNS hijack as a canonical anchor)",
      "aliases": [
        "registrar credential compromise",
        "DNS hijack",
        "SSO compromise",
        "cloud-account takeover",
        "package-publisher credential compromise",
        "domain-control compromise"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T15.004-operator-credential-compromise.md"
    },
    {
      "id": "OAK-T15.005",
      "name": "Operator-Communication-Channel Takeover (Discord / X / Telegram)",
      "parent_tactics": [
        "OAK-T15"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (the channel takeover is off-chain; downstream on-chain manifestation is per-incident)"
      ],
      "first_documented": "systematically 2022 onward (the Bored Ape / Yuga / Ronin Discord wave is the foundational cohort)",
      "aliases": [
        "Discord compromise",
        "X account compromise",
        "Telegram channel takeover",
        "operator-brand-channel compromise",
        "community-manager account compromise",
        "official-channel phishing"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T15.005-operator-communication-channel-takeover.md"
    },
    {
      "id": "OAK-T15.006",
      "name": "Impersonation via Verified Social-Account Compromise",
      "parent_tactics": [
        "OAK-T15"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (the account compromise is off-chain; downstream on-chain extraction is per-incident)"
      ],
      "first_documented": "systematically 2022 onward (the Bored Ape / BAYC Discord wave, 2022-04, is the foundational NFT-community cohort; the Solana X-account compromise wave, 2025-02, is the canonical brand-X-account cohort); the class has been an institutional attacker TTP since at least 2022",
      "aliases": [
        "verified-account takeover",
        "X gold-checkmark compromise",
        "Discord admin account compromise",
        "Telegram channel admin takeover",
        "social-brand impersonation via compromise",
        "social-platform credential hijack"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T15.006-impersonation-via-verified-social-account-compromise.md"
    },
    {
      "id": "OAK-T16.001",
      "name": "Vote Takeover via Flash-Loan",
      "parent_tactics": [
        "OAK-T16"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (canonical anchors); cross-chain governance contracts inherit the surface where flash-loan liquidity exists in the same execution context as the voting-power-eligibility check"
      ],
      "first_documented": "2022 (Beanstalk April 2022 as the canonical anchor)",
      "aliases": [
        "flash-loan governance attack",
        "same-block flash-borrow vote",
        "BIP attack",
        "voting-power flash-borrow",
        "governance flash-loan"
      ],
      "citations": [
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T16.001-vote-takeover-via-flash-loan.md"
    },
    {
      "id": "OAK-T16.002",
      "name": "Hostile-Vote Treasury Drain",
      "parent_tactics": [
        "OAK-T16"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM",
        "Solana",
        "cross-chain (any DAO with on-chain governance over a treasury whose voting-token can be acquired or inflated by the attacker)"
      ],
      "first_documented": "2022 (Mango Markets October 2022 as the canonical anchor)",
      "aliases": [
        "DAO settlement vote",
        "treasury self-pay vote",
        "post-exploit governance settlement",
        "hostile DAO vote",
        "negotiated extraction vote"
      ],
      "citations": [
        "cftcmango2023",
        "compoundforumproposal289_2024",
        "compoundproposal289_2024",
        "goldenboyscompound2024",
        "tallygovernancecompound2024",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T16.002-hostile-vote-treasury-drain.md"
    },
    {
      "id": "OAK-T16.003",
      "name": "Delegation-Cluster Vote Takeover",
      "parent_tactics": [
        "OAK-T16"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (canonical anchors at Compound, Balancer, SushiSwap); cross-chain governance contracts inherit the surface where delegation-graph mechanics exist"
      ],
      "first_documented": "2022-2024 (Humpy pattern-of-conduct at Balancer / SushiSwap as antecedents; Compound Proposal 289 July 2024 as the canonical anchor)",
      "aliases": [
        "delegation pull attack",
        "delegate-takeover",
        "delegation cluster",
        "delegate-coordination governance attack",
        "cohort-coordinated vote",
        "Humpy-class governance accumulation"
      ],
      "citations": [
        "blocksecgovernance2024",
        "compoundforumproposal289_2024",
        "compoundproposal289_2024",
        "goldenboyscompound2024",
        "tallygovernancecompound2024",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T16.003-delegation-cluster-vote-takeover.md"
    },
    {
      "id": "OAK-T16.004",
      "name": "Snapshot / Off-chain Voting Exploitation",
      "parent_tactics": [
        "OAK-T16"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (off-chain Snapshot.org-class voting platforms operate independently of any specific chain; signature schemes vary)"
      ],
      "first_documented": "Class anchored conceptually 2020-2022 (Snapshot.org production deployment 2020); no canonical extraction-scale anchor at v0.1",
      "aliases": [
        "off-chain governance attack",
        "Snapshot Sybil",
        "off-chain vote without binding",
        "non-binding-vote exploitation",
        "signature-replay governance",
        "social-consensus governance attack"
      ],
      "citations": [
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T16.004-snapshot-off-chain-voting-exploitation.md"
    },
    {
      "id": "OAK-T16.005",
      "name": "Malicious Proposal Snowballing",
      "parent_tactics": [
        "OAK-T16"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (canonical anchors at Tornado Cash, Audius, Curio); cross-chain governance contracts inherit the surface where proposal payloads can contain `delegatecall` or storage-collision-mediated authority capture"
      ],
      "first_documented": "2022 (Audius July 2022 storage-collision case as the earliest canonical anchor); refined by Tornado Cash governance May 2023 self-modifying-contract case",
      "aliases": [
        "hidden malicious proposal",
        "self-modifying proposal",
        "storage-collision governance attack",
        "delegatecall governance attack",
        "proposal-payload-as-attack-vector",
        "Tornado-class governance attack",
        "proposal text-vs-execution divergence"
      ],
      "citations": [
        "blocksectornadogov2023",
        "peckshieldtornado2023",
        "slowmisttornadogov2023",
        "tornadocomm2023",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T16.005-malicious-proposal-snowballing.md"
    },
    {
      "id": "OAK-T17.001",
      "name": "Cross-Venue Arbitrage-Driven Price-Discovery Distortion",
      "parent_tactics": [
        "OAK-T17"
      ],
      "maturity": "observed",
      "chains": [
        "chain-agnostic (cross-venue arbitrage is a continuous phenomenon across CEX / DEX venues on every chain with non-trivial trading activity; the load-bearing surface is the inter-venue spread, not the chain-level state)"
      ],
      "first_documented": "Class anchored conceptually 2017-2020 (CEX / DEX arbitrage as a continuous phenomenon throughout the period); no canonical extraction-scale OAK anchor at v0.4",
      "aliases": [
        "cross-venue arbitrage manipulation",
        "spread-driven price-discovery distortion",
        "lagging-venue victim cohort",
        "cross-CEX/DEX arbitrage exploit"
      ],
      "citations": [
        "chainalysis2025rug",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T17.001-cross-venue-arbitrage-price-distortion.md"
    },
    {
      "id": "OAK-T17.002",
      "name": "Liquidation-Cascade Engineering",
      "parent_tactics": [
        "OAK-T17"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (Aave / Compound / Maker / Liquity / Morpho / Spark canonical); Solana (Solend / Marginfi / Kamino); cross-chain liquidation-engine designs broadly inherit the surface"
      ],
      "first_documented": "Class anchored 2020-2022 (early DeFi liquidation-engine designs); systematic cascade-engineering 2022+ (Terra / UST collapse May 2022, stETH-Aave cascade June 2022 as canonical anchors)",
      "aliases": [
        "predatory liquidation",
        "cascade ignition",
        "liquidation harvesting",
        "thin-liquidity liquidation farming",
        "depeg-cascade harvest"
      ],
      "citations": [
        "chainalysis2025rug",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T17.002-liquidation-cascade-engineering.md"
    },
    {
      "id": "OAK-T17.003",
      "name": "Spoofing / Cancel-Flood Order-Book Manipulation",
      "parent_tactics": [
        "OAK-T17"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM-L2 (dYdX / GMX V2 perps / Aevo); Hyperliquid HyperEVM; Solana (Drift, Phoenix, Mango v4); cross-chain order-book-DEX designs broadly inherit the surface"
      ],
      "first_documented": "Class anchored conceptually 2010-2015 (CFTC enforcement against Sarao 2015 in equity-futures CME context); crypto-DEX-specific class anchored 2022-2024 (operational deployment of order-book DEXes); no canonical extraction-scale OAK anchor at v0.4",
      "aliases": [
        "spoofing",
        "cancel-flood",
        "layering",
        "phantom liquidity",
        "spoof-and-cancel",
        "DEX order-book manipulation",
        "perp spoofing"
      ],
      "citations": [
        "chainalysis2025rug",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T17.003-orderbook-spoofing-cancel-flood.md"
    },
    {
      "id": "OAK-T17.004",
      "name": "TWAP / Time-Window Manipulation Against DAO Treasury / Vesting Math",
      "parent_tactics": [
        "OAK-T17"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (Uniswap V2/V3 TWAP windows used as oracle reference; OpenZeppelin TimelockController / Compound Timelock-class windows; vesting-contract designs across OpenZeppelin VestingWallet / Sablier / Hedgey); cross-chain TWAP-consuming designs broadly inherit the surface"
      ],
      "first_documented": "Class anchored conceptually 2020-2022 (Uniswap V2 / V3 TWAP-as-oracle deployment); canonical extraction-scale OAK anchor not yet landed at v0.4",
      "aliases": [
        "TWAP manipulation",
        "window timing attack",
        "vesting-window manipulation",
        "treasury-swap window manipulation",
        "time-weighted price manipulation",
        "settlement-window timing"
      ],
      "citations": [
        "chainalysis2025rug",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T17.004-twap-window-manipulation.md"
    },
    {
      "id": "OAK-T17.005",
      "name": "TWAP Oracle Manipulation via Multi-Block MEV",
      "parent_tactics": [
        "OAK-T17"
      ],
      "maturity": "observed",
      "chains": [
        "EVM (primary); any chain with TWAP-based price oracles and public mempool"
      ],
      "first_documented": "2021–2022 (multi-block MEV characterized by Flashbots research; TWAP manipulation via multi-block bundles documented in academic and audit literature)",
      "aliases": [
        "multi-block MEV oracle attack",
        "TWAP manipulation via proposer control",
        "stale-oracle manipulation via MEV",
        "multi-block oracle grinding",
        "sequence-length oracle attack"
      ],
      "citations": [
        "daian2020flashboys",
        "eigenphi2023mev",
        "ethereumpbs2022",
        "flashbotsmultiblock2022",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T17.005-multi-block-mev-twap-oracle-manipulation.md"
    },
    {
      "id": "OAK-T2.001",
      "name": "Single-Sided Liquidity Plant",
      "parent_tactics": [
        "OAK-T2"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Solana"
      ],
      "first_documented": "empirical (no canonical academic citation)",
      "aliases": [
        "thin LP",
        "shallow pool",
        "single-side seed",
        "asymmetric seed"
      ],
      "citations": [
        "chainalysis2025rug",
        "cointelegraphanubismixer2022",
        "decryptanubis2021",
        "slowmist2024report",
        "solrpds",
        "tmrugpull2026",
        "trmsquid2021"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T2.001-single-sided-liquidity-plant.md"
    },
    {
      "id": "OAK-T2.002",
      "name": "Locked-Liquidity Spoof",
      "parent_tactics": [
        "OAK-T2",
        "OAK-T6"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "BNB Chain",
        "Solana"
      ],
      "first_documented": "2021 (industry reports)",
      "aliases": [
        "fake lock",
        "soft lock",
        "LP lock theatre",
        "partial lock",
        "lock receipt forgery"
      ],
      "citations": [
        "chainalysis2025rug",
        "secsafemoon2023",
        "slowmist2024report"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T2.002-locked-liquidity-spoof.md"
    },
    {
      "id": "OAK-T2.003",
      "name": "Cross-Chain Locked-Liquidity Spoof",
      "parent_tactics": [
        "OAK-T2",
        "OAK-T6"
      ],
      "maturity": "observed",
      "chains": [
        "EVM (Ethereum, BSC, Polygon, Arbitrum, Base)",
        "Solana",
        "cross-chain"
      ],
      "first_documented": "2022 (concept characterised in cohort-scale rug-pull retrospectives; recurring in multi-chain launch venues)",
      "aliases": [
        "off-chain lock claim",
        "wrong-chain lock receipt",
        "split-chain LP lock",
        "lock-on-A pool-on-B"
      ],
      "citations": [
        "chainalysis2025rug",
        "solrpds",
        "tmrugpull2026"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T2.003-cross-chain-locked-liquidity-spoof.md"
    },
    {
      "id": "OAK-T2.004",
      "name": "Initial-Liquidity Backdoor",
      "parent_tactics": [
        "OAK-T2",
        "OAK-T6"
      ],
      "maturity": "observed",
      "chains": [
        "EVM (Ethereum, BSC, Polygon, Arbitrum, Base)",
        "Solana"
      ],
      "first_documented": "empirical (industry-survey scale; characterised in rug-pull retrospectives and backdoor-code static-analysis research)",
      "aliases": [
        "shadow LP mint",
        "router-mint backdoor",
        "creation-time LP backdoor",
        "privileged pool admin"
      ],
      "citations": [
        "applsci2025backdoor",
        "chainalysis2025rug",
        "quillauditsbackdoor",
        "rphunter2025",
        "slowmist2024report",
        "solrpds",
        "tmrugpull2026"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T2.004-initial-liquidity-backdoor.md"
    },
    {
      "id": "OAK-T2.005",
      "name": "Token Metadata Spoofing",
      "parent_tactics": [
        "OAK-T2",
        "OAK-T6"
      ],
      "maturity": "observed",
      "chains": [
        "EVM (primary — ERC-20 name/symbol/decimals can differ from the canonical token the contract impersonates); Solana (secondary — SPL Token metadata URI manipulation); BSC (PancakeSwap token-impersonation wave 2021)"
      ],
      "first_documented": "2020-2021 (token-impersonation wave on Uniswap V2/V3; fake USDT/USDC/ETH tokens with manipulated name/symbol/decimals fields)",
      "aliases": [
        "token symbol spoofing",
        "fake token metadata",
        "ERC-20 name impersonation",
        "counterfeit token branding",
        "metadata deception"
      ],
      "citations": [
        "coingeckotokenlist",
        "metaplextokenmetadata",
        "oneinchtokenlist",
        "pancakeswap2021fake",
        "solanaspltokenmetadata",
        "uniswaptokenlist"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T2.005-token-metadata-spoofing.md"
    },
    {
      "id": "OAK-T3.001",
      "name": "Sybil-Bundled Launch",
      "parent_tactics": [
        "OAK-T3"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Solana"
      ],
      "first_documented": "2024–2025 (industry observation; Liu et al. 2025 covers the related airdrop-sybil case with transferable methodology)",
      "aliases": [
        "bundled buys",
        "atomic launch",
        "sniper bundle",
        "bundler-cluster launch"
      ],
      "citations": [
        "dydx2024sybil",
        "jitobundlepolicies2024",
        "liu2025sybil",
        "pumpfunbundlerbubblemaps2024",
        "pumpfunlaunchruganalytics2024"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T3.001-sybil-bundled-launch.md"
    },
    {
      "id": "OAK-T3.002",
      "name": "Wash-Trade Volume Inflation",
      "parent_tactics": [
        "OAK-T3",
        "OAK-T17"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Solana",
        "CEX (cross-venue)"
      ],
      "first_documented": "2019 (Bitwise SEC filing on CEX wash); 2021 (Victor & Weintraud, DEX academic cohort)",
      "aliases": [
        "self-trading",
        "circular volume",
        "fake volume",
        "incentive-farming wash"
      ],
      "citations": [
        "bitwise2019fakevolumes",
        "chainalysis2022nft",
        "chainalysis2025rug",
        "victor2021washtrade"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T3.002-wash-trade-volume-inflation.md"
    },
    {
      "id": "OAK-T3.003",
      "name": "Coordinated Pump-and-Dump",
      "parent_tactics": [
        "OAK-T3",
        "OAK-T5",
        "OAK-T17"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Solana",
        "BSC",
        "CEX (cross-venue)"
      ],
      "first_documented": "2017–2018 (Telegram-group studies); 2021 (Bitwise CEX-cohort context); systematic 2024–2025",
      "aliases": [
        "P&D",
        "coordinated pump",
        "group pump",
        "shill-coordinated dump"
      ],
      "citations": [
        "bolz2024",
        "chainalysis2025rug",
        "karbalaii2025",
        "pumpfunbundlerbubblemaps2024",
        "pumpfunlaunchruganalytics2024",
        "secsafemoon2023"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T3.003-pump-and-dump-coordination.md"
    },
    {
      "id": "OAK-T3.004",
      "name": "Influencer-Amplified Promotion-and-Dump",
      "parent_tactics": [
        "OAK-T3",
        "OAK-T17"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (Ethereum, BNB Chain); Solana (via Pump.fun); cross-chain"
      ],
      "first_documented": "2021-06 (Save the Kids / $KIDS — FaZe Clan / Frazier Kay / RiceGum / Sommer Ray); 2021-12 (CryptoZoo — Logan Paul); cohort scale-out 2024–2026 with the Pump.fun celebrity-launch wave (DADDY / JENNER / MOTHER / DJT)",
      "aliases": [
        "celebrity coin rug",
        "influencer pump and dump",
        "celebrity NFT rug",
        "external-to-crypto promoter dump",
        "YouTube / X / Twitch celebrity-coin promotion-and-dump"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T3.004-influencer-amplified-promotion-and-dump.md"
    },
    {
      "id": "OAK-T3.005",
      "name": "Fake-Validator Staking-Frontend Phishing",
      "parent_tactics": [
        "OAK-T3",
        "OAK-T4"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (Lido staking, Rocket Pool); Solana (Marinade, Jito staking); Cosmos (validator delegation scams)"
      ],
      "first_documented": "2021-2022 (Lido stETH staking-interface phishing campaigns; fake validator-delegation portals)",
      "aliases": [
        "staking-frontend phishing",
        "fake validator portal",
        "liquid-staking phishing",
        "validator-impersonation phishing"
      ],
      "citations": [
        "cosmosvalidatorphishing",
        "lidophishing2022",
        "marinadephishing2023",
        "phishingdomainreputation",
        "rocketpoolphishing2022"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T3.005-fake-validator-staking-frontend-phishing.md"
    },
    {
      "id": "OAK-T3.006",
      "name": "Insider Multi-Vector Supply Extraction",
      "parent_tactics": [
        "OAK-T3",
        "OAK-T17"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (Ethereum); Solana (via Pump.fun); cross-chain"
      ],
      "first_documented": "2026-05 (LABtrade — ZachXBT investigation)",
      "aliases": [
        "multi-vector insider extraction",
        "coordinated insider supply dump",
        "insider multi-mechanism rug"
      ],
      "citations": [
        "zachxbtlabtrade2026"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T3.006-insider-multi-vector-supply-extraction.md"
    },
    {
      "id": "OAK-T4.001",
      "name": "Permit2 Signature-Based Authority Misuse",
      "parent_tactics": [
        "OAK-T4"
      ],
      "maturity": "stable",
      "chains": [
        "EVM"
      ],
      "first_documented": "2022–2023 (industry incident reports)",
      "aliases": [
        "permit2 phishing",
        "signature-based asset transfer",
        "off-chain approval drainer"
      ],
      "citations": [
        "checkpoint2023drainers",
        "scamsniffer2024lineage",
        "scamsniffer2024pink",
        "slowmist2024report",
        "zachxbtmonkey2023"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T4.001-permit2-authority-misuse.md"
    },
    {
      "id": "OAK-T4.002",
      "name": "Compromised Front-End Permit Solicitation",
      "parent_tactics": [
        "OAK-T4",
        "OAK-T6"
      ],
      "maturity": "observed",
      "chains": [
        "EVM"
      ],
      "first_documented": "2022 (Curve Finance DNS hijack)",
      "aliases": [
        "frontend hijack permit",
        "DNS-takeover permit",
        "BGP-hijack frontend"
      ],
      "citations": [
        "blocksec_coinstats2024",
        "coinstats20240622",
        "dexxstatements2024",
        "galxepostmortem2023",
        "peckshieldcoinstats2024",
        "peckshielddexx2024",
        "peckshieldgalxe2023",
        "rektcurve2022",
        "rektgalxe2023",
        "slowmist2024report",
        "slowmistcoinstats2024",
        "slowmistdexx2024",
        "zachxbtcoinstats2024",
        "zachxbtdexx2024"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T4.002-compromised-frontend-permit-solicitation.md"
    },
    {
      "id": "OAK-T4.003",
      "name": "Address Poisoning",
      "parent_tactics": [
        "OAK-T4",
        "OAK-T6"
      ],
      "maturity": "stable",
      "chains": [
        "EVM (primary)",
        "Solana",
        "Tron"
      ],
      "first_documented": "2022 (early reports); industrial-scale 2023 onward (Tsuchiya et al. 2025 USENIX Security cohort)",
      "aliases": [
        "zero-value transfer scam",
        "lookalike-address phishing",
        "wallet-history poisoning"
      ],
      "citations": [
        "chainalysis2024poisoning",
        "chainalysisnftcounterfeit2022",
        "tsuchiya2025poisoning"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T4.003-address-poisoning.md"
    },
    {
      "id": "OAK-T4.004",
      "name": "Allowance / Approve-Pattern Drainer",
      "parent_tactics": [
        "OAK-T4"
      ],
      "maturity": "stable",
      "chains": [
        "EVM (primary)"
      ],
      "first_documented": "widespread from approximately 2022; characterised in `[checkpoint2023drainers]`",
      "aliases": [
        "approve drainer",
        "unlimited allowance phishing",
        "ERC-20 approve scam"
      ],
      "citations": [
        "blocksec_coinstats2024",
        "checkpoint2023drainers",
        "coinstats20240622",
        "dexxstatements2024",
        "peckshieldcoinstats2024",
        "peckshielddexx2024",
        "scamsniffer2024lineage",
        "scamsniffer2024pink",
        "slowmist2024report",
        "slowmistcoinstats2024",
        "slowmistdexx2024",
        "theblock2022boredape",
        "zachxbtcoinstats2024",
        "zachxbtdexx2024"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T4.004-allowance-approve-drainer.md"
    },
    {
      "id": "OAK-T4.005",
      "name": "`setApprovalForAll` NFT Drainer",
      "parent_tactics": [
        "OAK-T4"
      ],
      "maturity": "stable",
      "chains": [
        "EVM (primary; Ethereum / Polygon / BNB Chain)"
      ],
      "first_documented": "2021 (early Bored Ape phishing wave); industrial-scale 2022+",
      "aliases": [
        "NFT phishing drainer",
        "approval-for-all phishing",
        "BAYC phishing"
      ],
      "citations": [
        "baycdiscord2022",
        "checkpoint2023drainers",
        "fortunebaycjune2022",
        "openseamoderation2022",
        "openseaoperatorfilter2022",
        "peckshieldyugaotherside2022",
        "slowmist2024report",
        "slowmistyugaotherside2022",
        "theblock2022boredape",
        "theblockyugaotherside2022",
        "yugaotherside2022",
        "zachxbtyugaotherside2022"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T4.005-setapprovalforall-nft-drainer.md"
    },
    {
      "id": "OAK-T4.006",
      "name": "WalletConnect Session Hijack",
      "parent_tactics": [
        "OAK-T4"
      ],
      "maturity": "observed",
      "chains": [
        "EVM (primary)",
        "Solana",
        "multi-chain (any chain WalletConnect supports)"
      ],
      "first_documented": "systematic 2023 onward; mobile-app-impersonation cases at scale 2024",
      "aliases": [
        "WalletConnect phishing",
        "fake-dApp pairing",
        "QR-code wallet hijack"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T4.006-walletconnect-session-hijack.md"
    },
    {
      "id": "OAK-T4.007",
      "name": "Native-app Social Phishing on Engagement-Weighted Platforms",
      "parent_tactics": [
        "OAK-T4"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (Polygon-resident Polymarket canonical at v0.1; cross-platform analogues across Friend.tech, Pump.fun, Farcaster, and any platform with engagement-weighted in-platform distribution)"
      ],
      "first_documented": "2025-10/11 (Polymarket comment-section phishing campaign exploiting comment-pinning mechanic)",
      "aliases": [
        "comment-section phishing",
        "engagement-weighted phishing",
        "in-platform paid-pinning phishing",
        "native-app social phishing"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T4.007-native-app-social-phishing-engagement-weighted-platforms.md"
    },
    {
      "id": "OAK-T4.008",
      "name": "Fake-DEX Clone-Frontend Phishing",
      "parent_tactics": [
        "OAK-T4"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM dominant (Uniswap / PancakeSwap / Lido / Curve / Stargate / Orbiter / Radiant / Zapper / DefiLlama clone-frontends); Solana (Raydium clone-frontends); cross-chain"
      ],
      "first_documented": "2023-03 (MS Drainer kit cohort initial deployment); class-level industrial cohort observable across 2023–2026 with continuing distribution surface",
      "aliases": [
        "fake DEX phishing",
        "clone-frontend phishing",
        "typosquat DEX UI",
        "paid-ad fake-DEX cohort",
        "Inferno-Drainer fake-frontend"
      ],
      "citations": [
        "bleepingmsdrainer2023",
        "bleepingtelegrambots2024",
        "cointelegraphmsdrainer2023",
        "cryptonewsuniswap12m2025",
        "cyblecryptophishingapps2024",
        "gateuniswap2025",
        "hackreadgoogleplaypishing2024",
        "kasperskytelegram2025",
        "protosuniswap2025",
        "scamsniffermsdrainer2023",
        "techradarcryptoplaystore2024"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T4.008-fake-dex-clone-frontend-phishing.md"
    },
    {
      "id": "OAK-T4.009",
      "name": "Pre-token Brand-Anticipation Phishing",
      "parent_tactics": [
        "OAK-T4"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (primary); Solana (secondary; EigenLayer / zkSync anticipation cohort has cross-chain analogues on Solana-based protocol token-anticipation campaigns)"
      ],
      "first_documented": "~2023-10 (zkSync airdrop-anticipation phishing cohort); class-level scaling accelerated through EigenLayer anticipation (early 2024) and Polymarket POLY anticipation (post-October-2025 CMO confirmation)",
      "aliases": [
        "pre-token phishing",
        "airdrop-anticipation scam",
        "future-token typosquat",
        "brand-ambiguity phishing",
        "pre-launch anticipation drainer"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T4.009-pre-token-brand-anticipation-phishing.md"
    },
    {
      "id": "OAK-T4.010",
      "name": "Fake Security-Tool / Browser-Extension Phishing",
      "parent_tactics": [
        "OAK-T4"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM",
        "Solana (wallet-browser-extension surface is cross-chain; fake MetaMask, Rabby, Phantom, Trust Wallet extensions target the respective chain ecosystems); cross-chain"
      ],
      "first_documented": "2022–2023 (fake MetaMask extension campaigns; fake \"Ledger Live\" Chrome extensions)",
      "aliases": [
        "fake browser extension",
        "counterfeit security tool",
        "fake wallet extension",
        "malicious browser extension phishing"
      ],
      "citations": [
        "scamsniffermetamaskext2023"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T4.010-fake-security-tool-browser-extension-phishing.md"
    },
    {
      "id": "OAK-T4.011",
      "name": "Push-Notification Infrastructure Compromise",
      "parent_tactics": [
        "OAK-T4"
      ],
      "maturity": "emerging",
      "chains": [
        "cross-chain (iOS/Android push-notification infrastructure is chain-agnostic; the downstream wallet-compromise surface spans all chains the affected wallet application supports)"
      ],
      "first_documented": "2024-06 (CoinStats iOS push-notification infrastructure compromise)",
      "aliases": [
        "push-notification hijack",
        "mobile-notification compromise",
        "wallet-app notification-channel attack"
      ],
      "citations": [
        "blocksec_coinstats2024",
        "coinstats20240622",
        "peckshieldcoinstats2024",
        "slowmistcoinstats2024",
        "zachxbtcoinstats2024"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T4.011-push-notification-infrastructure-compromise.md"
    },
    {
      "id": "OAK-T5.001",
      "name": "Hard LP Drain",
      "parent_tactics": [
        "OAK-T5"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Solana"
      ],
      "first_documented": "2020 (industry reports)",
      "aliases": [
        "hard rug",
        "LP withdrawal event"
      ],
      "citations": [
        "chainalysis2021scams",
        "chainalysis2025rug",
        "cointelegraphanubismixer2022",
        "decryptanubis2021",
        "slowmist2024report",
        "solrpds",
        "trmsquid2021"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T5.001-hard-lp-drain.md"
    },
    {
      "id": "OAK-T5.002",
      "name": "Slow LP Trickle Removal",
      "parent_tactics": [
        "OAK-T5",
        "OAK-T6"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM",
        "Solana"
      ],
      "first_documented": "2024–2026 (TM-RugPull research, 2026; Tran et al. 2025 Fragmented Rug Pull)",
      "aliases": [
        "slow rug",
        "trickle drain",
        "patient drain",
        "fragmented rug pull (FRP)"
      ],
      "citations": [
        "frp2025",
        "fullycryptosoftrug",
        "secsafemoon2023",
        "tmrugpull2026"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T5.002-slow-lp-trickle-removal.md"
    },
    {
      "id": "OAK-T5.003",
      "name": "Hidden-Mint Dilution",
      "parent_tactics": [
        "OAK-T5"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Solana"
      ],
      "first_documented": "2021 (Xia et al. canonical Uniswap scam-token cohort)",
      "aliases": [
        "stealth mint",
        "hidden inflation",
        "post-launch mint"
      ],
      "citations": [
        "badgerpostmortem2021",
        "chainalysisbadger2021",
        "halbornbadger2021",
        "neodyme2024token2022",
        "solana2024permdelegate",
        "tmrugpull2026",
        "xia2021mintdump"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T5.003-hidden-mint-dilution.md"
    },
    {
      "id": "OAK-T5.004",
      "name": "Sandwich / MEV Extraction",
      "parent_tactics": [
        "OAK-T5",
        "OAK-T17"
      ],
      "maturity": "stable",
      "chains": [
        "EVM"
      ],
      "first_documented": "2019 (Daian et al., \"Flash Boys 2.0\")",
      "aliases": [
        "sandwich",
        "MEV sandwich",
        "front-run + back-run"
      ],
      "citations": [
        "daian2019flashboys",
        "eigenphijared2023"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T5.004-sandwich-mev-extraction.md"
    },
    {
      "id": "OAK-T5.005",
      "name": "Treasury-Management Exit",
      "parent_tactics": [
        "OAK-T5",
        "OAK-T6"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Solana"
      ],
      "first_documented": "2021 (Polywhale-class incidents); regulatory record 2023 (SafeMoon federal complaint)",
      "aliases": [
        "soft rug via treasury",
        "treasury draw exit",
        "team-unlock dump",
        "salary-rug"
      ],
      "citations": [
        "chainalysis2025rug",
        "fullycryptosoftrug",
        "secsafemoon2023"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T5.005-treasury-management-exit.md"
    },
    {
      "id": "OAK-T5.006",
      "name": "Vesting Cliff Dump",
      "parent_tactics": [
        "OAK-T5"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM",
        "Solana",
        "Cosmos",
        "BNB Chain (any chain hosting time-locked allocation contracts)"
      ],
      "first_documented": "2021–2024 (industry retrospectives at token-unlock-tracker level)",
      "aliases": [
        "cliff dump",
        "unlock dump",
        "investor unlock sell-pressure"
      ],
      "citations": [
        "chainalysis2025rug",
        "cryptorank2026unlock",
        "defillama2026unlocks",
        "tokenunlocks2026platform"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T5.006-vesting-cliff-dump.md"
    },
    {
      "id": "OAK-T5.007",
      "name": "Third-party Brand-impersonation Custodial Soft-rug",
      "parent_tactics": [
        "OAK-T5"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (Polygon-resident Polymarket-branded canonical case at v0.1; cross-platform analogues across any high-trust platform whose brand can be impersonated by off-platform services — Polymarket, Hyperliquid, dYdX, Pump.fun, GMX, prediction-market and trader-tooling ecosystems)"
      ],
      "first_documented": "2026-01 (Polycule trading bot — Polymarket-branded but unaffiliated, ~$230K, exit-via-\"hack\" announcement followed by communication blackout)",
      "aliases": [
        "third-party brand-impersonation soft rug",
        "Polymarket-branded bot exit",
        "fake-affiliated trading-bot rug",
        "custodial soft-rug exit-as-hack"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T5.007-third-party-brand-impersonation-custodial-soft-rug.md"
    },
    {
      "id": "OAK-T5.008",
      "name": "Ransomware Extortion Payment",
      "parent_tactics": [
        "OAK-T5"
      ],
      "maturity": "observed",
      "chains": [
        "Bitcoin (primary)",
        "Ethereum",
        "Monero (limited on-chain observability)"
      ],
      "first_documented": "2013 (CryptoLocker — first Bitcoin-ransomware at scale); the ransomware-as-a-service (RaaS) operational model consolidated 2019–2021; large-loss enterprise ransomware payments became the dominant crypto-crime vector by dollar volume circa 2020",
      "aliases": [
        "ransomware payment",
        "crypto extortion",
        "ransom payment on-chain",
        "RaaS payment collection"
      ],
      "citations": [
        "chainalysis2025ransomware",
        "cisa2023ransomware",
        "colonialpipeline2021doj",
        "fbiic32023",
        "kaseya2021revil",
        "ofacransomware2021"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T5.008-ransomware-extortion-payment.md"
    },
    {
      "id": "OAK-T6.001",
      "name": "Source-Verification Mismatch",
      "parent_tactics": [
        "OAK-T6"
      ],
      "maturity": "stable",
      "chains": [
        "EVM (primary)"
      ],
      "first_documented": "widespread from approximately 2020 onward",
      "aliases": [
        "verified-but-not-really",
        "fake source verification",
        "bytecode-source mismatch"
      ],
      "citations": [
        "chainalysis2025rug"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T6.001-source-verification-mismatch.md"
    },
    {
      "id": "OAK-T6.002",
      "name": "Fake Audit-Claim",
      "parent_tactics": [
        "OAK-T6"
      ],
      "maturity": "stable",
      "chains": [
        "chain-agnostic (the failure mode lives off-chain; the underlying Technique it modifies may be on any chain)"
      ],
      "first_documented": "widespread from approximately 2021 onward",
      "aliases": [
        "audit fraud",
        "fake CertiK audit",
        "audit-affiliation impersonation"
      ],
      "citations": [
        "certikfakeaudit",
        "dlnewsswaprum2023"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T6.002-fake-audit-claim.md"
    },
    {
      "id": "OAK-T6.003",
      "name": "Audit-of-Different-Bytecode-Version",
      "parent_tactics": [
        "OAK-T6"
      ],
      "maturity": "stable",
      "chains": [
        "chain-agnostic (the failure mode is the audit-vs-deployed gap; the underlying Technique it modifies may be on any chain)"
      ],
      "first_documented": "widespread from approximately 2021 onward",
      "aliases": [
        "audit-deployed mismatch",
        "post-audit redeploy",
        "audit-version drift",
        "audit of fork"
      ],
      "citations": [
        "certikfakeaudit",
        "chainalysis2025rug",
        "dlnewsswaprum2023"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T6.003-audit-of-different-bytecode-version.md"
    },
    {
      "id": "OAK-T6.004",
      "name": "Audit-Pending Marketing Claim",
      "parent_tactics": [
        "OAK-T6"
      ],
      "maturity": "stable",
      "chains": [
        "chain-agnostic (the failure mode lives off-chain at the marketing-claim layer; the underlying Technique it modifies may be on any chain)"
      ],
      "first_documented": "widespread from approximately 2021 onward",
      "aliases": [
        "audit pending",
        "audit in progress",
        "audit forthcoming",
        "working with [firm]",
        "audit Q[X]"
      ],
      "citations": [
        "certikfakeaudit",
        "chainalysis2025rug",
        "slowmist2024report"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T6.004-audit-pending-marketing-claim.md"
    },
    {
      "id": "OAK-T6.005",
      "name": "Proxy-Upgrade Malicious Switching",
      "parent_tactics": [
        "OAK-T6",
        "OAK-T1",
        "OAK-T9",
        "OAK-T10"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (primary); cross-chain bridge variants (Polkadot ⇄ EVM canonical at v0.1)"
      ],
      "first_documented": "structural class anchored from approximately 2022; canonical contract-layer-message-forgery 2026-04 (Hyperbridge)",
      "aliases": [
        "verified-then-malicious upgrade",
        "proxy implementation switching",
        "upgrade-as-attack-vector",
        "post-verification implementation substitution"
      ],
      "citations": [
        "ambcryptohyperbridge2026",
        "audiuspostmortem2022",
        "autheobridgesecurity2026",
        "cmcacademyhyperbridge2026",
        "coindeskhyperbridge2026",
        "cointelegraphhyperbridge2026",
        "cryptobriefinghyperbridge2026",
        "cryptobriefinghyperbridgejump2026",
        "dlnewshyperbridge2026",
        "halbornaudius2022",
        "peckshieldaudius2022",
        "polkadotforumhyperbridge2026",
        "theblockaudius2022",
        "theblockhyperbridge2026",
        "thedefianthyperbridge2026"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T6.005-proxy-upgrade-malicious-switching.md"
    },
    {
      "id": "OAK-T6.006",
      "name": "Counterfeit Token Impersonation",
      "parent_tactics": [
        "OAK-T6",
        "OAK-T4",
        "OAK-T5"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (primary); cross-chain bridge variants (Polkadot ⇄ EVM canonical at v0.1)"
      ],
      "first_documented": "dust-attack-lure / fake-LP cohort widespread from approximately 2022; canonical bridge-internal-mint sub-class 2026-04 (Hyperbridge)",
      "aliases": [
        "fake-symbol-matching token",
        "bridge-token impersonation",
        "counterfeit-mint",
        "dust-attack lure",
        "fake LP-token"
      ],
      "citations": [
        "ambcryptohyperbridge2026",
        "autheobridgesecurity2026",
        "chainalysis2025rug",
        "cmcacademyhyperbridge2026",
        "coindeskhyperbridge2026",
        "cointelegraphhyperbridge2026",
        "cryptobriefinghyperbridge2026",
        "cryptobriefinghyperbridgejump2026",
        "dlnewshyperbridge2026",
        "polkadotforumhyperbridge2026",
        "theblockhyperbridge2026",
        "thedefianthyperbridge2026"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T6.006-counterfeit-token-impersonation.md"
    },
    {
      "id": "OAK-T6.007",
      "name": "Trust-substrate Shift / Vendor-side Promise Revocation",
      "parent_tactics": [
        "OAK-T6"
      ],
      "maturity": "emerging",
      "chains": [
        "chain-agnostic (the substrate-of-revocation is the vendor / regulator / infrastructure-policy claim; the realised effect is on user-side threat-model construction across whichever chains the affected product operates)"
      ],
      "first_documented": "2023-05-16 (Ledger Recover seed-recovery service announcement collapsing the \"seed never leaves the device\" trust-substrate claim that had informed Ledger users' threat-model construction since 2016)",
      "aliases": [
        "vendor-policy promise revocation",
        "trust-substrate revocation event",
        "non-attack defender-credibility event",
        "vendor-policy-as-defense-evasion"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T6.007-trust-substrate-shift-vendor-promise-revocation.md"
    },
    {
      "id": "OAK-T6.008",
      "name": "Verified-but-Malicious Frontend Routing",
      "parent_tactics": [
        "OAK-T6"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (primary); cross-chain DEX-router analogues (Solana Jupiter routing-manipulation, cross-chain bridge routing-path insertion) are pipeline anchor candidates at v0.x"
      ],
      "first_documented": "~2024 (SwapKit router impersonation cohort; class-level visibility accelerated through 2025 with Uniswap routing-manipulation incidents)",
      "aliases": [
        "malicious routing frontend",
        "helper-contract injection",
        "router-impersonator phishing",
        "verified-contract routing attack",
        "intermediate-hop extraction"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T6.008-verified-but-malicious-frontend-routing.md"
    },
    {
      "id": "OAK-T7.001",
      "name": "Mixer-Routed Hop",
      "parent_tactics": [
        "OAK-T7"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Bitcoin",
        "cross-chain"
      ],
      "first_documented": "2017 (academic interest), enforcement attention 2022+",
      "aliases": [
        "mixer hop",
        "obfuscation hop",
        "anonymity-set hop"
      ],
      "citations": [
        "chainalysis2024laundering",
        "coindeskthorchainlazarus2025",
        "cointelegraphanubismixer2022",
        "ellipticronin2022",
        "fbiharmony2023",
        "ofac2022tornado"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T7.001-mixer-routed-hop.md"
    },
    {
      "id": "OAK-T7.002",
      "name": "CEX Deposit-Address Layering",
      "parent_tactics": [
        "OAK-T7"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Solana",
        "Bitcoin",
        "cross-chain"
      ],
      "first_documented": "systematic from 2020 onward; characterised at scale in `[chainalysis2024laundering]`",
      "aliases": [
        "deposit layering",
        "diversified-deposit laundering",
        "structured CEX off-ramp"
      ],
      "citations": [
        "chainalysis2024laundering",
        "chainalysis2025garantex",
        "doj2025garantex",
        "ellipticatomic2023",
        "ofac2022garantex",
        "treasury2025garantexnetwork",
        "trmlabs2025grinex"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T7.002-cex-deposit-layering.md"
    },
    {
      "id": "OAK-T7.003",
      "name": "Cross-Chain Bridge Laundering",
      "parent_tactics": [
        "OAK-T7"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Solana",
        "Bitcoin",
        "cross-chain"
      ],
      "first_documented": "systematic from approximately 2022 onward; emerged as the dominant Lazarus laundering rail post Tornado Cash sanctions",
      "aliases": [
        "chain hopping",
        "bridge laundering",
        "THORChain laundering (the dominant rail)"
      ],
      "citations": [
        "chainalysis2024laundering",
        "chainalysismultichain2023",
        "coindeskthorchainlazarus2025",
        "dlnewsmultichain2023",
        "ellipticharmony2022",
        "ellipticronin2022",
        "fbiharmony2023",
        "halbornharmony2022",
        "halbornmultichain2023",
        "ofac2022tornado"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T7.003-cross-chain-bridge-laundering.md"
    },
    {
      "id": "OAK-T7.004",
      "name": "NFT Wash-Laundering",
      "parent_tactics": [
        "OAK-T7"
      ],
      "maturity": "observed",
      "chains": [
        "EVM (primary; Ethereum / Polygon)"
      ],
      "first_documented": "2021 (early NFT-marketplace surge); systematic 2022 onward",
      "aliases": [
        "NFT money laundering",
        "self-financed NFT trade",
        "wash-laundering through art"
      ],
      "citations": [
        "blurzeroroyalty2022",
        "chainalysis2022nft",
        "chainalysisnftcounterfeit2022",
        "theblock2022boredape",
        "victor2021washtrade"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T7.004-nft-wash-laundering.md"
    },
    {
      "id": "OAK-T7.005",
      "name": "Privacy-Chain Hops",
      "parent_tactics": [
        "OAK-T7"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Bitcoin",
        "cross-chain",
        "Monero",
        "Zcash"
      ],
      "first_documented": "systematic from approximately 2017 onward (Monero gained darknet-market dominance in 2016–2017); enforcement-relevant attention 2020+",
      "aliases": [
        "privacy-coin hop",
        "XMR hop",
        "Monero off-ramp",
        "shielded-pool hop"
      ],
      "citations": [
        "binancexmrdelist2024",
        "chainalysis2024dprk",
        "chainalysis2024laundering",
        "chainalysisprivacychain2024",
        "ofac2022tornado"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T7.005-privacy-chain-hops.md"
    },
    {
      "id": "OAK-T7.006",
      "name": "DeFi Yield-Strategy Laundering",
      "parent_tactics": [
        "OAK-T7"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Solana",
        "cross-chain (within-chain laundering rail per chain)"
      ],
      "first_documented": "systematic from approximately 2021 onward (DeFi-summer-and-after) as DeFi liquidity-and-yield surface grew large enough to absorb laundering flows; cohort-scale industry attention 2023+",
      "aliases": [
        "yield-farm laundering",
        "LP-cover laundering",
        "staking-derivative laundering",
        "yield-user-persona laundering"
      ],
      "citations": [
        "chainalysis2024dprk",
        "chainalysis2024laundering",
        "ofac2022tornado"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T7.006-defi-yield-strategy-laundering.md"
    },
    {
      "id": "OAK-T7.007",
      "name": "DEX Aggregator Routing Laundering",
      "parent_tactics": [
        "OAK-T7"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (primary); DEX aggregator deployments (1inch, 0x/Matcha, Paraswap, CowSwap, Odos, KyberSwap aggregator) are predominantly EVM-native; cross-chain aggregators (Li.Fi, Socket/Bungee, Across) compound the surface with T7.003 bridging"
      ],
      "first_documented": "The aggregator-as-laundering-rail pattern was operationalised systematically post-2022 Tornado Cash sanctions, as laundering operators sought non-mixer obfuscation primitives; cohort-scale documentation 2023+",
      "aliases": [
        "aggregator-hop laundering",
        "split-route laundering",
        "multi-hop-routing obfuscation",
        "aggregator-churn laundering"
      ],
      "citations": [
        "chainalysis2024dprk",
        "chainalysis2024laundering"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T7.007-dex-aggregator-routing-laundering.md"
    },
    {
      "id": "OAK-T7.008",
      "name": "Stablecoin Issuer Freeze-Asymmetry Laundering",
      "parent_tactics": [
        "OAK-T7"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (USDC/USDT/DAI primary); cross-chain (issuer freeze capability varies by chain deployment); the technique is chain-agnostic wherever a freeze-capable stablecoin is deployed"
      ],
      "first_documented": "The freeze-policy asymmetry was operationalised as a laundering primitive systematically from 2022 onward (post-OFAC Tornado Cash sanctions, which demonstrated real-world freeze willingness divergence between Circle/USDC and Tether/USDT)",
      "aliases": [
        "freeze-arbitrage laundering",
        "issuer-policy hopping",
        "stablecoin-freeze-asymmetry exploitation",
        "compliance-jurisdiction laundering"
      ],
      "citations": [
        "chainalysis2024dprk",
        "chainalysis2024laundering",
        "ofac2022tornado"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T7.008-stablecoin-issuer-coordination-laundering.md"
    },
    {
      "id": "OAK-T7.009",
      "name": "Sanctioned-Entity and Illicit-Purpose Financing",
      "parent_tactics": [
        "OAK-T7",
        "OAK-T8"
      ],
      "maturity": "observed",
      "chains": [
        "Bitcoin (primary for OFAC-designated addresses)",
        "Ethereum",
        "TRON (increasing share of illicit-purpose transaction volume post-2022)"
      ],
      "first_documented": "2013 (Silk Road-era designated-entity tracking); formalised 2018–2020 with OFAC crypto-designation framework and FATF Travel Rule",
      "aliases": [
        "designated-entity financing",
        "sanctions-evasion crypto",
        "illicit-content monetisation",
        "terrorism-financing crypto",
        "KYT red-flag screening"
      ],
      "citations": [
        "chainalysis2025illicit",
        "ellipticsanctions",
        "fatf2021virtualassets",
        "iwfcrypto",
        "ofacsdncrypto",
        "trmlabsillicit"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T7.009-sanctioned-entity-illicit-purpose-financing.md"
    },
    {
      "id": "OAK-T7.010",
      "name": "Travel Rule Evasion",
      "parent_tactics": [
        "OAK-T7"
      ],
      "maturity": "observed",
      "chains": [
        "all (Travel Rule applies at the VASP layer, not the chain layer)"
      ],
      "first_documented": "2019 (FATF Recommendation 16 extended to virtual assets); systematic evasion documented 2020 onward",
      "aliases": [
        "Travel Rule bypass",
        "sub-threshold structuring",
        "VASP-data-gap exploitation",
        "FATF Rec.16 evasion"
      ],
      "citations": [
        "chainalysis2024laundering",
        "coindeskthorchainlazarus2025",
        "fatf2021virtualassets",
        "fatftravelrule2023"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T7.010-travel-rule-evasion.md"
    },
    {
      "id": "OAK-T8.001",
      "name": "Common-Funder Cluster Reuse",
      "parent_tactics": [
        "OAK-T8"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Solana"
      ],
      "first_documented": "2021 (TRM SQUID cross-incident attribution); systematic 2024–2025",
      "aliases": [
        "operator cluster",
        "funder reuse",
        "deployer fingerprint",
        "operator-graph reuse"
      ],
      "citations": [
        "chainalysis2024dprk",
        "chainalysisdprktradertraitor",
        "liu2025sybil",
        "scamsniffer2024lineage",
        "scamsniffer2024pink",
        "slowmist2024report",
        "treasury2025garantexnetwork",
        "trmlabs2025grinex",
        "trmsquid2021"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T8.001-cluster-reuse.md"
    },
    {
      "id": "OAK-T8.002",
      "name": "Cross-Chain Operator Continuity",
      "parent_tactics": [
        "OAK-T8"
      ],
      "maturity": "observed",
      "chains": [
        "cross-chain"
      ],
      "first_documented": "systematic 2023 onward as multi-chain operator activity has scaled",
      "aliases": [
        "multi-chain operator profile",
        "cross-chain attribution",
        "chain-hop operator"
      ],
      "citations": [
        "chainalysis2024dprk",
        "chainalysis2024laundering",
        "chainalysis2025ransomware",
        "chainalysisbybitthorchain",
        "coindeskthorchainlazarus2025",
        "liu2025sybil",
        "scamsniffer2024lineage",
        "slowmist2024report",
        "trilateraldprkstatement2025"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T8.002-cross-chain-operator-continuity.md"
    },
    {
      "id": "OAK-T8.003",
      "name": "On-Chain Transaction Graph De-Anonymization",
      "parent_tactics": [
        "OAK-T8"
      ],
      "maturity": "observed",
      "chains": [
        "chain-agnostic (Bitcoin UTXO graph, Ethereum account graph, Solana account graph)"
      ],
      "first_documented": "2013–2015 (Chainalysis, Elliptic, CipherTrace founding era; academic literature on Bitcoin transaction graph clustering)",
      "aliases": [
        "blockchain transaction clustering",
        "UTXO taint analysis",
        "address attribution",
        "on-chain deanonymization",
        "exchange-deposit clustering",
        "Chainalysis-style graph analysis"
      ],
      "citations": [
        "chainalysis2024dprk",
        "elliptic2024crosschain",
        "meiklejohn2013fistful",
        "ron2013quantitative",
        "trmlabs2024forensics"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T8.003-on-chain-transaction-graph-de-anonymization.md"
    },
    {
      "id": "OAK-T8.004",
      "name": "Exchange Account Farming / Sybil Account Creation",
      "parent_tactics": [
        "OAK-T8"
      ],
      "maturity": "observed",
      "chains": [
        "chain-agnostic (exchange-side operational surface)"
      ],
      "first_documented": "2011–2013 (BTC-e era — account-farming infrastructure as systemic exchange-laundering rail); formalised as a distinct detection surface 2017–2025",
      "aliases": [
        "exchange account farming",
        "Sybil exchange accounts",
        "synthetic-identity onboarding",
        "KYC factory",
        "account-rotation laundering",
        "verification-farm accounts"
      ],
      "citations": [
        "chainalysis2022hydra",
        "chainalysis2024dprk",
        "coindesk2024dprkinfiltration",
        "dojbtce2017",
        "elliptic2024crosschain",
        "fbidprkitworker2022",
        "treasury2025garantexnetwork",
        "trmlabs2025grinex"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T8.004-exchange-account-farming-sybil-accounts.md"
    },
    {
      "id": "OAK-T8.005",
      "name": "Operational Security Procedural Failure (Non-Technical OpSec)",
      "parent_tactics": [
        "OAK-T8"
      ],
      "maturity": "stable",
      "chains": [
        "chain-agnostic (off-chain attribution surface)"
      ],
      "first_documented": "2013 (Silk Road \"altoid\" forum-handle reuse — earliest documented case of off-chain opsec failure enabling darknet-marketplace operator attribution in the public record); academic literature on stylometric attribution predates blockchain applications",
      "aliases": [
        "procedural opsec failure",
        "off-chain attribution bridge",
        "handle-reuse attribution",
        "opsec hygiene failure",
        "non-technical operational security failure",
        "stylometric fingerprinting",
        "attribution-enabling opsec failure"
      ],
      "citations": [
        "bkahydra2022",
        "chainalysis2024dprk",
        "dojalphabay2023",
        "dojbitcoinfog2021",
        "dojwelcome2018",
        "ellipticronin2022",
        "fbiulbrichtcomplaint2013",
        "wiredalphabay2021"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T8.005-operational-security-procedural-failure.md"
    },
    {
      "id": "OAK-T9.001",
      "name": "Oracle Price Manipulation",
      "parent_tactics": [
        "OAK-T9",
        "OAK-T17"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Solana"
      ],
      "first_documented": "2020 (early cases on Compound and bZx); systematic 2022+",
      "aliases": [
        "oracle attack",
        "price-feed manipulation",
        "single-block oracle exploit"
      ],
      "citations": [
        "blocksecbonq2023",
        "blocksecveefinance2021",
        "bonqpostmortem2023",
        "cftcmango2023",
        "chainalysis2025rug",
        "creamfinance2021postmortem",
        "halbornbonq2023",
        "halborncream2021oct",
        "halbornveefinance2021",
        "immunefikream2021",
        "muditgupta2021cream",
        "owaspscstop10",
        "peckshieldbonq2023",
        "rektveefinance2021",
        "slowmistveefinance2021",
        "tellorbonq2023",
        "veefinancepostmortem2021",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.001-oracle-price-manipulation.md"
    },
    {
      "id": "OAK-T9.002",
      "name": "Flash-Loan-Enabled Exploit",
      "parent_tactics": [
        "OAK-T9"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Solana",
        "cross-chain"
      ],
      "first_documented": "2020 (early bZx cases)",
      "aliases": [
        "flash-loan attack",
        "atomic-borrow exploit"
      ],
      "citations": [
        "owaspscstop10",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.002-flash-loan-enabled-exploit.md"
    },
    {
      "id": "OAK-T9.003",
      "name": "Governance Attack",
      "parent_tactics": [
        "OAK-T9"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "cross-chain"
      ],
      "first_documented": "2022 (Beanstalk canonical case)",
      "aliases": [
        "DAO governance exploit",
        "voting-power attack",
        "BIP attack",
        "malicious proposal"
      ],
      "citations": [
        "blocksectornadogov2023",
        "compoundforumproposal289_2024",
        "compoundproposal289_2024",
        "goldenboyscompound2024",
        "owaspscstop10",
        "peckshieldtornado2023",
        "slowmisttornadogov2023",
        "tallygovernancecompound2024",
        "tornadocomm2023",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.003-governance-attack.md"
    },
    {
      "id": "OAK-T9.004",
      "name": "Access-Control Misconfiguration",
      "parent_tactics": [
        "OAK-T9"
      ],
      "maturity": "stable",
      "chains": [
        "EVM",
        "Solana",
        "cross-chain"
      ],
      "first_documented": "widespread; canonical modern cases 2022+",
      "aliases": [
        "broken access control",
        "missing authorization check",
        "guardian-bypass",
        "logic-flaw extraction",
        "privilege-boundary violation"
      ],
      "citations": [
        "blocksec2023euler",
        "blocksecsuikiloex2025",
        "chainalysiseuler2023",
        "chainalysismultichain2023",
        "chainalysispoly2021",
        "dlnewsmultichain2023",
        "elliptipeuler2023",
        "elliptipoly2021",
        "eulerlabs2023statement",
        "halborneuler2023",
        "halbornmultichain2023",
        "kiloexpostmortem2025",
        "kudelskipoly2021",
        "owaspscstop10",
        "peckshieldkiloex2025",
        "slowmistkiloex2025",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.004-access-control-misconfiguration.md"
    },
    {
      "id": "OAK-T9.005",
      "name": "Reentrancy",
      "parent_tactics": [
        "OAK-T9"
      ],
      "maturity": "stable",
      "chains": [
        "EVM (primary); EVM-compatible L2s; conceptually applicable to any chain whose execution model allows external calls before state finalisation"
      ],
      "first_documented": "2016 (The DAO); modern hook-based and cross-protocol variants 2020+",
      "aliases": [
        "recursive call attack",
        "callback reentry",
        "cross-function reentrancy",
        "cross-protocol reentrancy",
        "read-only reentrancy",
        "ERC-777 hook reentrancy",
        "ERC-721/1155 receive-hook reentrancy"
      ],
      "citations": [
        "daoreentrancy2016retrospective",
        "owaspscstop10",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.005-reentrancy.md"
    },
    {
      "id": "OAK-T9.006",
      "name": "Subjective-Oracle Resolution Manipulation",
      "parent_tactics": [
        "OAK-T9",
        "OAK-T17"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (Polygon-resident Polymarket / Ethereum-resident UMA DVM canonical at v0.1; cross-chain analogues across Kleros, Reality.eth, Augur REP)"
      ],
      "first_documented": "Polymarket UMA whale-vote-capture March 2025; cohort scale-out 2025–2026 across Polymarket-class subjective-oracle prediction markets",
      "aliases": [
        "subjective oracle attack",
        "DVM vote capture",
        "resolution-spec manipulation",
        "prediction-market oracle attack",
        "non-numeric oracle manipulation"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.006-subjective-oracle-resolution-manipulation.md"
    },
    {
      "id": "OAK-T9.006.001",
      "name": "DVM Vote Capture by Economically-Interested Holder",
      "parent_tactics": [
        "OAK-T9",
        "OAK-T17"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (Polymarket on Polygon / UMA DVM on Ethereum canonical at v0.1)"
      ],
      "first_documented": "2025-03 (Polymarket Ukraine mineral deal)",
      "aliases": [
        "UMA whale vote capture",
        "DVM governance attack",
        "oracle-vote corruption"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.006.001-dvm-vote-capture.md"
    },
    {
      "id": "OAK-T9.006.002",
      "name": "Resolution-Spec Ambiguity Exploitation",
      "parent_tactics": [
        "OAK-T9",
        "OAK-T17"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (Polymarket on Polygon / UMA DVM on Ethereum canonical at v0.1)"
      ],
      "first_documented": "2025-07 (Polymarket Zelenskyy-suit market)",
      "aliases": [
        "spec-ambiguity attack",
        "natural-language oracle ambiguity",
        "interpretive-resolution exploitation"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.006.002-resolution-spec-ambiguity-exploitation.md"
    },
    {
      "id": "OAK-T9.006.003",
      "name": "Off-chain Resolution-Source Coercion",
      "parent_tactics": [
        "OAK-T9",
        "OAK-T17"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (Polymarket on Polygon canonical at v0.1)"
      ],
      "first_documented": "2026-03 (Times of Israel correspondent Emanuel Fabian, Iran-strike market)",
      "aliases": [
        "journalist coercion",
        "off-chain reporter extortion",
        "resolution-input-layer attack",
        "oracle-input physical-coercion"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.006.003-off-chain-resolution-source-coercion.md"
    },
    {
      "id": "OAK-T9.006.004",
      "name": "Operational-Insider Trading on Subjective-Resolution Prediction Markets",
      "parent_tactics": [
        "OAK-T9",
        "OAK-T17"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (Polymarket on Polygon canonical at v0.1)"
      ],
      "first_documented": "2025-12 (Van Dyke / Operation Absolute Resolve betting window) → 2026-01 (real-world execution) → 2026-04 (DOJ SDNY indictment + CFTC parallel civil action). Multi-jurisdictional confirmation 2026-02 (Tel Aviv District Court indictment of IDF reservist).",
      "aliases": [
        "operational-insider Polymarket",
        "classified-information prediction-market trading",
        "causal-actor insider trading"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.006.004-operational-insider-trading.md"
    },
    {
      "id": "OAK-T9.006.005",
      "name": "Platform-Override of Oracle Outcome",
      "parent_tactics": [
        "OAK-T9",
        "OAK-T17"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (Polymarket on Polygon / UMA DVM on Ethereum canonical at v0.1)"
      ],
      "first_documented": "2024-06 (Polymarket / DJT memecoin / Barron Trump market)",
      "aliases": [
        "platform override",
        "oracle-outcome override",
        "discretionary-resolution override",
        "ultimate-discretion clause attack"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.006.005-platform-override-oracle-outcome.md"
    },
    {
      "id": "OAK-T9.007",
      "name": "Fork-Substrate Vulnerability (Not Mitigated at Fork Time)",
      "parent_tactics": [
        "OAK-T9"
      ],
      "maturity": "stable",
      "chains": [
        "EVM (primary); cross-chain analogues (forked protocols deployed on non-EVM chains) are pipeline anchor candidates at v0.x"
      ],
      "first_documented": "~2022-04 (Hundred Finance → Midas Capital cohort initial fork-and-exploit chain); class-level awareness solidified through 2023–2024 with the Compound V2 fork cohort cascade (Midas → Sonne → Onyx → Resupply)",
      "aliases": [
        "fork-vulnerability cascade",
        "unpatched-fork exploit",
        "upstream-disclosure-failure",
        "inherited vulnerability",
        "Compound V2 fork vulnerability chain",
        "fork-and-forget pattern"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.007-fork-substrate-vulnerability-not-mitigated.md"
    },
    {
      "id": "OAK-T9.008",
      "name": "Diamond-Pattern Facet-Audit Incomplete",
      "parent_tactics": [
        "OAK-T9",
        "OAK-T6"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (primary; EIP-2535 diamond pattern is EVM-native); non-EVM diamond-pattern analogues (proxy-facet architectures on Solana, Sui, Aptos) are pipeline anchor candidates at v0.x"
      ],
      "first_documented": "~2022-07 (Li.Fi exploit ~$600K, v1 diamond-pattern facet-addition vulnerability); class-level calibration anchor Li.Fi July 2024 (~$10M, post-audit facet addition)",
      "aliases": [
        "diamond-proxy facet gap",
        "post-audit facet addition",
        "unaudited-facet exploit",
        "EIP-2535 audit-scope gap",
        "facet-upgrade-path exploitation",
        "diamond-cut attack"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.008-diamond-pattern-facet-audit-incomplete.md"
    },
    {
      "id": "OAK-T9.009",
      "name": "Cross-Contract Reinitialization Attack",
      "parent_tactics": [
        "OAK-T9"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (primary); any chain whose execution model allows cross-contract calls during initialisation (upgradeable proxy patterns are EVM-native but the reinitialisation surface generalises)"
      ],
      "first_documented": "2023 (class characterised in audit-firm literature post-UUPS/transparent-proxy proliferation; specific named exploits from 2023 onward)",
      "aliases": [
        "reinitialization attack",
        "double-init attack",
        "cross-contract init callback",
        "proxy reinitialization",
        "init-state injection"
      ],
      "citations": [
        "owaspscstop10",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.009-cross-contract-reinitialization-attack.md"
    },
    {
      "id": "OAK-T9.010",
      "name": "Read-Only Reentrancy",
      "parent_tactics": [
        "OAK-T9"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (primary); any chain whose execution model allows `staticcall` to a contract that is mid-execution in the same transaction"
      ],
      "first_documented": "2022–2023 (class characterised in audit-firm literature; Curve Finance Vyper + Market.xyz read-only reentrancy chain, July 2023, is the canonical operational anchor)",
      "aliases": [
        "view reentrancy",
        "staticcall reentrancy",
        "stale-read reentrancy",
        "cross-protocol view manipulation"
      ],
      "citations": [
        "curvepostmortem2023",
        "vyperpostmortem2023",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.010-read-only-reentrancy.md"
    },
    {
      "id": "OAK-T9.011",
      "name": "Precision-Loss Rounding Attack",
      "parent_tactics": [
        "OAK-T9"
      ],
      "maturity": "stable",
      "chains": [
        "EVM (primary); any chain whose arithmetic model uses integer division with floor/truncation rounding"
      ],
      "first_documented": "2021–2022 (ERC-4626 vault share-price manipulation via donation + rounding formally characterised by the Yearn, Solmate, and OpenZeppelin communities; the first large-loss operational anchors follow in 2023)",
      "aliases": [
        "rounding-error exploit",
        "donation attack",
        "inflation attack",
        "vault-share-price manipulation",
        "dust-accumulation attack",
        "share-price front-running via donation"
      ],
      "citations": [
        "hundredfinance2023postmortem",
        "owaspscstop10",
        "sonnefinance2024postmortem",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.011-precision-loss-rounding-attack.md"
    },
    {
      "id": "OAK-T9.012",
      "name": "Initial Liquidity Sandwich Attack",
      "parent_tactics": [
        "OAK-T9"
      ],
      "maturity": "emerging",
      "chains": [
        "EVM (primary); any chain with a public mempool and AMM-based token-deployment pattern (Uniswap V2/V3, PancakeSwap, Raydium-equivalent AMMs)"
      ],
      "first_documented": "2020–2021 (the \"sniping\" pattern emerged with the Uniswap V2 token-deployment wave; the sandwich-at-addLiquidity variant is a refinement characterised by MEV researchers)",
      "aliases": [
        "token-launch sandwich",
        "addLiquidity snipe",
        "initial-liquidity front-run",
        "token-genesis sandwich",
        "liquidity-addition MEV"
      ],
      "citations": [
        "daian2019flashboys",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.012-initial-liquidity-sandwich-attack.md"
    },
    {
      "id": "OAK-T9.013",
      "name": "Slippage-Manipulation Sandwich Attack",
      "parent_tactics": [
        "OAK-T9"
      ],
      "maturity": "observed",
      "chains": [
        "EVM (primary — Uniswap-style AMMs with user-specified slippage tolerance); Solana (Jupiter DCA / limit-order slippage surface); any chain with an AMM that exposes user-configurable slippage parameters in swap transactions"
      ],
      "first_documented": "2020–2021 (slippage-manipulation attacks characterised alongside the MEV sandwich literature)",
      "aliases": [
        "slippage-tolerance exploitation",
        "max-slippage sandwich",
        "sandwich-via-slippage-setting",
        "slippage-override attack"
      ],
      "citations": [
        "daian2019flashboys",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.013-slippage-manipulation-sandwich-attack.md"
    },
    {
      "id": "OAK-T9.014",
      "name": "Protocol-Client Consensus Bug",
      "parent_tactics": [
        "OAK-T9"
      ],
      "maturity": "emerging",
      "chains": [
        "Bitcoin (canonical anchor); structurally generalisable to any blockchain whose consensus is determined by a reference-client implementation (Ethereum, Solana, Cosmos SDK chains, etc.)"
      ],
      "first_documented": "2010-08-15 (Bitcoin value overflow bug, block 74638, CVE-2010-5139)",
      "aliases": [
        "reference-client bug",
        "consensus-layer integer overflow",
        "client-implementation vulnerability",
        "protocol-level arithmetic bug",
        "consensus-code validation bypass"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/techniques/T9.014-protocol-client-consensus-bug.md"
    }
  ],
  "mitigations": [
    {
      "id": "OAK-M01",
      "name": "Source-Bytecode Verification",
      "class": "detection",
      "audience": [
        "vendor",
        "risk-team",
        "venue"
      ],
      "maps_to_techniques": [
        "OAK-T1.001",
        "OAK-T1.003",
        "OAK-T1.004",
        "OAK-T1.005",
        "OAK-T2.004",
        "OAK-T6.001",
        "OAK-T6.003"
      ],
      "citations": [
        "certikfakeaudit",
        "chainalysis2025rug",
        "quillauditsbackdoor",
        "slowmist2024report"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M01-source-bytecode-verification.md"
    },
    {
      "id": "OAK-M02",
      "name": "Static-Analysis Pre-Deployment",
      "class": "architecture",
      "audience": [
        "protocol",
        "designer"
      ],
      "maps_to_techniques": [
        "OAK-T1.001",
        "OAK-T1.003",
        "OAK-T1.004",
        "OAK-T1.005",
        "OAK-T6.001",
        "OAK-T6.002",
        "OAK-T9.004",
        "OAK-T9.005",
        "OAK-T13.001"
      ],
      "citations": [
        "chainalysiseuler2023",
        "halborneuler2023",
        "osecpaymasters2025",
        "owaspscstop10",
        "ozaa4337audit",
        "slowmist2024report"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M02-static-analysis-pre-deployment.md"
    },
    {
      "id": "OAK-M03",
      "name": "Continuous Bytecode-Diff Monitoring",
      "class": "detection",
      "audience": [
        "vendor",
        "risk-team"
      ],
      "maps_to_techniques": [
        "OAK-T1.003",
        "OAK-T1.004",
        "OAK-T2.004",
        "OAK-T6.001",
        "OAK-T6.003",
        "OAK-T9.004",
        "OAK-T11.003"
      ],
      "citations": [
        "chainalysis2025rug",
        "halbornwintermute2022",
        "nomicproxybackdoor",
        "quillauditsbackdoor"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M03-continuous-bytecode-diff-monitoring.md"
    },
    {
      "id": "OAK-M04",
      "name": "Funder-Graph Clustering",
      "class": "detection",
      "audience": [
        "vendor",
        "risk-team"
      ],
      "maps_to_techniques": [
        "OAK-T2.001",
        "OAK-T3.001",
        "OAK-T3.002",
        "OAK-T3.003",
        "OAK-T8.001",
        "OAK-T8.002",
        "OAK-T1.001",
        "OAK-T2.004"
      ],
      "citations": [
        "chainalysis2024dprk",
        "chainalysis2025rug",
        "chainalysisprivacychain2024",
        "dydx2024sybil",
        "slowmist2024report"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M04-funder-graph-clustering.md"
    },
    {
      "id": "OAK-M05",
      "name": "Authority-Graph Enumeration",
      "class": "detection",
      "audience": [
        "custody-customer",
        "risk-team",
        "vendor"
      ],
      "maps_to_techniques": [
        "OAK-T1.003",
        "OAK-T1.004",
        "OAK-T9.003",
        "OAK-T9.004",
        "OAK-T11.001",
        "OAK-T11.002",
        "OAK-T11.003"
      ],
      "citations": [
        "chainalysisbadger2021",
        "checkpoint2023drainers",
        "halbornwintermute2022",
        "ofac2022tornado"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M05-authority-graph-enumeration.md"
    },
    {
      "id": "OAK-M06",
      "name": "Mempool / Pre-Block Telemetry",
      "class": "detection",
      "audience": [
        "vendor",
        "trader",
        "protocol"
      ],
      "maps_to_techniques": [
        "OAK-T5.004",
        "OAK-T13.002",
        "OAK-T14.002"
      ],
      "citations": [
        "blockpi2023bundlermempool",
        "blocksecmevboost2023",
        "bloxroutemevboost2023",
        "dojmevbros2024",
        "eigenphi2023aamev",
        "eigenphijared2023",
        "etherspot2023bundlermev",
        "fastlane2024erc4337mev",
        "flashbotsequivocation2023",
        "flashbotsmevboost2023",
        "mevwatch2024",
        "paradigmpbstime2023"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M06-mempool-pre-block-telemetry.md"
    },
    {
      "id": "OAK-M07",
      "name": "Cross-Chain Attribution Graph",
      "class": "detection",
      "audience": [
        "vendor",
        "risk-team",
        "venue"
      ],
      "maps_to_techniques": [
        "OAK-T7.001",
        "OAK-T7.002",
        "OAK-T7.003",
        "OAK-T7.004",
        "OAK-T7.005",
        "OAK-T7.006",
        "OAK-T8.002",
        "OAK-T11.001"
      ],
      "citations": [
        "chainalysis2022nft",
        "chainalysis2024dprk",
        "chainalysis2024laundering",
        "chainalysisprivacychain2024",
        "coindeskthorchainlazarus2025",
        "crystalwazirx2024",
        "ellipticronin2022",
        "trmlabs2024nomadextradition"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M07-cross-chain-attribution-graph.md"
    },
    {
      "id": "OAK-M08",
      "name": "Per-Spender Approval Audit and Revocation",
      "class": "wallet-ux",
      "audience": [
        "wallet",
        "custody-customer",
        "vendor"
      ],
      "maps_to_techniques": [
        "OAK-T4.001",
        "OAK-T4.004",
        "OAK-T4.005",
        "OAK-T4.006"
      ],
      "citations": [
        "checkpoint2023drainers",
        "rektcurve2022",
        "slowmist2024report",
        "theblock2022boredape"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M08-per-spender-approval-audit-and-revocation.md"
    },
    {
      "id": "OAK-M09",
      "name": "TWAP + Multi-Venue Oracle with Deviation Circuit-Breaker",
      "class": "architecture",
      "audience": [
        "protocol",
        "designer"
      ],
      "maps_to_techniques": [
        "OAK-T9.001",
        "OAK-T9.002"
      ],
      "citations": [
        "cftcmango2023",
        "chainalysis2025rug",
        "owaspscstop10",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M09-twap-multi-venue-oracle-with-deviation-circuit-breaker.md"
    },
    {
      "id": "OAK-M10",
      "name": "Checks-Effects-Interactions and ReentrancyGuard",
      "class": "architecture",
      "audience": [
        "protocol",
        "designer"
      ],
      "maps_to_techniques": [
        "OAK-T9.005",
        "OAK-T9.002"
      ],
      "citations": [
        "creamfinance2021postmortem",
        "daoreentrancy2016retrospective",
        "halborncream2021oct",
        "muditgupta2021cream",
        "owaspscstop10",
        "vyperpostmortem2023",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M10-checks-effects-interactions-and-reentrancy-guard.md"
    },
    {
      "id": "OAK-M11",
      "name": "Rate-Limiting and Per-Block Caps",
      "class": "architecture",
      "audience": [
        "protocol",
        "designer"
      ],
      "maps_to_techniques": [
        "OAK-T5.001",
        "OAK-T5.002",
        "OAK-T9.001",
        "OAK-T9.002",
        "OAK-T10.001",
        "OAK-T10.002"
      ],
      "citations": [
        "chainalysis2025rug",
        "ellipticronin2022",
        "ethfoundationdaohardfork2016",
        "mandiantnomad2022",
        "owaspscstop10",
        "rektcurve2022",
        "vyperpostmortem2023"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M11-rate-limiting-and-per-block-caps.md"
    },
    {
      "id": "OAK-M12",
      "name": "Per-Message Replay Binding",
      "class": "architecture",
      "audience": [
        "protocol",
        "designer (bridge / cross-chain)"
      ],
      "maps_to_techniques": [
        "OAK-T10.002",
        "OAK-T10.003"
      ],
      "citations": [
        "bhuptanioptbridges2022",
        "halbornnomadoptimistic2022",
        "mandiantnomad2022",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M12-per-message-replay-binding.md"
    },
    {
      "id": "OAK-M13",
      "name": "Long Challenge Window with Economic Challenger Incentives",
      "class": "architecture",
      "audience": [
        "protocol",
        "designer (optimistic-bridge / rollup)"
      ],
      "maps_to_techniques": [
        "OAK-T10.004"
      ],
      "citations": [
        "bhuptanioptbridges2022",
        "halbornnomadoptimistic2022",
        "hollowvictory2025",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M13-long-challenge-window-with-economic-challenger-incentives.md"
    },
    {
      "id": "OAK-M14",
      "name": "Multi-Prover Redundancy",
      "class": "architecture",
      "audience": [
        "protocol",
        "designer (zk-bridge / zk-rollup)"
      ],
      "maps_to_techniques": [
        "OAK-T10.005"
      ],
      "citations": [
        "soksnarkvulns2024",
        "verichainsdragonberry2022",
        "xie2022zkbridge",
        "zhou2023sok",
        "zkbugtracker"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M14-multi-prover-redundancy.md"
    },
    {
      "id": "OAK-M15",
      "name": "Threshold Signing with Operator Separation",
      "class": "architecture",
      "audience": [
        "custody-customer",
        "custody-vendor",
        "protocol (bridge)"
      ],
      "maps_to_techniques": [
        "OAK-T10.001",
        "OAK-T11.001",
        "OAK-T11.003"
      ],
      "citations": [
        "chainalysis2024dprk",
        "crystalwazirx2024",
        "ellipticharmony2022",
        "ellipticronin2022",
        "fbiharmony2023",
        "halbornharmony2022",
        "halbornmultichain2023",
        "wazirxwiki2024"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M15-threshold-signing-with-operator-separation.md"
    },
    {
      "id": "OAK-M16",
      "name": "Pre-Deployment Audit and Formal Verification",
      "class": "architecture",
      "audience": [
        "protocol",
        "designer"
      ],
      "maps_to_techniques": [
        "OAK-T1.001",
        "OAK-T1.003",
        "OAK-T1.004",
        "OAK-T6.001",
        "OAK-T6.002",
        "OAK-T6.003",
        "OAK-T6.004",
        "OAK-T9.001",
        "OAK-T9.002",
        "OAK-T9.003",
        "OAK-T9.004",
        "OAK-T9.005",
        "OAK-T10.001",
        "OAK-T10.002",
        "OAK-T10.003",
        "OAK-T10.004",
        "OAK-T10.005"
      ],
      "citations": [
        "certikfakeaudit",
        "chainalysis2025rug",
        "daoreentrancy2016retrospective",
        "dlnewsswaprum2023",
        "halbornnomadoptimistic2022",
        "owaspscstop10",
        "slowmist2024report",
        "soksnarkvulns2024",
        "verichainsdragonberry2022",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M16-pre-deployment-audit-and-formal-verification.md"
    },
    {
      "id": "OAK-M17",
      "name": "Time-Locked Governance and Multi-Block Quorum",
      "class": "architecture",
      "audience": [
        "protocol",
        "designer (governance)"
      ],
      "maps_to_techniques": [
        "OAK-T9.003"
      ],
      "citations": [
        "owaspscstop10",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M17-time-locked-governance-and-multi-block-quorum.md"
    },
    {
      "id": "OAK-M18",
      "name": "Out-of-Band Destination Verification",
      "class": "operational",
      "audience": [
        "custody-customer",
        "custody-vendor"
      ],
      "maps_to_techniques": [
        "OAK-T11.001",
        "OAK-T11.002",
        "OAK-T11.003",
        "OAK-T4.001",
        "OAK-T4.002",
        "OAK-T4.003",
        "OAK-T4.004",
        "OAK-T4.005",
        "OAK-T4.006"
      ],
      "citations": [
        "chainalysis2024dprk",
        "chainalysis2024poisoning",
        "checkpoint2023drainers",
        "crystalwazirx2024",
        "ellipticatomic2023",
        "slowmist2024report",
        "tsuchiya2025poisoning",
        "wazirxwiki2024"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M18-out-of-band-destination-verification.md"
    },
    {
      "id": "OAK-M19",
      "name": "Air-Gap Cold-Wallet Signing",
      "class": "operational",
      "audience": [
        "custody-customer"
      ],
      "maps_to_techniques": [
        "OAK-T11.001",
        "OAK-T11.002",
        "OAK-T11.003"
      ],
      "citations": [
        "chainalysis2024dprk",
        "ellipticatomic2023",
        "mandiantradiant2024",
        "radiantpostmortem2024"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M19-air-gap-cold-wallet-signing.md"
    },
    {
      "id": "OAK-M20",
      "name": "Vendor Breach-Notification SLA",
      "class": "operational",
      "audience": [
        "custody-customer",
        "risk-team",
        "venue"
      ],
      "maps_to_techniques": [
        "OAK-T11.001",
        "OAK-T11.002"
      ],
      "citations": [
        "chainalysis2024dprk",
        "crystalwazirx2024",
        "ellipticatomic2023",
        "radiantpostmortem2024"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M20-vendor-breach-notification-sla.md"
    },
    {
      "id": "OAK-M21",
      "name": "Anti-Phishing Training for Privileged Staff",
      "class": "operational",
      "audience": [
        "custody-customer",
        "custody-vendor",
        "protocol"
      ],
      "maps_to_techniques": [
        "OAK-T11.001",
        "OAK-T11.002"
      ],
      "citations": [
        "chainalysis2024dprk",
        "fbidmm2024",
        "mandiantradiant2024",
        "microsoftcitrineradiant2024",
        "radiantpostmortem2024"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M21-anti-phishing-training-privileged-staff.md"
    },
    {
      "id": "OAK-M22",
      "name": "Rotate-on-Disclosure Discipline",
      "class": "operational",
      "audience": [
        "custody-customer",
        "custody-vendor",
        "protocol"
      ],
      "maps_to_techniques": [
        "OAK-T1.003",
        "OAK-T11.001",
        "OAK-T11.002",
        "OAK-T11.003",
        "OAK-T9.004"
      ],
      "citations": [
        "chainalysis2024dprk",
        "crystalwazirx2024",
        "halbornwintermute2022",
        "radiantpostmortem2024"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M22-rotate-on-disclosure-discipline.md"
    },
    {
      "id": "OAK-M23",
      "name": "Audit-Attestation Public-Registry Verification",
      "class": "venue",
      "audience": [
        "venue",
        "risk-team",
        "trader"
      ],
      "maps_to_techniques": [
        "OAK-T6.001",
        "OAK-T6.002",
        "OAK-T6.003",
        "OAK-T6.004",
        "OAK-T1.001"
      ],
      "citations": [
        "certikfakeaudit",
        "chainalysis2025rug",
        "dlnewsswaprum2023",
        "slowmist2024report"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M23-audit-attestation-public-registry-verification.md"
    },
    {
      "id": "OAK-M24",
      "name": "Out-of-Band Audit-Engagement Verification",
      "class": "venue",
      "audience": [
        "venue",
        "risk-team",
        "trader"
      ],
      "maps_to_techniques": [
        "OAK-T6.002",
        "OAK-T6.004"
      ],
      "citations": [
        "certikfakeaudit",
        "chainalysis2025rug",
        "dlnewsswaprum2023",
        "slowmist2024report"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M24-out-of-band-audit-engagement-verification.md"
    },
    {
      "id": "OAK-M25",
      "name": "Listing-Time Source-Verification + Audit-Status Gate",
      "class": "venue",
      "audience": [
        "venue (CEX, DEX aggregator)",
        "aggregator (token-data, market-data)",
        "launchpad"
      ],
      "maps_to_techniques": [
        "OAK-T1.001",
        "OAK-T1.002",
        "OAK-T1.003",
        "OAK-T1.004",
        "OAK-T1.005",
        "OAK-T2.001",
        "OAK-T2.002",
        "OAK-T2.003",
        "OAK-T2.004",
        "OAK-T6.001",
        "OAK-T6.002",
        "OAK-T6.003",
        "OAK-T6.004"
      ],
      "citations": [
        "certikfakeaudit",
        "chainalysis2025rug",
        "slowmist2024report",
        "torres2019",
        "trmsquid2021"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M25-listing-time-source-verification-and-audit-status-gate.md"
    },
    {
      "id": "OAK-M26",
      "name": "Wash-Trade-Rate Metrics at Marketplace Layer",
      "class": "venue",
      "audience": [
        "venue (NFT marketplace, DEX)",
        "aggregator (analytics)",
        "risk-team"
      ],
      "maps_to_techniques": [
        "OAK-T3.002",
        "OAK-T7.004",
        "OAK-T12.001"
      ],
      "citations": [
        "chainalysis2022nft",
        "chainalysis2024laundering",
        "theblock2022boredape"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M26-wash-trade-rate-metrics-at-marketplace-layer.md"
    },
    {
      "id": "OAK-M27",
      "name": "Travel Rule and KYC at Privacy-Chain Boundary",
      "class": "venue",
      "audience": [
        "venue (CEX, OTC desk, instant-swap service)",
        "regulator",
        "risk-team"
      ],
      "maps_to_techniques": [
        "OAK-T7.002",
        "OAK-T7.003",
        "OAK-T7.005"
      ],
      "citations": [
        "binancexmrdelist2024",
        "chainalysis2024dprk",
        "chainalysis2024laundering",
        "chainalysisprivacychain2024",
        "coindeskthorchainlazarus2025",
        "ofac2022tornado"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M27-travel-rule-and-kyc-at-privacy-chain-boundary.md"
    },
    {
      "id": "OAK-M28",
      "name": "Token-Unlock Calendar Integration",
      "class": "venue",
      "audience": [
        "venue (DEX aggregator, CEX, market-data aggregator)",
        "risk-team",
        "trader"
      ],
      "maps_to_techniques": [
        "OAK-T5.006"
      ],
      "citations": [
        "chainalysis2025rug",
        "cryptorank2026unlock",
        "defillama2026unlocks",
        "tokenunlocks2026platform"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M28-token-unlock-calendar-integration.md"
    },
    {
      "id": "OAK-M29",
      "name": "Full-Address Verification and Lookalike Detection",
      "class": "wallet-ux",
      "audience": [
        "wallet (mobile, browser-extension, hardware-wallet companion)",
        "custody-customer",
        "risk-team"
      ],
      "maps_to_techniques": [
        "OAK-T4.003"
      ],
      "citations": [
        "chainalysis2024poisoning",
        "tsuchiya2025poisoning"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M29-full-address-verification-and-lookalike-detection.md"
    },
    {
      "id": "OAK-M30",
      "name": "Per-dApp Domain and App-Store-Package Allowlist",
      "class": "wallet-ux",
      "audience": [
        "wallet (mobile, browser-extension)",
        "custody-customer"
      ],
      "maps_to_techniques": [
        "OAK-T4.001",
        "OAK-T4.005",
        "OAK-T4.006"
      ],
      "citations": [
        "checkpoint2023drainers",
        "slowmist2024report",
        "theblock2022boredape"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M30-per-dapp-domain-and-app-store-package-allowlist.md"
    },
    {
      "id": "OAK-M31",
      "name": "EIP-712 Permit Display and Signing-Risk Heuristics",
      "class": "wallet-ux",
      "audience": [
        "wallet (mobile, browser-extension, hardware-wallet companion)",
        "custody-customer"
      ],
      "maps_to_techniques": [
        "OAK-T4.001",
        "OAK-T4.004",
        "OAK-T4.005"
      ],
      "citations": [
        "checkpoint2023drainers",
        "slowmist2024report",
        "theblock2022boredape"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M31-eip-712-permit-display-and-signing-risk-heuristics.md"
    },
    {
      "id": "OAK-M32",
      "name": "Bug Bounty Programs",
      "class": "operational",
      "audience": [
        "protocol",
        "designer",
        "vendor"
      ],
      "maps_to_techniques": [
        "OAK-T1.001",
        "OAK-T1.002",
        "OAK-T1.003",
        "OAK-T1.004",
        "OAK-T1.005",
        "OAK-T6.001",
        "OAK-T6.002",
        "OAK-T6.003",
        "OAK-T6.004",
        "OAK-T9.001",
        "OAK-T9.002",
        "OAK-T9.003",
        "OAK-T9.004",
        "OAK-T9.005",
        "OAK-T10.001",
        "OAK-T10.002",
        "OAK-T10.003",
        "OAK-T10.004",
        "OAK-T10.005"
      ],
      "citations": [
        "chainalysis2024dprk",
        "chainalysiseuler2023",
        "immunefikream2021",
        "slowmist2024report",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M32-bug-bounty-programs.md"
    },
    {
      "id": "OAK-M33",
      "name": "Decentralized Insurance Protocols",
      "class": "operational",
      "audience": [
        "trader",
        "protocol",
        "custody-customer"
      ],
      "maps_to_techniques": [
        "OAK-T9.001",
        "OAK-T9.002",
        "OAK-T9.003",
        "OAK-T9.004",
        "OAK-T9.005",
        "OAK-T10.001",
        "OAK-T10.002",
        "OAK-T10.003",
        "OAK-T10.004",
        "OAK-T10.005",
        "OAK-T11.001",
        "OAK-T11.002",
        "OAK-T11.003"
      ],
      "citations": [
        "chainalysis2024dprk",
        "chainalysis2025rug",
        "chainalysiseuler2023",
        "crystalwazirx2024",
        "slowmist2024report",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M33-decentralized-insurance-protocols.md"
    },
    {
      "id": "OAK-M34",
      "name": "Pause-by-Default Emergency Pause",
      "class": "architecture",
      "audience": [
        "protocol",
        "designer"
      ],
      "maps_to_techniques": [
        "OAK-T9.001",
        "OAK-T9.002",
        "OAK-T9.003",
        "OAK-T9.004",
        "OAK-T9.005",
        "OAK-T10.001",
        "OAK-T10.002",
        "OAK-T10.003",
        "OAK-T10.004",
        "OAK-T10.005",
        "OAK-T11.003"
      ],
      "citations": [
        "blocksecsaddle2022",
        "chainalysiseuler2023",
        "crystalwazirx2024",
        "openzeppelinupgradesstorage",
        "saddleincidentreport2022",
        "zhou2023sok"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M34-pause-by-default-emergency-pause.md"
    },
    {
      "id": "OAK-M35",
      "name": "Whitehat-Rescue Coordination",
      "class": "operational",
      "audience": [
        "protocol",
        "designer",
        "vendor"
      ],
      "maps_to_techniques": [
        "OAK-T9.001",
        "OAK-T9.002",
        "OAK-T9.003",
        "OAK-T9.004",
        "OAK-T9.005",
        "OAK-T10.001",
        "OAK-T10.002",
        "OAK-T10.003",
        "OAK-T10.004",
        "OAK-T10.005",
        "OAK-T11.001",
        "OAK-T11.002",
        "OAK-T11.003"
      ],
      "citations": [
        "blocksec2023euler",
        "chainalysis2024dprk",
        "chainalysiseuler2023",
        "elliptipeuler2023",
        "eulerlabs2023statement",
        "halborneuler2023",
        "hypernativeronin2024",
        "ronin2024postmortem",
        "skymavisronin2024"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M35-whitehat-rescue-coordination.md"
    },
    {
      "id": "OAK-M36",
      "name": "Proof-of-Reserves Cryptographic Auditing",
      "class": "venue",
      "audience": [
        "venue (CEX)",
        "risk-team",
        "regulator"
      ],
      "maps_to_techniques": [
        "OAK-T11.001",
        "OAK-T11.002",
        "OAK-T11.003"
      ],
      "citations": [
        "bitfinexpostmortem2016",
        "chainalysis2024dprk",
        "mtgoxbankruptcy2014",
        "mtgoxtrustee2024",
        "wizsecmtgox2015",
        "wizsecmtgox2017",
        "wizsecmtgox2020"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M36-proof-of-reserves-cryptographic-auditing.md"
    },
    {
      "id": "OAK-M37",
      "name": "HSM and MPC Custody Architectures",
      "class": "operational",
      "audience": [
        "custody-customer",
        "custody-vendor",
        "protocol (treasury)",
        "risk-team"
      ],
      "maps_to_techniques": [
        "OAK-T11.001",
        "OAK-T11.002",
        "OAK-T11.003",
        "OAK-T10.001"
      ],
      "citations": [
        "chainalysis2024dprk",
        "ellipticatomic2023",
        "fbidmm2024",
        "halbornwintermute2022",
        "mandiantradiant2024"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M37-hsm-mpc-custody.md"
    },
    {
      "id": "OAK-M38",
      "name": "Time-Windowed Withdrawal Limits",
      "class": "architecture",
      "audience": [
        "protocol",
        "designer",
        "custody-vendor"
      ],
      "maps_to_techniques": [
        "OAK-T5.001",
        "OAK-T5.002",
        "OAK-T5.005",
        "OAK-T9.001",
        "OAK-T9.002",
        "OAK-T9.004",
        "OAK-T9.005",
        "OAK-T10.001",
        "OAK-T11.001",
        "OAK-T11.002",
        "OAK-T11.003"
      ],
      "citations": [
        "chainalysis2024dprk",
        "chainalysis2024lockbit",
        "chainalysis2025rug",
        "ellipticronin2022",
        "halbornwintermute2022"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M38-time-windowed-withdrawal-limits.md"
    },
    {
      "id": "OAK-M39",
      "name": "Cross-Protocol Watcher Network",
      "class": "detection",
      "audience": [
        "vendor",
        "risk-team",
        "protocol",
        "designer"
      ],
      "maps_to_techniques": [
        "OAK-T9.001",
        "OAK-T9.002",
        "OAK-T9.003",
        "OAK-T9.004",
        "OAK-T9.005",
        "OAK-T10.001",
        "OAK-T10.002",
        "OAK-T10.003",
        "OAK-T10.004",
        "OAK-T10.005",
        "OAK-T11.001",
        "OAK-T11.002",
        "OAK-T11.003",
        "OAK-T8.001",
        "OAK-T8.002"
      ],
      "citations": [
        "blocksecparaspace2023",
        "blocksecronin2024",
        "chainalysis2024dprk",
        "hypernativeronin2024",
        "mandiantradiant2024"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M39-cross-protocol-watcher-network.md"
    },
    {
      "id": "OAK-M40",
      "name": "Supply-Chain Package Integrity",
      "class": "operational",
      "audience": [
        "protocol (engineering staff)",
        "designer",
        "custody-customer",
        "custody-vendor",
        "wallet"
      ],
      "maps_to_techniques": [
        "OAK-T11.001",
        "OAK-T11.002",
        "OAK-T1.003",
        "OAK-T4.001",
        "OAK-T4.002",
        "OAK-T4.005",
        "OAK-T4.006"
      ],
      "citations": [
        "chainalysis2024dprk",
        "ellipticatomic2023",
        "mandiant3cx2023",
        "mandiantucsx2023",
        "unit42beavertail2023"
      ],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M40-supply-chain-package-integrity.md"
    },
    {
      "id": "OAK-M41",
      "name": "Asset Freeze and Confiscate Coordination Workflow",
      "class": "venue",
      "audience": [
        "venue (CEX, OTC desk, stablecoin issuer, bridge protocol)",
        "regulator",
        "law-enforcement agency",
        "risk-team"
      ],
      "maps_to_techniques": [
        "OAK-T7.002",
        "OAK-T7.003",
        "OAK-T7.006",
        "OAK-T7.007",
        "OAK-T7.008",
        "OAK-T5.008"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M41-asset-freeze-confiscate-coordination-workflow.md"
    },
    {
      "id": "OAK-M42",
      "name": "SAR/STR Filing and Financial Intelligence Feedback Loop",
      "class": "venue",
      "audience": [
        "venue (CEX, OTC desk, custodian, stablecoin issuer)",
        "regulator",
        "financial-intelligence unit (FIU)",
        "risk-team"
      ],
      "maps_to_techniques": [
        "OAK-T7.001",
        "OAK-T7.002",
        "OAK-T7.003",
        "OAK-T7.005",
        "OAK-T5.008"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M42-sar-str-filing-and-financial-intelligence-feedback.md"
    },
    {
      "id": "OAK-M43",
      "name": "KYT Operational Practice and Cross-VASP Coordination",
      "class": "venue",
      "audience": [
        "venue (CEX, OTC desk, custodian, bridge protocol)",
        "compliance-provider vendor",
        "risk-team"
      ],
      "maps_to_techniques": [
        "OAK-T7.001",
        "OAK-T7.002",
        "OAK-T7.003",
        "OAK-T7.006",
        "OAK-T7.007",
        "OAK-T7.008",
        "OAK-T8.001",
        "OAK-T8.002"
      ],
      "citations": [],
      "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M43-kyt-operational-practice-and-cross-vasp-coordination.md"
    }
  ],
  "software": [
    {
      "id": "OAK-S01",
      "name": "Inferno Drainer",
      "type": "drainer-kit",
      "aliases": [
        "Inferno",
        "Inferno DaaS",
        "\"Discord-link drainer kit\" (per affiliate-channel framing in `[checkpoint2023drainers]`)."
      ],
      "active": "sunset — Inferno publicly announced its shutdown on Telegram on November 26, 2023 (`[slowmist2024report]`). Affiliates and tooling re-emerged in successor families through 2024 (Angel Drainer / OAK-S02 absorbed a meaningful share of the Inferno affiliate base, but the November 2023 announcement is the primary-source shutdown event, not an October 2024 \"handover\"). The kit-and-affiliate-base persistence under successor branding is the structural OAK-G02 lesson; the original-branded operation was already retired by end-2023.",
      "first_observed": "approximately 2022, contemporaneous with broader Permit2 adoption.",
      "host_platforms": [],
      "used_by_groups": [
        "OAK-G02"
      ],
      "observed_techniques": [
        "OAK-T4.001",
        "OAK-T4.002",
        "OAK-T4.004",
        "OAK-T4.005",
        "OAK-T7.001",
        "OAK-T7.003",
        "OAK-T8.001",
        "OAK-T8.002"
      ],
      "citations": [
        "chainalysis2024dprk",
        "checkpoint2023drainers",
        "slowmist2024report"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S01-inferno-drainer.md"
    },
    {
      "id": "OAK-S02",
      "name": "Angel Drainer",
      "type": "drainer-kit",
      "aliases": [
        "Angel",
        "Angel DaaS",
        "\"Angel-X\" (occasional rebranding suffix observed in industry forensic posts)."
      ],
      "active": "yes — in market since approximately early 2023; received the Inferno Drainer (OAK-S01) affiliate base and infrastructure tooling in the October 19, 2024 service-layer handover (`[slowmist2024report]`); primary heir to Inferno's market share through end-of-2024.",
      "first_observed": "approximately early 2023.",
      "host_platforms": [],
      "used_by_groups": [
        "OAK-G02"
      ],
      "observed_techniques": [
        "OAK-T4.001",
        "OAK-T4.002",
        "OAK-T4.004",
        "OAK-T4.005",
        "OAK-T7.001",
        "OAK-T7.003",
        "OAK-T8.001",
        "OAK-T8.002"
      ],
      "citations": [
        "checkpoint2023drainers",
        "slowmist2024report"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S02-angel-drainer.md"
    },
    {
      "id": "OAK-S03",
      "name": "Pink Drainer",
      "type": "drainer-kit",
      "aliases": [
        "Pink",
        "Pinkdrainer",
        "\"Pink-X\" (occasional industry shorthand for the operator-of-record team behind the kit)."
      ],
      "active": "yes — in market since approximately mid-2023.",
      "first_observed": "approximately mid-2023.",
      "host_platforms": [],
      "used_by_groups": [
        "OAK-G02"
      ],
      "observed_techniques": [
        "OAK-T4.001",
        "OAK-T4.002",
        "OAK-T4.004",
        "OAK-T4.005",
        "OAK-T4.006",
        "OAK-T7.001",
        "OAK-T7.003",
        "OAK-T8.001"
      ],
      "citations": [
        "checkpoint2023drainers",
        "scamsniffer2024pink",
        "slowmist2024report"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S03-pink-drainer.md"
    },
    {
      "id": "OAK-S04",
      "name": "Monkey Drainer",
      "type": "drainer-kit",
      "aliases": [
        "Monkey",
        "\"Monkey-Drainer.eth\" (one of the historically-associated naming patterns in industry forensic posts)."
      ],
      "active": "sunset — operator announced retirement in approximately March 2023, framed publicly as burn-out / \"moving on\" rather than as a transfer of operations to a successor; affiliate base is generally understood to have migrated into Inferno (OAK-S01) and other contemporaneous kits.",
      "first_observed": "approximately 2022.",
      "host_platforms": [],
      "used_by_groups": [
        "OAK-G02"
      ],
      "observed_techniques": [
        "OAK-T4.001",
        "OAK-T4.004",
        "OAK-T4.005",
        "OAK-T7.001",
        "OAK-T8.001"
      ],
      "citations": [
        "checkpoint2023drainers",
        "slowmist2024report",
        "zachxbtmonkey2023"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S04-monkey-drainer.md"
    },
    {
      "id": "OAK-S05",
      "name": "Venom Drainer",
      "type": "drainer-kit",
      "aliases": [
        "Venom",
        "Venom DaaS."
      ],
      "active": "yes — in market since approximately mid-2023.",
      "first_observed": "approximately mid-2023.",
      "host_platforms": [],
      "used_by_groups": [
        "OAK-G02"
      ],
      "observed_techniques": [
        "OAK-T4.001",
        "OAK-T4.004",
        "OAK-T4.005",
        "OAK-T7.001",
        "OAK-T7.003",
        "OAK-T8.001"
      ],
      "citations": [
        "checkpoint2023drainers",
        "slowmist2024report"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S05-venom-drainer.md"
    },
    {
      "id": "OAK-S06",
      "name": "Vanilla Drainer",
      "type": "drainer-kit",
      "aliases": [
        "Vanilla",
        "Vanilla DaaS."
      ],
      "active": "yes — in market since approximately 2024; newer entrant in the OAK-G02 category.",
      "first_observed": "approximately 2024 (industry forensic posts begin tracking the brand as a distinct kit in this period).",
      "host_platforms": [],
      "used_by_groups": [
        "OAK-G02"
      ],
      "observed_techniques": [
        "OAK-T4.001",
        "OAK-T4.004",
        "OAK-T4.005",
        "OAK-T7.001",
        "OAK-T7.003",
        "OAK-T8.001",
        "OAK-T8.002"
      ],
      "citations": [
        "checkpoint2023drainers",
        "scamsniffer2024lineage",
        "slowmist2024report"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S06-vanilla-drainer.md"
    },
    {
      "id": "OAK-S07",
      "name": "Chick Drainer",
      "type": "drainer-kit",
      "aliases": [
        "Chick",
        "Chick DaaS."
      ],
      "active": "yes — in market since approximately 2024; recent entrant in the OAK-G02 category cited in SlowMist's cohort tracking.",
      "first_observed": "approximately 2024.",
      "host_platforms": [],
      "used_by_groups": [
        "OAK-G02"
      ],
      "observed_techniques": [
        "OAK-T4.001",
        "OAK-T4.004",
        "OAK-T4.005",
        "OAK-T7.001",
        "OAK-T7.003",
        "OAK-T8.001"
      ],
      "citations": [
        "checkpoint2023drainers",
        "slowmist2024report"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S07-chick-drainer.md"
    },
    {
      "id": "OAK-S08",
      "name": "TraderTraitor",
      "type": "malware",
      "aliases": [
        "TraderTraitor (FBI / CISA naming for the DPRK cross-platform job-lure trojan family); naming overlaps with the broader FBI-tracked DPRK-crypto-theft operator label of the same name (the malware family and the operator-cluster nomenclature were aligned by the U.S. government in the April 2022 advisory rather than separated). Industry-side aliases for related/derived loaders include \"JS_TraderTraitor\" (npm-package-delivery variants)",
        "\"ManuscryptCrypto\" sub-family overlaps as documented by Kaspersky and Mandiant",
        "and \"Hidden Risk\" / \"RustBucket\" successors tracked separately by SentinelOne and Jamf for macOS evolution."
      ],
      "active": "yes",
      "first_observed": "2022-04 (CISA AA22-108A canonical advisory date; underlying campaign activity tracked by FBI from 2020 forward).",
      "host_platforms": [
        "cross-platform (macOS-focused — both Intel and Apple Silicon builds documented; Windows builds also distributed via the same lure infrastructure; Linux builds reported in narrower vendor-corroborated cases)."
      ],
      "used_by_groups": [
        "OAK-G01"
      ],
      "observed_techniques": [
        "OAK-T11.001",
        "OAK-T11.002"
      ],
      "citations": [
        "chainalysis2024dprk",
        "chainalysisdprktradertraitor",
        "cisaaa22108a",
        "fbidmm2024",
        "mandiantradiant2024"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S08-tradertraitor.md"
    },
    {
      "id": "OAK-S09",
      "name": "AppleJeus",
      "type": "malware",
      "aliases": [
        "AppleJeus (Kaspersky-original 2018 naming, retained by CISA / FBI as canonical); UNC4736 (Mandiant operator-cluster designation that runs the AppleJeus toolset alongside related macOS payloads); Citrine Sleet (Microsoft, post-2023 weather-system naming convention); CryptoCore (overlapping but distinct industry naming used by F-Secure / WithSecure for related DPRK macOS activity); BLINDINGCAN",
        "COPPERHEDGE",
        "and INLETDRIFT are CISA / Mandiant naming for components and successor tooling within the broader AppleJeus toolset; \"Hidden Cobra\" is the legacy U.S.-government umbrella label that subsumes AppleJeus along with other DPRK families."
      ],
      "active": "yes (continuous evolution since 2018; Citrine Sleet / UNC4736 lineage active through 2024–2025 per Mandiant Radiant Capital attribution).",
      "first_observed": "2018-08 (Kaspersky's original \"Operation AppleJeus\" report, August 2018, documenting the Celas Trade Pro distribution); CISA / FBI joint advisory AA21-048A of February 17, 2021 (`[cisaaa21048a]`) is the canonical U.S.-government reference.",
      "host_platforms": [
        "cross-platform (macOS-focused with foundational role in establishing the macOS-targeting DPRK tradecraft; Windows builds distributed in parallel through 2018–2021)."
      ],
      "used_by_groups": [
        "OAK-G01"
      ],
      "observed_techniques": [
        "OAK-T11.002",
        "OAK-T11.001"
      ],
      "citations": [
        "chainalysis2024dprk",
        "cisaaa21048a",
        "mandiantradiant2024"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S09-applejeus.md"
    },
    {
      "id": "OAK-S10",
      "name": "Manuscrypt",
      "type": "malware",
      "aliases": [
        "Manuscrypt (Kaspersky-original naming, retained as the most-used industry label); KEYMARBLE (NCCIC / US-CERT 2018 catalogue naming for an overlapping component / variant); FALLCHILL (CISA / FBI naming for an earlier Lazarus Windows backdoor with documented code overlap with later Manuscrypt builds); NukeSped (alternate naming used by some CTI vendors for related Lazarus Windows tooling); Volgmer is a related-but-distinct Lazarus Windows backdoor sometimes confused with Manuscrypt in older catalogues; the Manuscrypt name is canonical for the multi-stage Windows backdoor family used by Lazarus through 2017–2024 and is anchored in external cyber-threat-intel taxonomy Software entry S0259."
      ],
      "active": "yes (continued evolution; updated builds observed in incidents through 2024 per Kaspersky, ESET, and AhnLab reporting).",
      "first_observed": "~2014–2015 (early variants under FALLCHILL naming); Manuscrypt naming consolidated approximately 2017 alongside the Lazarus crypto-pivot; long-running family that pre-dates the modern crypto-theft cluster but has been adapted continuously into it.",
      "host_platforms": [
        "Windows (long-running Windows-only family; macOS and Linux-side DPRK tooling sits in the AppleJeus / RustBucket / KandyKorn lineage rather than the Manuscrypt lineage)."
      ],
      "used_by_groups": [
        "OAK-G01"
      ],
      "observed_techniques": [
        "OAK-T11.001",
        "OAK-T10.001"
      ],
      "citations": [
        "chainalysis2024dprk",
        "chainalysiskucoinlazarus",
        "mandiantcoincheck2018"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S10-manuscrypt.md"
    },
    {
      "id": "OAK-S11",
      "name": "3CX VoIP Client Trojan",
      "type": "malware",
      "aliases": [
        "3CX Desktop App trojan; \"3CX supply-chain compromise\" (incident-naming convention used by Mandiant, Volexity, SentinelOne, CrowdStrike, and Sophos in the March-April 2023 reporting cohort); UNC4736 (Mandiant operator-cluster naming for the DPRK financial-funding operator within the broader Lazarus cluster that ran the 3CX intrusion); SmoothOperator (SentinelOne campaign naming); ICONIC (CrowdStrike naming); the trojanized binaries themselves are `3CXDesktopApp` (macOS Mach-O) and `3CXDesktopApp.exe` (Windows PE) and the second-stage payloads include ICONICSTEALER (Windows infostealer) and UNC4736's macOS payload chain. The cascading X_Trader supply-chain compromise that enabled the 3CX intrusion is tracked under separate naming (Mandiant: VEILEDSIGNAL backdoor; the X_Trader package itself is the Trading Technologies trading-software family)."
      ],
      "active": "sunset (March 2023 incident; incident-specific binaries and infrastructure burned during the public response in April 2023; UNC4736 operator continues to operate under follow-on tooling — see Radiant Capital September 2024 attribution to the same cluster).",
      "first_observed": "2023-03-22 (initial public detection by SentinelOne and CrowdStrike; Mandiant retained as 3CX's incident-response provider; public attribution to UNC4736 / DPRK published April 11, 2023).",
      "host_platforms": [
        "cross-platform (Windows and macOS — both `3CXDesktopApp.exe` and `3CXDesktopApp` Mach-O binaries were trojanized in the supply-chain compromise; Linux 3CX builds were not affected per public reporting)."
      ],
      "used_by_groups": [
        "OAK-G01"
      ],
      "observed_techniques": [
        "OAK-T11.001"
      ],
      "citations": [
        "chainalysis2024dprk",
        "mandiant3cx2023",
        "mandiantradiant2024",
        "mandiantucsx2023"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S11-3cx-trojan.md"
    },
    {
      "id": "OAK-S12",
      "name": "JADESNOW",
      "type": "malware",
      "aliases": [
        "JADESNOW (Mandiant-original naming, retained as the canonical industry label per the March 2023 APT43 attribution report); related Mandiant-tracked components in the APT43 toolset that JADESNOW operates alongside include LATEOP (initial-access loader)",
        "BABYSHARK (PowerShell-based reconnaissance / staging family also documented in Kimsuky activity by multiple vendors)",
        "and QUASARRAT customisations attributed to the cluster; the broader Kimsuky / APT43 toolset is tracked under external Group ID G0094 with a software-entry list that overlaps JADESNOW's operational role."
      ],
      "active": "yes (continued use within APT43 / Kimsuky operations through 2024–2025 per Mandiant, Microsoft, and Recorded Future reporting; specific JADESNOW build-versioning is not consolidated in public reporting at the level of detail that AppleJeus or Manuscrypt enjoy).",
      "first_observed": "2023-03 (Mandiant March 28, 2023 APT43 attribution report public-naming date; underlying tool-development-and-deployment activity dates to earlier within Kimsuky's operational history per Mandiant's longitudinal tracking).",
      "host_platforms": [
        "Windows (the dominant deployment target for JADESNOW within the APT43 / Kimsuky operational profile, consistent with the cluster's spear-phishing-into-Windows-victim-environment tradecraft against policy researchers, journalists, and government targets)."
      ],
      "used_by_groups": [
        "OAK-G07"
      ],
      "observed_techniques": [
        "OAK-T8.001"
      ],
      "citations": [
        "bfvnis2023kimsuky",
        "chainalysis2024dprk",
        "mandiantapt432023",
        "mofakimsuky2023",
        "ofac2023kimsuky"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S12-jadesnow.md"
    },
    {
      "id": "OAK-S13",
      "name": "RedLine Stealer",
      "type": "infostealer",
      "aliases": [
        "RedLine",
        "RedLine Infostealer"
      ],
      "active": "yes (2020-present; intermittent disruption efforts but no confirmed sunset as of 2026)",
      "first_observed": "2020-03 (early forum advertisements; broadly distributed by mid-2020)",
      "host_platforms": [
        "Windows (primary); cross-platform browser-data targets (Chromium-family, Gecko-family)"
      ],
      "used_by_groups": [],
      "observed_techniques": [
        "OAK-T11.002",
        "OAK-T4.004",
        "OAK-T4.005"
      ],
      "citations": [
        "opmagnus2024",
        "redlineflashpoint2021"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S13-redline-stealer.md"
    },
    {
      "id": "OAK-S14",
      "name": "Lumma Stealer",
      "type": "infostealer",
      "aliases": [
        "LummaC2",
        "Lumma",
        "Lumma C2 Stealer"
      ],
      "active": "yes (2022-present; significant disruption May 2025; partial reconstitution observed thereafter)",
      "first_observed": "2022-08 (early forum advertisements under the LummaC2 brand)",
      "host_platforms": [
        "Windows (primary)"
      ],
      "used_by_groups": [],
      "observed_techniques": [
        "OAK-T11.002",
        "OAK-T4.004",
        "OAK-T4.005"
      ],
      "citations": [
        "clickfixproofpoint2024",
        "lummasekoia2023",
        "lummatakedown2025"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S14-lumma-stealer.md"
    },
    {
      "id": "OAK-S15",
      "name": "AsyncRAT",
      "type": "malware (open-source remote access trojan)",
      "aliases": [
        "Async RAT",
        "AsyncRAT C#"
      ],
      "active": "yes (2019-present; continuously forked and rebuilt)",
      "first_observed": "2019-01 (initial public release of the open-source C# project on GitHub)",
      "host_platforms": [
        "Windows (primary; .NET Framework / .NET Core targets)"
      ],
      "used_by_groups": [],
      "observed_techniques": [
        "OAK-T11.002",
        "OAK-T4.004",
        "OAK-T4.005"
      ],
      "citations": [
        "asyncratmandiant2023",
        "asyncratorigingithub2019"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S15-asyncrat.md"
    },
    {
      "id": "OAK-S16",
      "name": "Profanity",
      "type": "tool / vanity-gen (open-source Ethereum vanity-address generator)",
      "aliases": [
        "Profanity (johguse/profanity)"
      ],
      "active": "sunset / deprecated (2022-09; upstream archived and explicitly marked unsafe following the 1inch disclosure; some forks persist but are not treated as safe by the defender community)",
      "first_observed": "2017 (initial release as a GPU-accelerated Ethereum vanity-address generator)",
      "host_platforms": [
        "Linux / Windows / macOS (GPU-accelerated, OpenCL)"
      ],
      "used_by_groups": [],
      "observed_techniques": [
        "OAK-T11.004"
      ],
      "citations": [
        "halbornwintermute2022"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S16-profanity.md"
    },
    {
      "id": "OAK-S17",
      "name": "jaredfromsubway.eth",
      "type": "mev-bot",
      "aliases": [
        "Jared",
        "jaredfromsubway",
        "\"Jared 2.0\" (2024 iteration tracked by EigenPhi)"
      ],
      "active": "yes (operating since 2023-02-27; continuously tracked publicly through 2024 and beyond)",
      "first_observed": "2023-02-27 (first publicly-tracked transactions on Ethereum mainnet)",
      "host_platforms": [
        "Ethereum mainnet (sandwich-MEV operation); off-chain searcher infrastructure not publicly characterised"
      ],
      "used_by_groups": [],
      "observed_techniques": [
        "OAK-T5.004"
      ],
      "citations": [
        "daian2019flashboys",
        "eigenphijared2023"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S17-jaredfromsubway.md"
    },
    {
      "id": "OAK-S18",
      "name": "Pump.fun-style Bundlers",
      "type": "tool / mev-bot (class)",
      "aliases": [
        "Pump.fun bundlers",
        "launch bundlers",
        "dev-snipe bundlers",
        "Jito bundlers (in this context)"
      ],
      "active": "yes (2023-present; continuous activity tracking the lifecycle of Pump.fun and similar Solana token-launch venues)",
      "first_observed": "2023-Q4 (emergence alongside Pump.fun's launch and rapid growth in late 2023 / early 2024)",
      "host_platforms": [
        "Solana (primary); equivalent classes have emerged on other chains' token-launch venues"
      ],
      "used_by_groups": [],
      "observed_techniques": [
        "OAK-T3.001",
        "OAK-T2.001",
        "OAK-T13.002"
      ],
      "citations": [
        "jitobundlepolicies2024",
        "pumpfunbundlerbubblemaps2024",
        "pumpfunlaunchruganalytics2024"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S18-pumpfun-bundlers.md"
    },
    {
      "id": "OAK-S19",
      "name": "KandyKorn",
      "type": "malware",
      "aliases": [
        "KANDYKORN (Elastic Security Labs original naming, November 2023, retained as the canonical industry label); SUGARLOADER (Elastic naming for the early-stage component within the same intrusion chain that loads the KandyKorn Mach-O backdoor); HLOADER (Elastic naming for the LaunchAgent-persistence helper observed in the same chain — sometimes catalogued separately, sometimes folded into the KandyKorn family entry depending on vendor); naming-overlap caveat: KandyKorn is operationally tracked by Mandiant within the broader UNC4736 / AppleJeus / Citrine Sleet umbrella and by Microsoft within the Citrine Sleet weather-name lineage, so the same observed activity may be reported as \"KandyKorn detected\" or as \"Citrine Sleet macOS staging\" depending on the reporting vendor."
      ],
      "active": "yes (Elastic's original 2023 reporting characterised the family as actively-evolving; subsequent industry coverage through 2024–2025 places it within the continuing macOS DPRK lineage).",
      "first_observed": "2023-11 (Elastic Security Labs, \"KANDYKORN: Inside the Stash,\" November 1, 2023 — the canonical first-public-documentation date; underlying campaign activity tracked by Elastic from earlier in 2023).",
      "host_platforms": [
        "macOS (Intel and Apple Silicon — Elastic's original reporting documented Mach-O builds for both architectures within the same campaign infrastructure, consistent with the broader DPRK macOS lineage's shift to universal-binary distribution from 2022 onward)."
      ],
      "used_by_groups": [
        "OAK-G01"
      ],
      "observed_techniques": [
        "OAK-T11.001",
        "OAK-T11.002"
      ],
      "citations": [
        "chainalysis2024dprk",
        "cisaaa22108a",
        "elastickandykorn2023",
        "mandiantradiant2024",
        "microsoftcitrineradiant2024"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S19-kandykorn.md"
    },
    {
      "id": "OAK-S20",
      "name": "RustBucket",
      "type": "malware",
      "aliases": [
        "RustBucket (Jamf Threat Labs original naming, April 2023, retained as the canonical industry label); naming overlap with the Mandiant UNC4899 / TraderTraitor sub-cluster tracking and with the Microsoft Sapphire Sleet weather-name lineage that covers BlueNoroff macOS activity through 2024; \"Hidden Risk\" is a related but operationally distinct subsequent-campaign naming used by SentinelOne / Phil Stokes for the late-2024 BlueNoroff macOS lure cohort that re-uses elements of the RustBucket toolset; the family is sometimes catalogued under the broader BlueNoroff macOS umbrella alongside ObjCShellz (OAK-S22) and SwiftLoader (OAK-S21) rather than as a wholly-distinct entry, but Jamf's original RustBucket naming remains the canonical industry label for the Rust-language second-stage loader specifically."
      ],
      "active": "yes (Jamf's April 2023 reporting was followed by SentinelOne's continuing coverage through 2023–2024 documenting iterative variants and the RustBucket → ObjCShellz chain; the family remains in active service per multi-vendor reporting).",
      "first_observed": "2023-04 (Jamf Threat Labs, \"BlueNoroff Targets macOS — RustBucket,\" April 21, 2023 — the canonical first-public-documentation date; underlying campaign activity tracked by Jamf from earlier in 2023).",
      "host_platforms": [
        "macOS (Intel-first, with Apple Silicon variants documented in subsequent Jamf and SentinelOne reporting through 2023–2024 consistent with the broader DPRK macOS lineage's shift to universal-binary distribution)."
      ],
      "used_by_groups": [
        "OAK-G08",
        "OAK-G01"
      ],
      "observed_techniques": [
        "OAK-T11.001",
        "OAK-T11.002"
      ],
      "citations": [
        "chainalysis2024dprk",
        "jamfrustbucket2023",
        "microsoftsapphiresleet2023",
        "sentinelhiddenrisk2024",
        "sentinelobjcshellz2023"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S20-rustbucket.md"
    },
    {
      "id": "OAK-S21",
      "name": "SwiftLoader",
      "type": "malware",
      "aliases": [
        "SwiftLoader (SentinelOne / Phil Stokes naming used through 2023–2024 reporting, retained as the canonical industry label for the Swift-language initial-stage downloader); naming-overlap caveat: SwiftLoader is operationally tracked alongside RustBucket (OAK-S20), ObjCShellz (OAK-S22), and the Hidden Risk campaign cohort within the broader BlueNoroff and Lazarus macOS lineages, so the same observed activity may be reported as \"SwiftLoader detected\" or as \"BlueNoroff macOS staging\" or as \"Citrine Sleet macOS downloader\" depending on the reporting vendor; the Microsoft weather-name conventions (Sapphire Sleet for BlueNoroff, Citrine Sleet for the AppleJeus / UNC4736 cluster) cover SwiftLoader-lineage staging on both sides; some reporting catalogues SwiftLoader as a stage within the broader Hidden Risk campaign rather than as a wholly-distinct family entry."
      ],
      "active": "yes (continuing service through 2024–2025 per SentinelOne and corroborating-vendor reporting; the Swift-implementation initial-stage downloader role is one of the persistently-utilised slots in the cross-cluster DPRK macOS toolset).",
      "first_observed": "2023 (SentinelOne / Phil Stokes coverage through late 2023 documented the Swift-language initial-stage downloader role within observed BlueNoroff macOS chains; subsequent 2024 reporting expanded the family-level coverage); precise first-public-documentation date varies by which SentinelOne post is cited, with continuing iterative documentation through the Hidden Risk reporting cohort (`[sentinelhiddenrisk2024]`).",
      "host_platforms": [
        "macOS (Intel and Apple Silicon — universal-binary distribution consistent with the broader DPRK macOS lineage's 2022-onward shift to universal builds)."
      ],
      "used_by_groups": [
        "OAK-G01",
        "OAK-G08"
      ],
      "observed_techniques": [
        "OAK-T11.001",
        "OAK-T11.002"
      ],
      "citations": [
        "chainalysis2024dprk",
        "jamfrustbucket2023",
        "microsoftcitrineradiant2024",
        "microsoftsapphiresleet2023",
        "sentinelhiddenrisk2024",
        "sentinelobjcshellz2023",
        "sentinelswiftloader2023"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S21-swiftloader.md"
    },
    {
      "id": "OAK-S22",
      "name": "ObjCShellz",
      "type": "malware",
      "aliases": [
        "ObjCShellz (SentinelOne / Phil Stokes original naming, November 2023, retained as the canonical industry label); naming-overlap caveat: ObjCShellz is operationally tracked alongside RustBucket (OAK-S20), SwiftLoader (OAK-S21), and the Hidden Risk campaign cohort within the broader BlueNoroff and Lazarus macOS lineages; Microsoft's weather-name conventions (Sapphire Sleet for BlueNoroff, Citrine Sleet for the AppleJeus / UNC4736 cluster) cover ObjCShellz-lineage staging on both sides; some reporting catalogues ObjCShellz as a third-stage component within the broader RustBucket → ObjCShellz chain rather than as a wholly-distinct family entry, but SentinelOne's original naming remains the canonical industry label for the Objective-C-language reverse-shell specifically."
      ],
      "active": "yes (continuing service through 2024–2025 per SentinelOne and corroborating-vendor reporting; the lightweight Objective-C reverse-shell role is one of the persistently-utilised post-loader components in the cross-cluster DPRK macOS toolset).",
      "first_observed": "2023-11 (SentinelOne / Phil Stokes, \"BlueNoroff Strikes Again with New macOS Malware,\" November 6, 2023 — the canonical first-public-documentation date; underlying campaign activity tracked by SentinelOne from earlier in 2023).",
      "host_platforms": [
        "macOS (Intel and Apple Silicon — universal-binary distribution consistent with the broader DPRK macOS lineage's 2022-onward shift to universal builds)."
      ],
      "used_by_groups": [
        "OAK-G01",
        "OAK-G08"
      ],
      "observed_techniques": [
        "OAK-T11.001",
        "OAK-T11.002"
      ],
      "citations": [
        "chainalysis2024dprk",
        "jamfrustbucket2023",
        "microsoftsapphiresleet2023",
        "sentinelhiddenrisk2024",
        "sentinelobjcshellz2023"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S22-objcshellz.md"
    },
    {
      "id": "OAK-S23",
      "name": "LockBit ransomware",
      "type": "ransomware",
      "aliases": [
        "LockBit (the encryptor brand maintained by the LockBitSupp / Khoroshev development line, January 2020 onward); LockBit 1.0 / \"ABCD\" ransomware (the .abcd-extension first variant from January 2020 that gave the family its earliest informal name); LockBit 2.0 / LockBit Red (June 2021, introduced StealBit data-exfiltration tooling and the \"automated\" affiliate-onboarding model); LockBit 3.0 / LockBit Black (June 2022, introduced the bug-bounty programme on the leak site and partial code reuse from the leaked BlackMatter source); LockBit Green (January 2023, a build incorporating leaked Conti v3 source code and re-released under LockBit branding); LockBit-NG-Dev (a 2024 pre-release Rust-language rewrite recovered during Operation Cronos and not field-deployed). Industry-side cross-attribution labels include the external cyber-threat-intel taxonomy ID S1180."
      ],
      "active": "degraded — Operation Cronos disruption February 19–20, 2024 (`[nca2024operationcronos]`); brand-attributable extortion volume down approximately 79% in H2 2024 versus H1 2024 per `[chainalysis2025ransomware]`; LockBit-branded leak-site activity continued at much-reduced cadence into 2025 but the operator network's operational continuity is structurally damaged. Khoroshev remained at large in Russia as of v0.1.",
      "first_observed": "2020-01 (LockBit 1.0 first observed in the wild; January 2020 advertisements on Russian-language criminal forums marked the brand's debut).",
      "host_platforms": [
        "Windows (primary, all major versions); Linux (LockBit 2.0 onward, with dedicated Linux/ESXi targeting in LockBit 3.0); VMware ESXi (the dedicated ESXi-hypervisor variant from 2021 onward is one of the family's defining technical features and shaped the ESXi-targeting trend across the broader RaaS sector); cross-platform aspirations in the unreleased LockBit-NG-Dev Rust rewrite (which mirrored the BlackCat / ALPHV cross-platform-Rust design choice)."
      ],
      "used_by_groups": [
        "OAK-G05",
        "OAK-G06"
      ],
      "observed_techniques": [
        "OAK-T7.001",
        "OAK-T7.002",
        "OAK-T7.003"
      ],
      "citations": [
        "chainalysis2024khoroshev",
        "chainalysis2024lockbit",
        "chainalysis2025ransomware",
        "cisaaa23165a",
        "doj2024khoroshev",
        "doj2024ryzhenkov",
        "mandiant2022unc2165lockbit",
        "nca2024operationcronos",
        "ofac2024khoroshev",
        "ofac2024lockbitaffiliates",
        "sophos2024lockbit",
        "trendmicro2024lockbit",
        "unit42lockbit2023"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S23-lockbit.md"
    },
    {
      "id": "OAK-S24",
      "name": "BlackCat / ALPHV ransomware",
      "type": "ransomware",
      "aliases": [
        "ALPHV (the operator-side preferred name on Russian-language criminal forums and the leak-site branding); BlackCat (the industry / vendor naming convention adopted from the leak-site logo and the cat-iconography in the encryptor's ransom-note theming); Noberus (Symantec / Broadcom analyst naming); ALPHV/BlackCat (the conjoined form used in U.S. government advisories and in most CTI vendor reporting); external cyber-threat-intel taxonomy ID S1068."
      ],
      "active": "sunset (2024-03) — the ALPHV operators executed an exit-scam in early March 2024 after receiving an approximately $22M ransom payment from Change Healthcare / UnitedHealth Group (the victim of ALPHV affiliate \"Notchy\"), redirecting the payment away from the affiliate to operator-controlled wallets and posting a fabricated \"FBI seizure\" banner on the leak site (the FBI itself disclaimed the takedown, distinguishing the self-exit-scam from the prior December 2023 FBI-led disruption). No genuine ALPHV-branded operations have been observed post-exit; affiliate-side migration to RansomHub, Cl0p, and other brands is documented through 2024.",
      "first_observed": "2021-11 (first leak-site postings November 2021; FBI Flash CU-000167-MW April 19, 2022 was the first U.S.-government public reference).",
      "host_platforms": [
        "Windows (primary, with Windows-server enterprise targeting the dominant deployment surface); Linux (parity build released alongside Windows); VMware ESXi (a dedicated hypervisor variant, mirroring the LockBit-3.0-era sector pivot to ESXi-targeting); the Rust-language implementation produces structurally identical builds across these platforms, which is the family's defining technical innovation and the principal reason for ALPHV's 2022–2023 affiliate-attractiveness."
      ],
      "used_by_groups": [
        "OAK-G10"
      ],
      "observed_techniques": [
        "OAK-T7.001",
        "OAK-T7.002",
        "OAK-T7.003"
      ],
      "citations": [
        "chainalysis2024changehealthcare",
        "chainalysis2025ransomware",
        "cisaaa23061a",
        "cisaaa24061a",
        "doj2023alphvtakedown",
        "fbiflashalphv2022",
        "mandiant2023unc3944",
        "microsoft2024blackcat",
        "symantecnoberus2022",
        "witty2024testimony"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S24-blackcat-alphv.md"
    },
    {
      "id": "OAK-S25",
      "name": "Maui ransomware",
      "type": "ransomware",
      "aliases": [
        "Maui (the canonical CISA / FBI naming, established by joint advisory AA22-187A on July 6, 2022); industry-side alternative naming is sparse because the family was never offered as a commodity-or-affiliate product and so does not have the parallel vendor-naming proliferation of LockBit / ALPHV / Conti; Mandiant attributes operationally to the Andariel sub-cluster of the broader Lazarus / DPRK constellation; CrowdStrike-side overlap with the Stonefly / Silent Chollima naming for the same operator cohort."
      ],
      "active": "dormant — no public Maui-attributed deployments observed post-2023 in open-source CTI; the family was always low-volume and operator-bespoke rather than commodity, and Andariel cluster activity has rotated through several subsequent ransomware families (e.g. Maui → H0lyGh0st / PLAY-affiliated activity → SiennaPurple / SiennaBlue successors per Microsoft tracking). Treat as dormant rather than confirmed-sunset because operator continuity is documented and re-emergence under the same Andariel umbrella with rebadged tooling is expected.",
      "first_observed": "2021-05 (the earliest deployment documented in CISA AA22-187A is May 2021 against an unnamed U.S. healthcare-sector victim; the advisory itself was published July 6, 2022).",
      "host_platforms": [
        "Windows (the only platform observed in public reporting; CISA AA22-187A and the subsequent Mandiant / Microsoft / Stairwell technical analyses describe a Windows-only x86 implementation)."
      ],
      "used_by_groups": [
        "OAK-G09",
        "OAK-G01"
      ],
      "observed_techniques": [
        "OAK-T7.001",
        "OAK-T7.002",
        "OAK-T8.002"
      ],
      "citations": [
        "chainalysis2024dprk",
        "chainalysisdprkmaui2024",
        "cisaaa22187a",
        "doj2024rimjonghyok",
        "mandiantandariel2022",
        "microsoftonyxsleet2022",
        "stairwell2022maui"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S25-maui.md"
    },
    {
      "id": "OAK-S26",
      "name": "Conti ransomware",
      "type": "ransomware",
      "aliases": [
        "Conti (the operator-side and leak-site-branded name, May 2020 onward); Wizard Spider (CrowdStrike's intrusion-set naming for the operator cohort, predating the Conti brand and continuing through Conti-successor-brand era); UNC1878 (Mandiant's earlier intrusion-set naming for the same cohort, partially superseded by the operator-cohort-rebranding pattern post-2022); TrickBot Group (informal industry naming linking the cohort to its earlier banker-trojan operating substrate); external cyber-threat-intel taxonomy ID S0575. Conti is operationally the successor brand to Ryuk (2018–2020) within the same operator-cohort identity, and predecessor brand-of-record to the post-May-2022 dispersal cohort (Black Basta, Royal / BlackSuit, Karakurt, BlackByte, Quantum / Zeon, AvosLocker partial overlap, and broader Conti-diaspora affiliate placements)."
      ],
      "active": "sunset (2022-05) — operator-cluster dissolution announced internally during May 2022 following the late-February-2022 ContiLeaks insider-disclosure event in which a pro-Ukraine cluster member published approximately 60,000 internal chat-log messages, source code, and operational documents in retaliation for the operator's public alignment with the Russian state's invasion of Ukraine. The Conti-branded leak site went offline in late May / early June 2022; the operator cohort dispersed into multiple successor brands while retaining operator continuity at the personnel level. *No genuine Conti-branded operations have been observed post-mid-2022; the brand is fully sunset, but operator continuity into the successor brands is the dominant 2022–2025 ransomware-sector trajectory.*",
      "first_observed": "2020-05 (Conti leak-site debut May 2020; Wizard-Spider-cohort ransomware operations under earlier branding, principally Ryuk, dated to August 2018).",
      "host_platforms": [
        "Windows (primary, all variants); Linux (a Conti-Linux variant emerged in late 2021 with VMware ESXi targeting, mirroring the broader RaaS-sector ESXi pivot; partial code reuse of the Conti-Linux variant is documented in Hive's Linux build per Mandiant); the Conti v3 Windows codebase was leaked in full during the ContiLeaks dump and has since been forked / rebadged by multiple unrelated groups (LockBit Green is the highest-profile rebadge — see OAK-S23 — but unaffiliated commodity-tier Conti-fork builds also circulate)."
      ],
      "used_by_groups": [
        "OAK-G06",
        "OAK-G05"
      ],
      "observed_techniques": [
        "OAK-T7.001",
        "OAK-T7.002",
        "OAK-T8.001"
      ],
      "citations": [
        "chainalysis2022conti",
        "chainalysis2025ransomware",
        "cisaaa21265a",
        "cisaaa22046a",
        "contileaks2022",
        "costaricaconti2022",
        "crowdstrikewizardspider2022",
        "mandiantcontileaks2022",
        "ofac2022garantex",
        "recordedfuturecontihse2021"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S26-conti.md"
    },
    {
      "id": "OAK-S27",
      "name": "Black Basta ransomware",
      "type": "ransomware",
      "aliases": [
        "Black Basta (the operator-side and leak-site-branded name from the brand's April 2022 debut); industry-side cross-attribution labels include UNC4393 (Mandiant intrusion-set naming for the operator cluster), Storm-1811 (Microsoft Threat Intelligence naming, partially overlapping the broader Conti-successor-cohort surface), and the informal \"Conti Team 3\" / \"Conti Black\" naming used in early 2022 industry reporting that documented the operator-cohort continuity from Conti at the personnel level. The brand is operationally the most-prominent direct-successor brand in the Conti-cohort dispersal network (see OAK-S26 Discussion for the broader Conti-successor framing). The internal-chat-leak event of February 2024 (the \"BlackBastaGPT\" / `[blackbastaleaks2024]` corpus) provides a primary-source record of the operator cohort's internal organisation comparable in evidentiary weight to the ContiLeaks corpus for Conti."
      ],
      "active": "degraded — brand-attributable extortion volume declined materially through H2 2024 and into early 2025 following the February 2024 internal-chat-leak event and subsequent affiliate migration; some affiliate-cohort members rotated onto Cactus and BlackSuit affiliate panels per Mandiant and Microsoft post-leak tracking. Brand had not been formally sunset as of v0.1 but operational-continuity is structurally damaged in the same idiom as OAK-S23 LockBit post-Cronos.",
      "first_observed": "2022-04 (Black Basta leak-site debut April 2022; brand emergence is read as immediately pre-Conti-dissolution, with operator personnel migration from the Conti cohort into the new brand identity documented at the internal-chat-recovered level via the February 2024 leak corpus).",
      "host_platforms": [
        "Windows (primary, all enterprise-server variants); Linux / VMware ESXi (a dedicated ESXi-hypervisor variant emerged June 2022, mirroring the broader RaaS-sector pivot to hypervisor-targeted attacks established by LockBit and ALPHV). The Windows codebase is C++-authored with structural-and-stylistic similarities to Conti v3 documented by Trend Micro, Sophos, and Mandiant; the lineage is read as *Conti-codebase-derivative-with-rewrites* rather than a clean fork."
      ],
      "used_by_groups": [
        "OAK-G11"
      ],
      "observed_techniques": [
        "OAK-T7.001",
        "OAK-T7.002",
        "OAK-T8.001"
      ],
      "citations": [
        "blackbastaleaks2024",
        "chainalysis2025ransomware",
        "chainalysisblackbasta2024",
        "cisaaa24131a",
        "mandiantunc4393",
        "microsoftstorm1811",
        "ofac2022garantex",
        "sophosblackbasta2022",
        "trendmicroblackbasta2022"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S27-black-basta.md"
    },
    {
      "id": "OAK-S28",
      "name": "Royal / BlackSuit ransomware",
      "type": "ransomware",
      "aliases": [
        "Royal (the operator-side and leak-site-branded name from the brand's September 2022 debut through mid-2023); BlackSuit (the rebranded operator-and-encryptor identity from June 2023 onward); industry-side cross-attribution labels include DEV-0569 / Storm-0569 (early Microsoft Threat Intelligence naming for the operator cluster prior to the BlackSuit rebrand), the informal \"Royal/BlackSuit\" conjoined naming used in CISA AA23-061A and the November 2023 / August 2024 update advisories, and the \"Zeon\" naming used in earlier 2022 Conti-successor-brand reporting that documented the encryptor's lineage to Conti's Zeon variant. The brand-rotation event from Royal to BlackSuit in mid-2023 is widely read by Mandiant, Microsoft, and CISA as a *brand-toxicity-management response to attribution-graph tracking* — an attempt to shed the Royal-name accumulation of attributable victim count and U.S.-government advisory surface (CISA AA23-061A specifically) and continue operations under a fresh brand identity. The encryptor-codebase, leak-site infrastructure, and operator-cohort were continuous across the rebrand at the wallet-cluster and tradecraft-fingerprint levels."
      ],
      "active": "active — BlackSuit-branded operations continued through 2024 and into 2025 with the OFAC December 2023 designation surface providing institutional pressure but not operational disruption; the brand had not been formally sunset as of v0.1 and remains an active-detection target. Brand-attributable extortion volume placed BlackSuit in the top-five ransomware brands by leak-site postings through 2024 per Recorded Future / Coveware tracking.",
      "first_observed": "2022-09 (Royal-branded operations debuted September 2022; the Royal encryptor was forked from Conti's Zeon variant per Mandiant and Microsoft attribution work, providing direct codebase continuity to the Conti-cohort dispersal network); rebranded to BlackSuit in June 2023.",
      "host_platforms": [
        "Windows (primary, all enterprise-server variants); Linux / VMware ESXi (a dedicated ESXi-hypervisor variant emerged in early 2023, mirroring the broader RaaS-sector pivot to hypervisor-targeted attacks). The Windows codebase's lineage to Conti's Zeon variant is the cleanest documented case of *direct Conti-codebase fork as a successor-brand encryptor* — Royal forked from Zeon rather than being a clean rewrite, distinguishing it from the Black Basta lineage where the Conti v3 codebase was substantively rewritten before redeployment."
      ],
      "used_by_groups": [],
      "observed_techniques": [
        "OAK-T7.001",
        "OAK-T7.002",
        "OAK-T8.001"
      ],
      "citations": [
        "chainalysis2025ransomware",
        "chainalysisroyalblacksuit2024",
        "cisaaa23061a",
        "cisaaa24228a",
        "mandiantroyalblacksuit2023",
        "microsoftstorm0569",
        "ofac2023royalblacksuit",
        "sophosroyalblacksuit2023",
        "trendmicroroyalblacksuit2023"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S28-royal-blacksuit.md"
    },
    {
      "id": "OAK-S29",
      "name": "BeaverTail",
      "type": "malware (npm-package supply-chain malware / first-stage JavaScript loader and infostealer)",
      "aliases": [
        "BeaverTail (the Palo Alto Unit 42 naming established in the canonical July 2023 publication that first publicly documented the family); industry-side cross-attribution labels include the broader campaign naming \"Contagious Interview\" (Unit 42 campaign-level naming for the recruiter-pretext intrusion set carrying BeaverTail and InvisibleFerret payloads) and \"Wagemole\" (an adjacent / partially-overlapping campaign naming used by Unit 42 and Mandiant for the DPRK-IT-worker-fraud surface that shares operator cohort and tooling with Contagious Interview); operator-cluster naming overlaps with the broader DPRK Lazarus / TraderTraitor / BlueNoroff intrusion set (CrowdStrike's Famous Chollima naming and Microsoft's Sapphire Sleet / Moonstone Sleet naming for related operator-cohort surfaces)."
      ],
      "active": "yes — continuous variants observed through 2024–2025 with sustained npm-registry submission cadence; Unit 42, SentinelOne, ReversingLabs, and Sonatype track ongoing variant-rotation and registry-submission patterns; the principal mitigation surface is npm-registry-side takedown of malicious packages, but operator-side rotation onto new fake-author personas and new package-name surfaces is faster than registry-side takedown response.",
      "first_observed": "2023-07 (Palo Alto Unit 42 canonical publication date, `[unit42beavertail2023]`; the underlying campaign activity is attributed back at least into early 2023 by retrospective registry-submission analysis).",
      "host_platforms": [
        "cross-platform (Windows, macOS, Linux — the JavaScript implementation runs natively in the Node.js runtime that the npm-package delivery surface presupposes; this cross-platform property is itself a defining family-architectural feature, distinguishing BeaverTail from the platform-specific macOS-focused TraderTraitor / RustBucket / KandyKorn / SwiftLoader / ObjCShellz lineage at OAK-S08 / S20 / S19 / S21 / S22)."
      ],
      "used_by_groups": [
        "OAK-G01",
        "OAK-G08"
      ],
      "observed_techniques": [
        "OAK-T11.001",
        "OAK-T11.002"
      ],
      "citations": [
        "chainalysis2024dprk",
        "crowdstrikefamouschollima2024",
        "mandiantwagemole2024",
        "unit42beavertail2023",
        "unit42contagiousinterview2024"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S29-beavertail.md"
    },
    {
      "id": "OAK-S30",
      "name": "InvisibleFerret",
      "type": "malware (Python second-stage backdoor / credential-and-wallet-data infostealer)",
      "aliases": [
        "InvisibleFerret (the Palo Alto Unit 42 naming established alongside the BeaverTail naming in the canonical July 2023 publication that first publicly documented both families); industry-side cross-attribution labels include the broader campaign naming \"Contagious Interview\" (Unit 42 campaign-level naming for the recruiter-pretext intrusion set carrying the BeaverTail → InvisibleFerret payload chain) and \"Wagemole\" (the adjacent DPRK-IT-worker-fraud campaign sharing operator cohort and tooling); operator-cluster naming overlaps with the broader DPRK Lazarus / TraderTraitor / BlueNoroff intrusion set under CrowdStrike's Famous Chollima naming and Microsoft's Sapphire Sleet / Moonstone Sleet naming."
      ],
      "active": "yes — continuous variants tracked through 2024–2025 with Unit 42, SentinelOne, and Mandiant documenting per-version evolution; the family operates as the persistent-second-stage backdoor in the BeaverTail-led Contagious Interview / Wagemole campaign and is paired with BeaverTail in essentially all observed campaign deployments rather than operating standalone.",
      "first_observed": "2023-07 (Palo Alto Unit 42 canonical publication date, paired with the BeaverTail family disclosure in `[unit42beavertail2023]`; the underlying campaign activity is attributed back at least into early 2023 by retrospective analysis).",
      "host_platforms": [
        "cross-platform (Windows, macOS, Linux — the Python implementation runs natively in any Python-3 runtime that the BeaverTail first-stage establishes; cross-platform property mirrors BeaverTail and distinguishes the family from the platform-specific macOS-focused TraderTraitor lineage at OAK-S08)."
      ],
      "used_by_groups": [
        "OAK-G01",
        "OAK-G08"
      ],
      "observed_techniques": [
        "OAK-T11.001",
        "OAK-T11.002"
      ],
      "citations": [
        "chainalysis2024dprk",
        "crowdstrikefamouschollima2024",
        "jamfinvisibleferret2024",
        "mandiantwagemole2024",
        "sentineloneinvisibleferret2024",
        "unit42beavertail2023",
        "unit42invisibleferret2024"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S30-invisibleferret.md"
    },
    {
      "id": "OAK-S31",
      "name": "TigerRAT",
      "type": "malware (Windows backdoor / persistent-access remote-access-trojan)",
      "aliases": [
        "TigerRAT (the canonical KrCERT/CC + AhnLab naming established in 2022 publications and sustained across continuous Korean-side CTI reporting through 2024–2025); industry-side cross-attribution labels include the broader Andariel cluster naming surface — Silent Chollima (CrowdStrike)",
        "Onyx Sleet / Plutonium (Microsoft Threat Intelligence's continuous Andariel-cluster naming)",
        "Stonefly (Symantec / Broadcom)",
        "DarkSeoul-cohort historical naming for the broader DPRK destructive-and-espionage cluster from which Andariel is the contemporary financially-motivated sub-cluster",
        "and the external Group ID G0138 Andariel Group profile under which TigerRAT activity is documented."
      ],
      "active": "yes — continuous variants tracked through 2024–2025 by KrCERT/CC, AhnLab, Mandiant, Microsoft, and Symantec; the family is a sustained-deployment Andariel-cluster persistence-and-staging tool rather than a campaign-bounded payload, and its operational tempo is paced by Andariel's broader campaign cadence rather than by per-version-release boundaries.",
      "first_observed": "2022 (KrCERT/CC + AhnLab canonical publications established the family naming in 2022; underlying Andariel-cluster activity using the family is attributed back further by retrospective analysis but the public-record family-naming anchor is 2022).",
      "host_platforms": [
        "Windows (the only platform observed in public reporting; KrCERT/CC, AhnLab, and Mandiant analyses describe a Windows-only x86 implementation; no macOS or Linux variants documented as of v0.1)."
      ],
      "used_by_groups": [
        "OAK-G09"
      ],
      "observed_techniques": [
        "OAK-T7.001",
        "OAK-T7.002",
        "OAK-T8.002"
      ],
      "citations": [
        "ahnlabtigerrat2022",
        "chainalysisdprkmaui2024",
        "cisa2024andarieladvisory",
        "cisaaa22187a",
        "cisaaa22321a",
        "doj2024rimjonghyok",
        "krcerttigerrat2022",
        "mandiantandariel2022",
        "microsoftonyxsleet2022",
        "symantec2024stonefly"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S31-tigerrat.md"
    },
    {
      "id": "OAK-S32",
      "name": "AppleSeed",
      "type": "malware (Windows backdoor / persistent-access remote-access-trojan with HWP-document-borne delivery surface)",
      "aliases": [
        "AppleSeed (the canonical industry naming established across Cisco Talos, ESET, Mandiant, AhnLab, and KISA / KrCERT/CC publications and sustained as the dominant naming convention in continuous CTI reporting from approximately 2019 forward); industry-side cross-attribution labels include the broader Kimsuky / APT43 cluster naming surface — Kimsuky (the canonical Korean and U.S.-government naming for the operator cluster)",
        "Thallium (Microsoft Threat Intelligence's earlier Kimsuky naming)",
        "Black Banshee (CrowdStrike's Kimsuky-cluster naming)",
        "Velvet Chollima and the broader Chollima-family naming",
        "APT43 (Mandiant's March 2023 cluster-naming consolidation)",
        "TA406 (Proofpoint's Kimsuky naming)",
        "and the external Group ID G0094 Kimsuky Group profile under which AppleSeed activity is documented."
      ],
      "active": "yes — continuous variants tracked through 2024–2025 by Talos, ESET, Mandiant, AhnLab, KISA, and KrCERT/CC; the family is the primary Kimsuky persistence tool from approximately 2019 forward and the operational tempo is paced by Kimsuky's broader spear-phishing-campaign cadence rather than by per-version-release boundaries.",
      "first_observed": "2019 (the public-record family-naming anchor is approximately 2019 across early Kimsuky-cluster CTI reporting; underlying Kimsuky-cluster activity is attributed back further by retrospective analysis but the AppleSeed family naming and the documented HWP-document-borne delivery surface stabilised in industry reporting around 2019–2020).",
      "host_platforms": [
        "Windows (the only platform observed in public reporting; Talos, ESET, Mandiant, AhnLab, and KISA analyses describe a Windows-only x86 implementation; no macOS or Linux variants documented as of v0.1, consistent with the family's HWP-document-borne delivery surface that presupposes a Korean-language Windows-host target population)."
      ],
      "used_by_groups": [
        "OAK-G07"
      ],
      "observed_techniques": [
        "OAK-T7.001",
        "OAK-T7.002",
        "OAK-T8.002"
      ],
      "citations": [
        "ahnlabappleseed2021",
        "bfvnis2023kimsuky",
        "chainalysis2024dprk",
        "esetkimsuky2021",
        "mandiantapt43_2023",
        "mofakimsuky2023",
        "ofac2023kimsuky",
        "talosappleseed2021"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S32-appleseed.md"
    },
    {
      "id": "OAK-S33",
      "name": "Akira ransomware",
      "type": "ransomware",
      "aliases": [
        "Akira (the operator-side and leak-site-branded name from the brand's March 2023 debut, with the leak-site visual identity adopting a deliberate retro-1980s green-on-black terminal aesthetic that became the family's most-recognisable surface signature); Megazord (a short-lived Rust-language Linux/ESXi variant identifier used in mid-2023 builds before consolidation back under the Akira brand); industry-side cross-attribution labels include the informal \"Akira-Conti-derivative\" naming used in 2023 industry reporting that documented partial code-reuse signals between the Akira Windows codebase and the Conti v3 leaked source. Akira is widely read by Mandiant",
        "Sophos",
        "and Avast as a Conti-cohort-adjacent operator emergence rather than a direct Conti-cohort-continuity case in the idiom of OAK-S27 Black Basta or OAK-S28 Royal/BlackSuit; the lineage relationship is *partial-codebase-derivative-with-distinct-operator-cohort* rather than full cohort-continuity."
      ],
      "active": "active — Akira-branded operations continued through 2024 and into 2025 with sustained leak-site cadence and over 250 confirmed victim organisations through early 2024 per the April 2024 CISA / FBI / EC3 / NCSC-NL joint advisory AA24-109A (`[cisaaa24109a]`); the brand had not been subjected to a government takedown comparable to Operation Cronos (LockBit) or the December 2023 ALPHV action as of v0.1, and remains an active-detection target. Recorded Future / Coveware tracking placed Akira in the top-five ransomware brands by leak-site postings through 2024.",
      "first_observed": "2023-03 (Akira-branded operations debuted March 2023 with the Windows C++ encryptor; the Rust-language Linux / VMware ESXi variant followed in April–May 2023, mirroring the broader RaaS-sector pivot to Rust-implemented hypervisor variants established by ALPHV / BlackCat).",
      "host_platforms": [
        "Windows (primary, all enterprise-server variants, C++-authored codebase with partial structural similarities to Conti v3 documented by Sophos and Avast); Linux / VMware ESXi (a Rust-language variant emerged April–May 2023 under the temporary \"Megazord\" naming before consolidation back to the Akira brand). The dual-language architecture — C++ Windows + Rust ESXi/Linux — mirrors the ALPHV-influenced sector-wide pattern of Rust-for-cross-platform-hypervisor-variants while retaining C++ for the Windows codebase",
        "a hybrid pattern that became more common across 2023–2024 RaaS emergences."
      ],
      "used_by_groups": [
        "OAK-G16"
      ],
      "observed_techniques": [
        "OAK-T7.001",
        "OAK-T7.002",
        "OAK-T8.001"
      ],
      "citations": [
        "avast2023akira",
        "chainalysis2025ransomware",
        "chainalysisakira2024",
        "cisaaa24109a",
        "mandiantakira2023",
        "ofac2022garantex",
        "sophosakira2023",
        "trendmicroakira2023"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S33-akira-ransomware.md"
    },
    {
      "id": "OAK-S34",
      "name": "RansomHub ransomware",
      "type": "ransomware",
      "aliases": [
        "RansomHub (the operator-side and leak-site-branded name from the brand's February 2024 debut on Russian-language criminal forums); industry-side cross-attribution labels include the informal \"Knight-derivative\" naming used in mid-2024 industry reporting that documented partial code-reuse signals between the RansomHub Windows codebase and the prior Knight / Cyclops-class encryptor codebase (the operator-cohort behind Knight is widely read as having sold or licensed source code to the RansomHub developer team)",
        "and the \"post-ALPHV-affiliate-absorber\" descriptive used across CTI-vendor reporting to characterise the brand's principal market-positioning function in 2024. RansomHub is the canonical worked example of *operator-cohort opportunism in the wake of a competitor brand's exit-scam-driven dissolution* — the brand's rapid Q2–Q4 2024 growth is widely attributed to its capacity to absorb the high-tier ALPHV affiliate diaspora following the March 2024 ALPHV exit-scam (see OAK-S24 Discussion)",
        "with the \"Notchy\" affiliate behind the Change Healthcare attack widely reported as having rotated onto the RansomHub affiliate panel."
      ],
      "active": "active — RansomHub-branded operations continued through 2024 and into 2025 with sustained leak-site cadence; brand-attributable extortion volume placed RansomHub as the top-by-leak-site-postings RaaS brand in H2 2024 per Recorded Future / Coveware tracking, displacing both the post-Cronos LockBit and the post-exit-scam ALPHV from their prior market-share positions. The brand had not been subjected to a government takedown comparable to Operation Cronos or the December 2023 ALPHV action as of v0.1, and remains an active-detection target.",
      "first_observed": "2024-02 (RansomHub leak-site debut February 2024; advertisements on Russian-language criminal forums marked the brand's debut and the affiliate-onboarding panel was operational immediately, suggesting a substantial pre-launch development period and an operator-side cohort with prior RaaS-operational experience).",
      "host_platforms": [
        "Windows (primary, all enterprise-server variants, with the encryptor codebase showing partial structural similarities to the prior Knight / Cyclops-class codebase per Mandiant and Microsoft attribution work); Linux / VMware ESXi (a dedicated ESXi-hypervisor variant emerged in mid-2024); Go-language and Rust-language partial implementations have been documented in different RansomHub builds across 2024",
        "with the dual-language architecture mirroring the broader sector pattern of hybrid-codebase RaaS designs established by Akira (OAK-S33) and the LockBit NG-Dev rewrite."
      ],
      "used_by_groups": [
        "OAK-G15"
      ],
      "observed_techniques": [
        "OAK-T7.001",
        "OAK-T7.002",
        "OAK-T7.003",
        "OAK-T8.001"
      ],
      "citations": [
        "chainalysis2025ransomware",
        "chainalysisransomhub2024",
        "cisaaa24242a",
        "mandiantransomhub2024",
        "microsoftransomhub2024",
        "ofac2022garantex",
        "recordedfutureransomhub2024",
        "sophosransomhub2024",
        "trendmicroransomhub2024"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S34-ransomhub-ransomware.md"
    },
    {
      "id": "OAK-S35",
      "name": "BlackByte ransomware",
      "type": "ransomware",
      "aliases": [
        "BlackByte (the operator-side and leak-site-branded name from the brand's July 2021 debut, retained continuously across the multi-language codebase rotation through 2024); industry-side cross-attribution labels include the Wizard-Spider-cohort-adjacent / Conti-cohort-partial-overlap descriptive used in 2022 industry reporting that documented operator-personnel overlap with the broader Conti-cohort dispersal network",
        "and the BlackByte 2.0 / NT / 3.0 version-string naming used to disambiguate the multi-language codebase rotations across .NET (2021–2022)",
        "Go (2022–2023)",
        "and C++ (2023–2025) implementations. BlackByte sits in the Conti-cohort-adjacent category alongside Akira (OAK-S33) — operator-personnel overlap with the broader post-Conti dispersal network is documented but the lineage relationship is partial-overlap rather than full cohort-continuity in the idiom of OAK-S27 Black Basta or OAK-S28 Royal/BlackSuit."
      ],
      "active": "active — BlackByte-branded operations continued through 2024 and into 2025 with sustained leak-site cadence; the brand had not been subjected to a government takedown comparable to Operation Cronos (LockBit) or the December 2023 ALPHV action as of v0.1, and remains an active-detection target. Brand-attributable extortion volume placed BlackByte as a mid-tier RaaS strain across 2022–2024 — below the top-three by leak-site postings but with sustained presence and continued multi-vertical targeting per Recorded Future / Coveware tracking.",
      "first_observed": "2021-07 (BlackByte-branded operations debuted July 2021 with the .NET-language Windows encryptor; subsequent codebase rotations to Go (2022) and C++ (2023+) reflect a sustained operator-side investment in encryptor-codebase modernisation across the brand's lifetime, distinguishing BlackByte from the more-typical RaaS-sector pattern of either single-language codebase persistence or single-rewrite codebase rotation).",
      "host_platforms": [
        "Windows (primary, all enterprise-server variants, with the codebase rotated across .NET (2021–2022) → Go (2022–2023) → C++ (2023–2025) per Trustwave, Microsoft, and Sophos attribution work); Linux / VMware ESXi (a dedicated ESXi-hypervisor variant emerged in 2022, mirroring the broader RaaS-sector pivot to hypervisor-targeted attacks established by LockBit and ALPHV). The multi-language codebase rotation is the family's defining technical history and provides a useful comparative reference for understanding the *operator-side codebase-modernisation cadence* across a long-lifetime mid-tier RaaS brand — distinct from both single-language persistence (Conti's C++-only history) and single-rewrite rotation (LockBit's NG-Dev Rust rewrite recovered pre-deployment)."
      ],
      "used_by_groups": [
        "OAK-G17"
      ],
      "observed_techniques": [
        "OAK-T7.001",
        "OAK-T7.002",
        "OAK-T8.001"
      ],
      "citations": [
        "chainalysis2025ransomware",
        "chainalysisblackbyte2024",
        "cisaaa22039a",
        "microsoftblackbyte2023",
        "ofac2022garantex",
        "sophosblackbyte2023",
        "trendmicroblackbyte2022",
        "trustwaveblackbyte2021"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S35-blackbyte-ransomware.md"
    },
    {
      "id": "OAK-S36",
      "name": "Karakurt extortion-only kit",
      "type": "tool / extortion-only operation tooling",
      "aliases": [
        "Karakurt extortion kit; Karakurt Lair (operator leak-site branding); part of the Conti-spinoff cohort tracked by Mandiant and CrowdStrike under the Wizard Spider successor-brand umbrella."
      ],
      "active": "yes (continuous May 2021 → present, with periodic operating-tempo dips). Activity tracked through 2024–2025.",
      "first_observed": "2021-05.",
      "host_platforms": [
        "Cross-platform-by-tool-stack — Karakurt does not develop or deploy a custom encryptor and is not",
        "in the strict sense",
        "a \"ransomware family.\" Its operating tooling is a curated configuration of commodity post-exploitation and exfiltration utilities: Cobalt Strike (OAK-S37)",
        "Mimikatz",
        "AnyDesk",
        "rclone (the dominant Karakurt-fingerprint exfiltration utility)",
        "FileZilla / WinSCP",
        "Mega.io's MEGAsync",
        "and a custom set of automated victim-data-publication scripts running against the Karakurt Lair leak site."
      ],
      "used_by_groups": [
        "OAK-G18"
      ],
      "observed_techniques": [
        "OAK-T7.001",
        "OAK-T7.002",
        "OAK-T8.001",
        "OAK-T8.002"
      ],
      "citations": [
        "chainalysis2022conti",
        "cisaaa22152a",
        "contileaks2022",
        "crowdstrikewizardspider2022",
        "mandiantcontileaks2022"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S36-karakurt-extortion-kit.md"
    },
    {
      "id": "OAK-S37",
      "name": "Cobalt Strike",
      "type": "tool / commodity post-exploitation framework (legitimate red-team product, widely abused)",
      "aliases": [
        "Cobalt Strike Beacon (the canonical implant component); CS (industry shorthand). Originally developed by Raphael Mudge (commercial release 2012); acquired by HelpSystems / Fortra in 2020. External cyber-threat-intel taxonomy ID S0154."
      ],
      "active": "yes — both legitimate licensed deployments (red-team, penetration-testing) and the much-larger cracked-and-trojaned threat-actor population. Continuous abuse since approximately 2015; remains the dominant single post-exploitation framework in OAK-relevant ransomware-and-targeted-intrusion deployments through 2025.",
      "first_observed": "2012 (legitimate commercial release); first widely-documented criminal abuse approximately 2015–2016; ubiquity in major-RaaS-deployment chains established by 2020.",
      "host_platforms": [
        "Windows (primary, all variants); cross-platform Beacon variants (Linux, macOS) exist in legitimate licensed deployments and have been observed in some cracked-criminal deployments through 2024."
      ],
      "used_by_groups": [
        "OAK-G05",
        "OAK-G09",
        "OAK-G10",
        "OAK-G11",
        "OAK-G14",
        "OAK-G15",
        "OAK-G16",
        "OAK-G17",
        "OAK-G18",
        "OAK-G06"
      ],
      "observed_techniques": [
        "OAK-T11.001",
        "OAK-T8.001"
      ],
      "citations": [
        "cisaaa22046a",
        "cisaaa22152a",
        "cisaaa24131a",
        "mandiant3cx2023",
        "mandiantradiant2024",
        "microsoftcitrineradiant2024"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S37-cobalt-strike.md"
    },
    {
      "id": "OAK-S38",
      "name": "IcedID + Pikabot loaders",
      "type": "malware / commodity loader (initial-access broker class)",
      "aliases": [
        "IcedID — also tracked as BokBot (CrowdStrike) and as TA551-and-derivatives (Proofpoint historical naming for some delivery cohorts). Pikabot — successor-and-overlap loader to Qakbot (OAK-S40)",
        "tracked by Trend Micro",
        "Elastic",
        "and Zscaler from early 2023. The two are combined into a single OAK-S entry because they share the Russian-cybercrime-ecosystem operator substrate",
        "the initial-access-broker operating role",
        "and the May 2024 Operation Endgame disruption-event scope."
      ],
      "active": "IcedID — yes (2017 → present, with reduced post-Operation-Endgame tempo). Pikabot — yes (2023 → present, with reduced post-Operation-Endgame tempo).",
      "first_observed": "IcedID — 2017 (originally a banking-trojan; pivoted to ransomware-loader role from approximately 2020 onward). Pikabot — early 2023 (post-Qakbot-takedown gap-filling role established by Q2 2023).",
      "host_platforms": [
        "Windows (primary, all variants)."
      ],
      "used_by_groups": [
        "OAK-G05",
        "OAK-G10",
        "OAK-G11",
        "OAK-G14",
        "OAK-G16",
        "OAK-G17",
        "OAK-G18"
      ],
      "observed_techniques": [
        "OAK-T11.001",
        "OAK-T11.002",
        "OAK-T8.001"
      ],
      "citations": [
        "chainalysis2024lockbit",
        "cisaaa24131a",
        "mandiantcontileaks2022",
        "microsoftstorm1811"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S38-icedid-pikabot.md"
    },
    {
      "id": "OAK-S39",
      "name": "DanaBot",
      "type": "malware / banking trojan + commodity loader",
      "aliases": [
        "DanaBot (the canonical industry naming since 2018); external cyber-threat-intel taxonomy ID S0634. Some early 2018 reporting tracked DanaBot under the placeholder name \"Trojan.Win32.Spy\" before family-level naming stabilised."
      ],
      "active": "yes through May 2024 (Operation Endgame target). Post-Operation-Endgame the operating-tempo has been significantly reduced; activity continues through 2025 at lower volume.",
      "first_observed": "2018-05.",
      "host_platforms": [
        "Windows (primary, all variants)."
      ],
      "used_by_groups": [
        "OAK-G05",
        "OAK-G10",
        "OAK-G11",
        "OAK-G16"
      ],
      "observed_techniques": [
        "OAK-T11.001",
        "OAK-T11.002",
        "OAK-T8.001"
      ],
      "citations": [
        "chainalysis2024lockbit",
        "cisaaa24131a",
        "microsoftstorm1811"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S39-danabot.md"
    },
    {
      "id": "OAK-S40",
      "name": "Qakbot / Pinkslipbot / QBot",
      "type": "malware / banking trojan + commodity loader",
      "aliases": [
        "Qakbot (the dominant industry naming since approximately 2010); QBot (CrowdStrike historical naming); Pinkslipbot (an earlier-era name from Symantec / Broadcom). External cyber-threat-intel taxonomy ID S0650. One of the longest-running individual malware families on the OAK-relevant timeline."
      ],
      "active": "sunset for original infrastructure post-August 2023 (Operation Duck Hunt). Cohort-level operating substrate persists in OAK-S38 Pikabot which is structurally a successor-and-overlap loader rebuilt by the same Russian-cybercrime-ecosystem operator cohort.",
      "first_observed": "approximately 2008 (initial banking-trojan operation; some pre-2008 ancestor variants are documented but the family-level naming stabilises at 2008–2010).",
      "host_platforms": [
        "Windows (primary, all variants)."
      ],
      "used_by_groups": [
        "OAK-G05",
        "OAK-G10",
        "OAK-G11",
        "OAK-G14"
      ],
      "observed_techniques": [
        "OAK-T11.001",
        "OAK-T11.002",
        "OAK-T8.001"
      ],
      "citations": [
        "chainalysis2024lockbit",
        "cisaaa22046a",
        "cisaaa24131a",
        "mandiantcontileaks2022",
        "microsoftstorm1811"
      ],
      "source_file": "/home/runner/work/oak/oak/software/OAK-S40-qakbot-pinkslipbot.md"
    }
  ],
  "relationships": [
    {
      "type": "mitigates",
      "source": "OAK-M01",
      "target": "OAK-T1.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M01",
      "target": "OAK-T1.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M01",
      "target": "OAK-T1.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M01",
      "target": "OAK-T1.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M01",
      "target": "OAK-T2.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M01",
      "target": "OAK-T6.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M01",
      "target": "OAK-T6.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M02",
      "target": "OAK-T1.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M02",
      "target": "OAK-T1.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M02",
      "target": "OAK-T1.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M02",
      "target": "OAK-T1.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M02",
      "target": "OAK-T6.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M02",
      "target": "OAK-T6.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M02",
      "target": "OAK-T9.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M02",
      "target": "OAK-T9.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M02",
      "target": "OAK-T13.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M03",
      "target": "OAK-T1.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M03",
      "target": "OAK-T1.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M03",
      "target": "OAK-T2.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M03",
      "target": "OAK-T6.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M03",
      "target": "OAK-T6.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M03",
      "target": "OAK-T9.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M03",
      "target": "OAK-T11.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M04",
      "target": "OAK-T2.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M04",
      "target": "OAK-T3.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M04",
      "target": "OAK-T3.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M04",
      "target": "OAK-T3.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M04",
      "target": "OAK-T8.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M04",
      "target": "OAK-T8.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M04",
      "target": "OAK-T1.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M04",
      "target": "OAK-T2.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M05",
      "target": "OAK-T1.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M05",
      "target": "OAK-T1.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M05",
      "target": "OAK-T9.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M05",
      "target": "OAK-T9.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M05",
      "target": "OAK-T11.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M05",
      "target": "OAK-T11.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M05",
      "target": "OAK-T11.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M06",
      "target": "OAK-T5.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M06",
      "target": "OAK-T13.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M06",
      "target": "OAK-T14.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M07",
      "target": "OAK-T7.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M07",
      "target": "OAK-T7.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M07",
      "target": "OAK-T7.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M07",
      "target": "OAK-T7.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M07",
      "target": "OAK-T7.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M07",
      "target": "OAK-T7.006"
    },
    {
      "type": "mitigates",
      "source": "OAK-M07",
      "target": "OAK-T8.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M07",
      "target": "OAK-T11.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M08",
      "target": "OAK-T4.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M08",
      "target": "OAK-T4.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M08",
      "target": "OAK-T4.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M08",
      "target": "OAK-T4.006"
    },
    {
      "type": "mitigates",
      "source": "OAK-M09",
      "target": "OAK-T9.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M09",
      "target": "OAK-T9.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M10",
      "target": "OAK-T9.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M10",
      "target": "OAK-T9.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M11",
      "target": "OAK-T5.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M11",
      "target": "OAK-T5.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M11",
      "target": "OAK-T9.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M11",
      "target": "OAK-T9.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M11",
      "target": "OAK-T10.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M11",
      "target": "OAK-T10.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M12",
      "target": "OAK-T10.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M12",
      "target": "OAK-T10.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M13",
      "target": "OAK-T10.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M14",
      "target": "OAK-T10.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M15",
      "target": "OAK-T10.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M15",
      "target": "OAK-T11.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M15",
      "target": "OAK-T11.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M16",
      "target": "OAK-T1.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M16",
      "target": "OAK-T1.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M16",
      "target": "OAK-T1.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M16",
      "target": "OAK-T6.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M16",
      "target": "OAK-T6.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M16",
      "target": "OAK-T6.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M16",
      "target": "OAK-T6.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M16",
      "target": "OAK-T9.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M16",
      "target": "OAK-T9.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M16",
      "target": "OAK-T9.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M16",
      "target": "OAK-T9.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M16",
      "target": "OAK-T9.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M16",
      "target": "OAK-T10.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M16",
      "target": "OAK-T10.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M16",
      "target": "OAK-T10.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M16",
      "target": "OAK-T10.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M16",
      "target": "OAK-T10.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M17",
      "target": "OAK-T9.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M18",
      "target": "OAK-T11.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M18",
      "target": "OAK-T11.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M18",
      "target": "OAK-T11.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M18",
      "target": "OAK-T4.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M18",
      "target": "OAK-T4.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M18",
      "target": "OAK-T4.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M18",
      "target": "OAK-T4.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M18",
      "target": "OAK-T4.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M18",
      "target": "OAK-T4.006"
    },
    {
      "type": "mitigates",
      "source": "OAK-M19",
      "target": "OAK-T11.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M19",
      "target": "OAK-T11.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M19",
      "target": "OAK-T11.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M20",
      "target": "OAK-T11.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M20",
      "target": "OAK-T11.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M21",
      "target": "OAK-T11.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M21",
      "target": "OAK-T11.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M22",
      "target": "OAK-T1.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M22",
      "target": "OAK-T11.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M22",
      "target": "OAK-T11.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M22",
      "target": "OAK-T11.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M22",
      "target": "OAK-T9.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M23",
      "target": "OAK-T6.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M23",
      "target": "OAK-T6.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M23",
      "target": "OAK-T6.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M23",
      "target": "OAK-T6.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M23",
      "target": "OAK-T1.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M24",
      "target": "OAK-T6.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M24",
      "target": "OAK-T6.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M25",
      "target": "OAK-T1.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M25",
      "target": "OAK-T1.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M25",
      "target": "OAK-T1.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M25",
      "target": "OAK-T1.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M25",
      "target": "OAK-T1.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M25",
      "target": "OAK-T2.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M25",
      "target": "OAK-T2.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M25",
      "target": "OAK-T2.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M25",
      "target": "OAK-T2.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M25",
      "target": "OAK-T6.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M25",
      "target": "OAK-T6.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M25",
      "target": "OAK-T6.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M25",
      "target": "OAK-T6.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M26",
      "target": "OAK-T3.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M26",
      "target": "OAK-T7.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M26",
      "target": "OAK-T12.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M27",
      "target": "OAK-T7.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M27",
      "target": "OAK-T7.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M27",
      "target": "OAK-T7.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M28",
      "target": "OAK-T5.006"
    },
    {
      "type": "mitigates",
      "source": "OAK-M29",
      "target": "OAK-T4.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M30",
      "target": "OAK-T4.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M30",
      "target": "OAK-T4.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M30",
      "target": "OAK-T4.006"
    },
    {
      "type": "mitigates",
      "source": "OAK-M31",
      "target": "OAK-T4.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M31",
      "target": "OAK-T4.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M31",
      "target": "OAK-T4.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T1.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T1.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T1.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T1.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T1.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T6.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T6.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T6.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T6.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T9.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T9.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T9.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T9.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T9.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T10.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T10.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T10.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T10.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M32",
      "target": "OAK-T10.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M33",
      "target": "OAK-T9.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M33",
      "target": "OAK-T9.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M33",
      "target": "OAK-T9.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M33",
      "target": "OAK-T9.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M33",
      "target": "OAK-T9.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M33",
      "target": "OAK-T10.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M33",
      "target": "OAK-T10.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M33",
      "target": "OAK-T10.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M33",
      "target": "OAK-T10.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M33",
      "target": "OAK-T10.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M33",
      "target": "OAK-T11.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M33",
      "target": "OAK-T11.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M33",
      "target": "OAK-T11.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M34",
      "target": "OAK-T9.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M34",
      "target": "OAK-T9.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M34",
      "target": "OAK-T9.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M34",
      "target": "OAK-T9.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M34",
      "target": "OAK-T9.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M34",
      "target": "OAK-T10.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M34",
      "target": "OAK-T10.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M34",
      "target": "OAK-T10.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M34",
      "target": "OAK-T10.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M34",
      "target": "OAK-T10.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M34",
      "target": "OAK-T11.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M35",
      "target": "OAK-T9.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M35",
      "target": "OAK-T9.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M35",
      "target": "OAK-T9.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M35",
      "target": "OAK-T9.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M35",
      "target": "OAK-T9.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M35",
      "target": "OAK-T10.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M35",
      "target": "OAK-T10.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M35",
      "target": "OAK-T10.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M35",
      "target": "OAK-T10.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M35",
      "target": "OAK-T10.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M35",
      "target": "OAK-T11.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M35",
      "target": "OAK-T11.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M35",
      "target": "OAK-T11.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M36",
      "target": "OAK-T11.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M36",
      "target": "OAK-T11.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M36",
      "target": "OAK-T11.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M37",
      "target": "OAK-T11.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M37",
      "target": "OAK-T11.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M37",
      "target": "OAK-T11.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M37",
      "target": "OAK-T10.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M38",
      "target": "OAK-T5.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M38",
      "target": "OAK-T5.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M38",
      "target": "OAK-T5.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M38",
      "target": "OAK-T9.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M38",
      "target": "OAK-T9.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M38",
      "target": "OAK-T9.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M38",
      "target": "OAK-T9.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M38",
      "target": "OAK-T10.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M38",
      "target": "OAK-T11.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M38",
      "target": "OAK-T11.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M38",
      "target": "OAK-T11.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M39",
      "target": "OAK-T9.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M39",
      "target": "OAK-T9.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M39",
      "target": "OAK-T9.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M39",
      "target": "OAK-T9.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M39",
      "target": "OAK-T9.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M39",
      "target": "OAK-T10.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M39",
      "target": "OAK-T10.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M39",
      "target": "OAK-T10.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M39",
      "target": "OAK-T10.004"
    },
    {
      "type": "mitigates",
      "source": "OAK-M39",
      "target": "OAK-T10.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M39",
      "target": "OAK-T11.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M39",
      "target": "OAK-T11.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M39",
      "target": "OAK-T11.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M39",
      "target": "OAK-T8.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M39",
      "target": "OAK-T8.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M40",
      "target": "OAK-T11.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M40",
      "target": "OAK-T11.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M40",
      "target": "OAK-T1.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M40",
      "target": "OAK-T4.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M40",
      "target": "OAK-T4.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M40",
      "target": "OAK-T4.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M40",
      "target": "OAK-T4.006"
    },
    {
      "type": "mitigates",
      "source": "OAK-M41",
      "target": "OAK-T7.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M41",
      "target": "OAK-T7.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M41",
      "target": "OAK-T7.006"
    },
    {
      "type": "mitigates",
      "source": "OAK-M41",
      "target": "OAK-T7.007"
    },
    {
      "type": "mitigates",
      "source": "OAK-M41",
      "target": "OAK-T7.008"
    },
    {
      "type": "mitigates",
      "source": "OAK-M41",
      "target": "OAK-T5.008"
    },
    {
      "type": "mitigates",
      "source": "OAK-M42",
      "target": "OAK-T7.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M42",
      "target": "OAK-T7.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M42",
      "target": "OAK-T7.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M42",
      "target": "OAK-T7.005"
    },
    {
      "type": "mitigates",
      "source": "OAK-M42",
      "target": "OAK-T5.008"
    },
    {
      "type": "mitigates",
      "source": "OAK-M43",
      "target": "OAK-T7.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M43",
      "target": "OAK-T7.002"
    },
    {
      "type": "mitigates",
      "source": "OAK-M43",
      "target": "OAK-T7.003"
    },
    {
      "type": "mitigates",
      "source": "OAK-M43",
      "target": "OAK-T7.006"
    },
    {
      "type": "mitigates",
      "source": "OAK-M43",
      "target": "OAK-T7.007"
    },
    {
      "type": "mitigates",
      "source": "OAK-M43",
      "target": "OAK-T7.008"
    },
    {
      "type": "mitigates",
      "source": "OAK-M43",
      "target": "OAK-T8.001"
    },
    {
      "type": "mitigates",
      "source": "OAK-M43",
      "target": "OAK-T8.002"
    },
    {
      "type": "uses",
      "source": "OAK-S01",
      "target": "OAK-T4.001"
    },
    {
      "type": "uses",
      "source": "OAK-S01",
      "target": "OAK-T4.002"
    },
    {
      "type": "uses",
      "source": "OAK-S01",
      "target": "OAK-T4.004"
    },
    {
      "type": "uses",
      "source": "OAK-S01",
      "target": "OAK-T4.005"
    },
    {
      "type": "uses",
      "source": "OAK-S01",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S01",
      "target": "OAK-T7.003"
    },
    {
      "type": "uses",
      "source": "OAK-S01",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-S01",
      "target": "OAK-T8.002"
    },
    {
      "type": "uses",
      "source": "OAK-G02",
      "target": "OAK-S01"
    },
    {
      "type": "uses",
      "source": "OAK-S02",
      "target": "OAK-T4.001"
    },
    {
      "type": "uses",
      "source": "OAK-S02",
      "target": "OAK-T4.002"
    },
    {
      "type": "uses",
      "source": "OAK-S02",
      "target": "OAK-T4.004"
    },
    {
      "type": "uses",
      "source": "OAK-S02",
      "target": "OAK-T4.005"
    },
    {
      "type": "uses",
      "source": "OAK-S02",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S02",
      "target": "OAK-T7.003"
    },
    {
      "type": "uses",
      "source": "OAK-S02",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-S02",
      "target": "OAK-T8.002"
    },
    {
      "type": "uses",
      "source": "OAK-G02",
      "target": "OAK-S02"
    },
    {
      "type": "uses",
      "source": "OAK-S03",
      "target": "OAK-T4.001"
    },
    {
      "type": "uses",
      "source": "OAK-S03",
      "target": "OAK-T4.002"
    },
    {
      "type": "uses",
      "source": "OAK-S03",
      "target": "OAK-T4.004"
    },
    {
      "type": "uses",
      "source": "OAK-S03",
      "target": "OAK-T4.005"
    },
    {
      "type": "uses",
      "source": "OAK-S03",
      "target": "OAK-T4.006"
    },
    {
      "type": "uses",
      "source": "OAK-S03",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S03",
      "target": "OAK-T7.003"
    },
    {
      "type": "uses",
      "source": "OAK-S03",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-G02",
      "target": "OAK-S03"
    },
    {
      "type": "uses",
      "source": "OAK-S04",
      "target": "OAK-T4.001"
    },
    {
      "type": "uses",
      "source": "OAK-S04",
      "target": "OAK-T4.004"
    },
    {
      "type": "uses",
      "source": "OAK-S04",
      "target": "OAK-T4.005"
    },
    {
      "type": "uses",
      "source": "OAK-S04",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S04",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-G02",
      "target": "OAK-S04"
    },
    {
      "type": "uses",
      "source": "OAK-S05",
      "target": "OAK-T4.001"
    },
    {
      "type": "uses",
      "source": "OAK-S05",
      "target": "OAK-T4.004"
    },
    {
      "type": "uses",
      "source": "OAK-S05",
      "target": "OAK-T4.005"
    },
    {
      "type": "uses",
      "source": "OAK-S05",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S05",
      "target": "OAK-T7.003"
    },
    {
      "type": "uses",
      "source": "OAK-S05",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-G02",
      "target": "OAK-S05"
    },
    {
      "type": "uses",
      "source": "OAK-S06",
      "target": "OAK-T4.001"
    },
    {
      "type": "uses",
      "source": "OAK-S06",
      "target": "OAK-T4.004"
    },
    {
      "type": "uses",
      "source": "OAK-S06",
      "target": "OAK-T4.005"
    },
    {
      "type": "uses",
      "source": "OAK-S06",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S06",
      "target": "OAK-T7.003"
    },
    {
      "type": "uses",
      "source": "OAK-S06",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-S06",
      "target": "OAK-T8.002"
    },
    {
      "type": "uses",
      "source": "OAK-G02",
      "target": "OAK-S06"
    },
    {
      "type": "uses",
      "source": "OAK-S07",
      "target": "OAK-T4.001"
    },
    {
      "type": "uses",
      "source": "OAK-S07",
      "target": "OAK-T4.004"
    },
    {
      "type": "uses",
      "source": "OAK-S07",
      "target": "OAK-T4.005"
    },
    {
      "type": "uses",
      "source": "OAK-S07",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S07",
      "target": "OAK-T7.003"
    },
    {
      "type": "uses",
      "source": "OAK-S07",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-G02",
      "target": "OAK-S07"
    },
    {
      "type": "uses",
      "source": "OAK-S08",
      "target": "OAK-T11.001"
    },
    {
      "type": "uses",
      "source": "OAK-S08",
      "target": "OAK-T11.002"
    },
    {
      "type": "uses",
      "source": "OAK-G01",
      "target": "OAK-S08"
    },
    {
      "type": "uses",
      "source": "OAK-S09",
      "target": "OAK-T11.002"
    },
    {
      "type": "uses",
      "source": "OAK-S09",
      "target": "OAK-T11.001"
    },
    {
      "type": "uses",
      "source": "OAK-G01",
      "target": "OAK-S09"
    },
    {
      "type": "uses",
      "source": "OAK-S10",
      "target": "OAK-T11.001"
    },
    {
      "type": "uses",
      "source": "OAK-S10",
      "target": "OAK-T10.001"
    },
    {
      "type": "uses",
      "source": "OAK-G01",
      "target": "OAK-S10"
    },
    {
      "type": "uses",
      "source": "OAK-S11",
      "target": "OAK-T11.001"
    },
    {
      "type": "uses",
      "source": "OAK-G01",
      "target": "OAK-S11"
    },
    {
      "type": "uses",
      "source": "OAK-S12",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-G07",
      "target": "OAK-S12"
    },
    {
      "type": "uses",
      "source": "OAK-S13",
      "target": "OAK-T11.002"
    },
    {
      "type": "uses",
      "source": "OAK-S13",
      "target": "OAK-T4.004"
    },
    {
      "type": "uses",
      "source": "OAK-S13",
      "target": "OAK-T4.005"
    },
    {
      "type": "uses",
      "source": "OAK-S14",
      "target": "OAK-T11.002"
    },
    {
      "type": "uses",
      "source": "OAK-S14",
      "target": "OAK-T4.004"
    },
    {
      "type": "uses",
      "source": "OAK-S14",
      "target": "OAK-T4.005"
    },
    {
      "type": "uses",
      "source": "OAK-S15",
      "target": "OAK-T11.002"
    },
    {
      "type": "uses",
      "source": "OAK-S15",
      "target": "OAK-T4.004"
    },
    {
      "type": "uses",
      "source": "OAK-S15",
      "target": "OAK-T4.005"
    },
    {
      "type": "uses",
      "source": "OAK-S16",
      "target": "OAK-T11.004"
    },
    {
      "type": "uses",
      "source": "OAK-S17",
      "target": "OAK-T5.004"
    },
    {
      "type": "uses",
      "source": "OAK-S18",
      "target": "OAK-T3.001"
    },
    {
      "type": "uses",
      "source": "OAK-S18",
      "target": "OAK-T2.001"
    },
    {
      "type": "uses",
      "source": "OAK-S18",
      "target": "OAK-T13.002"
    },
    {
      "type": "uses",
      "source": "OAK-S19",
      "target": "OAK-T11.001"
    },
    {
      "type": "uses",
      "source": "OAK-S19",
      "target": "OAK-T11.002"
    },
    {
      "type": "uses",
      "source": "OAK-G01",
      "target": "OAK-S19"
    },
    {
      "type": "uses",
      "source": "OAK-S20",
      "target": "OAK-T11.001"
    },
    {
      "type": "uses",
      "source": "OAK-S20",
      "target": "OAK-T11.002"
    },
    {
      "type": "uses",
      "source": "OAK-G08",
      "target": "OAK-S20"
    },
    {
      "type": "uses",
      "source": "OAK-G01",
      "target": "OAK-S20"
    },
    {
      "type": "uses",
      "source": "OAK-S21",
      "target": "OAK-T11.001"
    },
    {
      "type": "uses",
      "source": "OAK-S21",
      "target": "OAK-T11.002"
    },
    {
      "type": "uses",
      "source": "OAK-G01",
      "target": "OAK-S21"
    },
    {
      "type": "uses",
      "source": "OAK-G08",
      "target": "OAK-S21"
    },
    {
      "type": "uses",
      "source": "OAK-S22",
      "target": "OAK-T11.001"
    },
    {
      "type": "uses",
      "source": "OAK-S22",
      "target": "OAK-T11.002"
    },
    {
      "type": "uses",
      "source": "OAK-G01",
      "target": "OAK-S22"
    },
    {
      "type": "uses",
      "source": "OAK-G08",
      "target": "OAK-S22"
    },
    {
      "type": "uses",
      "source": "OAK-S23",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S23",
      "target": "OAK-T7.002"
    },
    {
      "type": "uses",
      "source": "OAK-S23",
      "target": "OAK-T7.003"
    },
    {
      "type": "uses",
      "source": "OAK-G05",
      "target": "OAK-S23"
    },
    {
      "type": "uses",
      "source": "OAK-G06",
      "target": "OAK-S23"
    },
    {
      "type": "uses",
      "source": "OAK-S24",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S24",
      "target": "OAK-T7.002"
    },
    {
      "type": "uses",
      "source": "OAK-S24",
      "target": "OAK-T7.003"
    },
    {
      "type": "uses",
      "source": "OAK-G10",
      "target": "OAK-S24"
    },
    {
      "type": "uses",
      "source": "OAK-S25",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S25",
      "target": "OAK-T7.002"
    },
    {
      "type": "uses",
      "source": "OAK-S25",
      "target": "OAK-T8.002"
    },
    {
      "type": "uses",
      "source": "OAK-G09",
      "target": "OAK-S25"
    },
    {
      "type": "uses",
      "source": "OAK-G01",
      "target": "OAK-S25"
    },
    {
      "type": "uses",
      "source": "OAK-S26",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S26",
      "target": "OAK-T7.002"
    },
    {
      "type": "uses",
      "source": "OAK-S26",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-G06",
      "target": "OAK-S26"
    },
    {
      "type": "uses",
      "source": "OAK-G05",
      "target": "OAK-S26"
    },
    {
      "type": "uses",
      "source": "OAK-S27",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S27",
      "target": "OAK-T7.002"
    },
    {
      "type": "uses",
      "source": "OAK-S27",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-G11",
      "target": "OAK-S27"
    },
    {
      "type": "uses",
      "source": "OAK-S28",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S28",
      "target": "OAK-T7.002"
    },
    {
      "type": "uses",
      "source": "OAK-S28",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-S29",
      "target": "OAK-T11.001"
    },
    {
      "type": "uses",
      "source": "OAK-S29",
      "target": "OAK-T11.002"
    },
    {
      "type": "uses",
      "source": "OAK-G01",
      "target": "OAK-S29"
    },
    {
      "type": "uses",
      "source": "OAK-G08",
      "target": "OAK-S29"
    },
    {
      "type": "uses",
      "source": "OAK-S30",
      "target": "OAK-T11.001"
    },
    {
      "type": "uses",
      "source": "OAK-S30",
      "target": "OAK-T11.002"
    },
    {
      "type": "uses",
      "source": "OAK-G01",
      "target": "OAK-S30"
    },
    {
      "type": "uses",
      "source": "OAK-G08",
      "target": "OAK-S30"
    },
    {
      "type": "uses",
      "source": "OAK-S31",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S31",
      "target": "OAK-T7.002"
    },
    {
      "type": "uses",
      "source": "OAK-S31",
      "target": "OAK-T8.002"
    },
    {
      "type": "uses",
      "source": "OAK-G09",
      "target": "OAK-S31"
    },
    {
      "type": "uses",
      "source": "OAK-S32",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S32",
      "target": "OAK-T7.002"
    },
    {
      "type": "uses",
      "source": "OAK-S32",
      "target": "OAK-T8.002"
    },
    {
      "type": "uses",
      "source": "OAK-G07",
      "target": "OAK-S32"
    },
    {
      "type": "uses",
      "source": "OAK-S33",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S33",
      "target": "OAK-T7.002"
    },
    {
      "type": "uses",
      "source": "OAK-S33",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-G16",
      "target": "OAK-S33"
    },
    {
      "type": "uses",
      "source": "OAK-S34",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S34",
      "target": "OAK-T7.002"
    },
    {
      "type": "uses",
      "source": "OAK-S34",
      "target": "OAK-T7.003"
    },
    {
      "type": "uses",
      "source": "OAK-S34",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-G15",
      "target": "OAK-S34"
    },
    {
      "type": "uses",
      "source": "OAK-S35",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S35",
      "target": "OAK-T7.002"
    },
    {
      "type": "uses",
      "source": "OAK-S35",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-G17",
      "target": "OAK-S35"
    },
    {
      "type": "uses",
      "source": "OAK-S36",
      "target": "OAK-T7.001"
    },
    {
      "type": "uses",
      "source": "OAK-S36",
      "target": "OAK-T7.002"
    },
    {
      "type": "uses",
      "source": "OAK-S36",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-S36",
      "target": "OAK-T8.002"
    },
    {
      "type": "uses",
      "source": "OAK-G18",
      "target": "OAK-S36"
    },
    {
      "type": "uses",
      "source": "OAK-S37",
      "target": "OAK-T11.001"
    },
    {
      "type": "uses",
      "source": "OAK-S37",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-G05",
      "target": "OAK-S37"
    },
    {
      "type": "uses",
      "source": "OAK-G09",
      "target": "OAK-S37"
    },
    {
      "type": "uses",
      "source": "OAK-G10",
      "target": "OAK-S37"
    },
    {
      "type": "uses",
      "source": "OAK-G11",
      "target": "OAK-S37"
    },
    {
      "type": "uses",
      "source": "OAK-G14",
      "target": "OAK-S37"
    },
    {
      "type": "uses",
      "source": "OAK-G15",
      "target": "OAK-S37"
    },
    {
      "type": "uses",
      "source": "OAK-G16",
      "target": "OAK-S37"
    },
    {
      "type": "uses",
      "source": "OAK-G17",
      "target": "OAK-S37"
    },
    {
      "type": "uses",
      "source": "OAK-G18",
      "target": "OAK-S37"
    },
    {
      "type": "uses",
      "source": "OAK-G06",
      "target": "OAK-S37"
    },
    {
      "type": "uses",
      "source": "OAK-S38",
      "target": "OAK-T11.001"
    },
    {
      "type": "uses",
      "source": "OAK-S38",
      "target": "OAK-T11.002"
    },
    {
      "type": "uses",
      "source": "OAK-S38",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-G05",
      "target": "OAK-S38"
    },
    {
      "type": "uses",
      "source": "OAK-G10",
      "target": "OAK-S38"
    },
    {
      "type": "uses",
      "source": "OAK-G11",
      "target": "OAK-S38"
    },
    {
      "type": "uses",
      "source": "OAK-G14",
      "target": "OAK-S38"
    },
    {
      "type": "uses",
      "source": "OAK-G16",
      "target": "OAK-S38"
    },
    {
      "type": "uses",
      "source": "OAK-G17",
      "target": "OAK-S38"
    },
    {
      "type": "uses",
      "source": "OAK-G18",
      "target": "OAK-S38"
    },
    {
      "type": "uses",
      "source": "OAK-S39",
      "target": "OAK-T11.001"
    },
    {
      "type": "uses",
      "source": "OAK-S39",
      "target": "OAK-T11.002"
    },
    {
      "type": "uses",
      "source": "OAK-S39",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-G05",
      "target": "OAK-S39"
    },
    {
      "type": "uses",
      "source": "OAK-G10",
      "target": "OAK-S39"
    },
    {
      "type": "uses",
      "source": "OAK-G11",
      "target": "OAK-S39"
    },
    {
      "type": "uses",
      "source": "OAK-G16",
      "target": "OAK-S39"
    },
    {
      "type": "uses",
      "source": "OAK-S40",
      "target": "OAK-T11.001"
    },
    {
      "type": "uses",
      "source": "OAK-S40",
      "target": "OAK-T11.002"
    },
    {
      "type": "uses",
      "source": "OAK-S40",
      "target": "OAK-T8.001"
    },
    {
      "type": "uses",
      "source": "OAK-G05",
      "target": "OAK-S40"
    },
    {
      "type": "uses",
      "source": "OAK-G10",
      "target": "OAK-S40"
    },
    {
      "type": "uses",
      "source": "OAK-G11",
      "target": "OAK-S40"
    },
    {
      "type": "uses",
      "source": "OAK-G14",
      "target": "OAK-S40"
    }
  ]
}
