{ "schema_version": "2", "oak_version": "0.1.0-draft", "generated_at": "2026-05-04T12:46:13+00:00", "tactics": [ { "id": "OAK-T1", "name": "Token Genesis", "phase": "Pre-launch / Launch", "adjacent_tactics": [], "techniques": [ "OAK-T1.001", "OAK-T1.002", "OAK-T1.003", "OAK-T1.004", "OAK-T1.005", "OAK-T1.006", "OAK-T1.007", "OAK-T14.003.001", "OAK-T6.005" ], "source_file": "/home/runner/work/oak/oak/tactics/T1-token-genesis.md" }, { "id": "OAK-T10", "name": "Bridge and Cross-Chain", "phase": "Targeted compromise", "adjacent_tactics": [], "techniques": [ "OAK-T10.001", "OAK-T10.002", "OAK-T10.003", "OAK-T10.004", "OAK-T10.005", "OAK-T6.005" ], "source_file": "/home/runner/work/oak/oak/tactics/T10-bridge-and-cross-chain.md" }, { "id": "OAK-T11", "name": "Custody and Signing Infrastructure", "phase": "Targeted compromise", "adjacent_tactics": [], "techniques": [ "OAK-T11.001", "OAK-T11.002", "OAK-T11.003", "OAK-T11.004", "OAK-T11.005", "OAK-T11.006", "OAK-T11.007", "OAK-T11.008", "OAK-T11.009" ], "source_file": "/home/runner/work/oak/oak/tactics/T11-custody-and-signing-infrastructure.md" }, { "id": "OAK-T12", "name": "NFT-Specific Patterns", "phase": "Realization", "adjacent_tactics": [], "techniques": [ "OAK-T12.001", "OAK-T12.002", "OAK-T12.003" ], "source_file": "/home/runner/work/oak/oak/tactics/T12-nft-specific-patterns.md" }, { "id": "OAK-T13", "name": "Account Abstraction Attacks", "phase": "Targeted compromise", "adjacent_tactics": [], "techniques": [ "OAK-T13.001", "OAK-T13.001.001", "OAK-T13.001.002", "OAK-T13.001.003", "OAK-T13.001.004", "OAK-T13.002", "OAK-T13.003", "OAK-T13.004" ], "source_file": "/home/runner/work/oak/oak/tactics/T13-account-abstraction-attacks.md" }, { "id": "OAK-T14", "name": "Validator / Staking / Restaking Attacks", "phase": "Targeted compromise", "adjacent_tactics": [], "techniques": [ "OAK-T14.001", "OAK-T14.002", "OAK-T14.003", "OAK-T14.003.001" ], "source_file": "/home/runner/work/oak/oak/tactics/T14-validator-staking-restaking-attacks.md" }, { "id": "OAK-T15", "name": "Off-chain Entry-Vector / Pre-Positioning", "phase": "Pre-positioning", "adjacent_tactics": [], "techniques": [ "OAK-T15.001", "OAK-T15.002", "OAK-T15.003", "OAK-T15.004", "OAK-T15.005" ], "source_file": "/home/runner/work/oak/oak/tactics/T15-off-chain-entry-vector.md" }, { "id": "OAK-T16", "name": "Governance / Voting Manipulation", "phase": "Realization", "adjacent_tactics": [], "techniques": [ "OAK-T16.001", "OAK-T16.002", "OAK-T16.003", "OAK-T16.004", "OAK-T16.005" ], "source_file": "/home/runner/work/oak/oak/tactics/T16-governance-voting-manipulation.md" }, { "id": "OAK-T17", "name": "Market Manipulation", "phase": "Realization", "adjacent_tactics": [], "techniques": [ "OAK-T17.001", "OAK-T17.002", "OAK-T17.003", "OAK-T17.004", "OAK-T3.002", "OAK-T3.003", "OAK-T3.004", "OAK-T5.004", "OAK-T9.001", "OAK-T9.006", "OAK-T9.006.001", "OAK-T9.006.002", "OAK-T9.006.003", "OAK-T9.006.004" ], "source_file": "/home/runner/work/oak/oak/tactics/T17-market-manipulation.md" }, { "id": "OAK-T2", "name": "Liquidity Establishment", "phase": "Pre-launch / Launch", "adjacent_tactics": [], "techniques": [ "OAK-T2.001", "OAK-T2.002", "OAK-T2.003", "OAK-T2.004" ], "source_file": "/home/runner/work/oak/oak/tactics/T2-liquidity-establishment.md" }, { "id": "OAK-T3", "name": "Holder Capture", "phase": "Pre-launch / Launch", "adjacent_tactics": [], "techniques": [ "OAK-T3.001", "OAK-T3.002", "OAK-T3.003", "OAK-T3.004" ], "source_file": "/home/runner/work/oak/oak/tactics/T3-holder-capture.md" }, { "id": "OAK-T4", "name": "Access Acquisition", "phase": "Targeted compromise", "adjacent_tactics": [], "techniques": [ "OAK-T4.001", "OAK-T4.002", "OAK-T4.003", "OAK-T4.004", "OAK-T4.005", "OAK-T4.006", "OAK-T4.007", "OAK-T4.008", "OAK-T6.006" ], "source_file": "/home/runner/work/oak/oak/tactics/T4-access-acquisition.md" }, { "id": "OAK-T5", "name": "Value Extraction", "phase": "Realization", "adjacent_tactics": [], "techniques": [ "OAK-T3.003", "OAK-T5.001", "OAK-T5.002", "OAK-T5.003", "OAK-T5.004", "OAK-T5.005", "OAK-T5.006", "OAK-T5.007", "OAK-T6.006" ], "source_file": "/home/runner/work/oak/oak/tactics/T5-value-extraction.md" }, { "id": "OAK-T6", "name": "Defense Evasion", "phase": "Cross-cutting", "adjacent_tactics": [], "techniques": [ "OAK-T1.001", "OAK-T1.002", "OAK-T1.003", "OAK-T1.004", "OAK-T1.005", "OAK-T1.007", "OAK-T2.002", "OAK-T2.003", "OAK-T2.004", "OAK-T4.002", "OAK-T4.003", "OAK-T5.002", "OAK-T5.005", "OAK-T6.001", "OAK-T6.002", "OAK-T6.003", "OAK-T6.004", "OAK-T6.005", "OAK-T6.006", "OAK-T6.007" ], "source_file": "/home/runner/work/oak/oak/tactics/T6-defense-evasion.md" }, { "id": "OAK-T7", "name": "Laundering", "phase": "Post-extraction", "adjacent_tactics": [], "techniques": [ "OAK-T7.001", "OAK-T7.002", "OAK-T7.003", "OAK-T7.004", "OAK-T7.005", "OAK-T7.006" ], "source_file": "/home/runner/work/oak/oak/tactics/T7-laundering.md" }, { "id": "OAK-T8", "name": "Operator Continuity / Attribution Signals", "phase": "Post-extraction", "adjacent_tactics": [], "techniques": [ "OAK-T8.001", "OAK-T8.002" ], "source_file": "/home/runner/work/oak/oak/tactics/T8-operational-reuse.md" }, { "id": "OAK-T9", "name": "Smart-Contract Exploit", "phase": "Realization", "adjacent_tactics": [], "techniques": [ "OAK-T11.003", "OAK-T6.005", "OAK-T9.001", "OAK-T9.002", "OAK-T9.003", "OAK-T9.004", "OAK-T9.005", "OAK-T9.006", "OAK-T9.006.001", "OAK-T9.006.002", "OAK-T9.006.003", "OAK-T9.006.004" ], "source_file": "/home/runner/work/oak/oak/tactics/T9-smart-contract-exploit.md" } ], "techniques": [ { "id": "OAK-T1.001", "name": "Modifiable Tax Function", "parent_tactics": [ "OAK-T1", "OAK-T6" ], "maturity": "stable", "chains": [ "EVM", "Solana" ], "first_documented": "2018 (academic), widespread by 2020", "aliases": [ "honeypot tax", "trap tax", "anti-sell tax", "tax trap" ], "citations": [ "chainalysis2025rug", "cointelegraphanubismixer2022", "decryptanubis2021", "quillauditsbackdoor", "slowmist2024report", "torres2019", "trmsquid2021" ], "source_file": "/home/runner/work/oak/oak/techniques/T1.001-modifiable-tax-function.md" }, { "id": "OAK-T1.002", "name": "Token-2022 Permanent Delegate Authority", "parent_tactics": [ "OAK-T1", "OAK-T6" ], "maturity": "observed", "chains": [ "Solana" ], "first_documented": "2024 (industry advisories); industrial-scale abuse from late 2024 onward", "aliases": [ "permanent delegate token", "PD authority", "burn-on-buy scam" ], "citations": [ "neodyme2024token2022", "solana2024permdelegate" ], "source_file": "/home/runner/work/oak/oak/techniques/T1.002-token-2022-permanent-delegate.md" }, { "id": "OAK-T1.003", "name": "Renounced-But-Not-Really (Proxy-Upgrade Backdoor)", "parent_tactics": [ "OAK-T1", "OAK-T6" ], "maturity": "stable", "chains": [ "EVM (primary)" ], "first_documented": "systematic 2022 onward; Shido 2024 as a canonical large-scale named case", "aliases": [ "fake renounce", "proxy backdoor", "ghost owner", "transferOwnership-not-really" ], "citations": [ "chainalysis2025rug", "nomicproxybackdoor", "quillauditsbackdoor", "slowmist2024report" ], "source_file": "/home/runner/work/oak/oak/techniques/T1.003-renounced-but-not-really.md" }, { "id": "OAK-T1.004", "name": "Blacklist / Pausable Transfer Weaponization", "parent_tactics": [ "OAK-T1", "OAK-T6" ], "maturity": "stable", "chains": [ "EVM (primary)" ], "first_documented": "widespread from approximately 2020 onward", "aliases": [ "blacklist scam", "pausable token", "anti-sell pausable", "selective-block transfer", "freeze-on-buy" ], "citations": [ "chainalysis2025rug", "ofac2022tornado", "quillauditsbackdoor", "slowmist2024report" ], "source_file": "/home/runner/work/oak/oak/techniques/T1.004-blacklist-pausable-weaponization.md" }, { "id": "OAK-T1.005", "name": "Hidden Fee-on-Transfer", "parent_tactics": [ "OAK-T1", "OAK-T6" ], "maturity": "stable", "chains": [ "EVM (primary)", "Solana (SPL via Token-2022 transfer-fee extension; secondary)" ], "first_documented": "widespread from approximately 2020 onward", "aliases": [ "sell tax", "anti-bot tax", "asymmetric fee", "router-only fee", "honeypot-lite", "conditional fee-on-transfer" ], "citations": [ "chainalysis2025rug", "quillauditsbackdoor", "slowmist2024report" ], "source_file": "/home/runner/work/oak/oak/techniques/T1.005-hidden-fee-on-transfer.md" }, { "id": "OAK-T1.006", "name": "Honeypot-by-Design", "parent_tactics": [ "OAK-T1" ], "maturity": "emerging", "chains": [ "EVM (BNB Chain dominant by deployment count; Base, Ethereum); cross-chain" ], "first_documented": "academic foundational reference 2019 (`[torres2019]`); industrial-scale cohort observable from 2023 onward; canonical 2024-Q4 cross-chain prevalence", "aliases": [ "honeypot token", "buy-only token", "cannot-sell token", "sell-blocking smart contract", "asymmetric-fee honeypot" ], "citations": [ "certikhoneypotproliferation", "chainalysis2025rug", "cryptorankhoneypotbase2025", "dipprofithoneypot2024", "goplusq42024honeypot", "hackenhoneypotscam", "mediumsnibbb2023", "slowmist2024report", "torres2019" ], "source_file": "/home/runner/work/oak/oak/techniques/T1.006-honeypot-by-design.md" }, { "id": "OAK-T1.007", "name": "Token-2022 Transfer-Hook Abuse", "parent_tactics": [ "OAK-T1", "OAK-T6" ], "maturity": "emerging", "chains": [ "Solana (SPL Token-2022); cross-standard analogues on EVM (ERC-777 `tokensReceived`, ERC-1363 transfer-and-call, ERC-4626 vault hooks) covered separately at OAK-T9.005" ], "first_documented": "Halborn pre-production audit of Token-2022 (November 2022); class-level developer-side documentation 2023–2025; April 2025 ZK-ElGamal proof zero-day disclosure-and-patch cycle. Per-incident externally-attributed-exploit anchor remains empty at v0.1 freeze.", "aliases": [ "transfer-hook callback abuse", "Token-2022 hook reentrancy", "SPL transfer-hook attack" ], "citations": [ "ackeesolanahandbook", "chainstacktransferhook", "coindesksolanatoken2022zk2025", "cryptonomistsolanatoken2022zk2025", "cryptoslatesolanatoken2022zk2025", "dailycoinsolanatoken2022zk2025", "devtosolanahooks2025", "halbornsolanatokenception2022", "neodyme2024token2022", "quicknodetransferhook", "rareskillstoken2022", "solanatransferhookguide" ], "source_file": "/home/runner/work/oak/oak/techniques/T1.007-token-2022-transfer-hook-abuse.md" }, { "id": "OAK-T10.001", "name": "Validator / Signer Key Compromise", "parent_tactics": [ "OAK-T10" ], "maturity": "stable", "chains": [ "EVM", "cross-chain" ], "first_documented": "2022 (Ronin canonical case)", "aliases": [ "validator key theft", "multisig compromise", "MPC key loss" ], "citations": [ "chainalysis2024dprk", "ellipticronin2022" ], "source_file": "/home/runner/work/oak/oak/techniques/T10.001-validator-signer-key-compromise.md" }, { "id": "OAK-T10.002", "name": "Message-Verification Bypass", "parent_tactics": [ "OAK-T10" ], "maturity": "stable", "chains": [ "EVM", "Solana", "cross-chain" ], "first_documented": "2022 (Wormhole, Nomad canonical cases)", "aliases": [ "bridge proof bypass", "message-validation flaw", "VAA forgery\" (Wormhole-specific)" ], "citations": [ "mandiantnomad2022" ], "source_file": "/home/runner/work/oak/oak/techniques/T10.002-message-verification-bypass.md" }, { "id": "OAK-T10.003", "name": "Cross-Chain Replay", "parent_tactics": [ "OAK-T10" ], "maturity": "observed", "chains": [ "EVM", "cross-chain" ], "first_documented": "2022 (concept characterised in academic literature; recurring across smaller incidents)", "aliases": [ "bridge replay attack", "chain-ID replay", "message-replay across chains" ], "citations": [ "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T10.003-cross-chain-replay.md" }, { "id": "OAK-T10.004", "name": "Optimistic-Bridge Fraud-Proof Gap", "parent_tactics": [ "OAK-T10" ], "maturity": "observed", "chains": [ "EVM", "cross-chain (any optimistic-message-verification or optimistic-rollup-bridged architecture)" ], "first_documented": "2022 (concept characterised in Connext / Nomad architecture write-ups; recurring as architecture-review finding)", "aliases": [ "watcher-liveness failure", "challenge-window inadequacy", "fraud-proof system gap", "1-of-N honest-verifier assumption failure" ], "citations": [ "bhuptanioptbridges2022", "halbornnomadoptimistic2022", "hollowvictory2025", "owaspscstop10", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T10.004-optimistic-bridge-fraud-proof-gap.md" }, { "id": "OAK-T10.005", "name": "Light-Client Verification Bypass", "parent_tactics": [ "OAK-T10" ], "maturity": "observed", "chains": [ "EVM", "Cosmos / IBC", "Bitcoin SPV consumers", "cross-chain (any bridge whose security reduces to a cryptographic light-client or proof-verification primitive)" ], "first_documented": "2022 (Verichains \"Dragonberry\" disclosure of an ICS-23 Merkle-proof soundness bug affecting IBC light-client verification across Cosmos-SDK chains; class characterised earlier in zk-bridge academic literature)", "aliases": [ "circuit soundness bug", "trusted-setup compromise", "proof-system bypass", "light-client verifier bug", "zk-bridge soundness failure" ], "citations": [ "owaspscstop10", "soksnarkvulns2024", "verichainsdragonberry2022", "xie2022zkbridge", "zhou2023sok", "zkbugtracker" ], "source_file": "/home/runner/work/oak/oak/techniques/T10.005-light-client-verification-bypass.md" }, { "id": "OAK-T11.001", "name": "Third-Party Signing-Vendor UI / Signing-Flow Compromise", "parent_tactics": [ "OAK-T11" ], "maturity": "stable", "chains": [ "EVM", "Solana", "cross-chain" ], "first_documented": "systematic 2022 onward; canonical large-scale case Bybit / Safe{Wallet} 2025-02", "aliases": [ "signing-vendor UI compromise", "Safe{Wallet}-class supply-chain compromise", "UI-payload substitution at sign time" ], "citations": [ "chainalysis2024dprk", "crystalwazirx2024", "wazirxwiki2024" ], "source_file": "/home/runner/work/oak/oak/techniques/T11.001-third-party-signing-vendor-compromise.md" }, { "id": "OAK-T11.002", "name": "Wallet-Software Distribution Compromise", "parent_tactics": [ "OAK-T11" ], "maturity": "stable", "chains": [ "multi-chain (any chain the affected wallet supports)" ], "first_documented": "systematic 2023 onward; canonical case Atomic Wallet June 2023", "aliases": [ "wallet supply-chain attack", "trojanised wallet update", "self-custodial wallet compromise" ], "citations": [ "chainalysis2024dprk", "ellipticatomic2023" ], "source_file": "/home/runner/work/oak/oak/techniques/T11.002-wallet-software-distribution-compromise.md" }, { "id": "OAK-T11.003", "name": "In-Use Multisig Smart-Contract Manipulation", "parent_tactics": [ "OAK-T11", "OAK-T9" ], "maturity": "observed", "chains": [ "EVM" ], "first_documented": "2024 (WazirX canonical case)", "aliases": [ "multisig hijack", "in-flight multisig modification" ], "citations": [ "chainalysis2024dprk", "crystalwazirx2024", "wazirxwiki2024" ], "source_file": "/home/runner/work/oak/oak/techniques/T11.003-multisig-contract-manipulation.md" }, { "id": "OAK-T11.004", "name": "Insufficient-Entropy Key Generation", "parent_tactics": [ "OAK-T11" ], "maturity": "stable", "chains": [ "chain-agnostic (any ECDSA / EdDSA-curve chain whose end-user keys are produced by an off-chain generator); canonical anchors on Ethereum" ], "first_documented": "2022-09 (Profanity vanity-address generator public disclosure by 1inch); the structural class is older (Bitcoin \"RNG bug\" cohorts predate the canonical Ethereum case but are not the v0.1 anchor)", "aliases": [ "weak-RNG key generation", "vanity-address entropy collapse", "Profanity-class private-key recovery", "32-bit-seed key recovery" ], "citations": [ "cointelegraphprofanitycohort2022", "halbornprofanitytool2022", "halbornwintermute2022" ], "source_file": "/home/runner/work/oak/oak/techniques/T11.004-insufficient-entropy-key-generation.md" }, { "id": "OAK-T11.005", "name": "Operator-side Fake-Platform Fraud", "parent_tactics": [ "OAK-T11" ], "maturity": "emerging", "chains": [ "chain-agnostic (deposit substrate is BTC / ETH / stablecoins on-chain; the fraud \"platform\" is off-chain operator-controlled UI/database)" ], "first_documented": "2014 (OneCoin) at the modern threshold; pre-pig-butchering-era (2014–2018) MLM-Ponzi cohort plus 2018-onward multi-asset-wallet Ponzi plus 2020-onward fake-CEX / pig-butchering cohort", "aliases": [ "fake-CEX", "pig-butchering platform", "fake custodian", "investment-fraud platform", "MLM fake-cryptocurrency Ponzi", "rug platform" ], "citations": [ "bbc2019cryptoqueenpodcast", "behindmlmonecoin", "chainalysis2025rug", "coindesk2026onecoinvictims", "doj2017ignatovaindictment", "doj2022greenwoodguiltyplea", "doj2023greenwoodsentencing", "fbi2022ignatovamostwanted", "state2024ignatovareward" ], "source_file": "/home/runner/work/oak/oak/techniques/T11.005-operator-side-fake-platform-fraud.md" }, { "id": "OAK-T11.006", "name": "Cold-storage Seed-phrase Exfiltration at Rest", "parent_tactics": [ "OAK-T11" ], "maturity": "emerging", "chains": [ "chain-agnostic (the substrate-of-extraction is the BIP39 seed phrase / private key material itself; downstream extraction occurs across whichever chains the affected wallet holds)" ], "first_documented": "2022-04 (iCloud-backup MetaMask / Iacovone case) for the implicit-cloud-custody sub-pattern; 2022-12 (LastPass encrypted-vault exfiltration) for the user-initiated plaintext-storage sub-pattern; cohort window remains open at v0.1 reporting horizon", "aliases": [ "seed-phrase at rest exfiltration", "password-manager seed-storage compromise", "iCloud-backup wallet drain", "third-party-storage seed-phrase compromise" ], "citations": [ "bleepinglastpass2025", "cointelegraphlarsen2024", "hackernewslastpass2025", "infosecuritylastpass2023", "krebslastpass2023", "krebslastpass2025", "lastpassbreachdisclosure2022", "theblocklastpass2023", "trmlabslastpass2025", "zachxbtlastpass2023" ], "source_file": "/home/runner/work/oak/oak/techniques/T11.006-cold-storage-seed-phrase-exfiltration-at-rest.md" }, { "id": "OAK-T11.007", "name": "Hardware-wallet Supply-chain / Physical-access Compromise", "parent_tactics": [ "OAK-T11" ], "maturity": "emerging", "chains": [ "chain-agnostic (the substrate-of-extraction is the BIP39 seed phrase / hardware-wallet-controlled private-key material; downstream extraction occurs across whichever chains the affected wallet supports)" ], "first_documented": "2017 (early Ledger Nano S inserts cohort) at the cohort-shape layer; 2020-01-31 (Trezor One / Model T RDP-downgrade Kraken disclosure) for the physical-access capability anchor; 2025 counterfeit Ledger Nano S Plus cohort for the deployed-attack anchor; 2023–2026 fake-firmware-update / recovery-app phishing cohort for the active-phishing sub-pattern", "aliases": [ "counterfeit hardware wallet", "fake Ledger / fake Trezor", "pre-seeded recovery card", "hardware-wallet phishing", "physical-access seed extraction" ], "citations": [], "source_file": "/home/runner/work/oak/oak/techniques/T11.007-hardware-wallet-supply-chain-physical-access-compromise.md" }, { "id": "OAK-T11.008", "name": "Embedded-Wallet Identity-Provider Compromise", "parent_tactics": [ "OAK-T11" ], "maturity": "emerging", "chains": [ "EVM (Polygon-resident Polymarket / Magic Labs canonical at v0.1; cross-chain analogues across Privy / Web3Auth / Dynamic deployments on Ethereum, Base, Arbitrum, Solana, others)" ], "first_documented": "2024-09 (Polymarket Magic-Labs takeover); cohort scale-out 2024–2026 across Polymarket-class platforms whose user onboarding runs through third-party email-auth / OAuth / MPC-social-login providers", "aliases": [ "Magic Labs takeover", "Privy / Web3Auth / Dynamic compromise", "embedded-wallet auth-provider compromise", "email-magic-link wallet hijack", "social-login wallet drain" ], "citations": [], "source_file": "/home/runner/work/oak/oak/techniques/T11.008-embedded-wallet-identity-provider-compromise.md" }, { "id": "OAK-T11.009", "name": "Trader-Tooling Supply-Chain Compromise targeting `.env` Private Keys", "parent_tactics": [ "OAK-T11" ], "maturity": "emerging", "chains": [ "chain-agnostic (the substrate-of-extraction is the developer-environment plaintext key file; downstream extraction occurs across whichever chains the bot operates on — Polygon, Solana, Ethereum, Base, Arbitrum, BNB Chain are all in scope across the cohort)" ], "first_documented": "2025-12 / 2026-01 (Polymarket trader-tooling supply-chain compromise via npm `polymarket-clob` and `dev-protocol` GitHub-org hijack); the broader cohort context spans 2024–2026 with overlapping infrastructure to DPRK-attributed BeaverTail / InvisibleFerret npm campaigns", "aliases": [ "trader-bot npm supply-chain", "developer-environment .env exfiltration", "GitHub-org-hijack trojan-bot distribution", "wallet.json infostealer via package registry" ], "citations": [], "source_file": "/home/runner/work/oak/oak/techniques/T11.009-trader-tooling-supply-chain-env-key-compromise.md" }, { "id": "OAK-T12.001", "name": "NFT Wash-Trade Volume Inflation", "parent_tactics": [ "OAK-T12" ], "maturity": "observed", "chains": [ "EVM (primary; Ethereum / Polygon)", "Solana (Magic Eden, Tensor)" ], "first_documented": "2021–2022 (Chainalysis NFT retrospective; LooksRare incentive-wash episode)", "aliases": [ "NFT volume wash", "collection-rank inflation", "floor-price wash", "marketplace-incentive wash" ], "citations": [ "chainalysis2022nft", "chainalysis2025rug", "victor2021washtrade" ], "source_file": "/home/runner/work/oak/oak/techniques/T12.001-nft-wash-trade-volume-inflation.md" }, { "id": "OAK-T12.002", "name": "Fake-Mint / Counterfeit Collection", "parent_tactics": [ "OAK-T12" ], "maturity": "stable", "chains": [ "EVM (primary; Ethereum / Polygon)", "Solana (Magic Eden cohort)" ], "first_documented": "2021 (early counterfeit cohort on OpenSea); industrial-scale through 2022 Discord-compromise wave", "aliases": [ "fake mint", "counterfeit collection", "copymint", "spoofed collection", "impersonation drop" ], "citations": [ "baycdiscord2022", "certikpremint2022", "chainalysis2022nft", "chainalysisnftcounterfeit2022", "fortunebaycjune2022", "magicedeny00ts2023", "openseamoderation2022", "theblock2022boredape" ], "source_file": "/home/runner/work/oak/oak/techniques/T12.002-fake-mint-counterfeit-collection.md" }, { "id": "OAK-T12.003", "name": "Royalty Bypass / Marketplace Manipulation", "parent_tactics": [ "OAK-T12" ], "maturity": "observed", "chains": [ "EVM (primary; Ethereum / Polygon / other ERC-721-bearing chains)" ], "first_documented": "2022 (Blur launch and the LooksRare / X2Y2 royalty-optional shift); structural problem ongoing", "aliases": [ "royalty stripping", "royalty-optional trading", "marketplace royalty disregard" ], "citations": [ "blurzeroroyalty2022", "chainalysis2022nft", "eip2981", "openseaoperatorfilter2022" ], "source_file": "/home/runner/work/oak/oak/techniques/T12.003-royalty-bypass-marketplace-manipulation.md" }, { "id": "OAK-T13.001", "name": "Paymaster Compromise", "parent_tactics": [ "OAK-T13" ], "maturity": "observed", "chains": [ "EVM (ERC-4337 EntryPoint v0.6 / v0.7 / v0.8 / v0.9 deployments); EVM L2s with native account abstraction (zkSync Era, Starknet) where the paymaster role is analogous; conceptually portable to any chain whose execution model separates gas-sponsorship validation from execution" ], "first_documented": "2023 (Alchemy / OpenZeppelin disclosure of the UserOperation packing inconsistency in EntryPoint v0.6 affecting `VerifyingPaymaster`); class characterised continuously through 2024–2026 in audit-firm advisories on deployed paymasters", "aliases": [ "paymaster drain", "sponsorship policy bypass", "postOp griefing", "paymaster DoS", "validatePaymasterUserOp bypass", "gasless-transaction abuse" ], "citations": [ "aviggiano4337checklist", "erc4337spec", "osecpaymasters2025", "ozaa4337audit", "tobsixmistakes2026" ], "source_file": "/home/runner/work/oak/oak/techniques/T13.001-paymaster-compromise.md" }, { "id": "OAK-T13.001.001", "name": "Paymaster Accounting Drain", "parent_tactics": [ "OAK-T13" ], "maturity": "observed", "chains": [ "EVM (ERC-4337 EntryPoint v0.6 / v0.7 / v0.8 / v0.9 deployments); EVM L2s with native account abstraction (zkSync Era, Starknet) where the paymaster role is analogous" ], "first_documented": "2025 (OSEC paymaster security review enumerates the `postOp` revert / gas-token-mechanic surfaces explicitly); class characterised continuously through audit-firm advisories on deployed paymasters", "aliases": [ "paymaster drain", "postOp revert drain", "gas-token-mechanic accounting drain", "validation-time-debit not unwound" ], "citations": [ "aviggiano4337checklist", "erc4337spec", "osecpaymasters2025", "ozaa4337audit", "tobsixmistakes2026" ], "source_file": "/home/runner/work/oak/oak/techniques/T13.001.001-paymaster-accounting-drain.md" }, { "id": "OAK-T13.001.002", "name": "Paymaster Policy Bypass", "parent_tactics": [ "OAK-T13" ], "maturity": "observed", "chains": [ "EVM (ERC-4337 EntryPoint v0.6 / v0.7 / v0.8 / v0.9 deployments); EVM L2s with native account abstraction; Solana (analogous fee-payer / Token-2022 paymaster surfaces — Kora advisory)" ], "first_documented": "2023 (Alchemy / OpenZeppelin disclosure of the UserOperation-packing inconsistency in EntryPoint v0.6 affecting `VerifyingPaymaster`); Solana / Token-2022 analogue documented 2025 (Kora paymaster advisory)", "aliases": [ "sponsorship policy bypass", "validatePaymasterUserOp bypass", "off-chain-signer / on-chain-hash parity violation", "fail-open instruction parser" ], "citations": [ "alchemyuoppack2023", "aviggiano4337checklist", "dailycvekora2025", "erc4337spec", "ozaa4337audit", "quantstampalchemypm", "tobsixmistakes2026" ], "source_file": "/home/runner/work/oak/oak/techniques/T13.001.002-paymaster-policy-bypass.md" }, { "id": "OAK-T13.001.003", "name": "Paymaster Reentrancy", "parent_tactics": [ "OAK-T13" ], "maturity": "observed", "chains": [ "EVM (ERC-4337 EntryPoint v0.6 / v0.7 / v0.8 / v0.9 deployments); EVM L2s with native account abstraction" ], "first_documented": "2023 (ERC-4337 reference-implementation guidance warns explicitly against external calls before sponsorship-accounting finalisation); class continues to surface in audit-firm advisories on deployed paymasters", "aliases": [ "validatePaymasterUserOp reentrancy", "postOp reentrancy", "paymaster validation-surface reentrancy", "paymaster-specific T9.005" ], "citations": [ "aviggiano4337checklist", "erc4337spec", "osecpaymasters2025", "owaspscstop10", "ozaa4337audit", "tobsixmistakes2026", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T13.001.003-paymaster-reentrancy.md" }, { "id": "OAK-T13.001.004", "name": "Paymaster Griefing", "parent_tactics": [ "OAK-T13" ], "maturity": "observed", "chains": [ "EVM (ERC-4337 EntryPoint v0.6 / v0.7 / v0.8 / v0.9 deployments); EVM L2s with native account abstraction" ], "first_documented": "2023 (EntryPoint v0.7 added the unused-gas-penalty mechanism specifically to address paymaster-DoS surface); 2026 (EntryPoint v0.9 closed the temporary-revert griefing vector)", "aliases": [ "paymaster DoS", "paymaster balance griefing", "postOp griefing", "unused-gas-penalty abuse", "bundler-reputation griefing" ], "citations": [ "aviggiano4337checklist", "erc4337spec", "osecpaymasters2025", "ozaa4337audit", "projecteleven2026v09", "tobsixmistakes2026" ], "source_file": "/home/runner/work/oak/oak/techniques/T13.001.004-paymaster-griefing.md" }, { "id": "OAK-T13.002", "name": "Bundler MEV", "parent_tactics": [ "OAK-T13" ], "maturity": "emerging", "chains": [ "EVM (any chain with deployed ERC-4337 EntryPoint, including Ethereum mainnet, Polygon, Arbitrum, Optimism, Base, BNB Chain)" ], "first_documented": "2023 (concurrent with EntryPoint v0.6 mainnet deployment and the first vendor-side analyses of the alt-mempool)", "aliases": [ "UserOp MEV", "AA sandwich", "4337 front-run" ], "citations": [ "blockpi2023bundlermempool", "daian2019flashboys", "eigenphi2023aamev", "eigenphijared2023", "erc4337eip", "etherspot2023bundlermev", "fastlane2024erc4337mev", "gmu2024aaempirical" ], "source_file": "/home/runner/work/oak/oak/techniques/T13.002-bundler-mev.md" }, { "id": "OAK-T13.003", "name": "Session-Key Hijacking", "parent_tactics": [ "OAK-T13" ], "maturity": "emerging", "chains": [ "EVM (ERC-4337 / ERC-7579 smart accounts); Solana analogues out of scope at v0.1" ], "first_documented": "vendor advisories 2023 onward; class-level discussion in `[zhou2023sok]`; cohort of public incident write-ups remains thin at v0.1 freeze", "aliases": [ "session-key compromise", "delegated-signer hijack", "smart-session abuse", "scoped-key drainer" ], "citations": [ "openfortssa2026", "owaspscstop10", "smartsessions2024", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T13.003-session-key-hijacking.md" }, { "id": "OAK-T13.004", "name": "EIP-7702 Delegation Abuse", "parent_tactics": [ "OAK-T13" ], "maturity": "emerging", "chains": [ "EVM (Ethereum mainnet primary; cross-chain replay surface across all EIP-7702-activated chains)" ], "first_documented": "Pectra hard-fork activation 2025-05-07; cohort onset within first weeks; canonical Wintermute \"CrimeEnjoyor\" tag 2025-06-02", "aliases": [ "EIP-7702 phishing", "set-code transaction abuse", "CrimeEnjoyor delegation", "persistent-execution-authority abuse", "delegator sweeper" ], "citations": [ "coindeskcrimeenjoyor2025", "cryptopolitan7702aug2025", "cryptotimes7702quant2026", "devohmygodcrimeenjoyor2025", "eip7702phishingarxiv", "eip7702spec", "goplus7702malicious2025", "hacken7702aa2025", "slowmist7702aug2025", "slowmistinferno7702may2025", "threesigma7702wallets2025", "wintermute7702crimeenjoyor2025" ], "source_file": "/home/runner/work/oak/oak/techniques/T13.004-eip7702-delegation-abuse.md" }, { "id": "OAK-T14.001", "name": "Slashing-Condition Exploit", "parent_tactics": [ "OAK-T14" ], "maturity": "emerging", "chains": [ "Ethereum (Beacon Chain / consensus layer)", "Cosmos-SDK family (Cosmos Hub, Osmosis, Injective, Terra, etc.)", "Polkadot / Kusama (NPoS)", "Solana (lite slashing model)", "restaking layers (EigenLayer, Symbiotic, Karak)", "interchain-security consumer chains" ], "first_documented": "2020 (concept characterised at Beacon Chain genesis; first Ethereum slashings 2020-2021; ICS-style equivocation slashing extended in Cosmos 2023; mass-correlated incidents on Ethereum mainnet through 2024-2025; Ethereum 2025-09 SSV-Network operator-procedural-error correlated-self-slashing event as the canonical operator-side sub-surface anchor)", "aliases": [ "slashing griefing", "forced equivocation", "slashing-as-MEV", "whistleblower-reward race", "consumer-chain equivocation slash", "slashable-message attack", "operator-procedural-error correlated self-slashing", "DVT-failover mass slashing" ], "citations": [ "a16zslashingecon", "coindeskssv2025", "cosmosasa2024005", "eigenlayerslashing2025", "eth2bookslashing", "neuder2021posattacks", "polkadotoffenses", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T14.001-slashing-condition-exploit.md" }, { "id": "OAK-T14.002", "name": "MEV-Boost Relay Attack", "parent_tactics": [ "OAK-T14" ], "maturity": "stable", "chains": [ "Ethereum (mainnet PoS; secondarily any EVM L1 running an MEV-Boost-compatible PBS sidecar — Holesky/Hoodi testnets, Gnosis Chain, etc.)" ], "first_documented": "2023 (April 3rd unbundling incident; concurrent vendor disclosures of equivocation-class timing issues)", "aliases": [ "relay unbundling", "MEV-Boost timing exploit", "block equivocation attack", "low-carb-crusader attack" ], "citations": [ "aestusverticalintegration2023", "blocksecmevboost2023", "bloxroutemevboost2023", "chainlightpbs2023", "daian2019flashboys", "dojmevbros2024", "eigenphijared2023", "flashbotsequivocation2023", "flashbotsmevboost2023", "mevwatch2024", "paradigmpbstime2023" ], "source_file": "/home/runner/work/oak/oak/techniques/T14.002-mev-boost-relay-attack.md" }, { "id": "OAK-T14.003", "name": "Restaking Cascading Risk", "parent_tactics": [ "OAK-T14" ], "maturity": "emerging", "chains": [ "Ethereum L1 (canonical)", "EVM L2s with restaking-secured AVS", "Cosmos-style shared-security analogues" ], "first_documented": "2023 (concept characterised in Vitalik Buterin's \"Don't overload Ethereum's consensus\" essay; class formalised through 2024 in restaking risk-analysis literature; mainnet slashing enabled by EigenLayer 2025-04)", "aliases": [ "shared-security cascade", "AVS slashing-cascade", "LRT depeg cascade", "restaking systemic risk", "pooled-security contagion" ], "citations": [ "alexanderleveragedrestaking2024", "eigenlabsslashinglive2025", "gauntletrestaking2024", "steakhouselrt2024", "vitalikrestaking2023", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T14.003-restaking-cascading-risk.md" }, { "id": "OAK-T14.003.001", "name": "LST/LRT Depeg-Cascade as Constrained-Primitive Sub-class", "parent_tactics": [ "OAK-T14", "OAK-T1" ], "maturity": "emerging", "chains": [ "Ethereum L1 canonical (Lido stETH; Renzo ezETH); EVM L2s and L1s with LST / LRT collateral integration into lending markets" ], "first_documented": "2022-05/06 (Lido stETH cascade, pre-Shapella, chain-level redemption-absence sub-class); 2024-04 (Renzo ezETH cascade, operator-blocked redemption sub-class); 2025-07 (Lido stETH / Aave / Justin-Sun-driven cascade, withdrawal-queue-depth saturation sub-class)", "aliases": [ "stETH depeg cascade", "ezETH depeg cascade", "LRT depeg cascade", "constrained-redemption depeg", "looped-leverage liquidation cascade" ], "citations": [], "source_file": "/home/runner/work/oak/oak/techniques/T14.003.001-lst-lrt-depeg-cascade-constrained-primitive.md" }, { "id": "OAK-T15.001", "name": "Social Engineering of Operator Personnel", "parent_tactics": [ "OAK-T15" ], "maturity": "emerging", "chains": [ "chain-agnostic (the social-engineering vector is off-chain; downstream on-chain manifestation is per-incident)" ], "first_documented": "systematically 2019 onward (DragonEx WFC Proof \"trading-bot\" lure as the canonical pre-2020 anchor); the LinkedIn fake-job-offer / Telegram fake-recruiter / fake-investor / fake-trading-bot variants stabilised across 2020–2026 OAK-G01 operations", "aliases": [ "TraderTraitor entry vector", "LinkedIn fake-job-offer", "fake-recruiter lure", "DPRK fake-coding-test", "fake-investor pretext", "Penpie audit-report lure", "WFC Proof", "Contagious Interview / Wagemole" ], "citations": [ "chainalysis2024dprk", "ellipticronin2022", "mandiantradiant2024", "radiantpostmortem2024" ], "source_file": "/home/runner/work/oak/oak/techniques/T15.001-social-engineering-of-operator-personnel.md" }, { "id": "OAK-T15.002", "name": "Supply-Chain / Vendor-Pipeline Compromise", "parent_tactics": [ "OAK-T15" ], "maturity": "emerging", "chains": [ "chain-agnostic (the supply-chain compromise is off-chain; downstream on-chain manifestation is per-incident)" ], "first_documented": "systematically 2023 onward (Atomic Wallet, Ledger Connect Kit), with earlier antecedents in npm / package-registry compromise outside crypto", "aliases": [ "supply-chain attack", "build-pipeline injection", "npm package compromise", "CI/CD compromise", "post-install backdoor", "vendor-pipeline compromise" ], "citations": [ "chainalysis2024dprk", "mandiant3cx2023" ], "source_file": "/home/runner/work/oak/oak/techniques/T15.002-supply-chain-vendor-pipeline-compromise.md" }, { "id": "OAK-T15.003", "name": "Operator-Endpoint Compromise (Developer Workstation / Signing Machine)", "parent_tactics": [ "OAK-T15" ], "maturity": "emerging", "chains": [ "chain-agnostic (the endpoint compromise is off-chain; downstream on-chain manifestation is per-incident)" ], "first_documented": "systematically 2017 onward (Bithumb employee-laptop with customer-data DB as the canonical pre-2020 anchor); the developer-workstation / signing-host sub-shape stabilised across the 2024-2025 OAK-G01 wave", "aliases": [ "developer workstation compromise", "signing-host compromise", "MITM on signing host", "INLETDRIFT-class macOS implant", "signing-machine takeover", "employee endpoint compromise" ], "citations": [ "chainalysis2024dprk", "mandiantradiant2024", "radiantpostmortem2024" ], "source_file": "/home/runner/work/oak/oak/techniques/T15.003-operator-endpoint-compromise.md" }, { "id": "OAK-T15.004", "name": "Operator-Side Credential Compromise (SSO / Cloud / Registrar / DNS / Package Registry)", "parent_tactics": [ "OAK-T15" ], "maturity": "emerging", "chains": [ "chain-agnostic (the credential compromise is off-chain; downstream on-chain manifestation is per-incident)" ], "first_documented": "systematically 2022 onward (Curve DNS hijack as a canonical anchor)", "aliases": [ "registrar credential compromise", "DNS hijack", "SSO compromise", "cloud-account takeover", "package-publisher credential compromise", "domain-control compromise" ], "citations": [], "source_file": "/home/runner/work/oak/oak/techniques/T15.004-operator-credential-compromise.md" }, { "id": "OAK-T15.005", "name": "Operator-Communication-Channel Takeover (Discord / X / Telegram)", "parent_tactics": [ "OAK-T15" ], "maturity": "emerging", "chains": [ "chain-agnostic (the channel takeover is off-chain; downstream on-chain manifestation is per-incident)" ], "first_documented": "systematically 2022 onward (the Bored Ape / Yuga / Ronin Discord wave is the foundational cohort)", "aliases": [ "Discord compromise", "X account compromise", "Telegram channel takeover", "operator-brand-channel compromise", "community-manager account compromise", "official-channel phishing" ], "citations": [], "source_file": "/home/runner/work/oak/oak/techniques/T15.005-operator-communication-channel-takeover.md" }, { "id": "OAK-T16.001", "name": "Vote Takeover via Flash-Loan", "parent_tactics": [ "OAK-T16" ], "maturity": "emerging", "chains": [ "EVM (canonical anchors); cross-chain governance contracts inherit the surface where flash-loan liquidity exists in the same execution context as the voting-power-eligibility check" ], "first_documented": "2022 (Beanstalk April 2022 as the canonical anchor)", "aliases": [ "flash-loan governance attack", "same-block flash-borrow vote", "BIP attack", "voting-power flash-borrow", "governance flash-loan" ], "citations": [ "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T16.001-vote-takeover-via-flash-loan.md" }, { "id": "OAK-T16.002", "name": "Hostile-Vote Treasury Drain", "parent_tactics": [ "OAK-T16" ], "maturity": "emerging", "chains": [ "EVM", "Solana", "cross-chain (any DAO with on-chain governance over a treasury whose voting-token can be acquired or inflated by the attacker)" ], "first_documented": "2022 (Mango Markets October 2022 as the canonical anchor)", "aliases": [ "DAO settlement vote", "treasury self-pay vote", "post-exploit governance settlement", "hostile DAO vote", "negotiated extraction vote" ], "citations": [ "cftcmango2023", "compoundforumproposal289_2024", "compoundproposal289_2024", "goldenboyscompound2024", "tallygovernancecompound2024", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T16.002-hostile-vote-treasury-drain.md" }, { "id": "OAK-T16.003", "name": "Delegation-Cluster Vote Takeover", "parent_tactics": [ "OAK-T16" ], "maturity": "emerging", "chains": [ "EVM (canonical anchors at Compound, Balancer, SushiSwap); cross-chain governance contracts inherit the surface where delegation-graph mechanics exist" ], "first_documented": "2022-2024 (Humpy pattern-of-conduct at Balancer / SushiSwap as antecedents; Compound Proposal 289 July 2024 as the canonical anchor)", "aliases": [ "delegation pull attack", "delegate-takeover", "delegation cluster", "delegate-coordination governance attack", "cohort-coordinated vote", "Humpy-class governance accumulation" ], "citations": [ "blocksecgovernance2024", "compoundforumproposal289_2024", "compoundproposal289_2024", "goldenboyscompound2024", "tallygovernancecompound2024", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T16.003-delegation-cluster-vote-takeover.md" }, { "id": "OAK-T16.004", "name": "Snapshot / Off-chain Voting Exploitation", "parent_tactics": [ "OAK-T16" ], "maturity": "draft", "chains": [ "chain-agnostic (off-chain Snapshot.org-class voting platforms operate independently of any specific chain; signature schemes vary)" ], "first_documented": "Class anchored conceptually 2020-2022 (Snapshot.org production deployment 2020); no canonical extraction-scale anchor at v0.1", "aliases": [ "off-chain governance attack", "Snapshot Sybil", "off-chain vote without binding", "non-binding-vote exploitation", "signature-replay governance", "social-consensus governance attack" ], "citations": [ "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T16.004-snapshot-off-chain-voting-exploitation.md" }, { "id": "OAK-T16.005", "name": "Malicious Proposal Snowballing", "parent_tactics": [ "OAK-T16" ], "maturity": "emerging", "chains": [ "EVM (canonical anchors at Tornado Cash, Audius, Curio); cross-chain governance contracts inherit the surface where proposal payloads can contain `delegatecall` or storage-collision-mediated authority capture" ], "first_documented": "2022 (Audius July 2022 storage-collision case as the earliest canonical anchor); refined by Tornado Cash governance May 2023 self-modifying-contract case", "aliases": [ "hidden malicious proposal", "self-modifying proposal", "storage-collision governance attack", "delegatecall governance attack", "proposal-payload-as-attack-vector", "Tornado-class governance attack", "proposal text-vs-execution divergence" ], "citations": [ "blocksectornadogov2023", "peckshieldtornado2023", "slowmisttornadogov2023", "tornadocomm2023", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T16.005-malicious-proposal-snowballing.md" }, { "id": "OAK-T17.001", "name": "Cross-Venue Arbitrage-Driven Price-Discovery Distortion", "parent_tactics": [ "OAK-T17" ], "maturity": "draft", "chains": [ "chain-agnostic (cross-venue arbitrage is a continuous phenomenon across CEX / DEX venues on every chain with non-trivial trading activity; the load-bearing surface is the inter-venue spread, not the chain-level state)" ], "first_documented": "Class anchored conceptually 2017-2020 (CEX / DEX arbitrage as a continuous phenomenon throughout the period); no canonical extraction-scale OAK anchor at v0.4", "aliases": [ "cross-venue arbitrage manipulation", "spread-driven price-discovery distortion", "lagging-venue victim cohort", "cross-CEX/DEX arbitrage exploit" ], "citations": [ "chainalysis2025rug", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T17.001-cross-venue-arbitrage-price-distortion.md" }, { "id": "OAK-T17.002", "name": "Liquidation-Cascade Engineering", "parent_tactics": [ "OAK-T17" ], "maturity": "emerging", "chains": [ "EVM (Aave / Compound / Maker / Liquity / Morpho / Spark canonical); Solana (Solend / Marginfi / Kamino); cross-chain liquidation-engine designs broadly inherit the surface" ], "first_documented": "Class anchored 2020-2022 (early DeFi liquidation-engine designs); systematic cascade-engineering 2022+ (Terra / UST collapse May 2022, stETH-Aave cascade June 2022 as canonical anchors)", "aliases": [ "predatory liquidation", "cascade ignition", "liquidation harvesting", "thin-liquidity liquidation farming", "depeg-cascade harvest" ], "citations": [ "chainalysis2025rug", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T17.002-liquidation-cascade-engineering.md" }, { "id": "OAK-T17.003", "name": "Spoofing / Cancel-Flood Order-Book Manipulation", "parent_tactics": [ "OAK-T17" ], "maturity": "draft", "chains": [ "EVM-L2 (dYdX / GMX V2 perps / Aevo); Hyperliquid HyperEVM; Solana (Drift, Phoenix, Mango v4); cross-chain order-book-DEX designs broadly inherit the surface" ], "first_documented": "Class anchored conceptually 2010-2015 (CFTC enforcement against Sarao 2015 in equity-futures CME context); crypto-DEX-specific class anchored 2022-2024 (operational deployment of order-book DEXes); no canonical extraction-scale OAK anchor at v0.4", "aliases": [ "spoofing", "cancel-flood", "layering", "phantom liquidity", "spoof-and-cancel", "DEX order-book manipulation", "perp spoofing" ], "citations": [ "chainalysis2025rug", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T17.003-orderbook-spoofing-cancel-flood.md" }, { "id": "OAK-T17.004", "name": "TWAP / Time-Window Manipulation Against DAO Treasury / Vesting Math", "parent_tactics": [ "OAK-T17" ], "maturity": "draft", "chains": [ "EVM (Uniswap V2/V3 TWAP windows used as oracle reference; OpenZeppelin TimelockController / Compound Timelock-class windows; vesting-contract designs across OpenZeppelin VestingWallet / Sablier / Hedgey); cross-chain TWAP-consuming designs broadly inherit the surface" ], "first_documented": "Class anchored conceptually 2020-2022 (Uniswap V2 / V3 TWAP-as-oracle deployment); canonical extraction-scale OAK anchor not yet landed at v0.4", "aliases": [ "TWAP manipulation", "window timing attack", "vesting-window manipulation", "treasury-swap window manipulation", "time-weighted price manipulation", "settlement-window timing" ], "citations": [ "chainalysis2025rug", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T17.004-twap-window-manipulation.md" }, { "id": "OAK-T2.001", "name": "Single-Sided Liquidity Plant", "parent_tactics": [ "OAK-T2" ], "maturity": "stable", "chains": [ "EVM", "Solana" ], "first_documented": "empirical (no canonical academic citation)", "aliases": [ "thin LP", "shallow pool", "single-side seed", "asymmetric seed" ], "citations": [ "chainalysis2025rug", "cointelegraphanubismixer2022", "decryptanubis2021", "slowmist2024report", "solrpds", "tmrugpull2026", "trmsquid2021" ], "source_file": "/home/runner/work/oak/oak/techniques/T2.001-single-sided-liquidity-plant.md" }, { "id": "OAK-T2.002", "name": "Locked-Liquidity Spoof", "parent_tactics": [ "OAK-T2", "OAK-T6" ], "maturity": "stable", "chains": [ "EVM", "BNB Chain", "Solana" ], "first_documented": "2021 (industry reports)", "aliases": [ "fake lock", "soft lock", "LP lock theatre", "partial lock", "lock receipt forgery" ], "citations": [ "chainalysis2025rug", "secsafemoon2023", "slowmist2024report" ], "source_file": "/home/runner/work/oak/oak/techniques/T2.002-locked-liquidity-spoof.md" }, { "id": "OAK-T2.003", "name": "Cross-Chain Locked-Liquidity Spoof", "parent_tactics": [ "OAK-T2", "OAK-T6" ], "maturity": "observed", "chains": [ "EVM (Ethereum, BSC, Polygon, Arbitrum, Base)", "Solana", "cross-chain" ], "first_documented": "2022 (concept characterised in cohort-scale rug-pull retrospectives; recurring in multi-chain launch venues)", "aliases": [ "off-chain lock claim", "wrong-chain lock receipt", "split-chain LP lock", "lock-on-A pool-on-B" ], "citations": [ "chainalysis2025rug", "solrpds", "tmrugpull2026" ], "source_file": "/home/runner/work/oak/oak/techniques/T2.003-cross-chain-locked-liquidity-spoof.md" }, { "id": "OAK-T2.004", "name": "Initial-Liquidity Backdoor", "parent_tactics": [ "OAK-T2", "OAK-T6" ], "maturity": "observed", "chains": [ "EVM (Ethereum, BSC, Polygon, Arbitrum, Base)", "Solana" ], "first_documented": "empirical (industry-survey scale; characterised in rug-pull retrospectives and backdoor-code static-analysis research)", "aliases": [ "shadow LP mint", "router-mint backdoor", "creation-time LP backdoor", "privileged pool admin" ], "citations": [ "applsci2025backdoor", "chainalysis2025rug", "quillauditsbackdoor", "rphunter2025", "slowmist2024report", "solrpds", "tmrugpull2026" ], "source_file": "/home/runner/work/oak/oak/techniques/T2.004-initial-liquidity-backdoor.md" }, { "id": "OAK-T3.001", "name": "Sybil-Bundled Launch", "parent_tactics": [ "OAK-T3" ], "maturity": "stable", "chains": [ "EVM", "Solana" ], "first_documented": "2024–2025 (industry observation; Liu et al. 2025 covers the related airdrop-sybil case with transferable methodology)", "aliases": [ "bundled buys", "atomic launch", "sniper bundle", "bundler-cluster launch" ], "citations": [ "dydx2024sybil", "jitobundlepolicies2024", "liu2025sybil", "pumpfunbundlerbubblemaps2024", "pumpfunlaunchruganalytics2024" ], "source_file": "/home/runner/work/oak/oak/techniques/T3.001-sybil-bundled-launch.md" }, { "id": "OAK-T3.002", "name": "Wash-Trade Volume Inflation", "parent_tactics": [ "OAK-T3", "OAK-T17" ], "maturity": "stable", "chains": [ "EVM", "Solana", "CEX (cross-venue)" ], "first_documented": "2019 (Bitwise SEC filing on CEX wash); 2021 (Victor & Weintraud, DEX academic cohort)", "aliases": [ "self-trading", "circular volume", "fake volume", "incentive-farming wash" ], "citations": [ "bitwise2019fakevolumes", "chainalysis2022nft", "chainalysis2025rug", "victor2021washtrade" ], "source_file": "/home/runner/work/oak/oak/techniques/T3.002-wash-trade-volume-inflation.md" }, { "id": "OAK-T3.003", "name": "Coordinated Pump-and-Dump", "parent_tactics": [ "OAK-T3", "OAK-T5", "OAK-T17" ], "maturity": "stable", "chains": [ "EVM", "Solana", "BSC", "CEX (cross-venue)" ], "first_documented": "2017–2018 (Telegram-group studies); 2021 (Bitwise CEX-cohort context); systematic 2024–2025", "aliases": [ "P&D", "coordinated pump", "group pump", "shill-coordinated dump" ], "citations": [ "bolz2024", "chainalysis2025rug", "karbalaii2025", "pumpfunbundlerbubblemaps2024", "pumpfunlaunchruganalytics2024", "secsafemoon2023" ], "source_file": "/home/runner/work/oak/oak/techniques/T3.003-pump-and-dump-coordination.md" }, { "id": "OAK-T3.004", "name": "Influencer-Amplified Promotion-and-Dump", "parent_tactics": [ "OAK-T3", "OAK-T17" ], "maturity": "emerging", "chains": [ "EVM (Ethereum, Solana via Pump.fun, BNB Chain); cross-chain" ], "first_documented": "2021-06 (Save the Kids / $KIDS — FaZe Clan / Frazier Kay / RiceGum / Sommer Ray); 2021-12 (CryptoZoo — Logan Paul); cohort scale-out 2024–2026 with the Pump.fun celebrity-launch wave (DADDY / JENNER / MOTHER / DJT)", "aliases": [ "celebrity coin rug", "influencer pump and dump", "celebrity NFT rug", "external-to-crypto promoter dump", "YouTube / X / Twitch celebrity-coin promotion-and-dump" ], "citations": [], "source_file": "/home/runner/work/oak/oak/techniques/T3.004-influencer-amplified-promotion-and-dump.md" }, { "id": "OAK-T4.001", "name": "Permit2 Signature-Based Authority Misuse", "parent_tactics": [ "OAK-T4" ], "maturity": "stable", "chains": [ "EVM" ], "first_documented": "2022–2023 (industry incident reports)", "aliases": [ "permit2 phishing", "signature-based asset transfer", "off-chain approval drainer" ], "citations": [ "checkpoint2023drainers", "scamsniffer2024lineage", "scamsniffer2024pink", "slowmist2024report", "zachxbtmonkey2023" ], "source_file": "/home/runner/work/oak/oak/techniques/T4.001-permit2-authority-misuse.md" }, { "id": "OAK-T4.002", "name": "Compromised Front-End Permit Solicitation", "parent_tactics": [ "OAK-T4", "OAK-T6" ], "maturity": "observed", "chains": [ "EVM" ], "first_documented": "2022 (Curve Finance DNS hijack)", "aliases": [ "frontend hijack permit", "DNS-takeover permit", "BGP-hijack frontend" ], "citations": [ "blocksec_coinstats2024", "coinstats20240622", "dexxstatements2024", "galxepostmortem2023", "peckshieldcoinstats2024", "peckshielddexx2024", "peckshieldgalxe2023", "rektcurve2022", "rektgalxe2023", "slowmist2024report", "slowmistcoinstats2024", "slowmistdexx2024", "zachxbtcoinstats2024", "zachxbtdexx2024" ], "source_file": "/home/runner/work/oak/oak/techniques/T4.002-compromised-frontend-permit-solicitation.md" }, { "id": "OAK-T4.003", "name": "Address Poisoning", "parent_tactics": [ "OAK-T4", "OAK-T6" ], "maturity": "stable", "chains": [ "EVM (primary)", "Solana", "Tron" ], "first_documented": "2022 (early reports); industrial-scale 2023 onward (Tsuchiya et al. 2025 USENIX Security cohort)", "aliases": [ "zero-value transfer scam", "lookalike-address phishing", "wallet-history poisoning" ], "citations": [ "chainalysis2024poisoning", "chainalysisnftcounterfeit2022", "tsuchiya2025poisoning" ], "source_file": "/home/runner/work/oak/oak/techniques/T4.003-address-poisoning.md" }, { "id": "OAK-T4.004", "name": "Allowance / Approve-Pattern Drainer", "parent_tactics": [ "OAK-T4" ], "maturity": "stable", "chains": [ "EVM (primary)" ], "first_documented": "widespread from approximately 2022; characterised in `[checkpoint2023drainers]`", "aliases": [ "approve drainer", "unlimited allowance phishing", "ERC-20 approve scam" ], "citations": [ "blocksec_coinstats2024", "checkpoint2023drainers", "coinstats20240622", "dexxstatements2024", "peckshieldcoinstats2024", "peckshielddexx2024", "scamsniffer2024lineage", "scamsniffer2024pink", "slowmist2024report", "slowmistcoinstats2024", "slowmistdexx2024", "theblock2022boredape", "zachxbtcoinstats2024", "zachxbtdexx2024" ], "source_file": "/home/runner/work/oak/oak/techniques/T4.004-allowance-approve-drainer.md" }, { "id": "OAK-T4.005", "name": "`setApprovalForAll` NFT Drainer", "parent_tactics": [ "OAK-T4" ], "maturity": "stable", "chains": [ "EVM (primary; Ethereum / Polygon / BNB Chain)" ], "first_documented": "2021 (early Bored Ape phishing wave); industrial-scale 2022+", "aliases": [ "NFT phishing drainer", "approval-for-all phishing", "BAYC phishing" ], "citations": [ "baycdiscord2022", "checkpoint2023drainers", "fortunebaycjune2022", "openseamoderation2022", "openseaoperatorfilter2022", "peckshieldyugaotherside2022", "slowmist2024report", "slowmistyugaotherside2022", "theblock2022boredape", "theblockyugaotherside2022", "yugaotherside2022", "zachxbtyugaotherside2022" ], "source_file": "/home/runner/work/oak/oak/techniques/T4.005-setapprovalforall-nft-drainer.md" }, { "id": "OAK-T4.006", "name": "WalletConnect Session Hijack", "parent_tactics": [ "OAK-T4" ], "maturity": "observed", "chains": [ "EVM (primary)", "Solana", "multi-chain (any chain WalletConnect supports)" ], "first_documented": "systematic 2023 onward; mobile-app-impersonation cases at scale 2024", "aliases": [ "WalletConnect phishing", "fake-dApp pairing", "QR-code wallet hijack" ], "citations": [], "source_file": "/home/runner/work/oak/oak/techniques/T4.006-walletconnect-session-hijack.md" }, { "id": "OAK-T4.007", "name": "Native-app Social Phishing on Engagement-Weighted Platforms", "parent_tactics": [ "OAK-T4" ], "maturity": "emerging", "chains": [ "EVM (Polygon-resident Polymarket canonical at v0.1; cross-platform analogues across Friend.tech, Pump.fun, Farcaster, and any platform with engagement-weighted in-platform distribution)" ], "first_documented": "2025-10/11 (Polymarket comment-section phishing campaign exploiting comment-pinning mechanic)", "aliases": [ "comment-section phishing", "engagement-weighted phishing", "in-platform paid-pinning phishing", "native-app social phishing" ], "citations": [], "source_file": "/home/runner/work/oak/oak/techniques/T4.007-native-app-social-phishing-engagement-weighted-platforms.md" }, { "id": "OAK-T4.008", "name": "Fake-DEX Clone-Frontend Phishing", "parent_tactics": [ "OAK-T4" ], "maturity": "emerging", "chains": [ "EVM dominant (Uniswap / PancakeSwap / Lido / Curve / Stargate / Orbiter / Radiant / Zapper / DefiLlama clone-frontends); Solana (Raydium clone-frontends); cross-chain" ], "first_documented": "2023-03 (MS Drainer kit cohort initial deployment); class-level industrial cohort observable across 2023–2026 with continuing distribution surface", "aliases": [ "fake DEX phishing", "clone-frontend phishing", "typosquat DEX UI", "paid-ad fake-DEX cohort", "Inferno-Drainer fake-frontend" ], "citations": [ "bleepingmsdrainer2023", "bleepingtelegrambots2024", "cointelegraphmsdrainer2023", "cryptonewsuniswap12m2025", "cyblecryptophishingapps2024", "gateuniswap2025", "hackreadgoogleplaypishing2024", "kasperskytelegram2025", "protosuniswap2025", "scamsniffermsdrainer2023", "techradarcryptoplaystore2024" ], "source_file": "/home/runner/work/oak/oak/techniques/T4.008-fake-dex-clone-frontend-phishing.md" }, { "id": "OAK-T5.001", "name": "Hard LP Drain", "parent_tactics": [ "OAK-T5" ], "maturity": "stable", "chains": [ "EVM", "Solana" ], "first_documented": "2020 (industry reports)", "aliases": [ "hard rug", "LP withdrawal event" ], "citations": [ "chainalysis2021scams", "chainalysis2025rug", "cointelegraphanubismixer2022", "decryptanubis2021", "slowmist2024report", "solrpds", "trmsquid2021" ], "source_file": "/home/runner/work/oak/oak/techniques/T5.001-hard-lp-drain.md" }, { "id": "OAK-T5.002", "name": "Slow LP Trickle Removal", "parent_tactics": [ "OAK-T5", "OAK-T6" ], "maturity": "emerging", "chains": [ "EVM", "Solana" ], "first_documented": "2024–2026 (TM-RugPull research, 2026; Tran et al. 2025 Fragmented Rug Pull)", "aliases": [ "slow rug", "trickle drain", "patient drain", "fragmented rug pull (FRP)" ], "citations": [ "frp2025", "fullycryptosoftrug", "secsafemoon2023", "tmrugpull2026" ], "source_file": "/home/runner/work/oak/oak/techniques/T5.002-slow-lp-trickle-removal.md" }, { "id": "OAK-T5.003", "name": "Hidden-Mint Dilution", "parent_tactics": [ "OAK-T5" ], "maturity": "stable", "chains": [ "EVM", "Solana" ], "first_documented": "2021 (Xia et al. canonical Uniswap scam-token cohort)", "aliases": [ "stealth mint", "hidden inflation", "post-launch mint" ], "citations": [ "badgerpostmortem2021", "chainalysisbadger2021", "halbornbadger2021", "neodyme2024token2022", "solana2024permdelegate", "tmrugpull2026", "xia2021mintdump" ], "source_file": "/home/runner/work/oak/oak/techniques/T5.003-hidden-mint-dilution.md" }, { "id": "OAK-T5.004", "name": "Sandwich / MEV Extraction", "parent_tactics": [ "OAK-T5", "OAK-T17" ], "maturity": "stable", "chains": [ "EVM" ], "first_documented": "2019 (Daian et al., \"Flash Boys 2.0\")", "aliases": [ "sandwich", "MEV sandwich", "front-run + back-run" ], "citations": [ "daian2019flashboys", "eigenphijared2023" ], "source_file": "/home/runner/work/oak/oak/techniques/T5.004-sandwich-mev-extraction.md" }, { "id": "OAK-T5.005", "name": "Treasury-Management Exit", "parent_tactics": [ "OAK-T5", "OAK-T6" ], "maturity": "stable", "chains": [ "EVM", "Solana" ], "first_documented": "2021 (Polywhale-class incidents); regulatory record 2023 (SafeMoon federal complaint)", "aliases": [ "soft rug via treasury", "treasury draw exit", "team-unlock dump", "salary-rug" ], "citations": [ "chainalysis2025rug", "fullycryptosoftrug", "secsafemoon2023" ], "source_file": "/home/runner/work/oak/oak/techniques/T5.005-treasury-management-exit.md" }, { "id": "OAK-T5.006", "name": "Vesting Cliff Dump", "parent_tactics": [ "OAK-T5" ], "maturity": "emerging", "chains": [ "EVM", "Solana", "Cosmos", "BNB Chain (any chain hosting time-locked allocation contracts)" ], "first_documented": "2021–2024 (industry retrospectives at token-unlock-tracker level)", "aliases": [ "cliff dump", "unlock dump", "investor unlock sell-pressure" ], "citations": [ "chainalysis2025rug", "cryptorank2026unlock", "defillama2026unlocks", "tokenunlocks2026platform" ], "source_file": "/home/runner/work/oak/oak/techniques/T5.006-vesting-cliff-dump.md" }, { "id": "OAK-T5.007", "name": "Third-party Brand-impersonation Custodial Soft-rug", "parent_tactics": [ "OAK-T5" ], "maturity": "emerging", "chains": [ "EVM (Polygon-resident Polymarket-branded canonical case at v0.1; cross-platform analogues across any high-trust platform whose brand can be impersonated by off-platform services — Polymarket, Hyperliquid, dYdX, Pump.fun, GMX, prediction-market and trader-tooling ecosystems)" ], "first_documented": "2026-01 (Polycule trading bot — Polymarket-branded but unaffiliated, ~$230K, exit-via-\"hack\" announcement followed by communication blackout)", "aliases": [ "third-party brand-impersonation soft rug", "Polymarket-branded bot exit", "fake-affiliated trading-bot rug", "custodial soft-rug exit-as-hack" ], "citations": [], "source_file": "/home/runner/work/oak/oak/techniques/T5.007-third-party-brand-impersonation-custodial-soft-rug.md" }, { "id": "OAK-T6.001", "name": "Source-Verification Mismatch", "parent_tactics": [ "OAK-T6" ], "maturity": "stable", "chains": [ "EVM (primary)" ], "first_documented": "widespread from approximately 2020 onward", "aliases": [ "verified-but-not-really", "fake source verification", "bytecode-source mismatch" ], "citations": [ "chainalysis2025rug" ], "source_file": "/home/runner/work/oak/oak/techniques/T6.001-source-verification-mismatch.md" }, { "id": "OAK-T6.002", "name": "Fake Audit-Claim", "parent_tactics": [ "OAK-T6" ], "maturity": "stable", "chains": [ "chain-agnostic (the failure mode lives off-chain; the underlying Technique it modifies may be on any chain)" ], "first_documented": "widespread from approximately 2021 onward", "aliases": [ "audit fraud", "fake CertiK audit", "audit-affiliation impersonation" ], "citations": [ "certikfakeaudit", "dlnewsswaprum2023" ], "source_file": "/home/runner/work/oak/oak/techniques/T6.002-fake-audit-claim.md" }, { "id": "OAK-T6.003", "name": "Audit-of-Different-Bytecode-Version", "parent_tactics": [ "OAK-T6" ], "maturity": "stable", "chains": [ "chain-agnostic (the failure mode is the audit-vs-deployed gap; the underlying Technique it modifies may be on any chain)" ], "first_documented": "widespread from approximately 2021 onward", "aliases": [ "audit-deployed mismatch", "post-audit redeploy", "audit-version drift", "audit of fork" ], "citations": [ "certikfakeaudit", "chainalysis2025rug", "dlnewsswaprum2023" ], "source_file": "/home/runner/work/oak/oak/techniques/T6.003-audit-of-different-bytecode-version.md" }, { "id": "OAK-T6.004", "name": "Audit-Pending Marketing Claim", "parent_tactics": [ "OAK-T6" ], "maturity": "stable", "chains": [ "chain-agnostic (the failure mode lives off-chain at the marketing-claim layer; the underlying Technique it modifies may be on any chain)" ], "first_documented": "widespread from approximately 2021 onward", "aliases": [ "audit pending", "audit in progress", "audit forthcoming", "working with [firm]", "audit Q[X]" ], "citations": [ "certikfakeaudit", "chainalysis2025rug", "slowmist2024report" ], "source_file": "/home/runner/work/oak/oak/techniques/T6.004-audit-pending-marketing-claim.md" }, { "id": "OAK-T6.005", "name": "Proxy-Upgrade Malicious Switching", "parent_tactics": [ "OAK-T6", "OAK-T1", "OAK-T9", "OAK-T10" ], "maturity": "emerging", "chains": [ "EVM (primary); cross-chain bridge variants (Polkadot ⇄ EVM canonical at v0.1)" ], "first_documented": "structural class anchored from approximately 2022; canonical contract-layer-message-forgery 2026-04 (Hyperbridge)", "aliases": [ "verified-then-malicious upgrade", "proxy implementation switching", "upgrade-as-attack-vector", "post-verification implementation substitution" ], "citations": [ "ambcryptohyperbridge2026", "audiuspostmortem2022", "autheobridgesecurity2026", "cmcacademyhyperbridge2026", "coindeskhyperbridge2026", "cointelegraphhyperbridge2026", "cryptobriefinghyperbridge2026", "cryptobriefinghyperbridgejump2026", "dlnewshyperbridge2026", "halbornaudius2022", "peckshieldaudius2022", "polkadotforumhyperbridge2026", "theblockaudius2022", "theblockhyperbridge2026", "thedefianthyperbridge2026" ], "source_file": "/home/runner/work/oak/oak/techniques/T6.005-proxy-upgrade-malicious-switching.md" }, { "id": "OAK-T6.006", "name": "Counterfeit Token Impersonation", "parent_tactics": [ "OAK-T6", "OAK-T4", "OAK-T5" ], "maturity": "emerging", "chains": [ "EVM (primary); cross-chain bridge variants (Polkadot ⇄ EVM canonical at v0.1)" ], "first_documented": "dust-attack-lure / fake-LP cohort widespread from approximately 2022; canonical bridge-internal-mint sub-class 2026-04 (Hyperbridge)", "aliases": [ "fake-symbol-matching token", "bridge-token impersonation", "counterfeit-mint", "dust-attack lure", "fake LP-token" ], "citations": [ "ambcryptohyperbridge2026", "autheobridgesecurity2026", "chainalysis2025rug", "cmcacademyhyperbridge2026", "coindeskhyperbridge2026", "cointelegraphhyperbridge2026", "cryptobriefinghyperbridge2026", "cryptobriefinghyperbridgejump2026", "dlnewshyperbridge2026", "polkadotforumhyperbridge2026", "theblockhyperbridge2026", "thedefianthyperbridge2026" ], "source_file": "/home/runner/work/oak/oak/techniques/T6.006-counterfeit-token-impersonation.md" }, { "id": "OAK-T6.007", "name": "Trust-substrate Shift / Vendor-side Promise Revocation", "parent_tactics": [ "OAK-T6" ], "maturity": "emerging", "chains": [ "chain-agnostic (the substrate-of-revocation is the vendor / regulator / infrastructure-policy claim; the realised effect is on user-side threat-model construction across whichever chains the affected product operates)" ], "first_documented": "2023-05-16 (Ledger Recover seed-recovery service announcement collapsing the \"seed never leaves the device\" trust-substrate claim that had informed Ledger users' threat-model construction since 2016)", "aliases": [ "vendor-policy promise revocation", "trust-substrate revocation event", "non-attack defender-credibility event", "vendor-policy-as-defense-evasion" ], "citations": [], "source_file": "/home/runner/work/oak/oak/techniques/T6.007-trust-substrate-shift-vendor-promise-revocation.md" }, { "id": "OAK-T7.001", "name": "Mixer-Routed Hop", "parent_tactics": [ "OAK-T7" ], "maturity": "stable", "chains": [ "EVM", "Bitcoin", "cross-chain" ], "first_documented": "2017 (academic interest), enforcement attention 2022+", "aliases": [ "mixer hop", "obfuscation hop", "anonymity-set hop" ], "citations": [ "chainalysis2024laundering", "coindeskthorchainlazarus2025", "cointelegraphanubismixer2022", "ellipticronin2022", "fbiharmony2023", "ofac2022tornado" ], "source_file": "/home/runner/work/oak/oak/techniques/T7.001-mixer-routed-hop.md" }, { "id": "OAK-T7.002", "name": "CEX Deposit-Address Layering", "parent_tactics": [ "OAK-T7" ], "maturity": "stable", "chains": [ "EVM", "Solana", "Bitcoin", "cross-chain" ], "first_documented": "systematic from 2020 onward; characterised at scale in `[chainalysis2024laundering]`", "aliases": [ "deposit layering", "diversified-deposit laundering", "structured CEX off-ramp" ], "citations": [ "chainalysis2024laundering", "chainalysis2025garantex", "doj2025garantex", "ellipticatomic2023", "ofac2022garantex", "treasury2025garantexnetwork", "trmlabs2025grinex" ], "source_file": "/home/runner/work/oak/oak/techniques/T7.002-cex-deposit-layering.md" }, { "id": "OAK-T7.003", "name": "Cross-Chain Bridge Laundering", "parent_tactics": [ "OAK-T7" ], "maturity": "stable", "chains": [ "EVM", "Solana", "Bitcoin", "cross-chain" ], "first_documented": "systematic from approximately 2022 onward; emerged as the dominant Lazarus laundering rail post Tornado Cash sanctions", "aliases": [ "chain hopping", "bridge laundering", "THORChain laundering\" (the dominant rail)" ], "citations": [ "chainalysis2024laundering", "chainalysismultichain2023", "coindeskthorchainlazarus2025", "dlnewsmultichain2023", "ellipticharmony2022", "ellipticronin2022", "fbiharmony2023", "halbornharmony2022", "halbornmultichain2023", "ofac2022tornado" ], "source_file": "/home/runner/work/oak/oak/techniques/T7.003-cross-chain-bridge-laundering.md" }, { "id": "OAK-T7.004", "name": "NFT Wash-Laundering", "parent_tactics": [ "OAK-T7" ], "maturity": "observed", "chains": [ "EVM (primary; Ethereum / Polygon)" ], "first_documented": "2021 (early NFT-marketplace surge); systematic 2022 onward", "aliases": [ "NFT money laundering", "self-financed NFT trade", "wash-laundering through art" ], "citations": [ "blurzeroroyalty2022", "chainalysis2022nft", "chainalysisnftcounterfeit2022", "theblock2022boredape", "victor2021washtrade" ], "source_file": "/home/runner/work/oak/oak/techniques/T7.004-nft-wash-laundering.md" }, { "id": "OAK-T7.005", "name": "Privacy-Chain Hops", "parent_tactics": [ "OAK-T7" ], "maturity": "stable", "chains": [ "EVM", "Bitcoin", "cross-chain", "Monero", "Zcash" ], "first_documented": "systematic from approximately 2017 onward (Monero gained darknet-market dominance in 2016–2017); enforcement-relevant attention 2020+", "aliases": [ "privacy-coin hop", "XMR hop", "Monero off-ramp", "shielded-pool hop" ], "citations": [ "binancexmrdelist2024", "chainalysis2024dprk", "chainalysis2024laundering", "chainalysisprivacychain2024", "ofac2022tornado" ], "source_file": "/home/runner/work/oak/oak/techniques/T7.005-privacy-chain-hops.md" }, { "id": "OAK-T7.006", "name": "DeFi Yield-Strategy Laundering", "parent_tactics": [ "OAK-T7" ], "maturity": "stable", "chains": [ "EVM", "Solana", "cross-chain (within-chain laundering rail per chain)" ], "first_documented": "systematic from approximately 2021 onward (DeFi-summer-and-after) as DeFi liquidity-and-yield surface grew large enough to absorb laundering flows; cohort-scale industry attention 2023+", "aliases": [ "yield-farm laundering", "LP-cover laundering", "staking-derivative laundering", "yield-user-persona laundering" ], "citations": [ "chainalysis2024dprk", "chainalysis2024laundering", "ofac2022tornado" ], "source_file": "/home/runner/work/oak/oak/techniques/T7.006-defi-yield-strategy-laundering.md" }, { "id": "OAK-T8.001", "name": "Common-Funder Cluster Reuse", "parent_tactics": [ "OAK-T8" ], "maturity": "stable", "chains": [ "EVM", "Solana" ], "first_documented": "2021 (TRM SQUID cross-incident attribution); systematic 2024–2025", "aliases": [ "operator cluster", "funder reuse", "deployer fingerprint", "operator-graph reuse" ], "citations": [ "chainalysis2024dprk", "chainalysisdprktradertraitor", "liu2025sybil", "scamsniffer2024lineage", "scamsniffer2024pink", "slowmist2024report", "treasury2025garantexnetwork", "trmlabs2025grinex", "trmsquid2021" ], "source_file": "/home/runner/work/oak/oak/techniques/T8.001-cluster-reuse.md" }, { "id": "OAK-T8.002", "name": "Cross-Chain Operator Continuity", "parent_tactics": [ "OAK-T8" ], "maturity": "observed", "chains": [ "cross-chain" ], "first_documented": "systematic 2023 onward as multi-chain operator activity has scaled", "aliases": [ "multi-chain operator profile", "cross-chain attribution", "chain-hop operator" ], "citations": [ "chainalysis2024dprk", "chainalysis2024laundering", "chainalysis2025ransomware", "chainalysisbybitthorchain", "coindeskthorchainlazarus2025", "liu2025sybil", "scamsniffer2024lineage", "slowmist2024report", "trilateraldprkstatement2025" ], "source_file": "/home/runner/work/oak/oak/techniques/T8.002-cross-chain-operator-continuity.md" }, { "id": "OAK-T9.001", "name": "Oracle Price Manipulation", "parent_tactics": [ "OAK-T9", "OAK-T17" ], "maturity": "stable", "chains": [ "EVM", "Solana" ], "first_documented": "2020 (early cases on Compound and bZx); systematic 2022+", "aliases": [ "oracle attack", "price-feed manipulation", "single-block oracle exploit" ], "citations": [ "blocksecbonq2023", "blocksecveefinance2021", "bonqpostmortem2023", "cftcmango2023", "chainalysis2025rug", "creamfinance2021postmortem", "halbornbonq2023", "halborncream2021oct", "halbornveefinance2021", "immunefikream2021", "muditgupta2021cream", "owaspscstop10", "peckshieldbonq2023", "rektveefinance2021", "slowmistveefinance2021", "tellorbonq2023", "veefinancepostmortem2021", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T9.001-oracle-price-manipulation.md" }, { "id": "OAK-T9.002", "name": "Flash-Loan-Enabled Exploit", "parent_tactics": [ "OAK-T9" ], "maturity": "stable", "chains": [ "EVM", "Solana", "cross-chain" ], "first_documented": "2020 (early bZx cases)", "aliases": [ "flash-loan attack", "atomic-borrow exploit" ], "citations": [ "owaspscstop10", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T9.002-flash-loan-enabled-exploit.md" }, { "id": "OAK-T9.003", "name": "Governance Attack", "parent_tactics": [ "OAK-T9" ], "maturity": "stable", "chains": [ "EVM", "cross-chain" ], "first_documented": "2022 (Beanstalk canonical case)", "aliases": [ "DAO governance exploit", "voting-power attack", "BIP attack", "malicious proposal" ], "citations": [ "blocksectornadogov2023", "compoundforumproposal289_2024", "compoundproposal289_2024", "goldenboyscompound2024", "owaspscstop10", "peckshieldtornado2023", "slowmisttornadogov2023", "tallygovernancecompound2024", "tornadocomm2023", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T9.003-governance-attack.md" }, { "id": "OAK-T9.004", "name": "Access-Control Misconfiguration", "parent_tactics": [ "OAK-T9" ], "maturity": "stable", "chains": [ "EVM", "Solana", "cross-chain" ], "first_documented": "widespread; canonical modern cases 2022+", "aliases": [ "broken access control", "missing authorization check", "guardian-bypass", "logic-flaw extraction", "privilege-boundary violation" ], "citations": [ "blocksec2023euler", "blocksecsuikiloex2025", "chainalysiseuler2023", "chainalysismultichain2023", "chainalysispoly2021", "dlnewsmultichain2023", "elliptipeuler2023", "elliptipoly2021", "eulerlabs2023statement", "halborneuler2023", "halbornmultichain2023", "kiloexpostmortem2025", "kudelskipoly2021", "owaspscstop10", "peckshieldkiloex2025", "slowmistkiloex2025", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T9.004-access-control-misconfiguration.md" }, { "id": "OAK-T9.005", "name": "Reentrancy", "parent_tactics": [ "OAK-T9" ], "maturity": "stable", "chains": [ "EVM (primary); EVM-compatible L2s; conceptually applicable to any chain whose execution model allows external calls before state finalisation" ], "first_documented": "2016 (The DAO); modern hook-based and cross-protocol variants 2020+", "aliases": [ "recursive call attack", "callback reentry", "cross-function reentrancy", "cross-protocol reentrancy", "read-only reentrancy", "ERC-777 hook reentrancy", "ERC-721/1155 receive-hook reentrancy" ], "citations": [ "daoreentrancy2016retrospective", "owaspscstop10", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/techniques/T9.005-reentrancy.md" }, { "id": "OAK-T9.006", "name": "Subjective-Oracle Resolution Manipulation", "parent_tactics": [ "OAK-T9", "OAK-T17" ], "maturity": "emerging", "chains": [ "EVM (Polygon-resident Polymarket / Ethereum-resident UMA DVM canonical at v0.1; cross-chain analogues across Kleros, Reality.eth, Augur REP)" ], "first_documented": "Polymarket UMA whale-vote-capture March 2025; cohort scale-out 2025–2026 across Polymarket-class subjective-oracle prediction markets", "aliases": [ "subjective oracle attack", "DVM vote capture", "resolution-spec manipulation", "prediction-market oracle attack", "non-numeric oracle manipulation" ], "citations": [], "source_file": "/home/runner/work/oak/oak/techniques/T9.006-subjective-oracle-resolution-manipulation.md" }, { "id": "OAK-T9.006.001", "name": "DVM Vote Capture by Economically-Interested Holder", "parent_tactics": [ "OAK-T9", "OAK-T17" ], "maturity": "emerging", "chains": [ "EVM (Polymarket on Polygon / UMA DVM on Ethereum canonical at v0.1)" ], "first_documented": "2025-03 (Polymarket Ukraine mineral deal)", "aliases": [ "UMA whale vote capture", "DVM governance attack", "oracle-vote corruption" ], "citations": [], "source_file": "/home/runner/work/oak/oak/techniques/T9.006.001-dvm-vote-capture.md" }, { "id": "OAK-T9.006.002", "name": "Resolution-Spec Ambiguity Exploitation", "parent_tactics": [ "OAK-T9", "OAK-T17" ], "maturity": "emerging", "chains": [ "EVM (Polymarket on Polygon / UMA DVM on Ethereum canonical at v0.1)" ], "first_documented": "2025-07 (Polymarket Zelenskyy-suit market)", "aliases": [ "spec-ambiguity attack", "natural-language oracle ambiguity", "interpretive-resolution exploitation" ], "citations": [], "source_file": "/home/runner/work/oak/oak/techniques/T9.006.002-resolution-spec-ambiguity-exploitation.md" }, { "id": "OAK-T9.006.003", "name": "Off-chain Resolution-Source Coercion", "parent_tactics": [ "OAK-T9", "OAK-T17" ], "maturity": "emerging", "chains": [ "EVM (Polymarket on Polygon canonical at v0.1)" ], "first_documented": "2026-03 (Times of Israel correspondent Emanuel Fabian, Iran-strike market)", "aliases": [ "journalist coercion", "off-chain reporter extortion", "resolution-input-layer attack", "oracle-input physical-coercion" ], "citations": [], "source_file": "/home/runner/work/oak/oak/techniques/T9.006.003-off-chain-resolution-source-coercion.md" }, { "id": "OAK-T9.006.004", "name": "Operational-Insider Trading on Subjective-Resolution Prediction Markets", "parent_tactics": [ "OAK-T9", "OAK-T17" ], "maturity": "emerging", "chains": [ "EVM (Polymarket on Polygon canonical at v0.1)" ], "first_documented": "2025-12 (Van Dyke / Operation Absolute Resolve betting window) → 2026-01 (real-world execution) → 2026-04 (DOJ SDNY indictment + CFTC parallel civil action). Multi-jurisdictional confirmation 2026-02 (Tel Aviv District Court indictment of IDF reservist).", "aliases": [ "operational-insider Polymarket", "classified-information prediction-market trading", "causal-actor insider trading" ], "citations": [], "source_file": "/home/runner/work/oak/oak/techniques/T9.006.004-operational-insider-trading.md" } ], "mitigations": [ { "id": "OAK-M01", "name": "Source-Bytecode Verification", "class": "detection", "audience": [ "vendor", "risk-team", "venue" ], "maps_to_techniques": [ "OAK-T1.001", "OAK-T1.003", "OAK-T1.004", "OAK-T1.005", "OAK-T2.004", "OAK-T6.001", "OAK-T6.003" ], "citations": [ "certikfakeaudit", "chainalysis2025rug", "quillauditsbackdoor", "slowmist2024report" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M01-source-bytecode-verification.md" }, { "id": "OAK-M02", "name": "Static-Analysis Pre-Deployment", "class": "architecture", "audience": [ "protocol", "designer" ], "maps_to_techniques": [ "OAK-T1.001", "OAK-T1.003", "OAK-T1.004", "OAK-T1.005", "OAK-T6.001", "OAK-T6.002", "OAK-T9.004", "OAK-T9.005", "OAK-T13.001" ], "citations": [ "chainalysiseuler2023", "halborneuler2023", "osecpaymasters2025", "owaspscstop10", "ozaa4337audit", "slowmist2024report" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M02-static-analysis-pre-deployment.md" }, { "id": "OAK-M03", "name": "Continuous Bytecode-Diff Monitoring", "class": "detection", "audience": [ "vendor", "risk-team" ], "maps_to_techniques": [ "OAK-T1.003", "OAK-T1.004", "OAK-T2.004", "OAK-T6.001", "OAK-T6.003", "OAK-T9.004", "OAK-T11.003" ], "citations": [ "chainalysis2025rug", "halbornwintermute2022", "nomicproxybackdoor", "quillauditsbackdoor" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M03-continuous-bytecode-diff-monitoring.md" }, { "id": "OAK-M04", "name": "Funder-Graph Clustering", "class": "detection", "audience": [ "vendor", "risk-team" ], "maps_to_techniques": [ "OAK-T2.001", "OAK-T3.001", "OAK-T3.002", "OAK-T3.003", "OAK-T8.001", "OAK-T8.002", "OAK-T1.001", "OAK-T2.004" ], "citations": [ "chainalysis2024dprk", "chainalysis2025rug", "chainalysisprivacychain2024", "dydx2024sybil", "slowmist2024report" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M04-funder-graph-clustering.md" }, { "id": "OAK-M05", "name": "Authority-Graph Enumeration", "class": "detection", "audience": [ "custody-customer", "risk-team", "vendor" ], "maps_to_techniques": [ "OAK-T1.003", "OAK-T1.004", "OAK-T9.003", "OAK-T9.004", "OAK-T11.001", "OAK-T11.002", "OAK-T11.003" ], "citations": [ "chainalysisbadger2021", "checkpoint2023drainers", "halbornwintermute2022", "ofac2022tornado" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M05-authority-graph-enumeration.md" }, { "id": "OAK-M06", "name": "Mempool / Pre-Block Telemetry", "class": "detection", "audience": [ "vendor", "trader", "protocol" ], "maps_to_techniques": [ "OAK-T5.004", "OAK-T13.002", "OAK-T14.002" ], "citations": [ "blockpi2023bundlermempool", "blocksecmevboost2023", "bloxroutemevboost2023", "dojmevbros2024", "eigenphi2023aamev", "eigenphijared2023", "etherspot2023bundlermev", "fastlane2024erc4337mev", "flashbotsequivocation2023", "flashbotsmevboost2023", "mevwatch2024", "paradigmpbstime2023" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M06-mempool-pre-block-telemetry.md" }, { "id": "OAK-M07", "name": "Cross-Chain Attribution Graph", "class": "detection", "audience": [ "vendor", "risk-team", "venue" ], "maps_to_techniques": [ "OAK-T7.001", "OAK-T7.002", "OAK-T7.003", "OAK-T7.004", "OAK-T7.005", "OAK-T7.006", "OAK-T8.002", "OAK-T11.001" ], "citations": [ "chainalysis2022nft", "chainalysis2024dprk", "chainalysis2024laundering", "chainalysisprivacychain2024", "coindeskthorchainlazarus2025", "crystalwazirx2024", "ellipticronin2022", "trmlabs2024nomadextradition" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M07-cross-chain-attribution-graph.md" }, { "id": "OAK-M08", "name": "Per-Spender Approval Audit and Revocation", "class": "wallet-ux", "audience": [ "wallet", "custody-customer", "vendor" ], "maps_to_techniques": [ "OAK-T4.001", "OAK-T4.004", "OAK-T4.005", "OAK-T4.006" ], "citations": [ "checkpoint2023drainers", "rektcurve2022", "slowmist2024report", "theblock2022boredape" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M08-per-spender-approval-audit-and-revocation.md" }, { "id": "OAK-M09", "name": "TWAP + Multi-Venue Oracle with Deviation Circuit-Breaker", "class": "architecture", "audience": [ "protocol", "designer" ], "maps_to_techniques": [ "OAK-T9.001", "OAK-T9.002" ], "citations": [ "cftcmango2023", "chainalysis2025rug", "owaspscstop10", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M09-twap-multi-venue-oracle-with-deviation-circuit-breaker.md" }, { "id": "OAK-M10", "name": "Checks-Effects-Interactions and ReentrancyGuard", "class": "architecture", "audience": [ "protocol", "designer" ], "maps_to_techniques": [ "OAK-T9.005", "OAK-T9.002" ], "citations": [ "creamfinance2021postmortem", "daoreentrancy2016retrospective", "halborncream2021oct", "muditgupta2021cream", "owaspscstop10", "vyperpostmortem2023", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M10-checks-effects-interactions-and-reentrancy-guard.md" }, { "id": "OAK-M11", "name": "Rate-Limiting and Per-Block Caps", "class": "architecture", "audience": [ "protocol", "designer" ], "maps_to_techniques": [ "OAK-T5.001", "OAK-T5.002", "OAK-T9.001", "OAK-T9.002", "OAK-T10.001", "OAK-T10.002" ], "citations": [ "chainalysis2025rug", "ellipticronin2022", "ethfoundationdaohardfork2016", "mandiantnomad2022", "owaspscstop10", "rektcurve2022", "vyperpostmortem2023" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M11-rate-limiting-and-per-block-caps.md" }, { "id": "OAK-M12", "name": "Per-Message Replay Binding", "class": "architecture", "audience": [ "protocol", "designer (bridge / cross-chain)" ], "maps_to_techniques": [ "OAK-T10.002", "OAK-T10.003" ], "citations": [ "bhuptanioptbridges2022", "halbornnomadoptimistic2022", "mandiantnomad2022", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M12-per-message-replay-binding.md" }, { "id": "OAK-M13", "name": "Long Challenge Window with Economic Challenger Incentives", "class": "architecture", "audience": [ "protocol", "designer (optimistic-bridge / rollup)" ], "maps_to_techniques": [ "OAK-T10.004" ], "citations": [ "bhuptanioptbridges2022", "halbornnomadoptimistic2022", "hollowvictory2025", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M13-long-challenge-window-with-economic-challenger-incentives.md" }, { "id": "OAK-M14", "name": "Multi-Prover Redundancy", "class": "architecture", "audience": [ "protocol", "designer (zk-bridge / zk-rollup)" ], "maps_to_techniques": [ "OAK-T10.005" ], "citations": [ "soksnarkvulns2024", "verichainsdragonberry2022", "xie2022zkbridge", "zhou2023sok", "zkbugtracker" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M14-multi-prover-redundancy.md" }, { "id": "OAK-M15", "name": "Threshold Signing with Operator Separation", "class": "architecture", "audience": [ "custody-customer", "custody-vendor", "protocol (bridge)" ], "maps_to_techniques": [ "OAK-T10.001", "OAK-T11.001", "OAK-T11.003" ], "citations": [ "chainalysis2024dprk", "crystalwazirx2024", "ellipticharmony2022", "ellipticronin2022", "fbiharmony2023", "halbornharmony2022", "halbornmultichain2023", "wazirxwiki2024" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M15-threshold-signing-with-operator-separation.md" }, { "id": "OAK-M16", "name": "Pre-Deployment Audit and Formal Verification", "class": "architecture", "audience": [ "protocol", "designer" ], "maps_to_techniques": [ "OAK-T1.001", "OAK-T1.003", "OAK-T1.004", "OAK-T6.001", "OAK-T6.002", "OAK-T6.003", "OAK-T6.004", "OAK-T9.001", "OAK-T9.002", "OAK-T9.003", "OAK-T9.004", "OAK-T9.005", "OAK-T10.001", "OAK-T10.002", "OAK-T10.003", "OAK-T10.004", "OAK-T10.005" ], "citations": [ "certikfakeaudit", "chainalysis2025rug", "daoreentrancy2016retrospective", "dlnewsswaprum2023", "halbornnomadoptimistic2022", "owaspscstop10", "slowmist2024report", "soksnarkvulns2024", "verichainsdragonberry2022", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M16-pre-deployment-audit-and-formal-verification.md" }, { "id": "OAK-M17", "name": "Time-Locked Governance and Multi-Block Quorum", "class": "architecture", "audience": [ "protocol", "designer (governance)" ], "maps_to_techniques": [ "OAK-T9.003" ], "citations": [ "owaspscstop10", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M17-time-locked-governance-and-multi-block-quorum.md" }, { "id": "OAK-M18", "name": "Out-of-Band Destination Verification", "class": "operational", "audience": [ "custody-customer", "custody-vendor" ], "maps_to_techniques": [ "OAK-T11.001", "OAK-T11.002", "OAK-T11.003", "OAK-T4.001", "OAK-T4.002", "OAK-T4.003", "OAK-T4.004", "OAK-T4.005", "OAK-T4.006" ], "citations": [ "chainalysis2024dprk", "chainalysis2024poisoning", "checkpoint2023drainers", "crystalwazirx2024", "ellipticatomic2023", "slowmist2024report", "tsuchiya2025poisoning", "wazirxwiki2024" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M18-out-of-band-destination-verification.md" }, { "id": "OAK-M19", "name": "Air-Gap Cold-Wallet Signing", "class": "operational", "audience": [ "custody-customer" ], "maps_to_techniques": [ "OAK-T11.001", "OAK-T11.002", "OAK-T11.003" ], "citations": [ "chainalysis2024dprk", "ellipticatomic2023", "mandiantradiant2024", "radiantpostmortem2024" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M19-air-gap-cold-wallet-signing.md" }, { "id": "OAK-M20", "name": "Vendor Breach-Notification SLA", "class": "operational", "audience": [ "custody-customer", "risk-team", "venue" ], "maps_to_techniques": [ "OAK-T11.001", "OAK-T11.002" ], "citations": [ "chainalysis2024dprk", "crystalwazirx2024", "ellipticatomic2023", "radiantpostmortem2024" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M20-vendor-breach-notification-sla.md" }, { "id": "OAK-M21", "name": "Anti-Phishing Training for Privileged Staff", "class": "operational", "audience": [ "custody-customer", "custody-vendor", "protocol" ], "maps_to_techniques": [ "OAK-T11.001", "OAK-T11.002" ], "citations": [ "chainalysis2024dprk", "fbidmm2024", "mandiantradiant2024", "microsoftcitrineradiant2024", "radiantpostmortem2024" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M21-anti-phishing-training-privileged-staff.md" }, { "id": "OAK-M22", "name": "Rotate-on-Disclosure Discipline", "class": "operational", "audience": [ "custody-customer", "custody-vendor", "protocol" ], "maps_to_techniques": [ "OAK-T1.003", "OAK-T11.001", "OAK-T11.002", "OAK-T11.003", "OAK-T9.004" ], "citations": [ "chainalysis2024dprk", "crystalwazirx2024", "halbornwintermute2022", "radiantpostmortem2024" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M22-rotate-on-disclosure-discipline.md" }, { "id": "OAK-M23", "name": "Audit-Attestation Public-Registry Verification", "class": "venue", "audience": [ "venue", "risk-team", "trader" ], "maps_to_techniques": [ "OAK-T6.001", "OAK-T6.002", "OAK-T6.003", "OAK-T6.004", "OAK-T1.001" ], "citations": [ "certikfakeaudit", "chainalysis2025rug", "dlnewsswaprum2023", "slowmist2024report" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M23-audit-attestation-public-registry-verification.md" }, { "id": "OAK-M24", "name": "Out-of-Band Audit-Engagement Verification", "class": "venue", "audience": [ "venue", "risk-team", "trader" ], "maps_to_techniques": [ "OAK-T6.002", "OAK-T6.004" ], "citations": [ "certikfakeaudit", "chainalysis2025rug", "dlnewsswaprum2023", "slowmist2024report" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M24-out-of-band-audit-engagement-verification.md" }, { "id": "OAK-M25", "name": "Listing-Time Source-Verification + Audit-Status Gate", "class": "venue", "audience": [ "venue (CEX, DEX aggregator)", "aggregator (token-data, market-data)", "launchpad" ], "maps_to_techniques": [ "OAK-T1.001", "OAK-T1.002", "OAK-T1.003", "OAK-T1.004", "OAK-T1.005", "OAK-T2.001", "OAK-T2.002", "OAK-T2.003", "OAK-T2.004", "OAK-T6.001", "OAK-T6.002", "OAK-T6.003", "OAK-T6.004" ], "citations": [ "certikfakeaudit", "chainalysis2025rug", "slowmist2024report", "torres2019", "trmsquid2021" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M25-listing-time-source-verification-and-audit-status-gate.md" }, { "id": "OAK-M26", "name": "Wash-Trade-Rate Metrics at Marketplace Layer", "class": "venue", "audience": [ "venue (NFT marketplace, DEX)", "aggregator (analytics)", "risk-team" ], "maps_to_techniques": [ "OAK-T3.002", "OAK-T7.004", "OAK-T12.001" ], "citations": [ "chainalysis2022nft", "chainalysis2024laundering", "theblock2022boredape" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M26-wash-trade-rate-metrics-at-marketplace-layer.md" }, { "id": "OAK-M27", "name": "Travel Rule and KYC at Privacy-Chain Boundary", "class": "venue", "audience": [ "venue (CEX, OTC desk, instant-swap service)", "regulator", "risk-team" ], "maps_to_techniques": [ "OAK-T7.002", "OAK-T7.003", "OAK-T7.005" ], "citations": [ "binancexmrdelist2024", "chainalysis2024dprk", "chainalysis2024laundering", "chainalysisprivacychain2024", "coindeskthorchainlazarus2025", "ofac2022tornado" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M27-travel-rule-and-kyc-at-privacy-chain-boundary.md" }, { "id": "OAK-M28", "name": "Token-Unlock Calendar Integration", "class": "venue", "audience": [ "venue (DEX aggregator, CEX, market-data aggregator)", "risk-team", "trader" ], "maps_to_techniques": [ "OAK-T5.006" ], "citations": [ "chainalysis2025rug", "cryptorank2026unlock", "defillama2026unlocks", "tokenunlocks2026platform" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M28-token-unlock-calendar-integration.md" }, { "id": "OAK-M29", "name": "Full-Address Verification and Lookalike Detection", "class": "wallet-ux", "audience": [ "wallet (mobile, browser-extension, hardware-wallet companion)", "custody-customer", "risk-team" ], "maps_to_techniques": [ "OAK-T4.003" ], "citations": [ "chainalysis2024poisoning", "tsuchiya2025poisoning" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M29-full-address-verification-and-lookalike-detection.md" }, { "id": "OAK-M30", "name": "Per-dApp Domain and App-Store-Package Allowlist", "class": "wallet-ux", "audience": [ "wallet (mobile, browser-extension)", "custody-customer" ], "maps_to_techniques": [ "OAK-T4.001", "OAK-T4.005", "OAK-T4.006" ], "citations": [ "checkpoint2023drainers", "slowmist2024report", "theblock2022boredape" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M30-per-dapp-domain-and-app-store-package-allowlist.md" }, { "id": "OAK-M31", "name": "EIP-712 Permit Display and Signing-Risk Heuristics", "class": "wallet-ux", "audience": [ "wallet (mobile, browser-extension, hardware-wallet companion)", "custody-customer" ], "maps_to_techniques": [ "OAK-T4.001", "OAK-T4.004", "OAK-T4.005" ], "citations": [ "checkpoint2023drainers", "slowmist2024report", "theblock2022boredape" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M31-eip-712-permit-display-and-signing-risk-heuristics.md" }, { "id": "OAK-M32", "name": "Bug Bounty Programs", "class": "operational", "audience": [ "protocol", "designer", "vendor" ], "maps_to_techniques": [ "OAK-T1.001", "OAK-T1.002", "OAK-T1.003", "OAK-T1.004", "OAK-T1.005", "OAK-T6.001", "OAK-T6.002", "OAK-T6.003", "OAK-T6.004", "OAK-T9.001", "OAK-T9.002", "OAK-T9.003", "OAK-T9.004", "OAK-T9.005", "OAK-T10.001", "OAK-T10.002", "OAK-T10.003", "OAK-T10.004", "OAK-T10.005" ], "citations": [ "chainalysis2024dprk", "chainalysiseuler2023", "immunefikream2021", "slowmist2024report", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M32-bug-bounty-programs.md" }, { "id": "OAK-M33", "name": "Decentralized Insurance Protocols", "class": "operational", "audience": [ "trader", "protocol", "custody-customer" ], "maps_to_techniques": [ "OAK-T9.001", "OAK-T9.002", "OAK-T9.003", "OAK-T9.004", "OAK-T9.005", "OAK-T10.001", "OAK-T10.002", "OAK-T10.003", "OAK-T10.004", "OAK-T10.005", "OAK-T11.001", "OAK-T11.002", "OAK-T11.003" ], "citations": [ "chainalysis2024dprk", "chainalysis2025rug", "chainalysiseuler2023", "crystalwazirx2024", "slowmist2024report", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M33-decentralized-insurance-protocols.md" }, { "id": "OAK-M34", "name": "Pause-by-Default Emergency Pause", "class": "architecture", "audience": [ "protocol", "designer" ], "maps_to_techniques": [ "OAK-T9.001", "OAK-T9.002", "OAK-T9.003", "OAK-T9.004", "OAK-T9.005", "OAK-T10.001", "OAK-T10.002", "OAK-T10.003", "OAK-T10.004", "OAK-T10.005", "OAK-T11.003" ], "citations": [ "blocksecsaddle2022", "chainalysiseuler2023", "crystalwazirx2024", "openzeppelinupgradesstorage", "saddleincidentreport2022", "zhou2023sok" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M34-pause-by-default-emergency-pause.md" }, { "id": "OAK-M35", "name": "Whitehat-Rescue Coordination", "class": "operational", "audience": [ "protocol", "designer", "vendor" ], "maps_to_techniques": [ "OAK-T9.001", "OAK-T9.002", "OAK-T9.003", "OAK-T9.004", "OAK-T9.005", "OAK-T10.001", "OAK-T10.002", "OAK-T10.003", "OAK-T10.004", "OAK-T10.005", "OAK-T11.001", "OAK-T11.002", "OAK-T11.003" ], "citations": [ "blocksec2023euler", "chainalysis2024dprk", "chainalysiseuler2023", "elliptipeuler2023", "eulerlabs2023statement", "halborneuler2023", "hypernativeronin2024", "ronin2024postmortem", "skymavisronin2024" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M35-whitehat-rescue-coordination.md" }, { "id": "OAK-M36", "name": "Proof-of-Reserves Cryptographic Auditing", "class": "venue", "audience": [ "venue (CEX)", "risk-team", "regulator" ], "maps_to_techniques": [ "OAK-T11.001", "OAK-T11.002", "OAK-T11.003" ], "citations": [ "bitfinexpostmortem2016", "chainalysis2024dprk", "mtgoxbankruptcy2014", "mtgoxtrustee2024", "wizsecmtgox2015", "wizsecmtgox2017", "wizsecmtgox2020" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M36-proof-of-reserves-cryptographic-auditing.md" }, { "id": "OAK-M37", "name": "HSM and MPC Custody Architectures", "class": "operational", "audience": [ "custody-customer", "custody-vendor", "protocol (treasury)", "risk-team" ], "maps_to_techniques": [ "OAK-T11.001", "OAK-T11.002", "OAK-T11.003", "OAK-T10.001" ], "citations": [ "chainalysis2024dprk", "ellipticatomic2023", "fbidmm2024", "halbornwintermute2022", "mandiantradiant2024" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M37-hsm-mpc-custody.md" }, { "id": "OAK-M38", "name": "Time-Windowed Withdrawal Limits", "class": "architecture", "audience": [ "protocol", "designer", "custody-vendor" ], "maps_to_techniques": [ "OAK-T5.001", "OAK-T5.002", "OAK-T5.005", "OAK-T9.001", "OAK-T9.002", "OAK-T9.004", "OAK-T9.005", "OAK-T10.001", "OAK-T11.001", "OAK-T11.002", "OAK-T11.003" ], "citations": [ "chainalysis2024dprk", "chainalysis2024lockbit", "chainalysis2025rug", "ellipticronin2022", "halbornwintermute2022" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M38-time-windowed-withdrawal-limits.md" }, { "id": "OAK-M39", "name": "Cross-Protocol Watcher Network", "class": "detection", "audience": [ "vendor", "risk-team", "protocol", "designer" ], "maps_to_techniques": [ "OAK-T9.001", "OAK-T9.002", "OAK-T9.003", "OAK-T9.004", "OAK-T9.005", "OAK-T10.001", "OAK-T10.002", "OAK-T10.003", "OAK-T10.004", "OAK-T10.005", "OAK-T11.001", "OAK-T11.002", "OAK-T11.003", "OAK-T8.001", "OAK-T8.002" ], "citations": [ "blocksecparaspace2023", "blocksecronin2024", "chainalysis2024dprk", "hypernativeronin2024", "mandiantradiant2024" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M39-cross-protocol-watcher-network.md" }, { "id": "OAK-M40", "name": "Supply-Chain Package Integrity", "class": "operational", "audience": [ "protocol (engineering staff)", "designer", "custody-customer", "custody-vendor", "wallet" ], "maps_to_techniques": [ "OAK-T11.001", "OAK-T11.002", "OAK-T1.003", "OAK-T4.001", "OAK-T4.002", "OAK-T4.005", "OAK-T4.006" ], "citations": [ "chainalysis2024dprk", "ellipticatomic2023", "mandiant3cx2023", "mandiantucsx2023", "unit42beavertail2023" ], "source_file": "/home/runner/work/oak/oak/mitigations/OAK-M40-supply-chain-package-integrity.md" } ], "software": [ { "id": "OAK-S01", "name": "Inferno Drainer", "type": "drainer-kit", "aliases": [ "Inferno", "Inferno DaaS", "Discord-link drainer kit\" (per affiliate-channel framing in `[checkpoint2023drainers]`)." ], "active": "sunset — Inferno publicly announced its shutdown on Telegram on November 26, 2023 (`[slowmist2024report]`). Affiliates and tooling re-emerged in successor families through 2024 (Angel Drainer / OAK-S02 absorbed a meaningful share of the Inferno affiliate base, but the November 2023 announcement is the primary-source shutdown event, not an October 2024 \"handover\"). The kit-and-affiliate-base persistence under successor branding is the structural OAK-G02 lesson; the original-branded operation was already retired by end-2023.", "first_observed": "approximately 2022, contemporaneous with broader Permit2 adoption.", "host_platforms": [], "used_by_groups": [ "OAK-G02" ], "observed_techniques": [ "OAK-T4.001", "OAK-T4.002", "OAK-T4.004", "OAK-T4.005", "OAK-T7.001", "OAK-T7.003", "OAK-T8.001", "OAK-T8.002" ], "citations": [ "chainalysis2024dprk", "checkpoint2023drainers", "slowmist2024report" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S01-inferno-drainer.md" }, { "id": "OAK-S02", "name": "Angel Drainer", "type": "drainer-kit", "aliases": [ "Angel", "Angel DaaS", "Angel-X\" (occasional rebranding suffix observed in industry forensic posts)." ], "active": "yes — in market since approximately early 2023; received the Inferno Drainer (OAK-S01) affiliate base and infrastructure tooling in the October 19, 2024 service-layer handover (`[slowmist2024report]`); primary heir to Inferno's market share through end-of-2024.", "first_observed": "approximately early 2023.", "host_platforms": [], "used_by_groups": [ "OAK-G02" ], "observed_techniques": [ "OAK-T4.001", "OAK-T4.002", "OAK-T4.004", "OAK-T4.005", "OAK-T7.001", "OAK-T7.003", "OAK-T8.001", "OAK-T8.002" ], "citations": [ "checkpoint2023drainers", "slowmist2024report" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S02-angel-drainer.md" }, { "id": "OAK-S03", "name": "Pink Drainer", "type": "drainer-kit", "aliases": [ "Pink", "Pinkdrainer", "Pink-X\" (occasional industry shorthand for the operator-of-record team behind the kit)." ], "active": "yes — in market since approximately mid-2023.", "first_observed": "approximately mid-2023.", "host_platforms": [], "used_by_groups": [ "OAK-G02" ], "observed_techniques": [ "OAK-T4.001", "OAK-T4.002", "OAK-T4.004", "OAK-T4.005", "OAK-T4.006", "OAK-T7.001", "OAK-T7.003", "OAK-T8.001" ], "citations": [ "checkpoint2023drainers", "scamsniffer2024pink", "slowmist2024report" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S03-pink-drainer.md" }, { "id": "OAK-S04", "name": "Monkey Drainer", "type": "drainer-kit", "aliases": [ "Monkey", "Monkey-Drainer.eth\" (one of the historically-associated naming patterns in industry forensic posts)." ], "active": "sunset — operator announced retirement in approximately March 2023, framed publicly as burn-out / \"moving on\" rather than as a transfer of operations to a successor; affiliate base is generally understood to have migrated into Inferno (OAK-S01) and other contemporaneous kits.", "first_observed": "approximately 2022.", "host_platforms": [], "used_by_groups": [ "OAK-G02" ], "observed_techniques": [ "OAK-T4.001", "OAK-T4.004", "OAK-T4.005", "OAK-T7.001", "OAK-T8.001" ], "citations": [ "checkpoint2023drainers", "slowmist2024report", "zachxbtmonkey2023" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S04-monkey-drainer.md" }, { "id": "OAK-S05", "name": "Venom Drainer", "type": "drainer-kit", "aliases": [ "Venom", "Venom DaaS." ], "active": "yes — in market since approximately mid-2023.", "first_observed": "approximately mid-2023.", "host_platforms": [], "used_by_groups": [ "OAK-G02" ], "observed_techniques": [ "OAK-T4.001", "OAK-T4.004", "OAK-T4.005", "OAK-T7.001", "OAK-T7.003", "OAK-T8.001" ], "citations": [ "checkpoint2023drainers", "slowmist2024report" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S05-venom-drainer.md" }, { "id": "OAK-S06", "name": "Vanilla Drainer", "type": "drainer-kit", "aliases": [ "Vanilla", "Vanilla DaaS." ], "active": "yes — in market since approximately 2024; newer entrant in the OAK-G02 category.", "first_observed": "approximately 2024 (industry forensic posts begin tracking the brand as a distinct kit in this period).", "host_platforms": [], "used_by_groups": [ "OAK-G02" ], "observed_techniques": [ "OAK-T4.001", "OAK-T4.004", "OAK-T4.005", "OAK-T7.001", "OAK-T7.003", "OAK-T8.001", "OAK-T8.002" ], "citations": [ "checkpoint2023drainers", "scamsniffer2024lineage", "slowmist2024report" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S06-vanilla-drainer.md" }, { "id": "OAK-S07", "name": "Chick Drainer", "type": "drainer-kit", "aliases": [ "Chick", "Chick DaaS." ], "active": "yes — in market since approximately 2024; recent entrant in the OAK-G02 category cited in SlowMist's cohort tracking.", "first_observed": "approximately 2024.", "host_platforms": [], "used_by_groups": [ "OAK-G02" ], "observed_techniques": [ "OAK-T4.001", "OAK-T4.004", "OAK-T4.005", "OAK-T7.001", "OAK-T7.003", "OAK-T8.001" ], "citations": [ "checkpoint2023drainers", "slowmist2024report" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S07-chick-drainer.md" }, { "id": "OAK-S08", "name": "TraderTraitor", "type": "malware", "aliases": [ "TraderTraitor (FBI / CISA naming for the DPRK cross-platform job-lure trojan family); naming overlaps with the broader FBI-tracked DPRK-crypto-theft operator label of the same name (the malware family and the operator-cluster nomenclature were aligned by the U.S. government in the April 2022 advisory rather than separated). Industry-side aliases for related/derived loaders include \"JS_TraderTraitor\" (npm-package-delivery variants)", "ManuscryptCrypto\" sub-family overlaps as documented by Kaspersky and Mandiant", "and \"Hidden Risk\" / \"RustBucket\" successors tracked separately by SentinelOne and Jamf for macOS evolution." ], "active": "yes", "first_observed": "2022-04 (CISA AA22-108A canonical advisory date; underlying campaign activity tracked by FBI from 2020 forward).", "host_platforms": [ "cross-platform (macOS-focused — both Intel and Apple Silicon builds documented; Windows builds also distributed via the same lure infrastructure; Linux builds reported in narrower vendor-corroborated cases)." ], "used_by_groups": [ "OAK-G01" ], "observed_techniques": [ "OAK-T11.001", "OAK-T11.002" ], "citations": [ "chainalysis2024dprk", "chainalysisdprktradertraitor", "cisaaa22108a", "fbidmm2024", "mandiantradiant2024" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S08-tradertraitor.md" }, { "id": "OAK-S09", "name": "AppleJeus", "type": "malware", "aliases": [ "AppleJeus (Kaspersky-original 2018 naming, retained by CISA / FBI as canonical); UNC4736 (Mandiant operator-cluster designation that runs the AppleJeus toolset alongside related macOS payloads); Citrine Sleet (Microsoft, post-2023 weather-system naming convention); CryptoCore (overlapping but distinct industry naming used by F-Secure / WithSecure for related DPRK macOS activity); BLINDINGCAN", "COPPERHEDGE", "and INLETDRIFT are CISA / Mandiant naming for components and successor tooling within the broader AppleJeus toolset; \"Hidden Cobra\" is the legacy U.S.-government umbrella label that subsumes AppleJeus along with other DPRK families." ], "active": "yes (continuous evolution since 2018; Citrine Sleet / UNC4736 lineage active through 2024–2025 per Mandiant Radiant Capital attribution).", "first_observed": "2018-08 (Kaspersky's original \"Operation AppleJeus\" report, August 2018, documenting the Celas Trade Pro distribution); CISA / FBI joint advisory AA21-048A of February 17, 2021 (`[cisaaa21048a]`) is the canonical U.S.-government reference.", "host_platforms": [ "cross-platform (macOS-focused with foundational role in establishing the macOS-targeting DPRK tradecraft; Windows builds distributed in parallel through 2018–2021)." ], "used_by_groups": [ "OAK-G01" ], "observed_techniques": [ "OAK-T11.002", "OAK-T11.001" ], "citations": [ "chainalysis2024dprk", "cisaaa21048a", "mandiantradiant2024" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S09-applejeus.md" }, { "id": "OAK-S10", "name": "Manuscrypt", "type": "malware", "aliases": [ "Manuscrypt (Kaspersky-original naming, retained as the most-used industry label); KEYMARBLE (NCCIC / US-CERT 2018 catalogue naming for an overlapping component / variant); FALLCHILL (CISA / FBI naming for an earlier Lazarus Windows backdoor with documented code overlap with later Manuscrypt builds); NukeSped (alternate naming used by some CTI vendors for related Lazarus Windows tooling); Volgmer is a related-but-distinct Lazarus Windows backdoor sometimes confused with Manuscrypt in older catalogues; the Manuscrypt name is canonical for the multi-stage Windows backdoor family used by Lazarus through 2017–2024 and is anchored in external cyber-threat-intel taxonomy Software entry S0259." ], "active": "yes (continued evolution; updated builds observed in incidents through 2024 per Kaspersky, ESET, and AhnLab reporting).", "first_observed": "~2014–2015 (early variants under FALLCHILL naming); Manuscrypt naming consolidated approximately 2017 alongside the Lazarus crypto-pivot; long-running family that pre-dates the modern crypto-theft cluster but has been adapted continuously into it.", "host_platforms": [ "Windows (long-running Windows-only family; macOS and Linux-side DPRK tooling sits in the AppleJeus / RustBucket / KandyKorn lineage rather than the Manuscrypt lineage)." ], "used_by_groups": [ "OAK-G01" ], "observed_techniques": [ "OAK-T11.001", "OAK-T10.001" ], "citations": [ "chainalysis2024dprk", "chainalysiskucoinlazarus", "mandiantcoincheck2018" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S10-manuscrypt.md" }, { "id": "OAK-S11", "name": "3CX VoIP Client Trojan", "type": "malware", "aliases": [ "3CX Desktop App trojan; \"3CX supply-chain compromise\" (incident-naming convention used by Mandiant, Volexity, SentinelOne, CrowdStrike, and Sophos in the March-April 2023 reporting cohort); UNC4736 (Mandiant operator-cluster naming for the DPRK financial-funding operator within the broader Lazarus cluster that ran the 3CX intrusion); SmoothOperator (SentinelOne campaign naming); ICONIC (CrowdStrike naming); the trojanized binaries themselves are `3CXDesktopApp` (macOS Mach-O) and `3CXDesktopApp.exe` (Windows PE) and the second-stage payloads include ICONICSTEALER (Windows infostealer) and UNC4736's macOS payload chain. The cascading X_Trader supply-chain compromise that enabled the 3CX intrusion is tracked under separate naming (Mandiant: VEILEDSIGNAL backdoor; the X_Trader package itself is the Trading Technologies trading-software family)." ], "active": "sunset (March 2023 incident; incident-specific binaries and infrastructure burned during the public response in April 2023; UNC4736 operator continues to operate under follow-on tooling — see Radiant Capital September 2024 attribution to the same cluster).", "first_observed": "2023-03-22 (initial public detection by SentinelOne and CrowdStrike; Mandiant retained as 3CX's incident-response provider; public attribution to UNC4736 / DPRK published April 11, 2023).", "host_platforms": [ "cross-platform (Windows and macOS — both `3CXDesktopApp.exe` and `3CXDesktopApp` Mach-O binaries were trojanized in the supply-chain compromise; Linux 3CX builds were not affected per public reporting)." ], "used_by_groups": [ "OAK-G01" ], "observed_techniques": [ "OAK-T11.001" ], "citations": [ "chainalysis2024dprk", "mandiant3cx2023", "mandiantradiant2024", "mandiantucsx2023" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S11-3cx-trojan.md" }, { "id": "OAK-S12", "name": "JADESNOW", "type": "malware", "aliases": [ "JADESNOW (Mandiant-original naming, retained as the canonical industry label per the March 2023 APT43 attribution report); related Mandiant-tracked components in the APT43 toolset that JADESNOW operates alongside include LATEOP (initial-access loader)", "BABYSHARK (PowerShell-based reconnaissance / staging family also documented in Kimsuky activity by multiple vendors)", "and QUASARRAT customisations attributed to the cluster; the broader Kimsuky / APT43 toolset is tracked under external Group ID G0094 with a software-entry list that overlaps JADESNOW's operational role." ], "active": "yes (continued use within APT43 / Kimsuky operations through 2024–2025 per Mandiant, Microsoft, and Recorded Future reporting; specific JADESNOW build-versioning is not consolidated in public reporting at the level of detail that AppleJeus or Manuscrypt enjoy).", "first_observed": "2023-03 (Mandiant March 28, 2023 APT43 attribution report public-naming date; underlying tool-development-and-deployment activity dates to earlier within Kimsuky's operational history per Mandiant's longitudinal tracking).", "host_platforms": [ "Windows (the dominant deployment target for JADESNOW within the APT43 / Kimsuky operational profile, consistent with the cluster's spear-phishing-into-Windows-victim-environment tradecraft against policy researchers, journalists, and government targets)." ], "used_by_groups": [ "OAK-G07" ], "observed_techniques": [ "OAK-T8.001" ], "citations": [ "bfvnis2023kimsuky", "chainalysis2024dprk", "mandiantapt432023", "mofakimsuky2023", "ofac2023kimsuky" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S12-jadesnow.md" }, { "id": "OAK-S13", "name": "RedLine Stealer", "type": "infostealer", "aliases": [ "RedLine", "RedLine Infostealer" ], "active": "yes (2020-present; intermittent disruption efforts but no confirmed sunset as of 2026)", "first_observed": "2020-03 (early forum advertisements; broadly distributed by mid-2020)", "host_platforms": [ "Windows (primary); cross-platform browser-data targets (Chromium-family, Gecko-family)" ], "used_by_groups": [], "observed_techniques": [ "OAK-T11.002", "OAK-T4.004", "OAK-T4.005" ], "citations": [ "opmagnus2024", "redlineflashpoint2021" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S13-redline-stealer.md" }, { "id": "OAK-S14", "name": "Lumma Stealer", "type": "infostealer", "aliases": [ "LummaC2", "Lumma", "Lumma C2 Stealer" ], "active": "yes (2022-present; significant disruption May 2025; partial reconstitution observed thereafter)", "first_observed": "2022-08 (early forum advertisements under the LummaC2 brand)", "host_platforms": [ "Windows (primary)" ], "used_by_groups": [], "observed_techniques": [ "OAK-T11.002", "OAK-T4.004", "OAK-T4.005" ], "citations": [ "clickfixproofpoint2024", "lummasekoia2023", "lummatakedown2025" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S14-lumma-stealer.md" }, { "id": "OAK-S15", "name": "AsyncRAT", "type": "malware (open-source remote access trojan)", "aliases": [ "Async RAT", "AsyncRAT C#" ], "active": "yes (2019-present; continuously forked and rebuilt)", "first_observed": "2019-01 (initial public release of the open-source C# project on GitHub)", "host_platforms": [ "Windows (primary; .NET Framework / .NET Core targets)" ], "used_by_groups": [], "observed_techniques": [ "OAK-T11.002", "OAK-T4.004", "OAK-T4.005" ], "citations": [ "asyncratmandiant2023", "asyncratorigingithub2019" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S15-asyncrat.md" }, { "id": "OAK-S16", "name": "Profanity", "type": "tool / vanity-gen (open-source Ethereum vanity-address generator)", "aliases": [ "Profanity (johguse/profanity)" ], "active": "sunset / deprecated (2022-09; upstream archived and explicitly marked unsafe following the 1inch disclosure; some forks persist but are not treated as safe by the defender community)", "first_observed": "2017 (initial release as a GPU-accelerated Ethereum vanity-address generator)", "host_platforms": [ "Linux / Windows / macOS (GPU-accelerated, OpenCL)" ], "used_by_groups": [], "observed_techniques": [ "OAK-T11.004" ], "citations": [ "halbornwintermute2022" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S16-profanity.md" }, { "id": "OAK-S17", "name": "jaredfromsubway.eth", "type": "mev-bot", "aliases": [ "Jared", "jaredfromsubway", "Jared 2.0\" (2024 iteration tracked by EigenPhi)" ], "active": "yes (operating since 2023-02-27; continuously tracked publicly through 2024 and beyond)", "first_observed": "2023-02-27 (first publicly-tracked transactions on Ethereum mainnet)", "host_platforms": [ "Ethereum mainnet (sandwich-MEV operation); off-chain searcher infrastructure not publicly characterised" ], "used_by_groups": [], "observed_techniques": [ "OAK-T5.004" ], "citations": [ "daian2019flashboys", "eigenphijared2023" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S17-jaredfromsubway.md" }, { "id": "OAK-S18", "name": "Pump.fun-style Bundlers", "type": "tool / mev-bot (class)", "aliases": [ "Pump.fun bundlers", "launch bundlers", "dev-snipe bundlers", "Jito bundlers (in this context)" ], "active": "yes (2023-present; continuous activity tracking the lifecycle of Pump.fun and similar Solana token-launch venues)", "first_observed": "2023-Q4 (emergence alongside Pump.fun's launch and rapid growth in late 2023 / early 2024)", "host_platforms": [ "Solana (primary); equivalent classes have emerged on other chains' token-launch venues" ], "used_by_groups": [], "observed_techniques": [ "OAK-T3.001", "OAK-T2.001", "OAK-T13.002" ], "citations": [ "jitobundlepolicies2024", "pumpfunbundlerbubblemaps2024", "pumpfunlaunchruganalytics2024" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S18-pumpfun-bundlers.md" }, { "id": "OAK-S19", "name": "KandyKorn", "type": "malware", "aliases": [ "KANDYKORN (Elastic Security Labs original naming, November 2023, retained as the canonical industry label); SUGARLOADER (Elastic naming for the early-stage component within the same intrusion chain that loads the KandyKorn Mach-O backdoor); HLOADER (Elastic naming for the LaunchAgent-persistence helper observed in the same chain — sometimes catalogued separately, sometimes folded into the KandyKorn family entry depending on vendor); naming-overlap caveat: KandyKorn is operationally tracked by Mandiant within the broader UNC4736 / AppleJeus / Citrine Sleet umbrella and by Microsoft within the Citrine Sleet weather-name lineage", "so the same observed activity may be reported as \"KandyKorn detected\" or as \"Citrine Sleet macOS staging\" depending on the reporting vendor." ], "active": "yes (Elastic's original 2023 reporting characterised the family as actively-evolving; subsequent industry coverage through 2024–2025 places it within the continuing macOS DPRK lineage).", "first_observed": "2023-11 (Elastic Security Labs, \"KANDYKORN: Inside the Stash,\" November 1, 2023 — the canonical first-public-documentation date; underlying campaign activity tracked by Elastic from earlier in 2023).", "host_platforms": [ "macOS (Intel and Apple Silicon — Elastic's original reporting documented Mach-O builds for both architectures within the same campaign infrastructure, consistent with the broader DPRK macOS lineage's shift to universal-binary distribution from 2022 onward)." ], "used_by_groups": [ "OAK-G01" ], "observed_techniques": [ "OAK-T11.001", "OAK-T11.002" ], "citations": [ "chainalysis2024dprk", "cisaaa22108a", "elastickandykorn2023", "mandiantradiant2024", "microsoftcitrineradiant2024" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S19-kandykorn.md" }, { "id": "OAK-S20", "name": "RustBucket", "type": "malware", "aliases": [ "RustBucket (Jamf Threat Labs original naming, April 2023, retained as the canonical industry label); naming overlap with the Mandiant UNC4899 / TraderTraitor sub-cluster tracking and with the Microsoft Sapphire Sleet weather-name lineage that covers BlueNoroff macOS activity through 2024; \"Hidden Risk\" is a related but operationally distinct subsequent-campaign naming used by SentinelOne / Phil Stokes for the late-2024 BlueNoroff macOS lure cohort that re-uses elements of the RustBucket toolset; the family is sometimes catalogued under the broader BlueNoroff macOS umbrella alongside ObjCShellz (OAK-S22) and SwiftLoader (OAK-S21) rather than as a wholly-distinct entry", "but Jamf's original RustBucket naming remains the canonical industry label for the Rust-language second-stage loader specifically." ], "active": "yes (Jamf's April 2023 reporting was followed by SentinelOne's continuing coverage through 2023–2024 documenting iterative variants and the RustBucket → ObjCShellz chain; the family remains in active service per multi-vendor reporting).", "first_observed": "2023-04 (Jamf Threat Labs, \"BlueNoroff Targets macOS — RustBucket,\" April 21, 2023 — the canonical first-public-documentation date; underlying campaign activity tracked by Jamf from earlier in 2023).", "host_platforms": [ "macOS (Intel-first, with Apple Silicon variants documented in subsequent Jamf and SentinelOne reporting through 2023–2024 consistent with the broader DPRK macOS lineage's shift to universal-binary distribution)." ], "used_by_groups": [ "OAK-G08", "OAK-G01" ], "observed_techniques": [ "OAK-T11.001", "OAK-T11.002" ], "citations": [ "chainalysis2024dprk", "jamfrustbucket2023", "microsoftsapphiresleet2023", "sentinelhiddenrisk2024", "sentinelobjcshellz2023" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S20-rustbucket.md" }, { "id": "OAK-S21", "name": "SwiftLoader", "type": "malware", "aliases": [ "SwiftLoader (SentinelOne / Phil Stokes naming used through 2023–2024 reporting, retained as the canonical industry label for the Swift-language initial-stage downloader); naming-overlap caveat: SwiftLoader is operationally tracked alongside RustBucket (OAK-S20)", "ObjCShellz (OAK-S22)", "and the Hidden Risk campaign cohort within the broader BlueNoroff and Lazarus macOS lineages", "so the same observed activity may be reported as \"SwiftLoader detected\" or as \"BlueNoroff macOS staging\" or as \"Citrine Sleet macOS downloader\" depending on the reporting vendor; the Microsoft weather-name conventions (Sapphire Sleet for BlueNoroff, Citrine Sleet for the AppleJeus / UNC4736 cluster) cover SwiftLoader-lineage staging on both sides; some reporting catalogues SwiftLoader as a stage within the broader Hidden Risk campaign rather than as a wholly-distinct family entry." ], "active": "yes (continuing service through 2024–2025 per SentinelOne and corroborating-vendor reporting; the Swift-implementation initial-stage downloader role is one of the persistently-utilised slots in the cross-cluster DPRK macOS toolset).", "first_observed": "2023 (SentinelOne / Phil Stokes coverage through late 2023 documented the Swift-language initial-stage downloader role within observed BlueNoroff macOS chains; subsequent 2024 reporting expanded the family-level coverage); precise first-public-documentation date varies by which SentinelOne post is cited, with continuing iterative documentation through the Hidden Risk reporting cohort (`[sentinelhiddenrisk2024]`).", "host_platforms": [ "macOS (Intel and Apple Silicon — universal-binary distribution consistent with the broader DPRK macOS lineage's 2022-onward shift to universal builds)." ], "used_by_groups": [ "OAK-G01", "OAK-G08" ], "observed_techniques": [ "OAK-T11.001", "OAK-T11.002" ], "citations": [ "chainalysis2024dprk", "jamfrustbucket2023", "microsoftcitrineradiant2024", "microsoftsapphiresleet2023", "sentinelhiddenrisk2024", "sentinelobjcshellz2023", "sentinelswiftloader2023" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S21-swiftloader.md" }, { "id": "OAK-S22", "name": "ObjCShellz", "type": "malware", "aliases": [ "ObjCShellz (SentinelOne / Phil Stokes original naming, November 2023, retained as the canonical industry label); naming-overlap caveat: ObjCShellz is operationally tracked alongside RustBucket (OAK-S20)", "SwiftLoader (OAK-S21)", "and the Hidden Risk campaign cohort within the broader BlueNoroff and Lazarus macOS lineages; Microsoft's weather-name conventions (Sapphire Sleet for BlueNoroff, Citrine Sleet for the AppleJeus / UNC4736 cluster) cover ObjCShellz-lineage staging on both sides; some reporting catalogues ObjCShellz as a third-stage component within the broader RustBucket → ObjCShellz chain rather than as a wholly-distinct family entry", "but SentinelOne's original naming remains the canonical industry label for the Objective-C-language reverse-shell specifically." ], "active": "yes (continuing service through 2024–2025 per SentinelOne and corroborating-vendor reporting; the lightweight Objective-C reverse-shell role is one of the persistently-utilised post-loader components in the cross-cluster DPRK macOS toolset).", "first_observed": "2023-11 (SentinelOne / Phil Stokes, \"BlueNoroff Strikes Again with New macOS Malware,\" November 6, 2023 — the canonical first-public-documentation date; underlying campaign activity tracked by SentinelOne from earlier in 2023).", "host_platforms": [ "macOS (Intel and Apple Silicon — universal-binary distribution consistent with the broader DPRK macOS lineage's 2022-onward shift to universal builds)." ], "used_by_groups": [ "OAK-G01", "OAK-G08" ], "observed_techniques": [ "OAK-T11.001", "OAK-T11.002" ], "citations": [ "chainalysis2024dprk", "jamfrustbucket2023", "microsoftsapphiresleet2023", "sentinelhiddenrisk2024", "sentinelobjcshellz2023" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S22-objcshellz.md" }, { "id": "OAK-S23", "name": "LockBit ransomware", "type": "ransomware", "aliases": [ "LockBit (the encryptor brand maintained by the LockBitSupp / Khoroshev development line, January 2020 onward); LockBit 1.0 / \"ABCD\" ransomware (the .abcd-extension first variant from January 2020 that gave the family its earliest informal name); LockBit 2.0 / LockBit Red (June 2021, introduced StealBit data-exfiltration tooling and the \"automated\" affiliate-onboarding model); LockBit 3.0 / LockBit Black (June 2022, introduced the bug-bounty programme on the leak site and partial code reuse from the leaked BlackMatter source); LockBit Green (January 2023, a build incorporating leaked Conti v3 source code and re-released under LockBit branding); LockBit-NG-Dev (a 2024 pre-release Rust-language rewrite recovered during Operation Cronos and not field-deployed). Industry-side cross-attribution labels include the external cyber-threat-intel taxonomy ID S1180." ], "active": "degraded — Operation Cronos disruption February 19–20, 2024 (`[nca2024operationcronos]`); brand-attributable extortion volume down approximately 79% in H2 2024 versus H1 2024 per `[chainalysis2025ransomware]`; LockBit-branded leak-site activity continued at much-reduced cadence into 2025 but the operator network's operational continuity is structurally damaged. Khoroshev remained at large in Russia as of v0.1.", "first_observed": "2020-01 (LockBit 1.0 first observed in the wild; January 2020 advertisements on Russian-language criminal forums marked the brand's debut).", "host_platforms": [ "Windows (primary, all major versions); Linux (LockBit 2.0 onward, with dedicated Linux/ESXi targeting in LockBit 3.0); VMware ESXi (the dedicated ESXi-hypervisor variant from 2021 onward is one of the family's defining technical features and shaped the ESXi-targeting trend across the broader RaaS sector); cross-platform aspirations in the unreleased LockBit-NG-Dev Rust rewrite (which mirrored the BlackCat / ALPHV cross-platform-Rust design choice)." ], "used_by_groups": [ "OAK-G05", "OAK-G06" ], "observed_techniques": [ "OAK-T7.001", "OAK-T7.002", "OAK-T7.003" ], "citations": [ "chainalysis2024khoroshev", "chainalysis2024lockbit", "chainalysis2025ransomware", "cisaaa23165a", "doj2024khoroshev", "doj2024ryzhenkov", "mandiant2022unc2165lockbit", "nca2024operationcronos", "ofac2024khoroshev", "ofac2024lockbitaffiliates", "sophos2024lockbit", "trendmicro2024lockbit", "unit42lockbit2023" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S23-lockbit.md" }, { "id": "OAK-S24", "name": "BlackCat / ALPHV ransomware", "type": "ransomware", "aliases": [ "ALPHV (the operator-side preferred name on Russian-language criminal forums and the leak-site branding); BlackCat (the industry / vendor naming convention adopted from the leak-site logo and the cat-iconography in the encryptor's ransom-note theming); Noberus (Symantec / Broadcom analyst naming); ALPHV/BlackCat (the conjoined form used in U.S. government advisories and in most CTI vendor reporting); external cyber-threat-intel taxonomy ID S1068." ], "active": "sunset (2024-03) — the ALPHV operators executed an exit-scam in early March 2024 after receiving an approximately $22M ransom payment from Change Healthcare / UnitedHealth Group affiliate \"Notchy,\" redirecting the payment from the affiliate to operator-controlled wallets and posting a fabricated \"FBI seizure\" banner on the leak site (the FBI itself disclaimed the takedown, distinguishing the self-exit-scam from the prior December 2023 FBI-led disruption). No genuine ALPHV-branded operations have been observed post-exit; affiliate-side migration to RansomHub, Cl0p, and other brands is documented through 2024.", "first_observed": "2021-11 (first leak-site postings November 2021; FBI Flash CU-000167-MW April 19, 2022 was the first U.S.-government public reference).", "host_platforms": [ "Windows (primary, with Windows-server enterprise targeting the dominant deployment surface); Linux (parity build released alongside Windows); VMware ESXi (a dedicated hypervisor variant, mirroring the LockBit-3.0-era sector pivot to ESXi-targeting); the Rust-language implementation produces structurally identical builds across these platforms", "which is the family's defining technical innovation and the principal reason for ALPHV's 2022–2023 affiliate-attractiveness." ], "used_by_groups": [ "OAK-G10" ], "observed_techniques": [ "OAK-T7.001", "OAK-T7.002", "OAK-T7.003" ], "citations": [ "chainalysis2024changehealthcare", "chainalysis2025ransomware", "cisaaa23061a", "cisaaa24061a", "doj2023alphvtakedown", "fbiflashalphv2022", "mandiant2023unc3944", "microsoft2024blackcat", "symantecnoberus2022", "witty2024testimony" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S24-blackcat-alphv.md" }, { "id": "OAK-S25", "name": "Maui ransomware", "type": "ransomware", "aliases": [ "Maui (the canonical CISA / FBI naming, established by joint advisory AA22-187A on July 6, 2022); industry-side alternative naming is sparse because the family was never offered as a commodity-or-affiliate product and so does not have the parallel vendor-naming proliferation of LockBit / ALPHV / Conti; Mandiant attributes operationally to the Andariel sub-cluster of the broader Lazarus / DPRK constellation; CrowdStrike-side overlap with the Stonefly / Silent Chollima naming for the same operator cohort." ], "active": "dormant — no public Maui-attributed deployments observed post-2023 in open-source CTI; the family was always low-volume and operator-bespoke rather than commodity, and Andariel cluster activity has rotated through several subsequent ransomware families (e.g. Maui → H0lyGh0st / PLAY-affiliated activity → SiennaPurple / SiennaBlue successors per Microsoft tracking). Treat as dormant rather than confirmed-sunset because operator continuity is documented and re-emergence under the same Andariel umbrella with rebadged tooling is expected.", "first_observed": "2021-05 (the earliest deployment documented in CISA AA22-187A is May 2021 against an unnamed U.S. healthcare-sector victim; the advisory itself was published July 6, 2022).", "host_platforms": [ "Windows (the only platform observed in public reporting; CISA AA22-187A and the subsequent Mandiant / Microsoft / Stairwell technical analyses describe a Windows-only x86 implementation)." ], "used_by_groups": [ "OAK-G09", "OAK-G01" ], "observed_techniques": [ "OAK-T7.001", "OAK-T7.002", "OAK-T8.002" ], "citations": [ "chainalysis2024dprk", "chainalysisdprkmaui2024", "cisaaa22187a", "doj2024rimjonghyok", "mandiantandariel2022", "microsoftonyxsleet2022", "stairwell2022maui" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S25-maui.md" }, { "id": "OAK-S26", "name": "Conti ransomware", "type": "ransomware", "aliases": [ "Conti (the operator-side and leak-site-branded name, May 2020 onward); Wizard Spider (CrowdStrike's intrusion-set naming for the operator cohort, predating the Conti brand and continuing through Conti-successor-brand era); UNC1878 (Mandiant's earlier intrusion-set naming for the same cohort, partially superseded by the operator-cohort-rebranding pattern post-2022); TrickBot Group (informal industry naming linking the cohort to its earlier banker-trojan operating substrate); external cyber-threat-intel taxonomy ID S0575. Conti is operationally the successor brand to Ryuk (2018–2020) within the same operator-cohort identity", "and predecessor brand-of-record to the post-May-2022 dispersal cohort (Black Basta, Royal / BlackSuit, Karakurt, BlackByte, Quantum / Zeon, AvosLocker partial overlap, and broader Conti-diaspora affiliate placements)." ], "active": "sunset (2022-05) — operator-cluster dissolution announced internally during May 2022 following the late-February-2022 ContiLeaks insider-disclosure event in which a pro-Ukraine cluster member published approximately 60,000 internal chat-log messages, source code, and operational documents in retaliation for the operator's public alignment with the Russian state's invasion of Ukraine. The Conti-branded leak site went offline in late May / early June 2022; the operator cohort dispersed into multiple successor brands while retaining operator continuity at the personnel level. *No genuine Conti-branded operations have been observed post-mid-2022; the brand is fully sunset, but operator continuity into the successor brands is the dominant 2022–2025 ransomware-sector trajectory.*", "first_observed": "2020-05 (Conti leak-site debut May 2020; Wizard-Spider-cohort ransomware operations under earlier branding, principally Ryuk, dated to August 2018).", "host_platforms": [ "Windows (primary, all variants); Linux (a Conti-Linux variant emerged in late 2021 with VMware ESXi targeting, mirroring the broader RaaS-sector ESXi pivot; partial code reuse of the Conti-Linux variant is documented in Hive's Linux build per Mandiant); the Conti v3 Windows codebase was leaked in full during the ContiLeaks dump and has since been forked / rebadged by multiple unrelated groups (LockBit Green is the highest-profile rebadge — see OAK-S23 — but unaffiliated commodity-tier Conti-fork builds also circulate)." ], "used_by_groups": [ "OAK-G06", "OAK-G05" ], "observed_techniques": [ "OAK-T7.001", "OAK-T7.002", "OAK-T8.001" ], "citations": [ "chainalysis2022conti", "chainalysis2025ransomware", "cisaaa21265a", "cisaaa22046a", "contileaks2022", "costaricaconti2022", "crowdstrikewizardspider2022", "mandiantcontileaks2022", "ofac2022garantex", "recordedfuturecontihse2021" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S26-conti.md" }, { "id": "OAK-S27", "name": "Black Basta ransomware", "type": "ransomware", "aliases": [ "Black Basta (the operator-side and leak-site-branded name from the brand's April 2022 debut); industry-side cross-attribution labels include UNC4393 (Mandiant intrusion-set naming for the operator cluster)", "Storm-1811 (Microsoft Threat Intelligence naming, partially overlapping the broader Conti-successor-cohort surface)", "and the informal \"Conti Team 3\" / \"Conti Black\" naming used in early 2022 industry reporting that documented the operator-cohort continuity from Conti at the personnel level. The brand is operationally the most-prominent direct-successor brand in the Conti-cohort dispersal network (see OAK-S26 Discussion for the broader Conti-successor framing). The internal-chat-leak event of February 2024 (the \"BlackBastaGPT\" / `[blackbastaleaks2024]` corpus) provides a primary-source record of the operator cohort's internal organisation comparable in evidentiary weight to the ContiLeaks corpus for Conti." ], "active": "degraded — brand-attributable extortion volume declined materially through H2 2024 and into early 2025 following the February 2024 internal-chat-leak event and subsequent affiliate migration; some affiliate-cohort members rotated onto Cactus and BlackSuit affiliate panels per Mandiant and Microsoft post-leak tracking. Brand had not been formally sunset as of v0.1 but operational-continuity is structurally damaged in the same idiom as OAK-S23 LockBit post-Cronos.", "first_observed": "2022-04 (Black Basta leak-site debut April 2022; brand emergence is read as immediately pre-Conti-dissolution, with operator personnel migration from the Conti cohort into the new brand identity documented at the internal-chat-recovered level via the February 2024 leak corpus).", "host_platforms": [ "Windows (primary, all enterprise-server variants); Linux / VMware ESXi (a dedicated ESXi-hypervisor variant emerged June 2022, mirroring the broader RaaS-sector pivot to hypervisor-targeted attacks established by LockBit and ALPHV). The Windows codebase is C++-authored with structural-and-stylistic similarities to Conti v3 documented by Trend Micro", "Sophos", "and Mandiant; the lineage is read as *Conti-codebase-derivative-with-rewrites* rather than a clean fork." ], "used_by_groups": [ "OAK-G11" ], "observed_techniques": [ "OAK-T7.001", "OAK-T7.002", "OAK-T8.001" ], "citations": [ "blackbastaleaks2024", "chainalysis2025ransomware", "chainalysisblackbasta2024", "cisaaa24131a", "mandiantunc4393", "microsoftstorm1811", "ofac2022garantex", "sophosblackbasta2022", "trendmicroblackbasta2022" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S27-black-basta.md" }, { "id": "OAK-S28", "name": "Royal / BlackSuit ransomware", "type": "ransomware", "aliases": [ "Royal (the operator-side and leak-site-branded name from the brand's September 2022 debut through mid-2023); BlackSuit (the rebranded operator-and-encryptor identity from June 2023 onward); industry-side cross-attribution labels include DEV-0569 / Storm-0569 (early Microsoft Threat Intelligence naming for the operator cluster prior to the BlackSuit rebrand)", "the informal \"Royal/BlackSuit\" conjoined naming used in CISA AA23-061A and the November 2023 / August 2024 update advisories", "and the \"Zeon\" naming used in earlier 2022 Conti-successor-brand reporting that documented the encryptor's lineage to Conti's Zeon variant. The brand-rotation event from Royal to BlackSuit in mid-2023 is widely read by Mandiant", "Microsoft", "and CISA as a *brand-toxicity-management response to attribution-graph tracking* — an attempt to shed the Royal-name accumulation of attributable victim count and U.S.-government advisory surface (CISA AA23-061A specifically) and continue operations under a fresh brand identity. The encryptor-codebase", "leak-site infrastructure", "and operator-cohort were continuous across the rebrand at the wallet-cluster and tradecraft-fingerprint levels." ], "active": "active — BlackSuit-branded operations continued through 2024 and into 2025 with the OFAC December 2023 designation surface providing institutional pressure but not operational disruption; the brand had not been formally sunset as of v0.1 and remains an active-detection target. Brand-attributable extortion volume placed BlackSuit in the top-five ransomware brands by leak-site postings through 2024 per Recorded Future / Coveware tracking.", "first_observed": "2022-09 (Royal-branded operations debuted September 2022; the Royal encryptor was forked from Conti's Zeon variant per Mandiant and Microsoft attribution work, providing direct codebase continuity to the Conti-cohort dispersal network); brand rebrand to BlackSuit in June 2023.", "host_platforms": [ "Windows (primary, all enterprise-server variants); Linux / VMware ESXi (a dedicated ESXi-hypervisor variant emerged in early 2023, mirroring the broader RaaS-sector pivot to hypervisor-targeted attacks). The Windows codebase's lineage to Conti's Zeon variant is the cleanest documented case of *direct Conti-codebase fork as a successor-brand encryptor* — Royal forked from Zeon rather than being a clean rewrite", "distinguishing it from the Black Basta lineage where the Conti v3 codebase was substantively rewritten before redeployment." ], "used_by_groups": [], "observed_techniques": [ "OAK-T7.001", "OAK-T7.002", "OAK-T8.001" ], "citations": [ "chainalysis2025ransomware", "chainalysisroyalblacksuit2024", "cisaaa23061a", "cisaaa24228a", "mandiantroyalblacksuit2023", "microsoftstorm0569", "ofac2023royalblacksuit", "sophosroyalblacksuit2023", "trendmicroroyalblacksuit2023" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S28-royal-blacksuit.md" }, { "id": "OAK-S29", "name": "BeaverTail", "type": "malware (npm-package supply-chain malware / first-stage JavaScript loader and infostealer)", "aliases": [ "BeaverTail (the Palo Alto Unit 42 naming established in the canonical July 2023 publication that first publicly documented the family); industry-side cross-attribution labels include the broader campaign naming \"Contagious Interview\" (Unit 42 campaign-level naming for the recruiter-pretext intrusion set carrying BeaverTail and InvisibleFerret payloads) and \"Wagemole\" (an adjacent / partially-overlapping campaign naming used by Unit 42 and Mandiant for the DPRK-IT-worker-fraud surface that shares operator cohort and tooling with Contagious Interview); operator-cluster naming overlaps with the broader DPRK Lazarus / TraderTraitor / BlueNoroff intrusion set (CrowdStrike's Famous Chollima naming and Microsoft's Sapphire Sleet / Moonstone Sleet naming for related operator-cohort surfaces)." ], "active": "yes — continuous variants observed through 2024–2025 with sustained npm-registry submission cadence; Unit 42, SentinelOne, ReversingLabs, and Sonatype track ongoing variant-rotation and registry-submission patterns; the principal mitigation surface is npm-registry-side takedown of malicious packages, but operator-side rotation onto new fake-author personas and new package-name surfaces is faster than registry-side takedown response.", "first_observed": "2023-07 (Palo Alto Unit 42 canonical publication date, `[unit42beavertail2023]`; the underlying campaign activity is attributed back at least into early 2023 by retrospective registry-submission analysis).", "host_platforms": [ "cross-platform (Windows, macOS, Linux — the JavaScript implementation runs natively in the Node.js runtime that the npm-package delivery surface presupposes; this cross-platform property is itself a defining family-architectural feature, distinguishing BeaverTail from the platform-specific macOS-focused TraderTraitor / RustBucket / KandyKorn / SwiftLoader / ObjCShellz lineage at OAK-S08 / S20 / S21 / S22)." ], "used_by_groups": [ "OAK-G01", "OAK-G08" ], "observed_techniques": [ "OAK-T11.001", "OAK-T11.002" ], "citations": [ "chainalysis2024dprk", "crowdstrikefamouschollima2024", "mandiantwagemole2024", "unit42beavertail2023", "unit42contagiousinterview2024" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S29-beavertail.md" }, { "id": "OAK-S30", "name": "InvisibleFerret", "type": "malware (Python second-stage backdoor / credential-and-wallet-data infostealer)", "aliases": [ "InvisibleFerret (the Palo Alto Unit 42 naming established alongside the BeaverTail naming in the canonical July 2023 publication that first publicly documented both families); industry-side cross-attribution labels include the broader campaign naming \"Contagious Interview\" (Unit 42 campaign-level naming for the recruiter-pretext intrusion set carrying the BeaverTail → InvisibleFerret payload chain) and \"Wagemole\" (the adjacent DPRK-IT-worker-fraud campaign sharing operator cohort and tooling); operator-cluster naming overlaps with the broader DPRK Lazarus / TraderTraitor / BlueNoroff intrusion set under CrowdStrike's Famous Chollima naming and Microsoft's Sapphire Sleet / Moonstone Sleet naming." ], "active": "yes — continuous variants tracked through 2024–2025 with Unit 42, SentinelOne, and Mandiant documenting per-version evolution; the family operates as the persistent-second-stage backdoor in the BeaverTail-led Contagious Interview / Wagemole campaign and is paired with BeaverTail in essentially all observed campaign deployments rather than operating standalone.", "first_observed": "2023-07 (Palo Alto Unit 42 canonical publication date, paired with the BeaverTail family disclosure in `[unit42beavertail2023]`; the underlying campaign activity is attributed back at least into early 2023 by retrospective analysis).", "host_platforms": [ "cross-platform (Windows, macOS, Linux — the Python implementation runs natively in any Python-3 runtime that the BeaverTail first-stage establishes; cross-platform property mirrors BeaverTail and distinguishes the family from the platform-specific macOS-focused TraderTraitor lineage at OAK-S08)." ], "used_by_groups": [ "OAK-G01", "OAK-G08" ], "observed_techniques": [ "OAK-T11.001", "OAK-T11.002" ], "citations": [ "chainalysis2024dprk", "crowdstrikefamouschollima2024", "jamfinvisibleferret2024", "mandiantwagemole2024", "sentineloneinvisibleferret2024", "unit42beavertail2023", "unit42invisibleferret2024" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S30-invisibleferret.md" }, { "id": "OAK-S31", "name": "TigerRAT", "type": "malware (Windows backdoor / persistent-access remote-access-trojan)", "aliases": [ "TigerRAT (the canonical KrCERT/CC + AhnLab naming established in 2022 publications and sustained across continuous Korean-side CTI reporting through 2024–2025); industry-side cross-attribution labels include the broader Andariel cluster naming surface — Silent Chollima (CrowdStrike)", "Onyx Sleet / Plutonium (Microsoft Threat Intelligence's continuous Andariel-cluster naming)", "Stonefly (Symantec / Broadcom)", "DarkSeoul-cohort historical naming for the broader DPRK destructive-and-espionage cluster from which Andariel is the contemporary financially-motivated sub-cluster", "and the external Group ID G0138 Andariel Group profile under which TigerRAT activity is documented." ], "active": "yes — continuous variants tracked through 2024–2025 by KrCERT/CC, AhnLab, Mandiant, Microsoft, and Symantec; the family is a sustained-deployment Andariel-cluster persistence-and-staging tool rather than a campaign-bounded payload, and its operational tempo is paced by Andariel's broader campaign cadence rather than by per-version-release boundaries.", "first_observed": "2022 (KrCERT/CC + AhnLab canonical publications established the family naming in 2022; underlying Andariel-cluster activity using the family is attributed back further by retrospective analysis but the public-record family-naming anchor is 2022).", "host_platforms": [ "Windows (the only platform observed in public reporting; KrCERT/CC, AhnLab, and Mandiant analyses describe a Windows-only x86 implementation; no macOS or Linux variants documented as of v0.1)." ], "used_by_groups": [ "OAK-G09" ], "observed_techniques": [ "OAK-T7.001", "OAK-T7.002", "OAK-T8.002" ], "citations": [ "ahnlabtigerrat2022", "chainalysisdprkmaui2024", "cisa2024andarieladvisory", "cisaaa22187a", "cisaaa22321a", "doj2024rimjonghyok", "krcerttigerrat2022", "mandiantandariel2022", "microsoftonyxsleet2022", "symantec2024stonefly" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S31-tigerrat.md" }, { "id": "OAK-S32", "name": "AppleSeed", "type": "malware (Windows backdoor / persistent-access remote-access-trojan with HWP-document-borne delivery surface)", "aliases": [ "AppleSeed (the canonical industry naming established across Cisco Talos, ESET, Mandiant, AhnLab, and KISA / KrCERT/CC publications and sustained as the dominant naming convention in continuous CTI reporting from approximately 2019 forward); industry-side cross-attribution labels include the broader Kimsuky / APT43 cluster naming surface — Kimsuky (the canonical Korean and U.S.-government naming for the operator cluster)", "Thallium (Microsoft Threat Intelligence's earlier Kimsuky naming)", "Black Banshee (CrowdStrike's Kimsuky-cluster naming)", "Velvet Chollima and the broader Chollima-family naming", "APT43 (Mandiant's March 2023 cluster-naming consolidation)", "TA406 (Proofpoint's Kimsuky naming)", "and the external Group ID G0094 Kimsuky Group profile under which AppleSeed activity is documented." ], "active": "yes — continuous variants tracked through 2024–2025 by Talos, ESET, Mandiant, AhnLab, KISA, and KrCERT/CC; the family is the primary Kimsuky persistence tool from approximately 2019 forward and the operational tempo is paced by Kimsuky's broader spear-phishing-campaign cadence rather than by per-version-release boundaries.", "first_observed": "2019 (the public-record family-naming anchor is approximately 2019 across early Kimsuky-cluster CTI reporting; underlying Kimsuky-cluster activity is attributed back further by retrospective analysis but the AppleSeed family naming and the documented HWP-document-borne delivery surface stabilised in industry reporting around 2019–2020).", "host_platforms": [ "Windows (the only platform observed in public reporting; Talos, ESET, Mandiant, AhnLab, and KISA analyses describe a Windows-only x86 implementation; no macOS or Linux variants documented as of v0.1, consistent with the family's HWP-document-borne delivery surface that presupposes a Korean-language Windows-host target population)." ], "used_by_groups": [ "OAK-G07" ], "observed_techniques": [ "OAK-T7.001", "OAK-T7.002", "OAK-T8.002" ], "citations": [ "ahnlabappleseed2021", "bfvnis2023kimsuky", "chainalysis2024dprk", "esetkimsuky2021", "mandiantapt43_2023", "mofakimsuky2023", "ofac2023kimsuky", "talosappleseed2021" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S32-appleseed.md" }, { "id": "OAK-S33", "name": "Akira ransomware", "type": "ransomware", "aliases": [ "Akira (the operator-side and leak-site-branded name from the brand's March 2023 debut, with the leak-site visual identity adopting a deliberate retro-1980s green-on-black terminal aesthetic that became the family's most-recognisable surface signature); Megazord (a short-lived Rust-language Linux/ESXi variant identifier used in mid-2023 builds before consolidation back under the Akira brand); industry-side cross-attribution labels include the informal \"Akira-Conti-derivative\" naming used in 2023 industry reporting that documented partial code-reuse signals between the Akira Windows codebase and the Conti v3 leaked source. Akira is widely read by Mandiant", "Sophos", "and Avast as a Conti-cohort-adjacent operator emergence rather than a direct Conti-cohort-continuity case in the idiom of OAK-S27 Black Basta or OAK-S28 Royal/BlackSuit; the lineage relationship is *partial-codebase-derivative-with-distinct-operator-cohort* rather than full cohort-continuity." ], "active": "active — Akira-branded operations continued through 2024 and into 2025 with sustained leak-site cadence and over 250 confirmed victim organisations through early 2024 per the April 2024 CISA / FBI / EC3 / NCSC-NL joint advisory AA24-109A (`[cisaaa24109a]`); the brand had not been subjected to a government takedown comparable to Operation Cronos (LockBit) or the December 2023 ALPHV action as of v0.1, and remains an active-detection target. Recorded Future / Coveware tracking placed Akira in the top-five ransomware brands by leak-site postings through 2024.", "first_observed": "2023-03 (Akira-branded operations debuted March 2023 with the Windows C++ encryptor; the Rust-language Linux / VMware ESXi variant followed in April–May 2023, mirroring the broader RaaS-sector pivot to Rust-implemented hypervisor variants established by ALPHV / BlackCat).", "host_platforms": [ "Windows (primary, all enterprise-server variants, C++-authored codebase with partial structural similarities to Conti v3 documented by Sophos and Avast); Linux / VMware ESXi (a Rust-language variant emerged April–May 2023 under the temporary \"Megazord\" naming before consolidation back to the Akira brand). The dual-language architecture — C++ Windows + Rust ESXi/Linux — mirrors the ALPHV-influenced sector-wide pattern of Rust-for-cross-platform-hypervisor-variants while retaining C++ for the Windows codebase", "a hybrid pattern that became more common across 2023–2024 RaaS emergences." ], "used_by_groups": [ "OAK-G16" ], "observed_techniques": [ "OAK-T7.001", "OAK-T7.002", "OAK-T8.001" ], "citations": [ "avast2023akira", "chainalysis2025ransomware", "chainalysisakira2024", "cisaaa24109a", "mandiantakira2023", "ofac2022garantex", "sophosakira2023", "trendmicroakira2023" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S33-akira-ransomware.md" }, { "id": "OAK-S34", "name": "RansomHub ransomware", "type": "ransomware", "aliases": [ "RansomHub (the operator-side and leak-site-branded name from the brand's February 2024 debut on Russian-language criminal forums); industry-side cross-attribution labels include the informal \"Knight-derivative\" naming used in mid-2024 industry reporting that documented partial code-reuse signals between the RansomHub Windows codebase and the prior Knight / Cyclops-Blink-class encryptor codebase (the operator-cohort behind Knight is widely read as having sold or licensed source code to the RansomHub developer team)", "and the \"post-ALPHV-affiliate-absorber\" descriptive used across CTI-vendor reporting to characterise the brand's principal market-positioning function in 2024. RansomHub is the canonical worked example of *operator-cohort opportunism in the wake of a competitor brand's exit-scam-driven dissolution* — the brand's rapid Q2–Q4 2024 growth is widely attributed to its capacity to absorb the high-tier ALPHV affiliate diaspora following the March 2024 ALPHV exit-scam (see OAK-S24 Discussion)", "with the \"Notchy\" affiliate behind the Change Healthcare attack widely-reported as having rotated onto the RansomHub affiliate panel." ], "active": "active — RansomHub-branded operations continued through 2024 and into 2025 with sustained leak-site cadence; brand-attributable extortion volume placed RansomHub as the top-by-leak-site-postings RaaS brand in H2 2024 per Recorded Future / Coveware tracking, displacing both the post-Cronos LockBit and the post-exit-scam ALPHV from their prior market-share positions. The brand had not been subjected to a government takedown comparable to Operation Cronos or the December 2023 ALPHV action as of v0.1, and remains an active-detection target.", "first_observed": "2024-02 (RansomHub leak-site debut February 2024; advertisements on Russian-language criminal forums marked the brand's debut and the affiliate-onboarding panel was operational immediately, suggesting a substantial pre-launch development period and an operator-side cohort with prior RaaS-operational experience).", "host_platforms": [ "Windows (primary, all enterprise-server variants, with the encryptor codebase showing partial structural similarities to the prior Knight / Cyclops-class codebase per Mandiant and Microsoft attribution work); Linux / VMware ESXi (a dedicated ESXi-hypervisor variant emerged in mid-2024); Go-language and Rust-language partial implementations have been documented in different RansomHub builds across 2024", "with the dual-language architecture mirroring the broader sector pattern of hybrid-codebase RaaS designs established by Akira (OAK-S33) and the LockBit NG-Dev rewrite." ], "used_by_groups": [ "OAK-G15" ], "observed_techniques": [ "OAK-T7.001", "OAK-T7.002", "OAK-T7.003", "OAK-T8.001" ], "citations": [ "chainalysis2025ransomware", "chainalysisransomhub2024", "cisaaa24242a", "mandiantransomhub2024", "microsoftransomhub2024", "ofac2022garantex", "recordedfutureransomhub2024", "sophosransomhub2024", "trendmicroransomhub2024" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S34-ransomhub-ransomware.md" }, { "id": "OAK-S35", "name": "BlackByte ransomware", "type": "ransomware", "aliases": [ "BlackByte (the operator-side and leak-site-branded name from the brand's July 2021 debut, retained continuously across the multi-language codebase rotation through 2024); industry-side cross-attribution labels include the Wizard-Spider-cohort-adjacent / Conti-cohort-partial-overlap descriptive used in 2022 industry reporting that documented operator-personnel overlap with the broader Conti-cohort dispersal network", "and the BlackByte 2.0 / NT / 3.0 version-string naming used to disambiguate the multi-language codebase rotations across .NET (2021–2022)", "Go (2022–2023)", "and C++ (2023–2025) implementations. BlackByte sits in the Conti-cohort-adjacent category alongside Akira (OAK-S33) — operator-personnel overlap with the broader post-Conti dispersal network is documented but the lineage relationship is partial-overlap rather than full cohort-continuity in the idiom of OAK-S27 Black Basta or OAK-S28 Royal/BlackSuit." ], "active": "active — BlackByte-branded operations continued through 2024 and into 2025 with sustained leak-site cadence; the brand had not been subjected to a government takedown comparable to Operation Cronos (LockBit) or the December 2023 ALPHV action as of v0.1, and remains an active-detection target. Brand-attributable extortion volume placed BlackByte as a mid-tier RaaS strain across 2022–2024 — below the top-three by leak-site postings but with sustained presence and continued multi-vertical targeting per Recorded Future / Coveware tracking.", "first_observed": "2021-07 (BlackByte-branded operations debuted July 2021 with the .NET-language Windows encryptor; subsequent codebase rotations to Go (2022) and C++ (2023+) reflect a sustained operator-side investment in encryptor-codebase modernisation across the brand's lifetime, distinguishing BlackByte from the more-typical RaaS-sector pattern of either single-language codebase persistence or single-rewrite codebase rotation).", "host_platforms": [ "Windows (primary, all enterprise-server variants, with the codebase rotated across .NET (2021–2022) → Go (2022–2023) → C++ (2023–2025) per Trustwave, Microsoft, and Sophos attribution work); Linux / VMware ESXi (a dedicated ESXi-hypervisor variant emerged in 2022, mirroring the broader RaaS-sector pivot to hypervisor-targeted attacks established by LockBit and ALPHV). The multi-language codebase rotation is the family's defining technical history and provides a useful comparative reference for understanding the *operator-side codebase-modernisation cadence* across a long-lifetime mid-tier RaaS brand — distinct from both single-language persistence (Conti's C++-only history) and single-rewrite rotation (LockBit's NG-Dev Rust rewrite recovered pre-deployment)." ], "used_by_groups": [ "OAK-G17" ], "observed_techniques": [ "OAK-T7.001", "OAK-T7.002", "OAK-T8.001" ], "citations": [ "chainalysis2025ransomware", "chainalysisblackbyte2024", "cisaaa22039a", "microsoftblackbyte2023", "ofac2022garantex", "sophosblackbyte2023", "trendmicroblackbyte2022", "trustwaveblackbyte2021" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S35-blackbyte-ransomware.md" }, { "id": "OAK-S36", "name": "Karakurt extortion-only kit", "type": "tool / extortion-only operation tooling", "aliases": [ "Karakurt extortion kit; Karakurt Lair (operator leak-site branding); part of the Conti-spinoff cohort tracked by Mandiant and CrowdStrike under the Wizard Spider successor-brand umbrella." ], "active": "yes (continuous May 2021 → present, with periodic operating-tempo dips). Activity tracked through 2024–2025.", "first_observed": "2021-05.", "host_platforms": [ "Cross-platform-by-tool-stack — Karakurt does not develop or deploy a custom encryptor and is not", "in the strict sense", "a \"ransomware family.\" Its operating tooling is a curated configuration of commodity post-exploitation and exfiltration utilities: Cobalt Strike (OAK-S37)", "Mimikatz", "AnyDesk", "rclone (the dominant Karakurt-fingerprint exfiltration utility)", "Filezilla / WinSCP", "Mega.io's MEGAsync", "and a custom set of automated victim-data-publication scripts running against the Karakurt Lair leak site." ], "used_by_groups": [ "OAK-G18" ], "observed_techniques": [ "OAK-T7.001", "OAK-T7.002", "OAK-T8.001", "OAK-T8.002" ], "citations": [ "chainalysis2022conti", "cisaaa22152a", "contileaks2022", "crowdstrikewizardspider2022", "mandiantcontileaks2022" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S36-karakurt-extortion-kit.md" }, { "id": "OAK-S37", "name": "Cobalt Strike", "type": "tool / commodity post-exploitation framework (legitimate red-team product, widely abused)", "aliases": [ "Cobalt Strike Beacon (the canonical implant component); CS (industry shorthand). Originally developed by Raphael Mudge (commercial release 2012); acquired by HelpSystems / Fortra in 2020. external cyber-threat-intel taxonomy ID S0154." ], "active": "yes — both legitimate licensed deployments (red-team, penetration-testing) and the much-larger cracked-and-trojaned threat-actor population. Continuous abuse since approximately 2015; remains the dominant single post-exploitation framework in OAK-relevant ransomware-and-targeted-intrusion deployments through 2025.", "first_observed": "2012 (legitimate commercial release); first widely-documented criminal abuse approximately 2015–2016; ubiquity in major-RaaS-deployment chains established by 2020.", "host_platforms": [ "Windows (primary, all variants); cross-platform Beacon variants (Linux, macOS) exist in legitimate licensed deployments and have been observed in some cracked-criminal deployments through 2024." ], "used_by_groups": [ "OAK-G05", "OAK-G09", "OAK-G10", "OAK-G11", "OAK-G14", "OAK-G15", "OAK-G16", "OAK-G17", "OAK-G18", "OAK-G06" ], "observed_techniques": [ "OAK-T11.001", "OAK-T8.001" ], "citations": [ "cisaaa22046a", "cisaaa22152a", "cisaaa24131a", "mandiant3cx2023", "mandiantradiant2024", "microsoftcitrineradiant2024" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S37-cobalt-strike.md" }, { "id": "OAK-S38", "name": "IcedID + Pikabot loaders", "type": "malware / commodity loader (initial-access broker class)", "aliases": [ "IcedID — also tracked as BokBot (CrowdStrike) and as TA551-and-derivatives (Proofpoint historical naming for some delivery cohorts). Pikabot — successor-and-overlap loader to Qakbot (OAK-S40)", "tracked by Trend Micro", "Elastic", "and Zscaler from early 2023. The two are combined into a single OAK-S entry because they share the Russian-cybercrime-ecosystem operator substrate", "the initial-access-broker operating role", "and the May 2024 Operation Endgame disruption-event scope." ], "active": "IcedID — yes (2017 → present, with reduced post-Operation-Endgame tempo). Pikabot — yes (2023 → present, with reduced post-Operation-Endgame tempo).", "first_observed": "IcedID — 2017 (originally a banking-trojan; pivoted to ransomware-loader role from approximately 2020 onward). Pikabot — early 2023 (post-Qakbot-takedown gap-filling role established by Q2 2023).", "host_platforms": [ "Windows (primary, all variants)." ], "used_by_groups": [ "OAK-G05", "OAK-G10", "OAK-G11", "OAK-G14", "OAK-G16", "OAK-G17", "OAK-G18" ], "observed_techniques": [ "OAK-T11.001", "OAK-T11.002", "OAK-T8.001" ], "citations": [ "chainalysis2024lockbit", "cisaaa24131a", "mandiantcontileaks2022", "microsoftstorm1811" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S38-icedid-pikabot.md" }, { "id": "OAK-S39", "name": "DanaBot", "type": "malware / banking trojan + commodity loader", "aliases": [ "DanaBot (the canonical industry naming since 2018); external cyber-threat-intel taxonomy ID S0634. Some early 2018 reporting tracked DanaBot under the placeholder name \"Trojan.Win32.Spy\" before family-level naming stabilised." ], "active": "yes through May 2024 (Operation Endgame target). Post-Operation-Endgame the operating-tempo has been significantly reduced; activity continues through 2025 at lower volume.", "first_observed": "2018-05.", "host_platforms": [ "Windows (primary, all variants)." ], "used_by_groups": [ "OAK-G05", "OAK-G10", "OAK-G11", "OAK-G16" ], "observed_techniques": [ "OAK-T11.001", "OAK-T11.002", "OAK-T8.001" ], "citations": [ "chainalysis2024lockbit", "cisaaa24131a", "microsoftstorm1811" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S39-danabot.md" }, { "id": "OAK-S40", "name": "Qakbot / Pinkslipbot / QBot", "type": "malware / banking trojan + commodity loader", "aliases": [ "Qakbot (the dominant industry naming since approximately 2010); QBot (CrowdStrike historical naming); Pinkslipbot (an earlier-era name from Symantec / Broadcom). external cyber-threat-intel taxonomy ID S0650. One of the longest-running individual malware families on the OAK-relevant timeline." ], "active": "sunset for original infrastructure post-August 2023 (Operation Duck Hunt). Cohort-level operating substrate persists in OAK-S38 Pikabot which is structurally a successor-and-overlap loader rebuilt by the same Russian-cybercrime-ecosystem operator cohort.", "first_observed": "approximately 2008 (initial banking-trojan operation; some pre-2008 ancestor variants are documented but the family-level naming stabilises at 2008–2010).", "host_platforms": [ "Windows (primary, all variants)." ], "used_by_groups": [ "OAK-G05", "OAK-G10", "OAK-G11", "OAK-G14" ], "observed_techniques": [ "OAK-T11.001", "OAK-T11.002", "OAK-T8.001" ], "citations": [ "chainalysis2024lockbit", "cisaaa22046a", "cisaaa24131a", "mandiantcontileaks2022", "microsoftstorm1811" ], "source_file": "/home/runner/work/oak/oak/software/OAK-S40-qakbot-pinkslipbot.md" } ], "relationships": [ { "type": "mitigates", "source": "OAK-M01", "target": "OAK-T1.001" }, { "type": "mitigates", "source": "OAK-M01", "target": "OAK-T1.003" }, { "type": "mitigates", "source": "OAK-M01", "target": "OAK-T1.004" }, { "type": "mitigates", "source": "OAK-M01", "target": "OAK-T1.005" }, { "type": "mitigates", "source": "OAK-M01", "target": "OAK-T2.004" }, { "type": "mitigates", "source": "OAK-M01", "target": "OAK-T6.001" }, { "type": "mitigates", "source": "OAK-M01", "target": "OAK-T6.003" }, { "type": "mitigates", "source": "OAK-M02", "target": "OAK-T1.001" }, { "type": "mitigates", "source": "OAK-M02", "target": "OAK-T1.003" }, { "type": "mitigates", "source": "OAK-M02", "target": "OAK-T1.004" }, { "type": "mitigates", "source": "OAK-M02", "target": "OAK-T1.005" }, { "type": "mitigates", "source": "OAK-M02", "target": "OAK-T6.001" }, { "type": "mitigates", "source": "OAK-M02", "target": "OAK-T6.002" }, { "type": "mitigates", "source": "OAK-M02", "target": "OAK-T9.004" }, { "type": "mitigates", "source": "OAK-M02", "target": "OAK-T9.005" }, { "type": "mitigates", "source": "OAK-M02", "target": "OAK-T13.001" }, { "type": "mitigates", "source": "OAK-M03", "target": "OAK-T1.003" }, { "type": "mitigates", "source": "OAK-M03", "target": "OAK-T1.004" }, { "type": "mitigates", "source": "OAK-M03", "target": "OAK-T2.004" }, { "type": "mitigates", "source": "OAK-M03", "target": "OAK-T6.001" }, { "type": "mitigates", "source": "OAK-M03", "target": "OAK-T6.003" }, { "type": "mitigates", "source": "OAK-M03", "target": "OAK-T9.004" }, { "type": "mitigates", "source": "OAK-M03", "target": "OAK-T11.003" }, { "type": "mitigates", "source": "OAK-M04", "target": "OAK-T2.001" }, { "type": "mitigates", "source": "OAK-M04", "target": "OAK-T3.001" }, { "type": "mitigates", "source": "OAK-M04", "target": "OAK-T3.002" }, { "type": "mitigates", "source": "OAK-M04", "target": "OAK-T3.003" }, { "type": "mitigates", "source": "OAK-M04", "target": "OAK-T8.001" }, { "type": "mitigates", "source": "OAK-M04", "target": "OAK-T8.002" }, { "type": "mitigates", "source": "OAK-M04", "target": "OAK-T1.001" }, { "type": "mitigates", "source": "OAK-M04", "target": "OAK-T2.004" }, { "type": "mitigates", "source": "OAK-M05", "target": "OAK-T1.003" }, { "type": "mitigates", "source": "OAK-M05", "target": "OAK-T1.004" }, { "type": "mitigates", "source": "OAK-M05", "target": "OAK-T9.003" }, { "type": "mitigates", "source": "OAK-M05", "target": "OAK-T9.004" }, { "type": "mitigates", "source": "OAK-M05", "target": "OAK-T11.001" }, { "type": "mitigates", "source": "OAK-M05", "target": "OAK-T11.002" }, { "type": "mitigates", "source": "OAK-M05", "target": "OAK-T11.003" }, { "type": "mitigates", "source": "OAK-M06", "target": "OAK-T5.004" }, { "type": "mitigates", "source": "OAK-M06", "target": "OAK-T13.002" }, { "type": "mitigates", "source": "OAK-M06", "target": "OAK-T14.002" }, { "type": "mitigates", "source": "OAK-M07", "target": "OAK-T7.001" }, { "type": "mitigates", "source": "OAK-M07", "target": "OAK-T7.002" }, { "type": "mitigates", "source": "OAK-M07", "target": "OAK-T7.003" }, { "type": "mitigates", "source": "OAK-M07", "target": "OAK-T7.004" }, { "type": "mitigates", "source": "OAK-M07", "target": "OAK-T7.005" }, { "type": "mitigates", "source": "OAK-M07", "target": "OAK-T7.006" }, { "type": "mitigates", "source": "OAK-M07", "target": "OAK-T8.002" }, { "type": "mitigates", "source": "OAK-M07", "target": "OAK-T11.001" }, { "type": "mitigates", "source": "OAK-M08", "target": "OAK-T4.001" }, { "type": "mitigates", "source": "OAK-M08", "target": "OAK-T4.004" }, { "type": "mitigates", "source": "OAK-M08", "target": "OAK-T4.005" }, { "type": "mitigates", "source": "OAK-M08", "target": "OAK-T4.006" }, { "type": "mitigates", "source": "OAK-M09", "target": "OAK-T9.001" }, { "type": "mitigates", "source": "OAK-M09", "target": "OAK-T9.002" }, { "type": "mitigates", "source": "OAK-M10", "target": "OAK-T9.005" }, { "type": "mitigates", "source": "OAK-M10", "target": "OAK-T9.002" }, { "type": "mitigates", "source": "OAK-M11", "target": "OAK-T5.001" }, { "type": "mitigates", "source": "OAK-M11", "target": "OAK-T5.002" }, { "type": "mitigates", "source": "OAK-M11", "target": "OAK-T9.001" }, { "type": "mitigates", "source": "OAK-M11", "target": "OAK-T9.002" }, { "type": "mitigates", "source": "OAK-M11", "target": "OAK-T10.001" }, { "type": "mitigates", "source": "OAK-M11", "target": "OAK-T10.002" }, { "type": "mitigates", "source": "OAK-M12", "target": "OAK-T10.002" }, { "type": "mitigates", "source": "OAK-M12", "target": "OAK-T10.003" }, { "type": "mitigates", "source": "OAK-M13", "target": "OAK-T10.004" }, { "type": "mitigates", "source": "OAK-M14", "target": "OAK-T10.005" }, { "type": "mitigates", "source": "OAK-M15", "target": "OAK-T10.001" }, { "type": "mitigates", "source": "OAK-M15", "target": "OAK-T11.001" }, { "type": "mitigates", "source": "OAK-M15", "target": "OAK-T11.003" }, { "type": "mitigates", "source": "OAK-M16", "target": "OAK-T1.001" }, { "type": "mitigates", "source": "OAK-M16", "target": "OAK-T1.003" }, { "type": "mitigates", "source": "OAK-M16", "target": "OAK-T1.004" }, { "type": "mitigates", "source": "OAK-M16", "target": "OAK-T6.001" }, { "type": "mitigates", "source": "OAK-M16", "target": "OAK-T6.002" }, { "type": "mitigates", "source": "OAK-M16", "target": "OAK-T6.003" }, { "type": "mitigates", "source": "OAK-M16", "target": "OAK-T6.004" }, { "type": "mitigates", "source": "OAK-M16", "target": "OAK-T9.001" }, { "type": "mitigates", "source": "OAK-M16", "target": "OAK-T9.002" }, { "type": "mitigates", "source": "OAK-M16", "target": "OAK-T9.003" }, { "type": "mitigates", "source": "OAK-M16", "target": "OAK-T9.004" }, { "type": "mitigates", "source": "OAK-M16", "target": "OAK-T9.005" }, { "type": "mitigates", "source": "OAK-M16", "target": "OAK-T10.001" }, { "type": "mitigates", "source": "OAK-M16", "target": "OAK-T10.002" }, { "type": "mitigates", "source": "OAK-M16", "target": "OAK-T10.003" }, { "type": "mitigates", "source": "OAK-M16", "target": "OAK-T10.004" }, { "type": "mitigates", "source": "OAK-M16", "target": "OAK-T10.005" }, { "type": "mitigates", "source": "OAK-M17", "target": "OAK-T9.003" }, { "type": "mitigates", "source": "OAK-M18", "target": "OAK-T11.001" }, { "type": "mitigates", "source": "OAK-M18", "target": "OAK-T11.002" }, { "type": "mitigates", "source": "OAK-M18", "target": "OAK-T11.003" }, { "type": "mitigates", "source": "OAK-M18", "target": "OAK-T4.001" }, { "type": "mitigates", "source": "OAK-M18", "target": "OAK-T4.002" }, { "type": "mitigates", "source": "OAK-M18", "target": "OAK-T4.003" }, { "type": "mitigates", "source": "OAK-M18", "target": "OAK-T4.004" }, { "type": "mitigates", "source": "OAK-M18", "target": "OAK-T4.005" }, { "type": "mitigates", "source": "OAK-M18", "target": "OAK-T4.006" }, { "type": "mitigates", "source": "OAK-M19", "target": "OAK-T11.001" }, { "type": "mitigates", "source": "OAK-M19", "target": "OAK-T11.002" }, { "type": "mitigates", "source": "OAK-M19", "target": "OAK-T11.003" }, { "type": "mitigates", "source": "OAK-M20", "target": "OAK-T11.001" }, { "type": "mitigates", "source": "OAK-M20", "target": "OAK-T11.002" }, { "type": "mitigates", "source": "OAK-M21", "target": "OAK-T11.001" }, { "type": "mitigates", "source": "OAK-M21", "target": "OAK-T11.002" }, { "type": "mitigates", "source": "OAK-M22", "target": "OAK-T1.003" }, { "type": "mitigates", "source": "OAK-M22", "target": "OAK-T11.001" }, { "type": "mitigates", "source": "OAK-M22", "target": "OAK-T11.002" }, { "type": "mitigates", "source": "OAK-M22", "target": "OAK-T11.003" }, { "type": "mitigates", "source": "OAK-M22", "target": "OAK-T9.004" }, { "type": "mitigates", "source": "OAK-M23", "target": "OAK-T6.001" }, { "type": "mitigates", "source": "OAK-M23", "target": "OAK-T6.002" }, { "type": "mitigates", "source": "OAK-M23", "target": "OAK-T6.003" }, { "type": "mitigates", "source": "OAK-M23", "target": "OAK-T6.004" }, { "type": "mitigates", "source": "OAK-M23", "target": "OAK-T1.001" }, { "type": "mitigates", "source": "OAK-M24", "target": "OAK-T6.002" }, { "type": "mitigates", "source": "OAK-M24", "target": "OAK-T6.004" }, { "type": "mitigates", "source": "OAK-M25", "target": "OAK-T1.001" }, { "type": "mitigates", "source": "OAK-M25", "target": "OAK-T1.002" }, { "type": "mitigates", "source": "OAK-M25", "target": "OAK-T1.003" }, { "type": "mitigates", "source": "OAK-M25", "target": "OAK-T1.004" }, { "type": "mitigates", "source": "OAK-M25", "target": "OAK-T1.005" }, { "type": "mitigates", "source": "OAK-M25", "target": "OAK-T2.001" }, { "type": "mitigates", "source": "OAK-M25", "target": "OAK-T2.002" }, { "type": "mitigates", "source": "OAK-M25", "target": "OAK-T2.003" }, { "type": "mitigates", "source": "OAK-M25", "target": "OAK-T2.004" }, { "type": "mitigates", "source": "OAK-M25", "target": "OAK-T6.001" }, { "type": "mitigates", "source": "OAK-M25", "target": "OAK-T6.002" }, { "type": "mitigates", "source": "OAK-M25", "target": "OAK-T6.003" }, { "type": "mitigates", "source": "OAK-M25", "target": "OAK-T6.004" }, { "type": "mitigates", "source": "OAK-M26", "target": "OAK-T3.002" }, { "type": "mitigates", "source": "OAK-M26", "target": "OAK-T7.004" }, { "type": "mitigates", "source": "OAK-M26", "target": "OAK-T12.001" }, { "type": "mitigates", "source": "OAK-M27", "target": "OAK-T7.002" }, { "type": "mitigates", "source": "OAK-M27", "target": "OAK-T7.003" }, { "type": "mitigates", "source": "OAK-M27", "target": "OAK-T7.005" }, { "type": "mitigates", "source": "OAK-M28", "target": "OAK-T5.006" }, { "type": "mitigates", "source": "OAK-M29", "target": "OAK-T4.003" }, { "type": "mitigates", "source": "OAK-M30", "target": "OAK-T4.001" }, { "type": "mitigates", "source": "OAK-M30", "target": "OAK-T4.005" }, { "type": "mitigates", "source": "OAK-M30", "target": "OAK-T4.006" }, { "type": "mitigates", "source": "OAK-M31", "target": "OAK-T4.001" }, { "type": "mitigates", "source": "OAK-M31", "target": "OAK-T4.004" }, { "type": "mitigates", "source": "OAK-M31", "target": "OAK-T4.005" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T1.001" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T1.002" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T1.003" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T1.004" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T1.005" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T6.001" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T6.002" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T6.003" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T6.004" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T9.001" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T9.002" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T9.003" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T9.004" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T9.005" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T10.001" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T10.002" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T10.003" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T10.004" }, { "type": "mitigates", "source": "OAK-M32", "target": "OAK-T10.005" }, { "type": "mitigates", "source": "OAK-M33", "target": "OAK-T9.001" }, { "type": "mitigates", "source": "OAK-M33", "target": "OAK-T9.002" }, { "type": "mitigates", "source": "OAK-M33", "target": "OAK-T9.003" }, { "type": "mitigates", "source": "OAK-M33", "target": "OAK-T9.004" }, { "type": "mitigates", "source": "OAK-M33", "target": "OAK-T9.005" }, { "type": "mitigates", "source": "OAK-M33", "target": "OAK-T10.001" }, { "type": "mitigates", "source": "OAK-M33", "target": "OAK-T10.002" }, { "type": "mitigates", "source": "OAK-M33", "target": "OAK-T10.003" }, { "type": "mitigates", "source": "OAK-M33", "target": "OAK-T10.004" }, { "type": "mitigates", "source": "OAK-M33", "target": "OAK-T10.005" }, { "type": "mitigates", "source": "OAK-M33", "target": "OAK-T11.001" }, { "type": "mitigates", "source": "OAK-M33", "target": "OAK-T11.002" }, { "type": "mitigates", "source": "OAK-M33", "target": "OAK-T11.003" }, { "type": "mitigates", "source": "OAK-M34", "target": "OAK-T9.001" }, { "type": "mitigates", "source": "OAK-M34", "target": "OAK-T9.002" }, { "type": "mitigates", "source": "OAK-M34", "target": "OAK-T9.003" }, { "type": "mitigates", "source": "OAK-M34", "target": "OAK-T9.004" }, { "type": "mitigates", "source": "OAK-M34", "target": "OAK-T9.005" }, { "type": "mitigates", "source": "OAK-M34", "target": "OAK-T10.001" }, { "type": "mitigates", "source": "OAK-M34", "target": "OAK-T10.002" }, { "type": "mitigates", "source": "OAK-M34", "target": "OAK-T10.003" }, { "type": "mitigates", "source": "OAK-M34", "target": "OAK-T10.004" }, { "type": "mitigates", "source": "OAK-M34", "target": "OAK-T10.005" }, { "type": "mitigates", "source": "OAK-M34", "target": "OAK-T11.003" }, { "type": "mitigates", "source": "OAK-M35", "target": "OAK-T9.001" }, { "type": "mitigates", "source": "OAK-M35", "target": "OAK-T9.002" }, { "type": "mitigates", "source": "OAK-M35", "target": "OAK-T9.003" }, { "type": "mitigates", "source": "OAK-M35", "target": "OAK-T9.004" }, { "type": "mitigates", "source": "OAK-M35", "target": "OAK-T9.005" }, { "type": "mitigates", "source": "OAK-M35", "target": "OAK-T10.001" }, { "type": "mitigates", "source": "OAK-M35", "target": "OAK-T10.002" }, { "type": "mitigates", "source": "OAK-M35", "target": "OAK-T10.003" }, { "type": "mitigates", "source": "OAK-M35", "target": "OAK-T10.004" }, { "type": "mitigates", "source": "OAK-M35", "target": "OAK-T10.005" }, { "type": "mitigates", "source": "OAK-M35", "target": "OAK-T11.001" }, { "type": "mitigates", "source": "OAK-M35", "target": "OAK-T11.002" }, { "type": "mitigates", "source": "OAK-M35", "target": "OAK-T11.003" }, { "type": "mitigates", "source": "OAK-M36", "target": "OAK-T11.001" }, { "type": "mitigates", "source": "OAK-M36", "target": "OAK-T11.002" }, { "type": "mitigates", "source": "OAK-M36", "target": "OAK-T11.003" }, { "type": "mitigates", "source": "OAK-M37", "target": "OAK-T11.001" }, { "type": "mitigates", "source": "OAK-M37", "target": "OAK-T11.002" }, { "type": "mitigates", "source": "OAK-M37", "target": "OAK-T11.003" }, { "type": "mitigates", "source": "OAK-M37", "target": "OAK-T10.001" }, { "type": "mitigates", "source": "OAK-M38", "target": "OAK-T5.001" }, { "type": "mitigates", "source": "OAK-M38", "target": "OAK-T5.002" }, { "type": "mitigates", "source": "OAK-M38", "target": "OAK-T5.005" }, { "type": "mitigates", "source": "OAK-M38", "target": "OAK-T9.001" }, { "type": "mitigates", "source": "OAK-M38", "target": "OAK-T9.002" }, { "type": "mitigates", "source": "OAK-M38", "target": "OAK-T9.004" }, { "type": "mitigates", "source": "OAK-M38", "target": "OAK-T9.005" }, { "type": "mitigates", "source": "OAK-M38", "target": "OAK-T10.001" }, { "type": "mitigates", "source": "OAK-M38", "target": "OAK-T11.001" }, { "type": "mitigates", "source": "OAK-M38", "target": "OAK-T11.002" }, { "type": "mitigates", "source": "OAK-M38", "target": "OAK-T11.003" }, { "type": "mitigates", "source": "OAK-M39", "target": "OAK-T9.001" }, { "type": "mitigates", "source": "OAK-M39", "target": "OAK-T9.002" }, { "type": "mitigates", "source": "OAK-M39", "target": "OAK-T9.003" }, { "type": "mitigates", "source": "OAK-M39", "target": "OAK-T9.004" }, { "type": "mitigates", "source": "OAK-M39", "target": "OAK-T9.005" }, { "type": "mitigates", "source": "OAK-M39", "target": "OAK-T10.001" }, { "type": "mitigates", "source": "OAK-M39", "target": "OAK-T10.002" }, { "type": "mitigates", "source": "OAK-M39", "target": "OAK-T10.003" }, { "type": "mitigates", "source": "OAK-M39", "target": "OAK-T10.004" }, { "type": "mitigates", "source": "OAK-M39", "target": "OAK-T10.005" }, { "type": "mitigates", "source": "OAK-M39", "target": "OAK-T11.001" }, { "type": "mitigates", "source": "OAK-M39", "target": "OAK-T11.002" }, { "type": "mitigates", "source": "OAK-M39", "target": "OAK-T11.003" }, { "type": "mitigates", "source": "OAK-M39", "target": "OAK-T8.001" }, { "type": "mitigates", "source": "OAK-M39", "target": "OAK-T8.002" }, { "type": "mitigates", "source": "OAK-M40", "target": "OAK-T11.001" }, { "type": "mitigates", "source": "OAK-M40", "target": "OAK-T11.002" }, { "type": "mitigates", "source": "OAK-M40", "target": "OAK-T1.003" }, { "type": "mitigates", "source": "OAK-M40", "target": "OAK-T4.001" }, { "type": "mitigates", "source": "OAK-M40", "target": "OAK-T4.002" }, { "type": "mitigates", "source": "OAK-M40", "target": "OAK-T4.005" }, { "type": "mitigates", "source": "OAK-M40", "target": "OAK-T4.006" }, { "type": "uses", "source": "OAK-S01", "target": "OAK-T4.001" }, { "type": "uses", "source": "OAK-S01", "target": "OAK-T4.002" }, { "type": "uses", "source": "OAK-S01", "target": "OAK-T4.004" }, { "type": "uses", "source": "OAK-S01", "target": "OAK-T4.005" }, { "type": "uses", "source": "OAK-S01", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S01", "target": "OAK-T7.003" }, { "type": "uses", "source": "OAK-S01", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-S01", "target": "OAK-T8.002" }, { "type": "uses", "source": "OAK-G02", "target": "OAK-S01" }, { "type": "uses", "source": "OAK-S02", "target": "OAK-T4.001" }, { "type": "uses", "source": "OAK-S02", "target": "OAK-T4.002" }, { "type": "uses", "source": "OAK-S02", "target": "OAK-T4.004" }, { "type": "uses", "source": "OAK-S02", "target": "OAK-T4.005" }, { "type": "uses", "source": "OAK-S02", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S02", "target": "OAK-T7.003" }, { "type": "uses", "source": "OAK-S02", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-S02", "target": "OAK-T8.002" }, { "type": "uses", "source": "OAK-G02", "target": "OAK-S02" }, { "type": "uses", "source": "OAK-S03", "target": "OAK-T4.001" }, { "type": "uses", "source": "OAK-S03", "target": "OAK-T4.002" }, { "type": "uses", "source": "OAK-S03", "target": "OAK-T4.004" }, { "type": "uses", "source": "OAK-S03", "target": "OAK-T4.005" }, { "type": "uses", "source": "OAK-S03", "target": "OAK-T4.006" }, { "type": "uses", "source": "OAK-S03", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S03", "target": "OAK-T7.003" }, { "type": "uses", "source": "OAK-S03", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-G02", "target": "OAK-S03" }, { "type": "uses", "source": "OAK-S04", "target": "OAK-T4.001" }, { "type": "uses", "source": "OAK-S04", "target": "OAK-T4.004" }, { "type": "uses", "source": "OAK-S04", "target": "OAK-T4.005" }, { "type": "uses", "source": "OAK-S04", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S04", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-G02", "target": "OAK-S04" }, { "type": "uses", "source": "OAK-S05", "target": "OAK-T4.001" }, { "type": "uses", "source": "OAK-S05", "target": "OAK-T4.004" }, { "type": "uses", "source": "OAK-S05", "target": "OAK-T4.005" }, { "type": "uses", "source": "OAK-S05", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S05", "target": "OAK-T7.003" }, { "type": "uses", "source": "OAK-S05", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-G02", "target": "OAK-S05" }, { "type": "uses", "source": "OAK-S06", "target": "OAK-T4.001" }, { "type": "uses", "source": "OAK-S06", "target": "OAK-T4.004" }, { "type": "uses", "source": "OAK-S06", "target": "OAK-T4.005" }, { "type": "uses", "source": "OAK-S06", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S06", "target": "OAK-T7.003" }, { "type": "uses", "source": "OAK-S06", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-S06", "target": "OAK-T8.002" }, { "type": "uses", "source": "OAK-G02", "target": "OAK-S06" }, { "type": "uses", "source": "OAK-S07", "target": "OAK-T4.001" }, { "type": "uses", "source": "OAK-S07", "target": "OAK-T4.004" }, { "type": "uses", "source": "OAK-S07", "target": "OAK-T4.005" }, { "type": "uses", "source": "OAK-S07", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S07", "target": "OAK-T7.003" }, { "type": "uses", "source": "OAK-S07", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-G02", "target": "OAK-S07" }, { "type": "uses", "source": "OAK-S08", "target": "OAK-T11.001" }, { "type": "uses", "source": "OAK-S08", "target": "OAK-T11.002" }, { "type": "uses", "source": "OAK-G01", "target": "OAK-S08" }, { "type": "uses", "source": "OAK-S09", "target": "OAK-T11.002" }, { "type": "uses", "source": "OAK-S09", "target": "OAK-T11.001" }, { "type": "uses", "source": "OAK-G01", "target": "OAK-S09" }, { "type": "uses", "source": "OAK-S10", "target": "OAK-T11.001" }, { "type": "uses", "source": "OAK-S10", "target": "OAK-T10.001" }, { "type": "uses", "source": "OAK-G01", "target": "OAK-S10" }, { "type": "uses", "source": "OAK-S11", "target": "OAK-T11.001" }, { "type": "uses", "source": "OAK-G01", "target": "OAK-S11" }, { "type": "uses", "source": "OAK-S12", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-G07", "target": "OAK-S12" }, { "type": "uses", "source": "OAK-S13", "target": "OAK-T11.002" }, { "type": "uses", "source": "OAK-S13", "target": "OAK-T4.004" }, { "type": "uses", "source": "OAK-S13", "target": "OAK-T4.005" }, { "type": "uses", "source": "OAK-S14", "target": "OAK-T11.002" }, { "type": "uses", "source": "OAK-S14", "target": "OAK-T4.004" }, { "type": "uses", "source": "OAK-S14", "target": "OAK-T4.005" }, { "type": "uses", "source": "OAK-S15", "target": "OAK-T11.002" }, { "type": "uses", "source": "OAK-S15", "target": "OAK-T4.004" }, { "type": "uses", "source": "OAK-S15", "target": "OAK-T4.005" }, { "type": "uses", "source": "OAK-S16", "target": "OAK-T11.004" }, { "type": "uses", "source": "OAK-S17", "target": "OAK-T5.004" }, { "type": "uses", "source": "OAK-S18", "target": "OAK-T3.001" }, { "type": "uses", "source": "OAK-S18", "target": "OAK-T2.001" }, { "type": "uses", "source": "OAK-S18", "target": "OAK-T13.002" }, { "type": "uses", "source": "OAK-S19", "target": "OAK-T11.001" }, { "type": "uses", "source": "OAK-S19", "target": "OAK-T11.002" }, { "type": "uses", "source": "OAK-G01", "target": "OAK-S19" }, { "type": "uses", "source": "OAK-S20", "target": "OAK-T11.001" }, { "type": "uses", "source": "OAK-S20", "target": "OAK-T11.002" }, { "type": "uses", "source": "OAK-G08", "target": "OAK-S20" }, { "type": "uses", "source": "OAK-G01", "target": "OAK-S20" }, { "type": "uses", "source": "OAK-S21", "target": "OAK-T11.001" }, { "type": "uses", "source": "OAK-S21", "target": "OAK-T11.002" }, { "type": "uses", "source": "OAK-G01", "target": "OAK-S21" }, { "type": "uses", "source": "OAK-G08", "target": "OAK-S21" }, { "type": "uses", "source": "OAK-S22", "target": "OAK-T11.001" }, { "type": "uses", "source": "OAK-S22", "target": "OAK-T11.002" }, { "type": "uses", "source": "OAK-G01", "target": "OAK-S22" }, { "type": "uses", "source": "OAK-G08", "target": "OAK-S22" }, { "type": "uses", "source": "OAK-S23", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S23", "target": "OAK-T7.002" }, { "type": "uses", "source": "OAK-S23", "target": "OAK-T7.003" }, { "type": "uses", "source": "OAK-G05", "target": "OAK-S23" }, { "type": "uses", "source": "OAK-G06", "target": "OAK-S23" }, { "type": "uses", "source": "OAK-S24", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S24", "target": "OAK-T7.002" }, { "type": "uses", "source": "OAK-S24", "target": "OAK-T7.003" }, { "type": "uses", "source": "OAK-G10", "target": "OAK-S24" }, { "type": "uses", "source": "OAK-S25", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S25", "target": "OAK-T7.002" }, { "type": "uses", "source": "OAK-S25", "target": "OAK-T8.002" }, { "type": "uses", "source": "OAK-G09", "target": "OAK-S25" }, { "type": "uses", "source": "OAK-G01", "target": "OAK-S25" }, { "type": "uses", "source": "OAK-S26", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S26", "target": "OAK-T7.002" }, { "type": "uses", "source": "OAK-S26", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-G06", "target": "OAK-S26" }, { "type": "uses", "source": "OAK-G05", "target": "OAK-S26" }, { "type": "uses", "source": "OAK-S27", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S27", "target": "OAK-T7.002" }, { "type": "uses", "source": "OAK-S27", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-G11", "target": "OAK-S27" }, { "type": "uses", "source": "OAK-S28", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S28", "target": "OAK-T7.002" }, { "type": "uses", "source": "OAK-S28", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-S29", "target": "OAK-T11.001" }, { "type": "uses", "source": "OAK-S29", "target": "OAK-T11.002" }, { "type": "uses", "source": "OAK-G01", "target": "OAK-S29" }, { "type": "uses", "source": "OAK-G08", "target": "OAK-S29" }, { "type": "uses", "source": "OAK-S30", "target": "OAK-T11.001" }, { "type": "uses", "source": "OAK-S30", "target": "OAK-T11.002" }, { "type": "uses", "source": "OAK-G01", "target": "OAK-S30" }, { "type": "uses", "source": "OAK-G08", "target": "OAK-S30" }, { "type": "uses", "source": "OAK-S31", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S31", "target": "OAK-T7.002" }, { "type": "uses", "source": "OAK-S31", "target": "OAK-T8.002" }, { "type": "uses", "source": "OAK-G09", "target": "OAK-S31" }, { "type": "uses", "source": "OAK-S32", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S32", "target": "OAK-T7.002" }, { "type": "uses", "source": "OAK-S32", "target": "OAK-T8.002" }, { "type": "uses", "source": "OAK-G07", "target": "OAK-S32" }, { "type": "uses", "source": "OAK-S33", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S33", "target": "OAK-T7.002" }, { "type": "uses", "source": "OAK-S33", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-G16", "target": "OAK-S33" }, { "type": "uses", "source": "OAK-S34", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S34", "target": "OAK-T7.002" }, { "type": "uses", "source": "OAK-S34", "target": "OAK-T7.003" }, { "type": "uses", "source": "OAK-S34", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-G15", "target": "OAK-S34" }, { "type": "uses", "source": "OAK-S35", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S35", "target": "OAK-T7.002" }, { "type": "uses", "source": "OAK-S35", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-G17", "target": "OAK-S35" }, { "type": "uses", "source": "OAK-S36", "target": "OAK-T7.001" }, { "type": "uses", "source": "OAK-S36", "target": "OAK-T7.002" }, { "type": "uses", "source": "OAK-S36", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-S36", "target": "OAK-T8.002" }, { "type": "uses", "source": "OAK-G18", "target": "OAK-S36" }, { "type": "uses", "source": "OAK-S37", "target": "OAK-T11.001" }, { "type": "uses", "source": "OAK-S37", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-G05", "target": "OAK-S37" }, { "type": "uses", "source": "OAK-G09", "target": "OAK-S37" }, { "type": "uses", "source": "OAK-G10", "target": "OAK-S37" }, { "type": "uses", "source": "OAK-G11", "target": "OAK-S37" }, { "type": "uses", "source": "OAK-G14", "target": "OAK-S37" }, { "type": "uses", "source": "OAK-G15", "target": "OAK-S37" }, { "type": "uses", "source": "OAK-G16", "target": "OAK-S37" }, { "type": "uses", "source": "OAK-G17", "target": "OAK-S37" }, { "type": "uses", "source": "OAK-G18", "target": "OAK-S37" }, { "type": "uses", "source": "OAK-G06", "target": "OAK-S37" }, { "type": "uses", "source": "OAK-S38", "target": "OAK-T11.001" }, { "type": "uses", "source": "OAK-S38", "target": "OAK-T11.002" }, { "type": "uses", "source": "OAK-S38", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-G05", "target": "OAK-S38" }, { "type": "uses", "source": "OAK-G10", "target": "OAK-S38" }, { "type": "uses", "source": "OAK-G11", "target": "OAK-S38" }, { "type": "uses", "source": "OAK-G14", "target": "OAK-S38" }, { "type": "uses", "source": "OAK-G16", "target": "OAK-S38" }, { "type": "uses", "source": "OAK-G17", "target": "OAK-S38" }, { "type": "uses", "source": "OAK-G18", "target": "OAK-S38" }, { "type": "uses", "source": "OAK-S39", "target": "OAK-T11.001" }, { "type": "uses", "source": "OAK-S39", "target": "OAK-T11.002" }, { "type": "uses", "source": "OAK-S39", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-G05", "target": "OAK-S39" }, { "type": "uses", "source": "OAK-G10", "target": "OAK-S39" }, { "type": "uses", "source": "OAK-G11", "target": "OAK-S39" }, { "type": "uses", "source": "OAK-G16", "target": "OAK-S39" }, { "type": "uses", "source": "OAK-S40", "target": "OAK-T11.001" }, { "type": "uses", "source": "OAK-S40", "target": "OAK-T11.002" }, { "type": "uses", "source": "OAK-S40", "target": "OAK-T8.001" }, { "type": "uses", "source": "OAK-G05", "target": "OAK-S40" }, { "type": "uses", "source": "OAK-G10", "target": "OAK-S40" }, { "type": "uses", "source": "OAK-G11", "target": "OAK-S40" }, { "type": "uses", "source": "OAK-G14", "target": "OAK-S40" } ] }