Verify a decision

{"actor":"system:backfill","investigation_id":"bdfa4197-5fc8-4422-981b-576247ccc213","kind":"publish","page_slug":"stabble","published_at":"2026-05-22T16:00:29.555Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Stabble","sections":[{"content":"Stabble is a Solana-based automated market maker (AMM) DEX that positions itself as 'Solana's first frictionless liquidity and trading layer.' The protocol focuses on stablecoin trading efficiency, claiming to have captured over 50% of Solana stablecoin trading volume with significantly less liquidity than competitors. Core features include protocol-managed liquidity pools, built-in arbitrage mechanisms that return profits to liquidity providers, smart liquidity routing, and margin liquidity support. The protocol's native token is $STB, with a total supply capped at 1 billion tokens. Stabble raised a total of approximately $2.49 million across three funding rounds: a $350,000 pre-seed round in April 2023, a $700,000 seed round in January 2024, and a $1.44 million private round in May 2024. As of April 2026, TVL stood at approximately $1.75 million prior to the security incident, and token price had declined substantially from an all-time high of $0.041.","heading":"Protocol Overview","severity":"low","sources":[{"credibility":2,"name":"Stabble TVL, Fees, Revenue & Volume — DeFiLlama","type":"research","url":"https://defillama.com/protocol/stabble"},{"credibility":2,"name":"Stabble on Solana: Project Reviews, Token, Roadmap — Solana Compass","type":"research","url":"https://solanacompass.com/projects/stabble"},{"credibility":2,"name":"What is Stabble (STB)? Solana DEX Explained — Gate.io","type":"other","url":"https://www.gate.com/learn/articles/what-is-stabble-stb/9089"}]},{"content":"On April 7, 2026, onchain investigator ZachXBT publicly identified an individual operating under the name Keisuke Watanabe as Stabble's alleged former Chief Technology Officer, a role the individual reportedly held through 2025. ZachXBT's disclosure included the individual's full name, associated wallet addresses on Solana and Ethereum, email address (keisukew53@gmail.com), and supporting OSINT documentation. The alleged operative used multiple aliases across GitHub and social media platforms including kasky53, keisukew53, kdevdivvy, and 0xWoo. ZachXBT described the individual as an alleged North Korean DPRK IT worker, consistent with a documented pattern of operatives posing as Japanese or other foreign developers to obtain remote employment at crypto firms. The disclosure emerged publicly approximately seven hours before Stabble issued its emergency alert. ZachXBT's public statement, directed at Elemental founder 'Moo,' stated: 'Stop virtue signaling you conveniently left out the fact that you had a DPRK IT worker on payroll at Elemental for years.' The identification of Watanabe at Stabble followed from that broader disclosure.","heading":"DPRK Operative Identified as Former CTO","severity":"critical","sources":[{"credibility":2,"name":"Solana-based Stabble tells LPs to withdraw funds after identifying former North Korean employee — The Block","type":"news_article","url":"https://www.theblock.co/post/396569/solana-stabble-lps-withdraw-funds-identifying-former-north-korean-employee"},{"credibility":2,"name":"Solana DEX Stabble urges liquidity exit after alleged DPRK mole revealed — Protos","type":"news_article","url":"https://protos.com/solana-dex-stabble-urges-liquidity-exit-after-alleged-dprk-mole-revealed/"},{"credibility":2,"name":"Solana Exchange Stabble Warns Users to Pull Liquidity After North Korean Hacker Scare — Decrypt","type":"news_article","url":"https://decrypt.co/363579/solana-exchange-stabble-warns-users-north-korean-hacker-scare"},{"credibility":2,"name":"Solana DEX Warns Liquidity Providers to Withdraw After North Korean Employee Link Surfaces — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/solana-dex-warns-liquidity-providers-to-withdraw-after-north-korean-employee-link-surfaces/"},{"credibility":2,"name":"Stabble Urges Users To Withdraw Liquidity Following Discovery Of Former North Korean Developer — Metaverse Post","type":"news_article","url":"https://mpost.io/stabble-urges-users-to-withdraw-liquidity-following-discovery-of-former-north-korean-developer/"}]},{"content":"The alleged operative Keisuke Watanabe was reported to have worked at ElementalDeFi, a Solana-based DeFi infrastructure project, in addition to his alleged tenure at Stabble. ZachXBT's original public disclosure on April 7, 2026 was directed at Elemental and its founder 'Moo,' who had publicly criticized the Drift Protocol hack. ZachXBT alleged that ElementalDeFi 'employed the worker under a fake identity, despite long-running warnings about North Korean IT crews operating remotely.' ElementalDeFi's founder responded by emphasizing accountability and transparency. As of reporting, no exploit or fund breach had been confirmed at either ElementalDeFi or Stabble. ZachXBT has previously documented that DPRK IT worker cells have received at least $16.5 million in payments from crypto projects, and that operatives with up to seven years of apparent blockchain experience have been embedded across the DeFi ecosystem dating back to 'DeFi summer.' A separate Ethereum Foundation-funded investigation identified approximately 100 DPRK operatives active within Web3 firms.","heading":"Connection to ElementalDeFi and Broader DPRK IT Worker Cluster","severity":"critical","sources":[{"credibility":2,"name":"ZachXBT: Solana DeFi App ElementalDeFi Hired DPRK IT Worker for Years — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/04/07/zachxbt-solana-defi-app-elementaldefi-hired-dprk-it-worker-for-years/"},{"credibility":2,"name":"Solana DeFi Alarmed as DPRK-Linked Developer Revealed to Have Worked Multiple Projects — Ainvest","type":"news_article","url":"https://www.ainvest.com/news/solana-defi-alarmed-dprk-linked-developer-revealed-worked-multiple-projects-2604/"},{"credibility":2,"name":"Ethereum Foundation-funded project exposes 100 DPRK developers operating in crypto — Crypto.news","type":"news_article","url":"https://crypto.news/ethereum-foundation-funded-project-exposes-100-dprk-developers-operating-in-crypto/"}]},{"content":"Upon becoming aware of ZachXBT's disclosure on April 7, 2026, Stabble's new management team — which had taken over the protocol approximately four weeks prior — issued an emergency alert at approximately 9:34 a.m. ET. The team's public statement read: 'EMERGENCY! guys please temporally withdraw your liquidity instantly! Better safe than sorry.' A subsequent statement clarified: 'We are not PR people, we are quants and early DeFi degens. Our primary focus is the safety of our LPs. There has been no exploit.' The protocol halted normal operations and announced that comprehensive security audits would be conducted before resuming. TVL collapsed 62% within hours of the alert, falling from approximately $1.75 million to under $663,000. The new management team emphasized that, at the time of the alert, no confirmed exploit or breach had occurred, but cited the unquantified risk of dormant backdoors, compromised key management infrastructure, or embedded malicious logic introduced during the alleged operative's prior tenure.","heading":"Protocol Response and TVL Collapse","severity":"high","sources":[{"credibility":2,"name":"Solana Exchange Stabble Warns Users to Pull Liquidity After North Korean Hacker Scare — Decrypt","type":"news_article","url":"https://decrypt.co/363579/solana-exchange-stabble-warns-users-north-korean-hacker-scare"},{"credibility":3,"name":"Solana Protocol Stabble Halts Operations Amid North Korea Employee Allegations — AllCryptoCurrencyDaily","type":"news_article","url":"https://www.allcryptocurrencydaily.com/latestnews/2026/04/08/solana-protocol-stabble-halts-operations-amid-north-korea-employee-allegations/"},{"credibility":2,"name":"Stabble Crypto Urges Liquidity Withdrawal After North Korean Hacker Scare — Yahoo Finance / CoinDesk","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/stabble-crypto-urges-liquidity-withdrawal-151100183.html"},{"credibility":2,"name":"Solana DEX Warns Liquidity Providers to Withdraw After North Korean Employee Link Surfaces — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/solana-dex-warns-liquidity-providers-to-withdraw-after-north-korean-employee-link-surfaces/"}]},{"content":"The Stabble incident occurred in the immediate aftermath of one of the largest DeFi exploits of 2026: the April 1, 2026 breach of Drift Protocol, in which approximately $285 million in user assets was drained in roughly 12 minutes. Elliptic and Drift Protocol attributed the attack with medium-to-high confidence to UNC4736, a North Korean state-sponsored hacking group also tracked as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces. TRM Labs similarly attributed the hack to North Korean hackers. The Drift exploit was described as the culmination of a six-month social engineering operation beginning in fall 2025, in which operatives posing as a quantitative trading firm approached Drift contributors at crypto conferences, deposited over $1 million to establish credibility, and ultimately delivered malicious code via a compromised VS Code repository and a fraudulent Apple TestFlight wallet application. Drift Protocol linked the attack methodology to the same threat actors responsible for the October 2024 Radiant Capital hack. The Drift exploit and ZachXBT's simultaneous exposure of alleged DPRK IT workers embedded across multiple Solana protocols heightened concern that Stabble's alleged operative may be part of the same broader DPRK infrastructure. However, no direct technical link between Keisuke Watanabe and the Drift exploit has been publicly confirmed as of reporting.","heading":"Relationship to Drift Protocol $285M Exploit","severity":"high","sources":[{"credibility":1,"name":"North Korean Hackers Attack Drift Protocol In USD 285 Million Heist — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":1,"name":"Elliptic flags $285 million Drift exploit as a likely North Korea-linked operation — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/04/02/north-koreans-hackers-likely-behind-the-usd286-million-drift-protocol-exploit-elliptic"},{"credibility":1,"name":"Drift Protocol Hit by $285M Exploit: Crypto's Biggest Hack of 2026 Unfolds on April Fool's Day — Bloomberg","type":"news_article","url":"https://www.bloomberg.com/news/articles/2026-04-01/solana-based-defi-project-drift-hit-by-285-million-exploit"},{"credibility":1,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":1,"name":"Drift Protocol Hack: How Privileged Access Led to a $285M Loss — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"}]},{"content":"As of the time of reporting, no confirmed exploit, fund breach, or malicious code artifact has been publicly identified within Stabble's smart contracts or infrastructure. The core concern articulated by security observers is the potential for dormant backdoors, compromised key management, or embedded malicious logic introduced during the alleged operative's tenure as CTO. The risk profile is heightened by the individual's senior technical role: a CTO with sufficient access could plausibly have introduced vulnerabilities into smart contract code, administrative key infrastructure, or off-chain components. Stabble's new management team announced comprehensive security audits would be conducted before operations resumed, but the scope and timeline of those audits had not been publicly disclosed as of reporting. The protocol's prior codebase audit history prior to the new management team's takeover in approximately early March 2026 was not detailed in available reporting. This unquantified backdoor risk is the primary factor suppressing confidence in the protocol's safety for liquidity providers.","heading":"Unquantified Backdoor and Code Integrity Risk","severity":"critical","sources":[{"credibility":2,"name":"Stabble Crypto Urges Liquidity Withdrawal After North Korean Hacker Scare — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/stabble-crypto-urges-liquidity-withdrawal-151100183.html"},{"credibility":2,"name":"Stabble DEX Urges Liquidity Providers to Withdraw Amid North Korean Developer Concerns — CryptoWisser","type":"news_article","url":"https://www.cryptowisser.com/news/stabble-dex-urges-liquidity-providers-to-withdraw-amid-north-korean-developer-concerns"}]},{"content":"The Stabble incident is part of a documented, multi-year pattern of DPRK-linked IT workers infiltrating crypto projects under false identities. U.S. authorities have flagged suspected North Korean workers in more than 40 DeFi platforms. ZachXBT has traced at least $16.5 million in payments flowing to such workers. A six-month Ethereum Foundation-funded investigation identified approximately 100 DPRK operatives active within Web3 firms. North Korean operatives have been documented as contributing code to DeFi protocols since at least 'DeFi summer' (2020), with some individuals presenting up to seven years of apparent blockchain development experience. The operatives typically pose as Japanese or other non-North Korean foreign developers, use rented devices and VPNs to obscure their location, and leverage AI-generated personas and stolen identities to establish professional credibility. Chainalysis has estimated that DPRK-linked theft from crypto targets totaled approximately $2.8 billion since 2024. U.S. authorities estimated DPRK IT worker fraud schemes generated approximately $800 million in 2024 alone.","heading":"DPRK IT Worker Fraud: Broader Context","severity":"high","sources":[{"credibility":1,"name":"North Korea IT Workers: Inside the DPRK's Crypto Laundering Network — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/dprk-it-workers-north-korea-crypto-laundering-networks/"},{"credibility":2,"name":"Ethereum Foundation-funded project exposes 100 DPRK developers operating in crypto — Crypto.news","type":"news_article","url":"https://crypto.news/ethereum-foundation-funded-project-exposes-100-dprk-developers-operating-in-crypto/"},{"credibility":2,"name":"North Korean IT Workers: A Threat to Crypto Markets — EisnerAmper","type":"research","url":"https://www.eisneramper.com/insights/risk-compliance/north-korean-it-workers-crypto-threat-0426/"},{"credibility":1,"name":"How North Korea Infiltrated the Crypto Industry — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2024/10/02/how-north-korea-infiltrated-the-crypto-industry"}]},{"content":"As of reporting, the protocol's future remains uncertain. Stabble's new management team, which had been in control for approximately four weeks prior to the incident, stated its intention to conduct comprehensive security audits before resuming normal operations. The team's characterization of themselves as 'quants and early DeFi degens' rather than communications professionals suggests limited crisis management experience. The $STB token, which had already declined significantly from its all-time high of $0.041 to approximately $0.0014, faced additional downward pressure following the security disclosure. Total market capitalization had fallen to approximately $137,000 by the time of reporting. No regulatory action, law enforcement investigation, or sanctions designation specifically targeting Stabble had been publicly announced as of reporting. The OFAC implications of having employed an alleged DPRK operative — who would be subject to U.S. sanctions — represent a potential regulatory exposure for the project and its participants.","heading":"Protocol Future and Uncertainty","severity":"high","sources":[{"credibility":2,"name":"Stabble TVL, Fees, Revenue & Volume — DeFiLlama","type":"research","url":"https://defillama.com/protocol/stabble"},{"credibility":3,"name":"Solana Protocol Stabble Halts Operations Amid North Korea Employee Allegations — AllCryptoCurrencyDaily","type":"news_article","url":"https://www.allcryptocurrencydaily.com/latestnews/2026/04/08/solana-protocol-stabble-halts-operations-amid-north-korea-employee-allegations/"},{"credibility":2,"name":"Stabble Crypto Urges Liquidity Withdrawal After North Korea Scare — CryptoNews.com","type":"news_article","url":"https://cryptonews.com/news/stabble-solana-liquidity-withdrawal-north-korean-hacker/"}]}],"sources_used":[{"credibility":2,"name":"Solana-based Stabble tells LPs to withdraw funds after identifying former North Korean employee — The Block","type":"news_article","url":"https://www.theblock.co/post/396569/solana-stabble-lps-withdraw-funds-identifying-former-north-korean-employee"},{"credibility":2,"name":"Solana DEX Stabble urges liquidity exit after alleged DPRK mole revealed — Protos","type":"news_article","url":"https://protos.com/solana-dex-stabble-urges-liquidity-exit-after-alleged-dprk-mole-revealed/"},{"credibility":2,"name":"Solana Exchange Stabble Warns Users to Pull Liquidity After North Korean Hacker Scare — Decrypt","type":"news_article","url":"https://decrypt.co/363579/solana-exchange-stabble-warns-users-north-korean-hacker-scare"},{"credibility":2,"name":"Solana DEX Warns Liquidity Providers to Withdraw After North Korean Employee Link Surfaces — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/solana-dex-warns-liquidity-providers-to-withdraw-after-north-korean-employee-link-surfaces/"},{"credibility":3,"name":"Solana Protocol Stabble Halts Operations Amid North Korea Employee Allegations — AllCryptoCurrencyDaily","type":"news_article","url":"https://www.allcryptocurrencydaily.com/latestnews/2026/04/08/solana-protocol-stabble-halts-operations-amid-north-korea-employee-allegations/"},{"credibility":2,"name":"Stabble Urges Users To Withdraw Liquidity Following Discovery Of Former North Korean Developer — Metaverse Post","type":"news_article","url":"https://mpost.io/stabble-urges-users-to-withdraw-liquidity-following-discovery-of-former-north-korean-developer/"},{"credibility":2,"name":"Stabble Crypto Urges Liquidity Withdrawal After North Korean Hacker Scare — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/stabble-crypto-urges-liquidity-withdrawal-151100183.html"},{"credibility":2,"name":"ZachXBT: Solana DeFi App ElementalDeFi Hired DPRK IT Worker for Years — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/04/07/zachxbt-solana-defi-app-elementaldefi-hired-dprk-it-worker-for-years/"},{"credibility":1,"name":"North Korean Hackers Attack Drift Protocol In USD 285 Million Heist — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":1,"name":"Elliptic flags $285 million Drift exploit as a likely North Korea-linked operation — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/04/02/north-koreans-hackers-likely-behind-the-usd286-million-drift-protocol-exploit-elliptic"},{"credibility":1,"name":"Drift Protocol Hit by $285M Exploit — Bloomberg","type":"news_article","url":"https://www.bloomberg.com/news/articles/2026-04-01/solana-based-defi-project-drift-hit-by-285-million-exploit"},{"credibility":1,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":1,"name":"Drift Protocol Hack: How Privileged Access Led to a $285M Loss — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"credibility":1,"name":"North Korea IT Workers: Inside the DPRK's Crypto Laundering Network — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/dprk-it-workers-north-korea-crypto-laundering-networks/"},{"credibility":2,"name":"Ethereum Foundation-funded project exposes 100 DPRK developers operating in crypto — Crypto.news","type":"news_article","url":"https://crypto.news/ethereum-foundation-funded-project-exposes-100-dprk-developers-operating-in-crypto/"},{"credibility":1,"name":"How North Korea Infiltrated the Crypto Industry — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2024/10/02/how-north-korea-infiltrated-the-crypto-industry"},{"credibility":2,"name":"Stabble TVL, Fees, Revenue & Volume — DeFiLlama","type":"research","url":"https://defillama.com/protocol/stabble"},{"credibility":2,"name":"Stabble DEX Urges Liquidity Providers to Withdraw Amid North Korean Developer Concerns — CryptoWisser","type":"news_article","url":"https://www.cryptowisser.com/news/stabble-dex-urges-liquidity-providers-to-withdraw-amid-north-korean-developer-concerns"}],"summary":"Stabble is a Solana-based decentralized exchange (DEX) that specializes in stablecoin liquidity pools. On April 7, 2026, onchain investigator ZachXBT publicly identified the protocol's former CTO, operating under the name Keisuke Watanabe, as an alleged North Korean DPRK IT operative who had also worked at Solana DeFi project ElementalDeFi. Following the disclosure, Stabble's new management team issued an emergency alert urging all liquidity providers to withdraw funds immediately, citing the unquantified risk of planted backdoor code; TVL collapsed 62% within hours and the protocol halted operations pending fresh security audits.","timeline":[{"date":"2023-04-12","event":"Stabble raises $350,000 pre-seed funding round","source":"DeFiLlama / ICO Drops","source_url":"https://defillama.com/protocol/stabble"},{"date":"2024-01-12","event":"Stabble raises $700,000 seed funding round","source":"DeFiLlama / ICO Drops","source_url":"https://defillama.com/protocol/stabble"},{"date":"2024-05-19","event":"Stabble raises $1.44 million private funding round, total funding reaches $2.49 million","source":"DeFiLlama / ICO Drops","source_url":"https://defillama.com/protocol/stabble"},{"date":"2026-03-07","event":"Approximate date new management team takes over Stabble operations (approximately four weeks prior to April 7 incident)","source":"Decrypt","source_url":"https://decrypt.co/363579/solana-exchange-stabble-warns-users-north-korean-hacker-scare"},{"date":"2026-04-01","event":"Drift Protocol exploited for approximately $285 million in what TRM Labs, Elliptic, and Drift Protocol attributed with medium-to-high confidence to DPRK-linked threat actor UNC4736; attack was the culmination of a six-month social engineering operation","source":"Bloomberg / Elliptic / TRM Labs","source_url":"https://www.bloomberg.com/news/articles/2026-04-01/solana-based-defi-project-drift-hit-by-285-million-exploit"},{"date":"2026-04-07","event":"ZachXBT publicly identifies Keisuke Watanabe (aliases: kasky53, keisukew53, kdevdivvy, 0xWoo) as an alleged DPRK IT operative, disclosing the individual's connection to ElementalDeFi and Stabble; disclosure includes wallet addresses, email, and OSINT documentation","source":"The Block / Protos / Decrypt","source_url":"https://protos.com/solana-dex-stabble-urges-liquidity-exit-after-alleged-dprk-mole-revealed/"},{"date":"2026-04-07","event":"Approximately seven hours after ZachXBT's disclosure, Stabble issues emergency alert at 9:34 a.m. ET urging all liquidity providers to withdraw funds immediately; TVL begins collapsing from approximately $1.75 million","source":"Decrypt / Bitcoin.com News","source_url":"https://decrypt.co/363579/solana-exchange-stabble-warns-users-north-korean-hacker-scare"},{"date":"2026-04-07","event":"Stabble TVL collapses 62% within hours, falling from approximately $1.75 million to under $663,000; protocol halts normal operations","source":"Yahoo Finance / Decrypt","source_url":"https://finance.yahoo.com/markets/crypto/articles/stabble-crypto-urges-liquidity-withdrawal-151100183.html"},{"date":"2026-04-08","event":"Stabble announces comprehensive security audits will be conducted before operations resume; no confirmed exploit disclosed","source":"AllCryptoCurrencyDaily / Metaverse Post","source_url":"https://www.allcryptocurrencydaily.com/latestnews/2026/04/08/solana-protocol-stabble-halts-operations-amid-north-korea-employee-allegations/"}]},"v":1}