
Commit 4f001b9

iZonex and claude committed
fix: suppress em-dash cluster false positives, fix prose AI tells across corpus
Em-dash clusters dropped from 395 to 1 hit (99.7% reduction):

- Add filters for OAK list-entry, title-line, metadata, image-prompt, and numbered-list dash patterns that used em-dashes as field separators
- Constrain triple-dash regex to same-line matching to prevent cross-line false positives across consecutive list items
- Fix ~25 real prose em-dash issues: replace parenthetical dashes with colons/parentheses in techniques, examples, mitigations, actors, article
- Add Adjacent Tactics, Status, Phase N to metadata filter terms
- All changes are punctuation-level only, no content semantics altered

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
1 parent a82deb1 commit 4f001b9

27 files changed

Lines changed: 88 additions & 29 deletions
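The cross-line false positive and the same-line fix that the commit message describes, as an added Python example (not the repository's own linter): the filter patterns and the sample corpus lines are constructed approximations of the list-entry, table, heading and metadata conventions visible in the hunks below.

```python
import re

EM = "\u2014"  # U+2014 EM DASH, the character the sweep looks for

# Pre-fix behaviour as the commit message describes it: three em-dashes with
# anything between them, so a run of single-dash list entries on consecutive
# lines is reported as one cluster.
CROSS_LINE_TRIPLE = re.compile(rf"{EM}[^{EM}]*{EM}[^{EM}]*{EM}")

# Post-fix behaviour: the text between the dashes may not contain a newline,
# so all three dashes must sit on one line.
SAME_LINE_TRIPLE = re.compile(rf"{EM}[^{EM}\n]*{EM}[^{EM}\n]*{EM}")

# Hypothetical structural filters modelled on the categories the commit message
# names (list entry, title line, table/metadata separators). A line matching any
# of these uses the em-dash as a field separator, not as prose punctuation.
FIELD_SEPARATOR_LINES = [
    re.compile(rf"^\s*\d+\.\s+\*\*.+?\*\*\s+{EM}"),          # "2. **Name** — ..."
    re.compile(r"^\s*\|.*\|\s*$"),                             # markdown table row
    re.compile(r"^#{1,6}\s"),                                  # heading / title line
    re.compile(r"^\s*(Adjacent Tactics|Status|Phase \d+)\b"),  # metadata field names
]


def is_field_separator_line(line: str) -> bool:
    return any(p.search(line) for p in FIELD_SEPARATOR_LINES)


def naive_cluster_hits(text: str) -> int:
    """Cluster count the cross-line regex reports over the whole document."""
    return len(CROSS_LINE_TRIPLE.findall(text))


def same_line_hits(text: str) -> int:
    """Cluster count once the triple-dash regex is confined to a single line."""
    return sum(1 for line in text.splitlines() if SAME_LINE_TRIPLE.search(line))


def find_prose_clusters(text: str) -> list[tuple[int, str]]:
    """(1-based line number, line) for lines that still look like prose clusters."""
    return [
        (n, line)
        for n, line in enumerate(text.splitlines(), 1)
        if SAME_LINE_TRIPLE.search(line) and not is_field_separator_line(line)
    ]


# Constructed sample mimicking the corpus conventions: three single-dash list
# entries, a table row, a metadata line with three separator dashes, and one
# genuine prose line carrying a three-dash cluster.
SAMPLE = "\n".join([
    "## Description",
    f"1. **Alpha (constructed)** {EM} January 2024 launch; one dash per entry.",
    f"2. **Beta (constructed)** {EM} March 2024 launch; one dash per entry.",
    f"3. **Gamma (constructed)** {EM} May 2024 launch; one dash per entry.",
    f"| 2014-07 | Acquisition closes | **Operator-context {EM} custody transfer** |",
    f"Status {EM} Phase 2 {EM} Adjacent Tactics {EM} none",
    f"Alpha (2020-11-12), Beta (2020-11-17), Gamma (2020-11-21) {EM} three incidents {EM} and Delta {EM} an off-chain insolvency.",
])

if __name__ == "__main__":
    print("cross-line hits:", naive_cluster_hits(SAMPLE))  # 3
    print("same-line hits:", same_line_hits(SAMPLE))       # 2
    for n, line in find_prose_clusters(SAMPLE):            # only line 7 survives the filters
        print(f"line {n}: {line}")
```

The three single-dash list entries alone produce a cross-line hit, and the metadata line survives the same-line regex only to be dropped by the field-separator filter, leaving the one real prose cluster.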

actors/OAK-G03-russian-laundering-infrastructure.md

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@
77

88
## Description
99

10-
OAK-G03 is the Russian-attributed *crypto-laundering-infrastructure* cluster: operators of services whose primary product is the off-ramping, fungibility-restoration, and sanctions-evasion layer that downstream criminal cohorts (ransomware affiliates, darknet markets, sanctions-evasion brokers, and adjacent OFAC-designated counterparties) depend on. The cluster is genuinely distinct from OAK-G01 (Lazarus / DPRK) and OAK-G02 (Drainer-as-a-Service) along three axes: (1) *role in the kill chain*G03 is downstream-of-extraction infrastructure, not an extraction operator; (2) *attribution surface*G03 attribution is sanctions-and-indictment-led rather than wallet-cluster-forensic-led; and (3) *geographic / operational substrate* G03 entities are Russia-resident or Russia-aligned, and the cluster's resilience pattern is brand-and-domain rotation under continuous-operator control rather than wallet-infrastructure rotation under continuous-affiliate control.
10+
OAK-G03 is the Russian-attributed *crypto-laundering-infrastructure* cluster: operators of services whose primary product is the off-ramping, fungibility-restoration, and sanctions-evasion layer that downstream criminal cohorts (ransomware affiliates, darknet markets, sanctions-evasion brokers, and adjacent OFAC-designated counterparties) depend on. The cluster is genuinely distinct from OAK-G01 (Lazarus / DPRK) and OAK-G02 (Drainer-as-a-Service) along three axes: (1) *role in the kill chain*: G03 is downstream-of-extraction infrastructure, not an extraction operator; (2) *attribution surface*: G03 attribution is sanctions-and-indictment-led rather than wallet-cluster-forensic-led; and (3) *geographic / operational substrate*: G03 entities are Russia-resident or Russia-aligned, and the cluster's resilience pattern is brand-and-domain rotation under continuous-operator control rather than wallet-infrastructure rotation under continuous-affiliate control.
1111

1212
The Garantex-Grinex-A7A5 lineage is the canonical worked example. Garantex Europe OÜ was incorporated under Estonian licensing in 2019 and operated as a high-throughput crypto-fiat exchange. Estonia's Financial Intelligence Unit revoked the license in February 2022 after AML/CFT deficiencies and confirmed wallet-overlap with criminal-use addresses. Treasury's April 5 2022 OFAC designation (`[ofac2022garantex]`), issued the same day as the Hydra Market designation, cited Garantex transactions linked to Conti ransomware (\~\$6M direct), Hydra (\~\$2.6M), and a broader \$100M+ illicit-flow surface. Garantex continued operating from Russia post-designation. Per `[treasury2025garantexnetwork]`, between April 2019 and March 2025 the exchange processed at least \$96B in total cryptocurrency volume, and post-2022 it built infrastructure intended to *prevent* downstream financial institutions from attributing wallet addresses back to Garantex — an explicit anti-attribution operational posture. The DOJ indictment unsealed February 27 2025 (`[doj2025garantex]`) named two administrators (Besciokov, Lithuanian national, primary technical administrator; Mira Serda, Russian national, co-founder and CCO). On March 6 2025 a coordinated U.S. Secret Service / German BKA / Finnish NBI action seized three Garantex domains and servers and froze \~\$26M in cryptocurrency. Besciokov was arrested in Kerala, India on March 12 2025 at U.S. request. Garantex officers created Grinex as a successor exchange immediately after the March 6 action; Treasury's August 14 2025 round designated Grinex and the A7A5 ruble-backed stablecoin network, characterising A7A5 as a sanctions-evasion vehicle processing \~\$1B daily.
1313

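Review bot: the two numbered-axis dashes are handled, but context line 12 of the same file still carries a parenthetical em-dash ("back to Garantex — an explicit anti-attribution operational posture"), so the "Fix ~25 real prose em-dash issues" sweep leaves this file inconsistent; either replace it as well (", an explicit anti-attribution operational posture") or say in the commit message that only clustered dashes were targeted.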
actors/OAK-G04-dprk-it-worker-scheme.md

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@
77

88
## Description
99

10-
OAK-G04 is the DPRK IT-worker placement scheme: a state-directed revenue-generation channel under which DPRK-affiliated workers obtain remote engineering and IT roles at Western firms — disproportionately at crypto, Web3, and DeFi companies — under fabricated, stolen, or synthetic identities, and then either remit salary to the regime, exfiltrate funds via insider access, or both. The scheme is operationally and conceptually distinct from OAK-G01 (Lazarus / DPRK direct cyber attacks) along three axes: (1) *vector* — G04 is a placement-and-employment-fraud scheme operating through hiring pipelines, not an intrusion campaign; (2) *attribution surface* — G04 attribution is sanctions-and-employment-fraud-led (advisories, OFAC designations of the worker-deployment entities, DOJ indictments of laptop-farm facilitators) rather than wallet-cluster-and-malware-fingerprint-led; (3) *role in the kill chain* — G04 is a sustained insider-access / revenue-skim channel; G01 is point-in-time extraction. The two Groups intersect: a worker placed via G04 may be the off-chain entry vector for a G01 extraction event, and several public cases support that pattern.
10+
OAK-G04 is the DPRK IT-worker placement scheme: a state-directed revenue-generation channel under which DPRK-affiliated workers obtain remote engineering and IT roles at Western firms — disproportionately at crypto, Web3, and DeFi companies — under fabricated, stolen, or synthetic identities, and then either remit salary to the regime, exfiltrate funds via insider access, or both. The scheme is operationally and conceptually distinct from OAK-G01 (Lazarus / DPRK direct cyber attacks) along three axes: (1) *vector*: G04 is a placement-and-employment-fraud scheme operating through hiring pipelines, not an intrusion campaign; (2) *attribution surface*: G04 attribution is sanctions-and-employment-fraud-led (advisories, OFAC designations of the worker-deployment entities, DOJ indictments of laptop-farm facilitators) rather than wallet-cluster-and-malware-fingerprint-led; (3) *role in the kill chain*: G04 is a sustained insider-access / revenue-skim channel; G01 is point-in-time extraction. The two Groups intersect: a worker placed via G04 may be the off-chain entry vector for a G01 extraction event, and several public cases support that pattern.
1111

1212
The scheme's modern-public profile begins with the joint U.S. Department of State / Treasury / FBI advisory of May 16, 2022 (`[fbidprkitworker2022]`), which described in operational detail how DPRK IT workers obtain remote freelance and full-time positions, the red-flag indicators (multi-IP logins from disparate countries, payment-routing through Chinese bank accounts, requests for cryptocurrency settlement, identity inconsistencies across platforms), and the regime's revenue-extraction model. OFAC's May 23, 2023 designation of Chinyong IT Cooperation Company and its Vladivostok-based representative Kim Sang Man (`[treasurydprkitworker2023]`) was the first sanctions action specifically targeting the *worker-deployment infrastructure* rather than only the proceeds. The Christina Marie Chapman prosecution (`[dojchapmanindictment2024]`) — a U.S.-based "laptop farm" operator who hosted company-issued workstations to make remote DPRK workers appear domestic — is the canonical worked example of the U.S.-side facilitator role in the scheme; the case generated more than \$17M in illicit revenue across more than 300 U.S. companies. The Jin Sung-Il / Pak Jin-Song five-defendant indictment (Southern District of Florida, January 2025) named two North Korean nationals and three facilitators for activity from approximately April 2018 through August 2024 against at least 64 U.S. companies. A March 2026 OFAC designation round added six individuals and two entities specifically for IT-worker fraud (`[ofac2026dprkitworker]`).
1313

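Review bot: the replaced line still opens with the parenthetical pair "— disproportionately at crypto, Web3, and DeFi companies —", exactly the pattern the commit message says was replaced with colons/parentheses, so this one looks missed; "(disproportionately at crypto, Web3, and DeFi companies)" keeps the sense. The same applies to the Chapman parenthetical on context line 12 ("— a U.S.-based "laptop farm" operator ... —").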
article-assets/article-oak-intro.md

Lines changed: 2 additions & 2 deletions
@@ -11,7 +11,7 @@
1111

1212
## The Babel Problem
1313

14-
Ask three different security vendors whether they cover "the Bybit hack." One says yesthey monitor multisig contract manipulation. Another says yesthey track custody infrastructure compromise. A third says yes they cover social-engineering of operator personnel. All three are right. None of them mean the same thing.
14+
Ask three different security vendors whether they cover "the Bybit hack." One says yes: they monitor multisig contract manipulation. Another says yes: they track custody infrastructure compromise. A third says yes: they cover social-engineering of operator personnel. All three are right. None of them mean the same thing.
1515

1616
This is crypto security's Babel problem. Every investigator, detection vendor, and research team uses its own terminology to describe the same finite set of adversary behaviors. Coverage claims are not comparable across products. Academic findings rarely transfer cleanly to operational defense. And when a new exploit hits the timeline, the security community spends the first 48 hours arguing about what to call it before anyone starts discussing how to detect it.
1717

@@ -189,7 +189,7 @@ OAK v0.1 is a foundation. The v0.x roadmap includes:
189189

190190
The framework is open. The identifiers are stable. The specs are portable. The gaps are documented.
191191

192-
If you build on-chain security toolinguse it. If you investigate on-chain incidentscite it. If you research on-chain attacks contribute to it. Crypto security needs a common language. OAK is one.
192+
If you build on-chain security tooling, use it. If you investigate on-chain incidents, cite it. If you research on-chain attacks, contribute to it. Crypto security needs a common language. OAK is one.
193193

194194
---
195195

examples/2014-09-mintpal.md

Lines changed: 1 addition & 1 deletion
@@ -21,7 +21,7 @@ The Kennedy criminal track is substantively separate from the MintPal incident i
2121
|---|---|---|
2222
| Pre-event (2013 → 2014) | MintPal launches as a UK-headquartered multi-asset altcoin exchange; rapid growth through 2014 on altcoin-trading demand | (operator-context) |
2323
| 2014-07 | Moolah (Moopay Ltd., operated by Ryan Kennedy / "Alex Green") acquires MintPal; operational consolidation begins | **Operator-context — custody transfer** |
24-
| 2014-07-13 → 2014-07-14 | Approximately 8M VeriCoin (VRC) \~30% of circulating supply, \~\$2M at the at-time VRC pricedrained from MintPal's VRC hot wallet | **T11 entry multi-asset hot-wallet drain (VRC)** |
24+
| 2014-07-13 → 2014-07-14 | Approximately 8M VeriCoin (VRC) (\~30% of circulating supply, \~\$2M at the at-time VRC price) drained from MintPal's VRC hot wallet | **T11 entry: multi-asset hot-wallet drain (VRC)** |
2525
| 2014-07-14 | VeriCoin development team executes a chain-rollback hard fork to invalidate the stolen VRC balance; one of the earliest public-record uses of chain-rollback as an exchange-incident response on a non-Bitcoin asset | **Recovery — protocol-level chain rollback** |
2626
| 2014-09 → 2014-10 | MAID and BTC balances drained from MintPal customer accounts under Moolah custody; reports overlap hot-wallet compromise and operator misappropriation | **T11 + operator-fraud overlay — multi-asset extraction** |
2727
| 2014-10 | Moolah / MintPal collapse under Kennedy's control; Moopay Ltd. placed into UK insolvency proceedings; affected MintPal customers receive no recovery | **Operator collapse — insolvency proceedings** |

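Review bot: after this change row 24 is the only row in the classification column using a colon ("T11 entry: multi-asset hot-wallet drain"), while rows 23, 25, 26 and 27 keep the "label — detail" em-dash form ("Operator-context — custody transfer", "Recovery — protocol-level chain rollback"); either convert the whole column in one pass or leave row 24 on the em-dash form and rely on the table filter, since a mixed column is an inconsistency the next editor will have to resolve.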
examples/2020-11-cred.md

Lines changed: 1 addition & 1 deletion
@@ -127,7 +127,7 @@ For OAK's purposes, the Cred case is **a custodial-fraud / counterparty-risk ins
127127

128128
Cred November 2020 is the **canonical T11.010 anchor** — the foundational worked example establishing the Off-chain Counterparty-Risk Insolvency Technique class in OAK. The case is documented under OAK-T11.010 with the honest framing that the failure mode is off-chain counterparty-credit-risk insolvency with on-chain components, not a primary on-chain exploit. The OAK-T11.010 Technique captures the structural pattern — custodial yield platform → concentrated re-lending to offshore counterparties → counterparty default → customer-facing solvency event → bankruptcy-claims recovery — that recurs at larger scale across Celsius, Voyager, BlockFi, Genesis, and FTX. See [`techniques/T11.010-off-chain-counterparty-risk-insolvency.md`](../techniques/T11.010-off-chain-counterparty-risk-insolvency.md).
129129

130-
The contemporaneity with the November 2020 DeFi-attack wave is the load-bearing teaching point. Akropolis (2020-11-12), OUSD (2020-11-17), Pickle (2020-11-21) — three on-chain T9.005 + T9.002 yield-aggregator-class incidents — and Cred (2020-11-07) — an off-chain custodial-fraud / counterparty-risk insolvency — all appear within a single November 2020 month. From a customer-asset-loss perspective, all four produced material losses to depositors / users; from a Technique-classification perspective, three are on-chain DeFi failures and one is an off-chain CeFi failure. The structural lesson is that *crypto-asset-loss-pattern populations operate concurrently across DeFi and CeFi*, with structurally different attack / failure surfaces but overlapping defender-relevant lessons. The "yield-without-counterparty-due-diligence" pattern Cred exemplifies is a CeFi-side analogue of the "yield-aggregator-without-reentrancy-discipline" pattern the November 2020 DeFi cluster exemplifies; both produce comparable customer-asset losses, both reflect insufficient operator-side risk controls, and both reappear at scale in subsequent years (the 2022 CeFi-yield-platform collapse wave; the 2021 cross-chain-bridge collapse wave).
130+
The contemporaneity with the November 2020 DeFi-attack wave is the load-bearing teaching point. Akropolis (2020-11-12), OUSD (2020-11-17), and Pickle (2020-11-21) were three on-chain T9.005 + T9.002 yield-aggregator-class incidents, and Cred (2020-11-07) was an off-chain custodial-fraud / counterparty-risk insolvency — all within a single November 2020 month. From a customer-asset-loss perspective, all four produced material losses to depositors / users; from a Technique-classification perspective, three are on-chain DeFi failures and one is an off-chain CeFi failure. The structural lesson is that *crypto-asset-loss-pattern populations operate concurrently across DeFi and CeFi*, with structurally different attack / failure surfaces but overlapping defender-relevant lessons. The "yield-without-counterparty-due-diligence" pattern Cred exemplifies is a CeFi-side analogue of the "yield-aggregator-without-reentrancy-discipline" pattern the November 2020 DeFi cluster exemplifies; both produce comparable customer-asset losses, both reflect insufficient operator-side risk controls, and both reappear at scale in subsequent years (the 2022 CeFi-yield-platform collapse wave; the 2021 cross-chain-bridge collapse wave).
131131

132132
The judicial-record attribution tier deserves explicit framing. Cred is one of the relatively few worked examples in the OAK corpus whose failure has been adjudicated through (a) a US Bankruptcy Court (Case No. 20-12836), (b) civil litigation against named former officers, and (c) a separate criminal indictment against a named individual former officer. This produces an attribution-strength tier substantially above the pseudonymous-attacker baseline for most DeFi-attack worked examples, and the corresponding citation discipline — citing court filings as canonical primary sources rather than press-summarised accounts — is the discipline contributors writing other judicially-adjudicated cases (Mt. Gox, FTX, Bitfinex 2016 with the 2023 Lichtenstein / Morgan pleas) should follow.
133133

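Review bot: the rewritten line 130 still contains an em-dash ("counterparty-risk insolvency — all within a single November 2020 month"), so the cluster is reduced rather than removed; a semicolon reads cleanly here: "...was an off-chain custodial-fraud / counterparty-risk insolvency; all four fell within a single month, November 2020." Context line 128 also keeps three em-dashes on one line ("T11.010 anchor — the foundational ..." and "structural pattern — custodial yield platform ... — that recurs"), which the same-line triple-dash regex will still report.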
examples/2021-2026-influencer-amplified-non-memecoin-rug-cohort.md

Lines changed: 1 addition & 1 deletion
@@ -22,7 +22,7 @@ The cohort spans 2021 (CryptoZoo December; Save the Kids June) through 2026 with
2222

2323
1. **CryptoZoo (Logan Paul)** — December 2021 launch on Ethereum + Solana. Paul co-founded the project and promoted it to his \~24M-follower YouTube audience and X following. The "egg" NFTs were sold for \~\$2.5M at minimum per Coffeezilla's December 2022 three-part investigation; the in-game $ZOO token reached a market-cap peak of \~\$2B before collapsing. The promised "play-to-earn" game never materialised. Paul publicly characterised members of the dev team as "con men" in his January 2023 apology video. A class action was filed February 2023 by plaintiff Don Holland (Texas federal court); 140 investors claimed losses of \$100–\$350,000 each. Paul announced a \~\$2.3M voluntary refund program in January 2024 conditional on plaintiffs waiving legal claims against him. The class action was **dismissed October 29, 2025 by Judge Alan D. Albright** on "puffery" grounds — the judge ruled Paul's claims that CryptoZoo would be "a really fun game that makes you money" were exaggerated marketing hype rather than fraud. **Attribution: confirmed-via-legal-record** with the legal-record outcome being a *dismissal*, which is informative about the cohort's accountability landscape (see Discussion).
2424

25-
2. **DADDY (Daddy Tate, Andrew Tate)** — June 2024 launch on Solana via Pump.fun. Bubblemaps published wallet-cluster analysis on 2024-06-12 documenting that 21 wallets bought \~30% of the DADDY supply *before* Tate's first promotional X post; 11 of those wallets bought \~20% of supply on June 9 (pre-Tate-promotion) and were funded through Binance with "nearly identical amounts at the same time." The aggregate insider position reached \$45M+ in unrealised P&L; Tate publicly stated "I will never sell what was sent to my wallet, I will only burn and buy. Forever." The downstream dump impact on retail buyers is not separately published in cumulative form at v0.1 cutoff. Tate's broader ecosystem includes claimed launches of \$RNT, the TRW (The Real World) native token, and prior promoted projects (ROOST — 90% decline post-endorsement; F-Madonna — promoted but performance poor; BOA exchange — Tate's 2018–2019 War Room introduction). **Attribution: inferred-strong** at the on-chain insider-extraction layer; **inferred-medium** at the broader-ecosystem operator layer.
25+
2. **DADDY (Daddy Tate, Andrew Tate)** — June 2024 launch on Solana via Pump.fun. Bubblemaps published wallet-cluster analysis on 2024-06-12 documenting that 21 wallets bought \~30% of the DADDY supply *before* Tate's first promotional X post; 11 of those wallets bought \~20% of supply on June 9 (pre-Tate-promotion) and were funded through Binance with "nearly identical amounts at the same time." The aggregate insider position reached \$45M+ in unrealised P&L; Tate publicly stated "I will never sell what was sent to my wallet, I will only burn and buy. Forever." The downstream dump impact on retail buyers is not separately published in cumulative form at v0.1 cutoff. Tate's broader ecosystem includes claimed launches of \$RNT, the TRW (The Real World) native token, and prior promoted projects (ROOST: 90% decline post-endorsement; F-Madonna: promoted but performance poor; BOA exchange: Tate's 2018–2019 War Room introduction). **Attribution: inferred-strong** at the on-chain insider-extraction layer; **inferred-medium** at the broader-ecosystem operator layer.
2626

2727
3. **JENNER (Caitlyn Jenner, via Sahil Arora)** — May 26, 2024 launch on Solana via Pump.fun. \$113.5M trading volume within four hours of launch. Sahil Arora — Indian-born Dubai-based crypto figure (Wikipedia documents the role) — facilitated the launch as the operator while Jenner posted the launch announcement on X (the post included a photo with Donald Trump). Jenner subsequently publicly accused Arora of social-engineering her team and operating as a "middleman" without her foreknowledge of the operator-side extraction. Cointelegraph Magazine published a leaked celebrity price-list documenting Arora's offered services across multiple celebrity launches. Australian rapper Iggy Azalea publicly disowned a separate launch where Arora used her name to raise \~\$300,000 in a pre-sale. Rich the Kid publicly accused Arora as well. A class action against Jenner was **dismissed by a California federal court** on the ground that the JENNER token did not constitute a security under U.S. law — note that this dismissal does not exonerate the launch operators but resolves the celebrity-endorser's personal liability under U.S. securities law. **Attribution: inferred-strong** for the operator role (Arora's self-attribution + multiple-celebrity public allegations + Cointelegraph Magazine documentation); the celebrity-endorser's personal liability is resolved in the dismissal.
2828

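Review bot: the colon substitutions inside the parenthetical ("ROOST: 90% decline ...") match the existing "**Attribution: inferred-strong**" style, but the new line keeps the leading list-entry dash ("**DADDY (Daddy Tate, Andrew Tate)** — June 2024 launch"), presumably the pattern the list-entry filter exempts; a comment in the filter naming that exemption would stop it being read as a regression. Context lines 23 and 27 also keep parenthetical dashes ("— the judge ruled ..." and "— Indian-born Dubai-based crypto figure (...) —") of the class the commit message says was fixed.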