
Ripple has begun sharing its internal threat intelligence on North Korean hacking operations with the crypto industry, expanding how firms respond to insider-driven attacks.
Summary
- Ripple has begun sharing internal data on North Korean threat actors with Crypto ISAC to help firms detect insider-driven attacks earlier.
- Security teams have identified a shift from smart contract exploits to long-term infiltration, where attackers gain trust and access before moving funds.
According to Crypto ISAC, the move follows incidents in which attackers did not exploit code vulnerabilities at all but instead infiltrated teams over a period of months, a pattern highlighted in the Drift case.
Details released by Ripple and Crypto ISAC describe the Drift incident as a prolonged social engineering campaign, where North Korean-linked actors built trust with contributors before deploying malware on their systems. That access allowed attackers to compromise multisig wallets and move funds without triggering conventional alerts, as no smart contract flaw had been used.
Security teams cited in the announcement said this approach differs from the 2022 to 2024 wave of DeFi breaches, which centred on exploiting code-level vulnerabilities. In the Drift case, attackers operated from within after clearing hiring processes and establishing credibility across teams.
“The strongest security posture in crypto is a shared one,” Ripple said in a statement on X, adding that a threat actor rejected by one firm often reapplies to several others within the same week, leaving gaps when intelligence is not shared.
Ripple said it is now contributing enriched datasets to Crypto ISAC, including domains, wallet addresses, and indicators of compromise tied to active campaigns. These datasets also carry contextual identifiers such as LinkedIn profiles, email addresses, phone numbers, and location details that link individuals to coordinated operations across firms.
“Crypto ISAC’s newly updated API represents a meaningful step forward in how intelligence is shared across the ecosystem,” said Erin Plante, Director of Brand Security and Intelligence at Ripple, adding that the integration has allowed Ripple to bring “higher-quality, more actionable intelligence” directly into its security workflows.
Crypto ISAC said its new API is designed to standardise intelligence across Web2 and Web3 systems, allowing firms to act on high-confidence threat data in real time. Early adopters, including Coinbase, have started integrating the system into their operations.
“One of the biggest challenges in crypto threat intelligence is bridging the gap between raw signals and operational decisions,” Jeff Lunglhofer, Chief Information Security Officer at Coinbase, noted, adding that the updated data model helps preserve context and confidence while improving real-time response.
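The enriched indicator sharing Ripple describes (domains, wallet addresses and contact identifiers tied to a campaign) and the point Coinbase makes about turning raw signals into operational decisions come down to the same defender-side step: normalise the shared indicators, match them against internal telemetry, and let the confidence carried with each indicator decide whether a hit is acted on automatically or routed for analyst review. The Python script below is an added example and is not code from Ripple, Coinbase or Crypto ISAC; the feed layout, field names, campaign labels and every sample record are constructed placeholders, because the page does not describe the actual Crypto ISAC API schema.

```python
"""Match a shared threat-intelligence feed against internal telemetry.

Added example, not Ripple's, Coinbase's or Crypto ISAC's code. The feed shape
(type / value / campaign / confidence) is a hypothetical, constructed format;
the real Crypto ISAC API schema is not described on the page. All sample
records below are constructed.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample feed of the indicator kinds the article lists. One record
# is deliberately malformed to show that bad indicators are dropped, not alerted on.
SHARED_INTEL_JSON = """
[
  {"type": "domain", "value": "Update-Recruiting.example.", "campaign": "CAMPAIGN-PLACEHOLDER-1", "confidence": 90},
  {"type": "wallet", "value": "0xDEADBEEF01DEADBEEF01DEADBEEF01DEADBEEF01", "campaign": "CAMPAIGN-PLACEHOLDER-1", "confidence": 85},
  {"type": "email",  "value": "dev.candidate@example.net", "campaign": "CAMPAIGN-PLACEHOLDER-1", "confidence": 70},
  {"type": "email",  "value": "second.candidate@example.org", "campaign": "CAMPAIGN-PLACEHOLDER-2", "confidence": 40},
  {"type": "wallet", "value": "not-an-address", "campaign": "CAMPAIGN-PLACEHOLDER-2", "confidence": 99}
]
"""

# Constructed internal events: DNS resolutions, a treasury transfer, applicant records.
INTERNAL_EVENTS = [
    {"source": "dns", "domain": "update-recruiting.example", "host": "dev-laptop-07"},
    {"source": "treasury", "to": "0xdeadbeef01deadbeef01deadbeef01deadbeef01", "amount_eth": 120.0},
    {"source": "ats", "applicant_email": "Dev.Candidate@example.net", "role": "Senior Rust Engineer"},
    {"source": "ats", "applicant_email": "second.candidate@example.org", "role": "Smart Contract Engineer"},
    {"source": "dns", "domain": "registry.npmjs.org", "host": "ci-runner-02"},
]

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$")
EVM_ADDR_RE = re.compile(r"^0x[0-9a-f]{40}$")  # EVM addresses are case-insensitive hex
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Which field of each internal event source carries which indicator type.
EVENT_FIELDS = {
    "dns": [("domain", "domain")],
    "treasury": [("wallet", "to")],
    "ats": [("email", "applicant_email")],
}


@dataclass
class Match:
    source: str
    kind: str
    value: str
    campaign: str
    confidence: int


def normalize(kind: str, value: str):
    """Canonicalise an indicator so feed and telemetry compare equal; None if malformed."""
    v = value.strip().lower()
    if kind == "domain":
        v = v.rstrip(".")  # drop trailing dot from FQDN form
        return v if DOMAIN_RE.match(v) else None
    if kind == "wallet":
        return v if EVM_ADDR_RE.match(v) else None
    if kind == "email":
        return v if EMAIL_RE.match(v) else None
    return None


def load_indicators(json_text: str) -> dict:
    """Index the shared feed by (type, normalised value), skipping malformed records."""
    index = {}
    for rec in json.loads(json_text):
        key = normalize(rec["type"], rec["value"])
        if key is None:
            continue  # malformed indicator from the feed: never alert on garbage
        index[(rec["type"], key)] = rec
    return index


def match_events(index: dict, events: list, min_confidence: int = 60) -> dict:
    """Return hits split into an 'act' tier (automate) and a 'review' tier (analyst)."""
    tiers = {"act": [], "review": []}
    for ev in events:
        for kind, field in EVENT_FIELDS.get(ev["source"], []):
            key = normalize(kind, ev.get(field, ""))
            if key is None:
                continue
            rec = index.get((kind, key))
            if rec is None:
                continue
            hit = Match(ev["source"], kind, key, rec["campaign"], rec["confidence"])
            tiers["act" if rec["confidence"] >= min_confidence else "review"].append(hit)
    return tiers


if __name__ == "__main__":
    result = match_events(load_indicators(SHARED_INTEL_JSON), INTERNAL_EVENTS)
    for tier, hits in result.items():
        for h in hits:
            print(f"[{tier}] {h.source}: {h.kind}={h.value} campaign={h.campaign} conf={h.confidence}")
```

The threshold is the operational decision the Coinbase quote refers to: a high-confidence wallet or domain hit can feed a transfer hold or a block rule directly, while a low-confidence contact identifier on an applicant record is better surfaced to a hiring-security reviewer than acted on blindly. Normalising before indexing matters because a feed entry with mixed-case hex, a trailing-dot FQDN or a capitalised e-mail address would otherwise silently miss the telemetry it was shared to catch.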
Legal disputes emerge alongside security response
At the same time, activity tied to the same threat actors has begun surfacing in U.S. legal proceedings. An attorney representing victims of North Korean terrorism has served restraining notices on Arbitrum DAO, arguing that 30,765 ETH frozen after the April Kelp exploit constitutes North Korean-linked property under U.S. enforcement law.
Aave has challenged that claim, stating in its filing that a thief does not gain lawful ownership of stolen assets and backing Arbitrum’s position on the frozen funds.
Public attribution from security firms has linked both the Drift incident and the Kelp exploit to the Lazarus Group, placing combined losses from the two events above $500M within a single month.
“For too long, information sharing was seen as optional. Today, it is the gold standard for security,” said Justine Bone, Executive Director at Crypto ISAC, describing Ripple’s contribution as a working example of how shared intelligence can be turned into an actionable defence strategy.
Crypto ISAC said the effectiveness of this model will depend on how quickly firms act on shared intelligence, as threat actors continue to operate across multiple organisations at once.

