Ripple Shares North Korea Threat Data as Crypto Faces New…

Why Is Ripple Sharing Threat Intelligence With the Crypto Sector?

Ripple is opening its internal intelligence on North Korea-linked threat actors to the wider crypto industry, including fraud-linked domains, wallet addresses, and indicators of compromise tied to hacking campaigns.

The data will be shared through Crypto ISAC, a non-profit focused on security coordination across the crypto sector. The move follows the $280 million Drift incident, which Crypto ISAC described as a “wakeup call for the industry.”

The Drift attack did not begin with a smart contract exploit or code flaw. According to Crypto ISAC, attackers first gained the trust of Drift contributors before compromising their devices, pointing to a more targeted form of social engineering.

How Are North Korea-Linked Attacks Changing?

The latest incidents show that threat actors are moving beyond direct protocol exploits toward employee and contributor targeting. This method can bypass technical defenses by compromising trusted individuals inside crypto projects or affiliated teams.

“Companies in both crypto-native and traditional financial institutions are seeing more of this type of sophisticated operation, linked to North Korean threat actors who are working from the inside out,” Christina Spring, director of growth at Crypto ISAC, wrote.

“This is a social engineering campaign on a new level,” Spring said.

Ripple said on X that a threat actor who fails a background check at one company can quickly target another, adding: “Without shared intelligence, every company starts from zero.”

Investor Takeaway

Crypto security risk is moving deeper into hiring, vendor access, contributor management, and device hygiene. Protocol audits alone are not enough when attackers target people before systems.

What Does Crypto ISAC’s New API Add?

Crypto ISAC has launched a new API to support faster sharing of actionable security data between member firms. Ripple, Coinbase, and other founding members are among the first to integrate the tool into their security operations.

The API is designed to reduce response times by allowing companies to ingest threat data directly into internal workflows. That could help firms detect repeat threat actors, block known malicious domains, and screen wallet addresses linked to prior campaigns.

“As an early adopter, we’ve been working closely with Crypto ISAC to onboard and operationalize new data sources in a way that aligns with our internal workflows,” said Erin Plante, Ripple’s director of brand security and intelligence.

Investor Takeaway

Shared intelligence can reduce duplicate exposure across crypto firms. The main test is whether exchanges, custodians, and DeFi teams can act on data fast enough to stop repeat attacks.

How Large Is the North Korea Crypto Hacking Threat?

North Korea-linked crypto attacks have grown sharply in scale. TRM Labs reported that North Korea’s share of global crypto hack losses rose from below 10% in 2020 and 2021 to 64% in 2025.

TRM has also linked the $292 million Kelp DAO exploit to TraderTraitor, a Lazarus-affiliated operation. The findings add to concerns that North Korea-linked groups are adapting tactics across DeFi, exchanges, and crypto infrastructure providers.

North Korean authorities have denied the allegations. A Foreign Ministry spokesperson called the claims “absurd slander” and a “political tool” used by the US to support a “hostile policy,” according to KCNA.

The broader risk for crypto firms is that security failures are no longer limited to vulnerable code. They now include recruitment channels, contractor access, communications platforms, and operational trust inside distributed teams.