Ripple to share North Korean threat intelligence with crypto firms

CoinDesk

Ripple said April's $285 million Drift breach revealed a new pattern of long-cycle social engineering replacing traditional smart contract exploits.

By Shaurya Malwa, May 5, 2026, 6:12 a.m.

What to know:

  • Ripple is sharing its internal intelligence on North Korean threat actors with the Crypto ISAC to help crypto firms spot coordinated infiltration campaigns.
  • Recent attacks like the Drift and Kelp exploits relied on long-term social engineering and malware, not smart contract bugs, allowing North Korean operatives to steal more than $500 million in a month.
  • The Lazarus Group’s alleged role in these thefts is now influencing legal battles, including efforts to claim frozen Arbitrum-linked funds for victims of North Korean terrorism, even as it remains unclear whether industry-wide intel sharing will curb future attacks.

Ripple is now sharing its internal threat intelligence on North Korean hackers with the crypto industry, the company said Monday, in a move that reframes how the sector is responding to a shift in DPRK attack methodology.

The Drift hack was not a hack in the way most people think of one.

Nobody found a bug or exploited a smart contract. North Korean operatives spent months befriending Drift's contributors, slipped malware onto their machines, and walked off with the keys. By the time the $285 million moved, every system that was supposed to catch a hack had nothing to flag.

That is the version of events Ripple and Crypto ISAC, the crypto industry's threat-sharing group, laid out Monday alongside news that Ripple is now sharing its internal data on North Korean threat actors with the rest of the sector.

The 2022-24 wave of DeFi hacks centred on exploiting code, with attackers finding smart contract vulnerabilities and draining protocols in minutes.

But as security gets tighter, the modus operandi shifts from technology to people. Rogue operatives apply for jobs at crypto firms, pass background checks, show up on Zoom calls and build trust for months. Then they deploy attacks that no traditional security tool was built to catch, because the attacker is already inside.

Ripple is now feeding Crypto ISAC the kind of profile data that makes that pattern legible across companies. LinkedIn profiles, email addresses, locations and contact numbers are the connective tissue that lets a security team recognise the candidate they just interviewed as the same operative who failed background checks at three other firms last week.

"The strongest security posture in crypto is a shared one," Ripple posted on X. "A threat actor who fails a background check at one company will apply to three more that same week. Without shared intelligence, every company starts from zero."

Lazarus Group's reach across the crypto sector is now visible enough that it has begun reshaping legal proceedings as well as security ones.

On Monday, an attorney representing victims of North Korean terrorism served restraining notices on Arbitrum DAO, arguing that the 30,765 ETH frozen after April's Kelp bridge exploit is North Korean property under U.S. enforcement law.

Lending company Aave has since disputed that filing, in support of Arbitrum, arguing that a "thief does not gain lawful ownership of stolen property simply by taking it."

The Kelp breach had drained $292 million in ether (ETH) and was also publicly attributed to Lazarus Group operatives, putting April's Drift and Kelp losses together at more than half a billion dollars tied to a single state actor in the span of a single month.

Whether industry-level intelligence sharing actually slows the campaigns is the open question. The same operatives may already be in the next round of interviews somewhere.
