Ripple Collaborates with Crypto Firms to Counter North Korean Cyber Threats

In a strategic move announced on Monday, Ripple has begun sharing its internal threat intelligence regarding North Korean hackers with other entities in the cryptocurrency sector. This initiative aims to address evolving DPRK attack strategies within the industry.

The recent Drift hack was unconventional: no software bug or smart contract flaw was exploited. Instead, North Korean operatives ingratiated themselves with Drift’s team over several months, introduced malware onto their systems, and subsequently stole access keys. By the time $285 million had been transferred, none of the existing security measures had flagged any irregularity.

Ripple, in conjunction with Crypto ISAC—a threat-sharing body within the crypto industry—revealed on Monday that it is now distributing its gathered data about North Korean threats to other companies. From 2022 to 2024, DeFi hacks increasingly targeted code vulnerabilities, which let attackers drain protocols quickly.

However, with enhanced security measures, these threat actors are shifting their tactics towards exploiting human elements. They infiltrate crypto firms by securing employment, clearing background checks, and cultivating trust over months before executing attacks that traditional security systems cannot detect due to their internal positioning.

Ripple is now providing Crypto ISAC with profile data that helps identify these patterns across organizations, including LinkedIn profiles, email addresses, locations, and contact numbers. This information enables security teams to recognize individuals who have repeatedly failed background checks at multiple firms within a short time frame.

“The strongest security posture in crypto is a shared one,” Ripple stated on X. “A threat actor who fails a background check at one company will apply to three more that same week. Without shared intelligence, every company starts from zero.”

Lazarus Group’s activities are now influencing both legal and security protocols. On Monday, an attorney representing victims of North Korean cybercrime issued restraining notices against Arbitrum DAO, claiming the 30,765 ETH frozen after April’s Kelp bridge exploit is property under U.S. enforcement law due to its ties with North Korea.

Aave has contested this claim, arguing that a “thief does not gain lawful ownership of stolen property simply by taking it.” The Kelp breach resulted in $292 million worth of ether (ETH) being stolen and was also attributed to Lazarus Group operatives. Combined with the Drift losses from April, these breaches amount to over half a billion dollars linked to a single state actor within one month.

The effectiveness of industry-wide intelligence sharing in mitigating such campaigns remains uncertain as these operatives may already be engaging in new recruitment efforts.
