Through its partnership with Crypto ISAC, Ripple has begun sharing its internal threat intelligence on North Korean hackers with the cryptocurrency industry. The company revealed the initiative on Monday, emphasizing that robust security in crypto is achieved through collaboration.
Christina Spring, Director of Growth at Crypto ISAC, highlighted in a blog post that the shared data from Ripple includes domains and wallets linked to fraudulent activities as well as Indicators of Compromise (IOCs) from ongoing DPRK cyber campaigns.
“A threat actor who is rejected by one firm will likely apply to three more within the same week. Without shared intelligence, companies are left starting from zero,” stated Spring.
Ripple’s threat intelligence encompasses detailed profiles of suspected North Korean IT workers attempting to infiltrate crypto firms, featuring domains, wallets, and IOCs.
“The distinctiveness lies not only in the data but also in the contextual insights provided by a security team well-versed with the threats affecting the crypto sector,” Spring further explained.
This intelligence sharing is crucial as North Korean operatives pivot from rapid technical exploits to patient social engineering tactics. In the Drift incident, attackers spent months cultivating relationships with platform contributors before introducing malware onto their devices and stealing keys.
In a different approach, the perpetrators of the KelpDAO attack compromised two internal RPC nodes and launched DDoS attacks on external nodes, feeding false data to the LayerZero Labs DVN. A mere “handful of attributed incidents,” including those involving KelpDAO and Drift, accounted for 76% of all crypto hack value in 2026 through April, according to blockchain intelligence firm TRM Labs.
Security experts caution that North Korea’s recent cryptocurrency attacks signify a major change in threat modeling within the sector. Natalie Newson, senior blockchain security researcher at CertiK, recently pointed out that Lazarus Group’s increased activity is causing concern across the industry. “With incidents like KelpDAO, Drift, and a new macOS malware kit emerging within one month,” she observed, noting that “this isn’t random hacking; it’s a state-sponsored financial operation conducted on an institutional scale.”
The severity of attacks in April prompted immediate responses from the industry. The Arbitrum Security Council froze over 30,000 ETH belonging to attackers following the KelpDAO exploit on April 20, showcasing the ecosystem’s enhanced ability for coordinated defense.
Nevertheless, this action caused friction within the DeFi community: Aave filed a memorandum in federal court yesterday requesting the unfreezing of $71 million frozen by Arbitrum, arguing that these funds belong to users rather than hackers.
Justine Bone, Executive Director of Crypto ISAC, noted that the intelligence sharing initiative marks a significant shift towards collaborative security measures within the industry. “Previously viewed as optional, information sharing is now seen as the gold standard for security,” Bone stated, describing Ripple’s collaboration as “the definitive proof of concept.”