Ripple is now sharing its internal threat intelligence on North Korean hackers with the crypto industry, the company said Monday, in a move that reframes how the sector is responding to a shift in DPRK attack methodology.

The Drift hack was not a hack in the way most people think of one.

Nobody found a bug or exploited a smart contract. North Korean operatives spent months befriending Drift's contributors, slipped malware onto their machines, and walked off with the keys. By the time the $285 million moved, every system that was supposed to catch a hack had nothing to flag.

That is the version of events Ripple and Crypto ISAC, the crypto industry's threat-sharing group, laid out Monday alongside news that Ripple is now sharing its internal data on North Korean threat actors with the rest of the sector.

The 2022-24 wave of more DeFi hacks was centred on exploiting code, with attackers finding smart contract vulnerabilities and draining protocols in minutes.

But as security gets tighter, the modus operandi shifts from technology to people. Rogue operatives apply for jobs at crypto firms, pass background checks, show up on Zoom calls and build trust for months. Then they deploy attacks that no traditional security tool was built to catch, because the attacker is already inside.

Ripple is now feeding Crypto ISAC the kind of profile data that makes that pattern legible across companies. LinkedIn profiles, email addresses, locations, contact numbers — or the connective tissue that lets a security team recognise the candidate they just interviewed as the same operative who failed background checks at three other firms last week.

"The strongest security posture in crypto is a shared one," Ripple posted on X. "A threat actor who fails a background check at one company will apply to three more that same week. Without shared intelligence, every company starts from zero."

Lazarus Group's reach across the crypto sector is now visible enough that it has begun reshaping legal proceedings as well as security ones.

On Monday, an attorney representing victims of North Korean terrorism served restraining notices on Arbitrum DAO, arguing that the 30,765 ETH frozen after April's Kelp bridge exploit is North Korean property under U.S. enforcement law.

Lending company Aave has since disputed that filing in support of Arbitrum, arguing that a "thief does not gain lawful ownership of stolen property simply by taking it."

The Kelp breach had drained $292 million in ether (ETH) and was also publicly attributed to Lazarus Group operatives, putting April's Drift and Kelp losses together at more than half a billion dollars tied to a single state actor in the span of a single month.

Whether industry-level intelligence sharing actually slows the campaigns is the open question. The same operatives may already be in the next round of interviews somewhere.