Ripple is now sharing its internal threat intelligence on North Korean hackers with the crypto industry through Crypto ISAC, the company announced Monday, arguing that “the strongest security posture in crypto is a shared one.”
Christina Spring, Director of Growth at not-for-profit cybersecurity organization Crypto ISAC, wrote in a blog post announcing the news that the data shared by Ripple “ranges from domains and wallets known to be associated with fraud, to Indicators of Compromise (IOCs) from active DPRK hack campaigns.”
Ripple's threat intelligence includes enriched profiles of suspected North Korean IT workers trying to embed themselves inside crypto firms, covering domains, wallets, and indicators of compromise.
“What makes this different from a typical threat feed isn't just the data, it's the contextual enrichment from a security team with deep expertise of the threat actors impacting the crypto ecosystem,” Spring added.
The intelligence sharing comes as North Korean operatives shift tactics from quick technical exploits to patient social engineering campaigns. In the Drift hack, attackers spent months befriending the platform's contributors before slipping malware onto their machines and stealing the keys.
The KelpDAO attackers employed a different approach, compromising two internal RPC nodes and launching DDoS attacks against external nodes to feed false data to the LayerZero Labs DVN. Just a “handful of attributed incidents,” including the KelpDAO and Drift hacks, accounted for 76% of all crypto hack value in 2026 through April, according to blockchain intelligence firm TRM Labs.
Security experts warn that North Korea's recent crypto attacks represent a fundamental shift in threat modeling across the crypto space. Natalie Newson, senior blockchain security researcher at CertiK, noted last month that Lazarus Group’s elevated activity level is raising concerns across the industry. “KelpDAO, Drift, and now a new macOS malware kit, all within the same month,” she said, adding, “This isn't random hacking; it's a state-directed financial operation running at a scale and speed typical of institutions.”
The severity of the April attacks triggered immediate industry responses. The Arbitrum Security Council froze over 30,000 ETH of the attacker's downstream funds after the KelpDAO exploit on April 20, demonstrating the ecosystem's growing ability to coordinate defensive measures.
However, the response has caused some friction in the DeFi community, with Aave yesterday filing a memorandum in federal court asking for the $71 million in funds frozen by Arbitrum to be unblocked, arguing that the money belongs to its users rather than the hackers.
The intelligence sharing initiative reflects a broader industry shift toward collaborative security measures, Justine Bone, Executive Director of Crypto ISAC, said. “For too long, information sharing was seen as optional. Today, it is the gold standard for security,” Bone noted, calling Ripple’s collaboration “the definitive proof of concept.”