
Ripple to Share North Korean Threat Intelligence With Crypto Industry

By Decrypt Agent · Published May 5, 2026 · 3 min read · Source: Decrypt

The move follows two nine-figure exploits of DeFi protocols Drift and KelpDAO in April, as DPRK hackers shift to social engineering tactics.

Edited by Stephen Graves
Ripple is a crypto software company focused on XRP solutions. Source: Ripple/Decrypt

Ripple is now sharing its internal threat intelligence on North Korean hackers with the crypto industry through Crypto ISAC, the company announced Monday, arguing that, “the strongest security posture in crypto is a shared one.”

Christina Spring, Director of Growth at not-for-profit cybersecurity organization Crypto ISAC, wrote in a blog announcing the news that the data shared by Ripple, “ranges from domains and wallets known to be associated with fraud, to Indicators of Compromise (IOCs) from active DPRK hack campaigns.”

The strongest security posture in crypto is a shared one.

A threat actor who fails a background check at one company will apply to three more that same week. Without shared intelligence, every company starts from zero.

Ripple is now contributing exclusive DPRK threat… https://t.co/ZiXD25iOBx

— Ripple (@Ripple) May 4, 2026

Ripple's threat intelligence includes enriched profiles of suspected North Korean IT workers trying to embed themselves inside crypto firms, covering domains, wallets, and indicators of compromise.

“What makes this different from a typical threat feed isn't just the data, it's the contextual enrichment from a security team with deep expertise of the threat actors impacting the crypto ecosystem,” Spring added.

The intelligence sharing comes as North Korean operatives shift tactics from quick technical exploits to patient social engineering campaigns. In the Drift hack, attackers spent months befriending the platform's contributors before slipping malware onto their machines and stealing the keys.

The KelpDAO attackers employed a different approach, compromising two internal RPC nodes and launching DDoS attacks against external nodes to feed false data to LayerZero Labs' DVN. Just a “handful of attributed incidents,” including the KelpDAO and Drift hacks, accounted for 76% of all crypto hack value in 2026 through April, according to blockchain intelligence firm TRM Labs.

Security experts warn that North Korea's recent crypto attacks represent a fundamental shift in threat modeling across the crypto space. Natalie Newson, senior blockchain security researcher at CertiK, noted last month that Lazarus Group’s elevated activity level is raising concerns across the industry. “KelpDAO, Drift, and now a new macOS malware kit, all within the same month,” she said, adding, “This isn't random hacking; it's a state-directed financial operation running at a scale and speed typical of institutions.”

The severity of the April attacks triggered immediate industry responses. The Arbitrum Security Council froze over 30,000 ETH of the attacker's downstream funds after the KelpDAO exploit on April 20, demonstrating the ecosystem's growing ability to coordinate defensive measures.

However, the response has caused some friction in the DeFi community, with Aave yesterday filing a memorandum in federal court asking for the $71 million in funds frozen by Arbitrum to be unblocked, arguing that the money belongs to its users rather than the hackers.

The intelligence sharing initiative reflects a broader industry shift toward collaborative security measures, Justine Bone, Executive Director of Crypto ISAC, said. “For too long, information sharing was seen as optional. Today, it is the gold standard for security,” Bone noted, calling Ripple’s collaboration “the definitive proof of concept.”

This article was originally published on Decrypt and is republished here under RSS syndication for informational purposes. All rights and intellectual property remain with the original author.