Daily Crypto News & Musings

Ripple Shares DPRK Threat Intel as Crypto Security Shifts to Insider Attacks

Ripple is sharing internal threat intelligence with Crypto ISAC to help crypto firms spot North Korean-linked attacks earlier, as the industry’s biggest security headaches keep shifting from code bugs to human compromise.

  • Ripple is contributing DPRK threat intel to Crypto ISAC
  • Attacks are moving from smart contract exploits to infiltration and social engineering
  • Drift and Kelp show how insider-style attacks work
  • Coinbase is integrating Crypto ISAC’s updated API
  • Frozen ETH disputes are now landing in U.S. legal proceedings

The move is a pretty sane response to an ugly reality: crypto crime is no longer just about finding a juicy bug and draining a contract before breakfast. North Korean-linked threat actors, including groups publicly tied to Lazarus, have been playing the long game — applying for jobs, earning trust, compromising contributor systems, and slipping into wallet workflows from the inside. That’s not a code problem. That’s a people problem. And crypto, for all its obsession with audits and “trustless” systems, still has very trust-heavy humans glued to keyboards all over the place.

According to Ripple, the company is now sharing enriched threat data with Crypto ISAC, including domains, wallet addresses, indicators of compromise, LinkedIn profiles, email addresses, phone numbers, and location details. In plain English, indicators of compromise are warning signs that something may be hacked or malicious — suspicious domains, devices, wallet behavior, or account data that help security teams connect the dots before funds disappear.

Ripple said, “The strongest security posture in crypto is a shared one,” and it’s hard to argue with that when attackers are coordinating like a disciplined syndicate while defenders often act like isolated islands with good intentions and terrible timing.

Crypto ISAC, or Crypto Information Sharing and Analysis Center, exists to standardize how firms exchange security intelligence. That matters because a lot of threat data is useless if it sits in a spreadsheet, a Slack thread, or a half-read alert dashboard. Crypto ISAC’s newly updated API is designed to make this sharing more structured across Web2 and Web3 systems. An API, for readers who don’t spend their weekends reading infrastructure docs, is basically a software bridge that lets systems talk to each other and exchange data automatically.

Erin Plante, Ripple’s director of brand security and intelligence, said the updated API represents a meaningful step forward in how intelligence is shared across the ecosystem, enabling “higher-quality, more actionable intelligence.” That’s the key phrase. Raw signals are fine, but action is what stops theft. A warning that gets buried is just expensive decoration.

Crypto security teams are dealing with a shift in attacker behavior that should be getting far more attention. Years ago, the loudest losses often came from smart contract exploits — bugs in code that let attackers drain funds directly. That still happens. But the nastier trend now is long-term infiltration: attackers building trust for months, embedding themselves in teams, compromising contributor systems with malware, and then using that access to move funds without tripping the usual alarms.

That is why security scanning alone is no longer enough. If the weakness is in the human layer, the code can be perfectly audited and still get wrecked by a bad hire, a compromised laptop, or a social engineering campaign with patience and a pulse.

The Drift incident has become one of the clearest examples of this playbook. Attackers allegedly spent months building trust, deployed malware on contributor systems, accessed multisig wallets, and moved funds without triggering normal alerts. A multisig wallet, for the uninitiated, is a wallet that requires multiple approvals before funds can be moved. It’s meant to reduce single-point failure risk. But if the attacker gets enough access to people, devices, or approvals, even multisig can be bent into a theft machine.

That’s what makes these attacks so annoying and so dangerous: no clean contract bug is required. Traditional smart contract monitoring can miss the whole thing because the exploit isn’t in the code. It’s in the workflow, the access, the trust chain, and the assumption that “someone would have noticed.” Spoiler: sometimes nobody does.

Ripple also said threat actors often apply to multiple firms after being rejected by one. That should make every crypto company rethink hiring, onboarding, access controls, and contributor vetting. In a sector where remote work, pseudonyms, and global teams are normal, a weak screening process can become a wide-open side door. If attackers are treating job applications like reconnaissance, then hiring can’t be treated like admin busywork.

Justine Bone, executive director at Crypto ISAC, put the industry mood into one blunt line:

“For too long, information sharing was seen as optional. Today, it is the gold standard for security.”

She’s not wrong. North Korea-linked hackers have become some of the most persistent crypto thieves in the game, and the sector keeps relearning the same lesson: no single company has enough visibility on its own. Shared intelligence can help firms block known wallet addresses, flag suspicious domains, identify reused email patterns, spot malicious applicant behavior, and correlate breach indicators across platforms before the damage spreads.
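As an added illustration (not Ripple's or Crypto ISAC's code; the feed layout, field names and all indicator values are constructed assumptions), this is the kind of matching a defender would run over a shared feed of the indicator types mentioned above: e-mail addresses are canonicalised so alias tricks don't hide a reused applicant mailbox, domains match on subdomains too, and hits are correlated across records from different internal platforms.

```python
# Constructed shared IOC feed: domains, wallet addresses and e-mails, the
# field types the article says are being shared. None of these are real.
SHARED_IOCS = {
    "domains": {"recruit-portal.example", "evil-cdn.example"},
    "wallets": {"0xAbC0000000000000000000000000000000000001"},
    "emails": {"j.doe+dev@example.com"},
}

def norm_email(addr):
    """Canonicalise an e-mail so plus tags, case and (for Gmail) dots in the
    local part don't disguise the same mailbox across several applications."""
    local, _, domain = addr.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in {"gmail.com", "googlemail.com"}:
        local = local.replace(".", "")
    return f"{local}@{domain}"

def norm_wallet(addr):
    """Wallet hits must not depend on the hex case the logger happened to use."""
    return addr.strip().lower()

def domain_matches(host, bad_domain):
    """True if host is bad_domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == bad_domain or host.endswith("." + bad_domain)

def correlate(events, iocs):
    """events: constructed records from different internal platforms (an
    applicant tracker, a proxy log, a treasury transfer log). Returns a list
    of (source, field, value) tuples for every record that hits the feed."""
    emails = {norm_email(e) for e in iocs["emails"]}
    wallets = {norm_wallet(w) for w in iocs["wallets"]}
    hits = []
    for ev in events:
        src = ev["source"]
        if "email" in ev and norm_email(ev["email"]) in emails:
            hits.append((src, "email", ev["email"]))
        if "wallet" in ev and norm_wallet(ev["wallet"]) in wallets:
            hits.append((src, "wallet", ev["wallet"]))
        if "host" in ev and any(domain_matches(ev["host"], d) for d in iocs["domains"]):
            hits.append((src, "domain", ev["host"]))
    return hits

# Constructed sample records from three platforms; three of the four should hit.
SAMPLE_EVENTS = [
    {"source": "ats", "email": "J.Doe@example.com"},             # same mailbox, tag stripped
    {"source": "proxy", "host": "cdn.evil-cdn.example"},           # subdomain of a flagged domain
    {"source": "treasury", "wallet": "0xabc0000000000000000000000000000000000001"},
    {"source": "ats", "email": "someone.else@example.org"},        # clean
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS, SHARED_IOCS):
        print("IOC hit:", hit)
```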

Coinbase is among the early adopters integrating Crypto ISAC’s updated API, and Coinbase CISO Jeff Lunglhofer said, “One of the biggest challenges in crypto threat intelligence is bridging the gap between raw signals and operational decisions.” That’s the real test. A feed full of warnings is nice, but if nobody can convert it into a block, an alert, or an access denial in time, it’s just fancy noise.

The legal fallout is getting messy too, because once stolen funds are frozen on-chain, the question becomes who actually has the better claim to them. An attorney representing victims of North Korean terrorism issued restraining notices on Arbitrum DAO over 30,765 ETH frozen after the April Kelp exploit. Aave has challenged that claim in its filing, which shows how quickly crypto theft spills into legal warfare when sanctions, attribution, and ownership collide.

Security firms have publicly linked both the Drift incident and the Kelp exploit to the Lazarus Group, the North Korean-linked hacking outfit that has become a byword for industrial-scale crypto theft. Combined losses from the two incidents reportedly topped $500 million in a single month. That is not a bad week. That is a brutal reminder that state-linked cybercrime is not just some abstract threat intel slide deck. It is a direct drain on capital, confidence, and user trust.

The legal angle matters because it highlights a deeper tension in decentralized finance: if funds are frozen, stolen, or blacklisted, what happens when courts, protocols, and governance systems disagree on who owns what? Decentralization was never going to make law disappear. It just made the legal questions harder, stranger, and a lot more expensive.

There’s also a useful counterpoint here. Intelligence sharing is clearly better than hoarding data like a dragon sitting on a pile of compliance theater, but it is not magic. Shared threat intel won’t fix bad internal access management, sloppy contributor screening, weak endpoint security, or a culture that treats operational security as optional until after the theft. The grown-up version of crypto security is boring in the best possible way: verify access, reduce trust, segment systems, monitor behavior, and share credible threat data fast.

That’s the real significance of Ripple joining this effort. It’s a sign that crypto companies are starting to treat security less like a solo sport and more like an industry-wide defense problem. That’s overdue. If attackers cooperate, defenders better stop acting like rivals guarding separate castles with broken drawbridges.

What is Ripple trying to solve?

Ripple is helping crypto firms detect North Korean-linked attacks earlier by sharing internal threat intelligence through Crypto ISAC.

Why does this matter for crypto security?

Because the threat has shifted from obvious smart contract bugs toward infiltration, insider access, and social engineering attacks that target people and processes.

What happened in the Drift incident?

Attackers allegedly spent months building trust, used malware on contributor systems, accessed multisig wallets, and moved funds without triggering normal alerts.

Why are multisig wallets important?

Multisig wallets require multiple approvals to move funds, so compromise usually means the attacker got access to people, systems, or workflows — not just code.

What does Crypto ISAC do?

Crypto ISAC helps firms share and standardize security intelligence so threats can be identified and acted on faster across the industry.

Why are Coinbase and Ripple involved?

Ripple is contributing intelligence data, and Coinbase is one of the early adopters integrating Crypto ISAC’s updated API into its security operations.

What role does the Lazarus Group play?

Security firms have publicly linked both the Drift and Kelp incidents to Lazarus Group, a North Korean-linked hacking operation tied to major crypto thefts.

What is the legal issue around the frozen ETH?

An attorney for victims of North Korean terrorism says frozen ETH from the Kelp exploit should be treated as North Korean-linked property, while Aave disputes that claim.

What’s the bigger lesson here?

Crypto security now depends on shared intelligence, stronger hiring and onboarding controls, better operational discipline, and less faith in the idea that audits alone can save the day.

If crypto wants to stay ahead of North Korean threat actors and the Lazarus-style crews behind these campaigns, it needs to stop keeping security data in silos and start treating intelligence sharing like the baseline it should have been years ago. Because when the adversary is patient, organized, and already inside the tent, pretending otherwise is how people get robbed.