North Korean Hackers Are Infiltrating Crypto Companies. Ripple and Crypto ISAC are Sharing the Intelligence to Help Stop Them

Written by: Christina Spring, Director of Growth, Crypto ISAC

The Drift hack – a major wake-up call for the industry – didn’t start with a smart contract exploit or a “zero day.” Instead, it began with malicious actors gaining the trust of Drift contributors over months of engagement, ultimately compromising their devices through malicious software and bypassing traditional indicators of compromise (IOCs). This manipulation of individuals was used to compromise multisig wallets and steal funds. Both crypto-native companies and traditional financial institutions are seeing more of this type of sophisticated operation, linked to North Korean threat actors who are working from the inside out. This is a social engineering campaign on a new level, and it leaves security teams with one key question: how do you catch someone who looks like a trusted partner from the inside?

One answer starts with shared intelligence and subsequent action.

Ripple Is Now Sharing DPRK Threat Data with the Crypto Industry

Today, Ripple is leaning into supporting the crypto and digital asset industry by sharing exclusive threat intelligence, developed via sophisticated AI-enhanced detection workflows, with other members of the crypto industry’s information sharing and analysis center, Crypto ISAC.

Data like this has not been shared externally amongst members yet. Now, the data Ripple is contributing ranges from domains and wallets known to be associated with fraud to Indicators of Compromise (IOCs) from active DPRK hack campaigns. What makes this different from a typical threat feed isn't just the data; it's the contextual enrichment from a security team with deep expertise in the threat actors impacting the crypto ecosystem. A DPRK IT worker profile shared through Crypto ISAC doesn't just include a name. It includes a LinkedIn profile, an email address, a location, a contact number, and the correlated signals that connect that individual to a broader campaign. That context transforms a standard data point into something a security team can truly act on, across companies.

The Infrastructure Behind the Sharing

At Crypto ISAC, we’re proud to have launched a new API designed specifically to express contextually rich, high-confidence crypto data. It enables the fast, actionable data sharing that crypto defense requires. Ripple, Coinbase, and other Founding Members are among the first member companies to leverage this new API, which normalizes intelligence across Web2 and Web3 threat indicators and delivers it in a format built for direct integration into their security operations.

“Crypto ISAC’s newly updated API represents a meaningful step forward in how intelligence is shared across the ecosystem. As an early adopter, we’ve been working closely with Crypto ISAC to onboard and operationalize new data sources in a way that aligns with our internal workflows. The result is higher-quality, more actionable intelligence that we can integrate directly into our security operations,” said Erin Plante, Director of Brand Security and Intelligence, Ripple.

Catching DPRK Threats: Why Defense Takes a Village

The Drift hack represents the new, fear-inducing way that threat actors have evolved. They’re patient wolves in sheep’s clothing who launch sophisticated attacks that are meant to evade any single system, and that’s why today it’s incumbent on the crypto industry to work together to stop these attacks. A threat actor might fail a background check at one company and apply to three others the same week. Without shared intelligence, each company is starting from zero.

That's the gap Crypto ISAC was built to close. When one member detects a sophisticated threat actor, whether they are attempting to infiltrate as an applicant or a third-party contractor, enriched profile data flows to every other member. That means as soon as this threat actor applies to more companies, those companies are already armed with real-time data.

This concept is exactly what we discussed in our recent blog post, “Actionability as the Core Function of Crypto Threat Intelligence.” In it, Crypto ISAC’s Technical Director, Tiago Assumpcao, outlined the idea that intelligence only creates value when it can change an outcome. Ripple's contribution is that principle applied directly to one of the most active threat vectors in crypto right now.

“For too long, information sharing was seen as optional. Today, it is the gold standard for security and Ripple’s action through Crypto ISAC is the definitive proof of concept, showing how to turn shared data into an actionable defense strategy that the entire industry can build upon,” said Justine Bone, Executive Director, Crypto ISAC.


“One of the biggest challenges in crypto threat intelligence is bridging the gap between raw signals and operational decisions. Working with Crypto ISAC on developing their updated API allowed us to help shape a data model that preserves context and confidence - not just indicators - and supports both Web2 and Web3 use cases. As an early adopter, we’ve already seen how this improves our ability to act on intelligence in real time,” said Jeff Lunglhofer, Chief Information Security Officer, Coinbase.

The Bottom Line

The crypto industry may not foresee every new North Korean hacking campaign, but we can and should strive to outmaneuver them by establishing collective defense as the new gold standard for security. Every enriched profile shared, every DPRK-linked wallet reported, and every brand impersonation domain shared is a building block of a collective defense that no single company can build alone. It takes a village to succeed. Ripple's decision to share this intelligence is a powerful signal and the definitive proof of concept that we hope others will follow.

To learn more about Crypto ISAC membership and how your organization can both contribute to and benefit from this intelligence, visit www.cryptoisac.org.

About Crypto ISAC

The Crypto ISAC is a member-driven, not-for-profit organization that works together to curb malicious actors, address vulnerabilities, share intelligence, and move security forward to protect the crypto ecosystem. We are founded by leading crypto organizations and designed for cryptosecurity experts to address the security and trust challenges that face crypto today and shape the crypto ecosystem of tomorrow.
