Ripple has begun sharing its internal threat intelligence on North Korean hackers with the wider crypto industry, signaling a major shift in how firms respond to increasingly sophisticated cyber threats. The move, announced alongside Crypto ISAC, highlights a growing concern: modern crypto attacks are no longer driven solely by technical vulnerabilities but by human infiltration.
Recent incidents, including the $285 million Drift exploit, demonstrate this evolution clearly. Unlike traditional DeFi hacks that rely on smart contract flaws, the Drift case involved North Korean operatives embedding themselves within the organization. Over several months, attackers built trust with contributors, deployed malware, and ultimately gained access to sensitive credentials. By the time funds were transferred, no conventional security systems flagged suspicious activity because the breach came from within.
Between 2022 and 2024, most crypto hacks targeted weaknesses in code, allowing attackers to drain funds rapidly. However, as blockchain security improves, threat actors are shifting their strategies. North Korean groups, including the infamous Lazarus Group, are now focusing on social engineering tactics. These operatives apply for jobs, pass background checks, attend virtual meetings, and establish credibility before launching attacks that bypass traditional cybersecurity defenses.
Ripple’s collaboration with Crypto ISAC aims to counter this trend by sharing critical data such as LinkedIn profiles, email addresses, phone numbers, and geographic patterns. This intelligence helps crypto companies identify suspicious applicants and detect coordinated infiltration attempts across multiple organizations. Without shared data, each firm faces these threats independently, increasing overall risk.
The growing influence of Lazarus Group is also impacting legal frameworks within the crypto space. In a recent development, attorneys representing victims of North Korean terrorism filed claims over frozen assets linked to the Kelp bridge exploit, which resulted in a $292 million loss. Combined with the Drift incident, over $500 million in crypto assets have been tied to North Korean operations in just one month.
While industry-wide intelligence sharing is a step forward, its effectiveness remains uncertain. As security improves, attackers continue to adapt, often staying one step ahead.