Ripple has started sharing its internal threat intelligence on North Korean-linked cyber operations with the broader crypto industry, aiming to strengthen defenses against increasingly sophisticated insider-style attacks.
Summary
Ripple is sharing threat data with Crypto ISAC to help firms detect infiltration-based attacks earlier.
Security experts note a shift from smart contract exploits to long-term insider infiltration strategies.
Recent incidents, including the Drift case, highlight how attackers gain trust over time before executing fund movements.
Shift toward insider-driven attacks
According to disclosures from Ripple and Crypto ISAC, recent attacks show a clear evolution in tactics. Instead of exploiting code vulnerabilities, threat actors are now focusing on social engineering and long-term infiltration.
In the Drift incident, attackers reportedly spent months building trust within teams before deploying malware. This access enabled them to compromise multisignature wallets and move funds without triggering traditional security alerts, as no smart contract vulnerability was involved.
Security teams say this marks a departure from the 2022–2024 wave of DeFi hacks, which largely relied on exploiting technical flaws. In contrast, these newer attacks operate from within organizations after gaining legitimate access.
Intelligence sharing to close gaps
Ripple emphasized that collaboration is critical in countering such threats. The company noted that attackers rejected by one firm often attempt to join others, creating vulnerabilities when information is not shared.
To address this, Ripple is contributing enriched datasets to Crypto ISAC, including wallet addresses, domains, and other indicators of compromise. These datasets also contain contextual details—such as email IDs, phone numbers, and professional profiles—that help link coordinated campaigns across multiple organizations.
The updated Crypto ISAC API is designed to standardize threat intelligence across Web2 and Web3 systems, enabling faster and more effective responses. Early adopters like Coinbase have already begun integrating the system into their security workflows.
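To illustrate the linking the enriched datasets are meant to enable, the following is an added example, not Ripple's or Crypto ISAC's code and not the Crypto ISAC API. It takes a handful of constructed indicator records (wallet addresses, domains, email IDs, phone numbers) as several hypothetical firms might share them, normalizes the values, and clusters records that share any indicator into one campaign; a small screening helper then checks whether a new applicant's details match intelligence another firm has already contributed. All record values and firm names are made up for the demonstration.

```python
"""Cross-organization indicator correlation (added example, hypothetical).

This is NOT the Crypto ISAC API. It shows how enriched indicator records
shared by several firms can be linked into campaigns when they share a
wallet, domain, email or phone number, and how a firm could screen a new
applicant against that pooled data. All records below are constructed.
"""
import re
from collections import defaultdict

INDICATOR_KINDS = ("wallet", "domain", "email", "phone")

# Constructed sample records from three hypothetical firms (values are made up).
SHARED_RECORDS = [
    {"id": "firmA-1", "source": "FirmA", "wallet": ["0xAbC123"],
     "domain": ["devhire-example.test"], "email": ["Dev.Jones@Example.test"],
     "phone": ["+1 (555) 010-0001"]},
    {"id": "firmB-7", "source": "FirmB", "wallet": [], "domain": [],
     "email": ["dev.jones@example.test"], "phone": []},
    {"id": "firmC-3", "source": "FirmC", "wallet": ["0xabc123"],
     "domain": ["other-site.test"], "email": [], "phone": []},
    {"id": "firmA-9", "source": "FirmA", "wallet": [], "domain": ["unrelated.test"],
     "email": ["someone@unrelated.test"], "phone": ["+15550100999"]},
]


def normalize(kind, value):
    """Canonicalize an indicator so trivial formatting differences still match."""
    v = value.strip()
    if kind == "phone":
        return re.sub(r"\D", "", v)   # digits only: "+1 (555) 010-0001" -> "15550100001"
    return v.lower()                  # wallets, domains and emails compare case-insensitively


def cluster_records(records):
    """Union-find over records: any shared (kind, value) links two records.

    Returns a sorted list of clusters, each a sorted list of record ids.
    """
    parent = {r["id"]: r["id"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}   # (kind, normalized value) -> first record id carrying it
    for r in records:
        for kind in INDICATOR_KINDS:
            for raw in r.get(kind, []):
                key = (kind, normalize(kind, raw))
                if key in first_seen:
                    union(r["id"], first_seen[key])
                else:
                    first_seen[key] = r["id"]

    clusters = defaultdict(list)
    for r in records:
        clusters[find(r["id"])].append(r["id"])
    return sorted(sorted(members) for members in clusters.values())


def campaign_index(records):
    """Map every normalized indicator to the index of the cluster it belongs to."""
    clusters = cluster_records(records)
    cluster_of = {rid: i for i, members in enumerate(clusters) for rid in members}
    index = {}
    for r in records:
        for kind in INDICATOR_KINDS:
            for raw in r.get(kind, []):
                index[(kind, normalize(kind, raw))] = cluster_of[r["id"]]
    return clusters, index


def screen_applicant(records, applicant):
    """Return (cluster_members, matched_indicators) if an applicant's details
    match pooled intelligence, or None if nothing matches."""
    clusters, index = campaign_index(records)
    hits = []
    for kind in INDICATOR_KINDS:
        for raw in applicant.get(kind, []):
            key = (kind, normalize(kind, raw))
            if key in index:
                hits.append((key, index[key]))
    if not hits:
        return None
    cluster_id = hits[0][1]
    return clusters[cluster_id], [key for key, _ in hits]


if __name__ == "__main__":
    print(cluster_records(SHARED_RECORDS))
    print(screen_applicant(SHARED_RECORDS, {"email": ["DEV.JONES@example.test"]}))
```

In the sample data, FirmB's record shares an email with FirmA's and FirmC's shares a wallet with it, so all three collapse into one campaign even though no single firm saw the full picture; the unrelated FirmA record stays alone. The normalization step matters more than it looks: an applicant re-using a phone number with different punctuation, or a mixed-case email, would otherwise slip past an exact-match lookup.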
Growing link to legal disputes
At the same time, activity linked to these threat actors is appearing in U.S. legal proceedings. Claims have emerged that funds frozen after the Kelp exploit may be tied to North Korea, prompting legal actions involving Aave and Arbitrum DAO.
Aave has pushed back, arguing that stolen assets do not become the lawful property of attackers, reinforcing the position that such funds should be returned to affected users.
Industry-wide implications
Security firms have attributed both the Drift incident and the Kelp exploit to the Lazarus Group, with combined losses reportedly exceeding $500 million within a single month.
Experts say the effectiveness of this new intelligence-sharing model will depend on how quickly firms act on shared data. As attackers increasingly operate across multiple organizations simultaneously, coordinated defense efforts are becoming essential.