Ripple Shares North Korea-Linked Threat Intelligence With Crypto Firms Through Crypto ISAC

06 May, 2026 · Crypto · 13 sources

Key Takeaways

  • Ripple will share internal North Korea threat intelligence with Crypto ISAC for crypto firms.
  • Shared data includes DPRK fraud domains, wallets, and compromise indicators against campaigns.
  • Move follows April Drift breach and highlights long-cycle social engineering by DPRK actors.

Ripple’s Threat-Intel Push

Ripple has begun sharing internal threat intelligence about North Korean hackers with cryptocurrency companies through Crypto ISAC, aiming to help firms detect coordinated infiltration campaigns earlier.

Ripple to share North Korean threat intelligence with crypto firms: Ripple said April's $285 million Drift breach revealed a new pattern of long-cycle social engineering replacing traditional smart contract exploits. (CoinDesk)

Multiple outlets describe the initiative as a response to a shift toward long-cycle social engineering rather than traditional smart contract exploits.

CoinDesk says Ripple is sharing “its internal intelligence about North Korean threat actors with Crypto ISAC” and frames the Drift incident as a pattern where operatives spent months cultivating relationships with collaborators before installing malware and taking keys.

CoinCentral likewise reports that Ripple confirmed the move “on Monday alongside Crypto ISAC” and says Ripple will provide Crypto ISAC “detailed profiles linked to North Korean operatives.”

Decrypt adds that Ripple is sharing internal threat intelligence “through Crypto ISAC,” and quotes Crypto ISAC’s Christina Spring saying the data “ranges from domains and wallets known to be associated with fraud, to Indicators of Compromise (IOCs) from active DPRK hack campaigns.”

Across the coverage, Ripple’s stated rationale is consistent: “the strongest security posture in crypto is a shared one,” and the company emphasizes that a threat actor rejected by one firm can apply to multiple others within the same week.

Drift, Kelp, and the Money

The reporting ties Ripple’s sharing decision to specific April incidents, especially the Drift breach and the Kelp exploit, which multiple outlets describe as state-linked operations attributed to Lazarus Group.

CoinDesk says Ripple’s internal account of Drift is that “No one found a flaw or exploited a smart contract,” and that North Korean operatives “spent months cultivating relationships with Drift collaborators, installed malware on their machines, and took the keys.”

CoinCentral adds that Ripple said “internal systems failed to detect the Drift breach because attackers already had trusted access,” and it describes the outcome as attackers compromising multisig wallets and transferring funds “without triggering conventional alerts.”

CoinCentral also quantifies the April losses, stating that “The combined April losses from Drift and Kelp exceed $500 million,” and it specifies that the Kelp exploit drained “$292 million in ETH.”

Decrypt provides a different but related figure for the same Drift event, saying “April’s Drift exploit saw DPRK hackers make away with $285 million,” and it adds that “Just a ‘handful of attributed incidents’ including the KelpDAO and Drift hacks accounted for 76% of all crypto hack value in 2026 through April.”

Crypto Briefing, meanwhile, states that “In 2025, North Korean groups stole $2.02 billion in crypto assets,” and it frames the evolving threat as a reason for coordinated defense.

Who’s Speaking and What They Say

The initiative is presented not only as a technical data-sharing program but also as a governance and operational shift, with named leaders and security figures quoted across outlets.

CoinDesk reports that Ripple wrote on X: “The most robust security posture in the crypto space is a shared posture,” and it repeats the company’s line that “An actor who fails a background check at one company will apply to three more that same week.”

Crypto ISAC’s Justine Bone is quoted by Decrypt and crypto.news, with Decrypt saying Bone called the collaboration “the gold standard for security,” and crypto.news quoting Bone: “For too long, information sharing was seen as optional. Today, it is the gold standard for security.”

Crypto ISAC’s Christina Spring is quoted by Decrypt, saying the shared data “ranges from domains and wallets known to be associated with fraud, to Indicators of Compromise (IOCs) from active DPRK hack campaigns.”

Coinbase’s Jeff Lunglhofer is quoted by crypto.news, saying: “One of the biggest challenges in crypto threat intelligence is bridging the gap between raw signals and operational decisions,” and it adds that the updated data model helps preserve “context and confidence while improving real-time response.”

In the same ecosystem, CoinSpeaker’s coverage emphasizes Ripple’s “proactive threat intelligence initiative” and states that the program will distribute “actionable indicators of compromise,” including “DPRK-linked wallet addresses” and “malicious domains,” while also emphasizing a “unified defensive front” against “most prominently the Lazarus Group.”

How Outlets Frame the Same Move

While the core claim—Ripple sharing DPRK-linked threat intelligence with Crypto ISAC—appears consistently, the outlets diverge in emphasis, numbers, and the surrounding narrative they attach to the same initiative.

CoinSpeaker foregrounds a broader macro framing and describes Ripple’s plan to distribute “actionable indicators of compromise, including DPRK-linked wallet addresses, malicious domains, and documented tactics, techniques, and procedures,” while also asserting that Lazarus Group operations have “extracted an estimated $577 million from the crypto sector in the first months of 2026 alone.”

Crypto Briefing, by contrast, embeds the story inside a “Market Snapshot” and focuses on prediction-market style metrics, stating “XRP price predictions for May 5 remain at 99.9% YES” and “Bitcoin price predictions for May 9 are at 99.6% YES,” while also claiming “Markets suggest continued high-impact hacks could push the total crypto hack value above the $1.2B threshold this year.”

CoinCentral emphasizes the operational details of what is shared, saying Ripple will provide “detailed profiles” including “LinkedIn accounts, email addresses, phone numbers, and location records,” and it also stresses that attackers “apply to several firms within days.”

Decrypt highlights the contextual enrichment and quotes Christina Spring, while also tying the initiative to a specific long-cycle infiltration description: “In the Drift hack, attackers spent months befriending the platform's contributors before slipping malware onto their machines and stealing the keys.”

CoinDesk frames the Drift incident as a departure from the 2022–24 DeFi hack wave, stating that the earlier wave “focused on code exploitation,” while Ripple says the new pattern shifts “from technology to people.”

Legal Fallout and What Comes Next

The threat-intelligence sharing is unfolding alongside legal disputes tied to the same DPRK-attributed incidents, with outlets describing restraining notices, frozen assets, and court filings.

CoinDesk reports that “a lawyer representing victims of North Korean terrorism filed restraining notices against Arbitrum DAO,” arguing that “the 30,765 ETH frozen after the Kelp bridge exploit in April are the property of North Korea under U.S. law.”

CoinDesk adds that “The lending company Aave has since challenged that filing in support of Arbitrum,” and it quotes Aave’s position that “a ‘thief does not acquire legal title to stolen property simply by taking it.’”

crypto.news similarly describes the restraining notices and states that “Aave has challenged that claim,” while also noting that “Public attribution from security firms has linked both the Drift incident and the Kelp exploit to the Lazarus Group,” and that “combined losses from the two events above $500M” were tied to a single state actor within a single month.

Decrypt adds that “The severity of the April attacks triggered immediate industry responses,” including that “The Arbitrum Security Council froze over 30,000 ETH of the attacker's downstream funds after the KelpDAO exploit on April 20.”

In parallel, the crypto.news and CoinSpeaker coverage both emphasize that the effectiveness of shared intelligence depends on speed and adoption, with crypto.news stating that Crypto ISAC said “the effectiveness of this model will depend on how quickly firms act on shared intelligence,” and CoinSpeaker describing Crypto_ISAC’s updated API as launched on “May 4, 2026” and stating that “Coinbase was the first institution to adopt the updated Crypto_ISAC API.”
