
Ripple is feeding North Korea–linked threat intelligence into Crypto ISAC, hoping shared context on DPRK operatives and DeFi exploits can blunt a 2026 hack wave led by Drift and KelpDAO.
Summary
- Ripple is contributing exclusive North Korea–linked threat intelligence to the Crypto ISAC information-sharing platform, arguing that “the strongest security posture in crypto is a shared one.”
- DPRK hackers have stolen about $577 million in crypto so far in 2026—76% of all hack losses year-to-date—largely via two DeFi exploits on Drift Protocol and KelpDAO.
- The intelligence covers enriched profiles of suspected North Korean IT operatives and detailed indicators of compromise (IOCs), as attackers pivot from pure technical exploits to long, social engineering–driven campaigns.
Ripple said it has begun sharing internal threat intelligence on North Korean hacking activity with members of Crypto ISAC, a not-for-profit cyber collective focused on the digital asset sector.
In a joint blog, Crypto ISAC growth director Christina Spring wrote that the data “ranges from domains and wallets known to be associated with fraud, to Indicators of Compromise (IOCs) from active DPRK hack campaigns.”
Ripple’s threat feeds go to Crypto ISAC
She stressed that what differentiates Ripple’s feeds is not just raw indicators but “contextual enrichment from a security team with deep expertise of the threat actors impacting the crypto ecosystem,” giving defenders more actionable context than a typical IOC list.
Ripple’s own announcement on X argued that “the strongest security posture in crypto is a shared one,” adding that “a threat actor who fails a background check at one company will apply to three more that same week. Without shared intelligence, every company starts from zero.”
The intelligence reportedly includes enriched profiles of suspected North Korean IT workers attempting to embed themselves inside crypto and fintech firms, tying together email addresses, domains, on-chain wallets, and malware infrastructure used across multiple campaigns.
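The value of that enrichment is the linkage: an e-mail address seen in one campaign, a domain reused in a second and a wallet from a third become one cluster rather than three unrelated indicators. The following is an added illustration, not Ripple's or Crypto ISAC's code, of how a receiving security team could merge co-occurring indicators from shared reports into cross-campaign clusters and screen a new observation against them. The report format, the `IndicatorGraph` class and every indicator value are constructed for this example.

```python
"""IOC correlation across campaigns (added example; not Ripple's or Crypto ISAC's code).

Each shared report lists the e-mail addresses, domains, wallets and infrastructure
observed together in one campaign. Indicators that co-occur are linked, and a
union-find structure merges those links into clusters that span campaigns, so a
single new observation (for instance an applicant's e-mail) can be screened for a
link to known activity. All indicator values below are constructed placeholders.
"""
from collections import defaultdict

# Constructed sample reports: reserved .invalid names and TEST-NET addresses only.
SAMPLE_REPORTS = [
    {"campaign": "campaign-A", "indicators": [
        ("email", "dev.applicant.1@mail.invalid"),
        ("domain", "portfolio-site-1.invalid"),
        ("wallet", "WALLET_PLACEHOLDER_A"),
    ]},
    {"campaign": "campaign-B", "indicators": [
        ("domain", "portfolio-site-1.invalid"),   # reused from campaign-A
        ("ip", "198.51.100.10"),                   # RFC 5737 TEST-NET-2
        ("email", "dev.applicant.2@mail.invalid"),
    ]},
    {"campaign": "campaign-C", "indicators": [
        ("wallet", "WALLET_PLACEHOLDER_C"),
        ("domain", "unrelated-site.invalid"),
    ]},
]


class IndicatorGraph:
    """Union-find over (type, value) indicators with per-indicator campaign tags."""

    def __init__(self):
        self.parent = {}
        self.campaigns = defaultdict(set)

    @staticmethod
    def _key(indicator):
        kind, value = indicator
        return (kind, value.strip().lower())   # normalise so case differences still match

    def _find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def _union(self, a, b):
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self.parent[rb] = ra

    def ingest(self, report):
        keys = [self._key(i) for i in report["indicators"]]
        if not keys:
            return
        for k in keys:
            self.campaigns[k].add(report["campaign"])
            self._union(keys[0], k)   # co-occurrence in one report links indicators

    def cluster_of(self, indicator):
        k = self._key(indicator)
        if k not in self.parent:
            return set()
        root = self._find(k)
        return {i for i in list(self.parent) if self._find(i) == root}

    def linked_campaigns(self, indicator):
        linked = set()
        for i in self.cluster_of(indicator):
            linked |= self.campaigns[i]
        return linked


def build_graph(reports):
    graph = IndicatorGraph()
    for report in reports:
        graph.ingest(report)
    return graph


def screen(graph, indicator):
    """Campaigns a new observation transitively links to; empty set means no known link."""
    return graph.linked_campaigns(indicator)


if __name__ == "__main__":
    g = build_graph(SAMPLE_REPORTS)
    print(screen(g, ("email", "dev.applicant.2@mail.invalid")))   # linked to campaigns A and B
    print(screen(g, ("email", "nobody@mail.invalid")))             # no known link
```

The point of the transitive lookup is the hiring scenario Ripple describes: an applicant e-mail that never appeared in a report can still link, via a reused portfolio domain, to a wallet or infrastructure from an earlier campaign. A production version would add confidence weighting and expiry, since shared infrastructure (hosting providers, public mail domains) would otherwise merge unrelated clusters.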
Drift and KelpDAO show a shift to social engineering
Ripple’s move comes in response to a wave of DPRK-linked attacks that have targeted DeFi in 2026, most notably the hacks on Solana-based Drift Protocol and re-staking platform KelpDAO.
TRM Labs estimates that those two incidents alone netted North Korean groups about $577 million—$285 million from Drift and roughly $292 million from KelpDAO—accounting for 76% of all crypto hack value through April.
Chainalysis and TRM note that North Korea–linked actors stole more than $2 billion in 2025, bringing their cumulative haul above $6.7 billion, and that DPRK’s share of global crypto hack losses climbed from under 10% in 2020 to 64% by 2025.
The April 1 Drift exploit followed what The Hacker News and Chainalysis describe as a six‑month social engineering campaign that began in late 2025, during which North Korean proxies held in‑person meetings with Drift contributors and used that trust to convince signers to pre‑authorize withdrawals via Solana’s “durable nonce” feature.
Attackers then executed 31 pre‑signed transactions in about 12 minutes, draining $285 million in assets before bridging most of the funds to Ethereum; TRM says the stolen ETH has largely remained dormant, indicating a cautious, long‑horizon laundering plan.
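The detection lesson from the Drift sequence is that each pre-signed transaction looked individually legitimate; the signal was the combination of a durable-nonce transaction draining the treasury account and the burst rate at execution. The block below is an added example, not Drift's or Solana's code, showing a simple monitor over withdrawal records that flags durable-nonce withdrawals from a watched account and then looks for a dense cluster of them inside a time window. The record layout, the watched account name and all amounts and timestamps are constructed.

```python
"""Detecting a burst of pre-signed (durable-nonce) withdrawals.

Added example; not Drift's or Solana's code. It models the pattern described
above: withdrawals authorized ahead of time and executed later in a short burst.
Transaction records are constructed (no real signatures, accounts or amounts).
"""
from datetime import datetime, timedelta

WATCHED_ACCOUNT = "treasury-placeholder"   # constructed label for the watched vault


def make_constructed_txs():
    """Five routine transfers across a day plus 31 pre-signed withdrawals in about 12 minutes."""
    base = datetime(2026, 4, 1)
    txs = []
    for i in range(5):
        txs.append({"sig": f"routine-{i}", "executed_at": base + timedelta(hours=3 * i),
                    "durable_nonce": False, "amount_usd": 10_000.0,
                    "source": WATCHED_ACCOUNT})
    for i in range(31):
        txs.append({"sig": f"presigned-{i}",
                    "executed_at": base + timedelta(hours=7, seconds=23 * i),
                    "durable_nonce": True, "amount_usd": 9_000_000.0,
                    "source": WATCHED_ACCOUNT})
    return sorted(txs, key=lambda t: t["executed_at"])


def durable_nonce_withdrawals(txs, source=WATCHED_ACCOUNT):
    """Per-transaction signal: any durable-nonce transaction draining the watched account."""
    return [t["sig"] for t in txs if t["durable_nonce"] and t["source"] == source]


def detect_burst(txs, window=timedelta(minutes=15), min_count=5, source=WATCHED_ACCOUNT):
    """Sliding window over durable-nonce withdrawals from the watched account.

    Returns the densest window holding at least min_count of them, or None.
    """
    pre = [t for t in txs if t["durable_nonce"] and t["source"] == source]
    pre.sort(key=lambda t: t["executed_at"])
    best, left = None, 0
    for right, tx in enumerate(pre):
        while tx["executed_at"] - pre[left]["executed_at"] > window:
            left += 1                       # shrink the window from the left
        count = right - left + 1
        if count >= min_count and (best is None or count > best["count"]):
            best = {"start": pre[left]["executed_at"], "end": tx["executed_at"],
                    "count": count,
                    "total_usd": sum(t["amount_usd"] for t in pre[left:right + 1])}
    return best


if __name__ == "__main__":
    txs = make_constructed_txs()
    print(len(durable_nonce_withdrawals(txs)), "durable-nonce withdrawals from watched account")
    print(detect_burst(txs))
```

Durable nonces are a legitimate Solana feature for offline signing, so the per-transaction flag alone is noisy; scoping it to treasury-class accounts and pairing it with the burst detector is what makes it actionable. It is also only the detection half: the preventive control is a signing policy under which no signer pre-authorizes withdrawals at all, which is exactly the trust the in-person campaign was built to erode.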
The April 18 KelpDAO exploit used a different playbook: DPRK-linked actors compromised two internal RPC nodes, DDoS’d external nodes, and fed false data into LayerZero Labs’ DVN to mint 116,500 unbacked rsETH, then used that collateral to borrow about $196 million in ETH on Aave.
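The KelpDAO chain of events turns on a verifier taking its view of the source chain from nodes an attacker controlled while the independent ones were unreachable. As an added example, not LayerZero's, KelpDAO's or any DVN's code, the block below sketches the defensive counterpart: a verifier that queries several sources, fails closed when too few respond (the DDoS case) or when no quorum agrees, and names the dissenting nodes. It also shows why node count alone is not enough: a quorum drawn entirely from one operator's nodes agrees happily on a fabricated value. Node names and the values they return are constructed.

```python
"""Quorum verification across independent RPC sources.

Added example; not LayerZero's, KelpDAO's or any DVN's code. It models the
defensive counterpart of the incident described above: a verifier that queries
several independent nodes, fails closed when too few respond (as under DDoS) or
when no quorum agrees, and flags dissenting nodes. Node names and values are
constructed.
"""
from collections import Counter

REAL = "blockhash-constructed-0001"     # what honest nodes return (constructed)
FAKE = "blockhash-constructed-fake"     # what compromised nodes return (constructed)


def quorum_verify(responses, min_agreeing=3, min_responding=3):
    """responses maps node name to the value it returned, or None on timeout.

    Returns (ok, value, detail): on failure detail is the reason; on success it
    is the sorted list of nodes that disagreed with the accepted value.
    """
    answered = {n: v for n, v in responses.items() if v is not None}
    if len(answered) < min_responding:
        # Too few sources: do not fall back to whatever happens to be reachable.
        return False, None, f"fail-closed: {len(answered)} of {len(responses)} nodes responded"
    value, agreeing = Counter(answered.values()).most_common(1)[0]
    if agreeing < min_agreeing:
        return False, None, f"fail-closed: best agreement {agreeing} < {min_agreeing}"
    dissent = sorted(n for n, v in answered.items() if v != value)
    return True, value, dissent


def scenario_mixed():
    """Two internal nodes compromised, three external nodes healthy: quorum holds, internals flagged."""
    return quorum_verify({"internal-1": FAKE, "internal-2": FAKE,
                          "external-1": REAL, "external-2": REAL, "external-3": REAL})


def scenario_externals_down():
    """External nodes time out (DDoS); only the two compromised internal nodes answer."""
    return quorum_verify({"internal-1": FAKE, "internal-2": FAKE,
                          "external-1": None, "external-2": None, "external-3": None})


def scenario_homogeneous_quorum():
    """Only the operator's own two nodes are consulted: they agree on FAKE and it is accepted."""
    return quorum_verify({"internal-1": FAKE, "internal-2": FAKE},
                         min_agreeing=2, min_responding=2)


if __name__ == "__main__":
    print("mixed:", scenario_mixed())
    print("externals down:", scenario_externals_down())
    print("homogeneous:", scenario_homogeneous_quorum())
```

The third scenario is the caveat a practitioner wants: quorum thresholds protect only when the sources can fail independently, so the node set should span operators and hosting, and the verifier should treat unreachable independent sources as a reason to pause rather than as permission to trust what remains.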
Subsequent analysis from TRM and others shows that while the Arbitrum Security Council froze roughly $71.5 million in downstream ETH, the attackers quickly pivoted to swap remaining funds into BTC via THORChain and Chinese intermediaries, underscoring the sophistication and adaptability of their laundering operations.
In response, Aave-led coalition DeFi United has raised more than $300 million in a recovery plan for KelpDAO, while Arbitrum’s emergency freeze and the rapid formation of cross‑protocol recovery task forces highlight a growing willingness to coordinate defensive measures at the ecosystem level.
A recent Decrypt feature and Ripple’s own messaging frame the new data‑sharing initiative as an attempt to get ahead of this evolution in tactics—moving the industry from fragmented awareness to shared, real‑time intelligence against what security researcher Natalie Newson at CertiK calls “a state-directed financial operation running at institutional scale and speed.”

