Ripple Shares North Korean Threat Intelligence With Crypto Industry Through New API

Ripple is sharing internal data on North Korean hackers with the crypto industry, signaling a shift in response to increasingly sophisticated attacks.

 

The San Francisco-based company announced Monday that it is now sharing its internal threat intelligence on North Korean hackers with the broader crypto industry. 

The data is being routed through Crypto ISAC, a nonprofit that helps crypto companies share security information and defend against cyber threats targeting digital assets.

The announcement comes as North Korean operatives have shifted away from exploiting code and toward infiltrating companies from the inside. 

The 2022–24 wave of DeFi hacks centred on finding smart contract vulnerabilities and draining protocols in minutes. Now, the attack surface has moved from technology to people.

The Drift Hack Changed Everything

The Drift hack is a stark example of how the threat has evolved. 

On April 1, 2026, the Solana-based decentralised exchange lost approximately $285 million after a six-month social engineering campaign that had begun in autumn 2025.

Nobody found a bug or exploited a smart contract. North Korean operatives spent months befriending Drift’s contributors, slipped malware onto their machines, and walked off with the keys. 

By the time the $285 million moved, every system that was supposed to catch a hack had nothing to flag.

The Drift incident was not isolated. According to TRM Labs, North Korean hackers often linked to groups like Lazarus, also known as TraderTraitor stole almost $577 million across the Drift Protocol and KelpDAO hacks alone, accounting for 76% of all crypto hack losses in the period. 

Total DPRK crypto theft has now surpassed $6.7 billion, according to Chainalysis data.

What Ripple Is Sharing

The data shared by Ripple includes domains and wallets linked to fraudulent activity, as well as indicators of compromise from active DPRK hacking campaigns. 

The intelligence is developed through AI-enhanced detection workflows and is contextually enriched.

A DPRK IT worker profile shared through the system, for example, includes a name, LinkedIn profile, email address, location, contact number, and correlated signals linking that individual to a broader campaign. 

That level of detail is designed to help security teams spot a suspicious job applicant before they gain access not after.

Erin Plante, Director of Brand Security and Intelligence at Ripple, described how the integration works in practice. 

“As an early adopter, we’ve been working closely with Crypto ISAC to onboard and operationalize new data sources in a way that aligns with our internal workflows. 

The result is higher-quality, more actionable intelligence that we can integrate directly into our security operations,” she said.

A New API at the Centre of It All

Crypto ISAC has launched a new API to distribute the shared intelligence. 

The API allows companies to integrate threat data directly into their internal security systems, enabling faster detection and response coordination across platforms.

The API normalises indicators, preserves context, assigns confidence levels, and maintains links between related signals so member organisations can see how a domain, wallet, or identity fits a larger pattern.

Coinbase has already adopted the updated API for operational use. Jeff Lunglhofer, Coinbase’s Chief Information Security Officer, explained what the system offers that raw data feeds cannot. 

“One of the biggest challenges in crypto threat intelligence is bridging the gap between raw signals and operational decisions. 

As an early adopter, we’ve already seen how this improves our ability to act on intelligence in real time,” he said.

The Case for Collective Defence

Ripple‘s core argument is that isolated security efforts are no longer sufficient. The company posted on X: “The strongest security posture in crypto is a shared one. 

A threat actor who fails a background check at one company will apply to three more that same week. Without shared intelligence, every company starts from zero.”

Crypto ISAC’s Executive Director Justine Bone echoed that position. “For too long, information sharing was seen as optional. 

Today, it is the gold standard for security,” she said.

The initiative is also beginning to have legal consequences. 

On Monday, an attorney representing victims of North Korean terrorism served restraining notices on Arbitrum DAO, arguing that 30,765 ETH frozen after April’s Kelp bridge exploit is North Korean property under US enforcement law.

Whether the intelligence-sharing model can keep pace with the threat remains an open question. 

The same operatives may already be in the next round of job interviews somewhere. 

Whether the system outpaces incidents like the Kraken infiltration attempt will depend on how many firms adopt it.