Ripple is now sharing its internal threat intelligence on North Korean hackers with the crypto industry, the company announced Monday, in a move that reframes how the industry responds to a shift in DPRK attack methodology.
The Drift hack was not a hack in the sense that most people think of it.
No one found a bug or exploited a smart contract. North Korean agents spent months befriending Drift contributors, planting malware on their machines, and leaving with the keys. By the time the $285 million was transferred, all of the systems that were supposed to detect a hack had nothing left to report.
This is the version of events that Ripple and Crypto ISAC, the crypto industry’s threat sharing group, presented on Monday, alongside news that Ripple is now sharing its internal data on North Korean threat actors with the rest of the industry.
The wave of DeFi hacks from 2022 to 2024 focused on code exploitation, with attackers finding vulnerabilities in smart contracts and gutting protocols in minutes.
But as security becomes stronger, the modus operandi shifts from technology to people. Dishonest agents apply for jobs at crypto companies, pass background checks, show up on Zoom calls, and build trust for months. They then deploy attacks that no traditional security tool was designed to detect because the attacker is already inside.
Ripple now provides Crypto ISAC with the kind of profile data that makes this model legible across companies: LinkedIn profiles, email addresses, locations, and contact numbers, the connective tissue that allows a security team to recognize the candidate they just interviewed as the same agent who failed background checks at three other companies last week.
“The strongest security posture in crypto is shared,” Ripple posted on
The Lazarus Group’s reach in the crypto industry is now visible enough that it has begun to reshape legal as well as security procedures.
On Monday, a lawyer representing victims of North Korean terrorism served cease-and-desist notices to Arbitrum DAO, arguing that the 30,765 ETH frozen after the Kelp bridge breach in April is North Korean property under US law.
Lending company Aave has since challenged that filing in support of arbitration, arguing that a “thief does not acquire legal ownership of stolen property simply by taking it.”
The Kelp breach drained $292 million worth of ether (ETH) and was also publicly attributed to Lazarus Group operatives, bringing Drift and Kelp’s April losses to over half a billion dollars linked to a single state actor in the span of a single month.
It remains an open question whether industry-level intelligence sharing actually slows down campaigns. The same agents may already be somewhere in the next round of interviews.




