Ripple is sharing its intelligence on North Korea-linked threat actors with the broader crypto sector, as recent attacks have showcased a shift toward more sophisticated social engineering tactics.
Crypto ISAC, a non-profit focused on tackling crypto security challenges, announced Tuesday that Ripple is contributing its internal data, including fraud-associated domains, wallet addresses, and indicators of compromise tied to North Korean hacking campaigns.
The move follows the recent $280 million Drift incident, which Crypto ISAC said has served as a "wakeup call for the industry," as the attack didn't start with a smart contract exploit or a bug. Instead, it began by gaining the trust of Drift contributors and ultimately compromising their devices.
"Companies in both crypto-native and traditional financial institutions are seeing more of this type of sophisticated operation, linked to North Korean threat actors who are working from the inside out," Christina Spring, director of growth at Crypto ISAC, wrote.
"This is a social engineering campaign on a new level," said Spring.
Ripple also said on X that a threat actor who fails a background check at one company could quickly target others. "Without shared intelligence, every company starts from zero," the firm said, adding that shared intelligence now allows the industry to "act on threats in real-time."
As part of the initiative, Crypto ISAC said it has launched a new API designed to enable fast, actionable data sharing.
The organization noted that Ripple, Coinbase, and other founding members are among the first to integrate the tool into their security operations.
"As an early adopter, we've been working closely with Crypto ISAC to onboard and operationalize new data sources in a way that aligns with our internal workflows," Erin Plante, Ripple's director of brand security and intelligence, said in the blog post.
Crypto attacks attributed to North Korean hacking groups continue to rise. According to a report from blockchain intelligence firm TRM Labs, North Korea's share of global crypto hack losses surged from below 10% in 2020 and 2021 to 64% in 2025.
TRM has also linked the $292 million Kelp DAO exploit to TraderTraitor, a North Korean Lazarus-affiliated operation.
North Korean authorities have denied such allegations. A Foreign Ministry spokesperson described the claims as "absurd slander" and a "political tool" used by the U.S. to facilitate a "hostile policy," according to state news agency KCNA.
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.
© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
