Ripple Shares DPRK Threat Intelligence With Crypto ISAC

Ripple is contributing internal data on suspected North Korean hackers (domains, wallets, IOCs and enriched profiles) to Crypto ISAC for members to block, detect and prevent infiltrations.

Ripple announced Monday it will share internal threat intelligence on suspected North Korean hackers with members of the nonprofit Crypto ISAC. The company said the feed includes domains, wallet addresses, indicators of compromise and enriched profiles of individuals and infrastructure linked to DPRK campaigns.

The contribution will be available to Crypto ISAC members and is intended to help firms block malicious domains and wallets, detect account activity consistent with DPRK tactics, and strengthen hiring and access controls against social-engineering attempts.

Security firms attribute $577 million in stolen cryptocurrency to DPRK-linked groups through April 2026, a total that represents about 76% of reported crypto hack losses this year. The April Drift exploit is estimated at roughly $285 million after what investigators describe as a months-long social engineering campaign targeting platform contributors.

Analysts say attackers are increasingly combining patient, human-focused campaigns with technical intrusion. In the Drift incident, operators cultivated relationships with contributors over months before installing malware and extracting private keys. In the KelpDAO case, operators compromised internal RPC nodes and applied distributed-denial-of-service pressure on external nodes to feed false data into LayerZero Labs’ DVN.

Christina Spring, director of growth at Crypto ISAC, wrote that Ripple’s data “ranges from domains and wallets known to be associated with fraud, to Indicators of Compromise (IOCs) from active DPRK hack campaigns,” and that the feed includes contextualized profiles from Ripple’s operational work.

Natalie Newson, senior blockchain security researcher at CertiK, pointed to recent coordinated attacks and the appearance of a macOS malware kit, describing the activity as a state-directed financial operation at institutional scale.

Industry responses have included fund freezes and litigation. The Arbitrum Security Council froze more than 30,000 ETH linked to attackers after the KelpDAO exploit. Aave has filed in U.S. federal court in New York seeking to unfreeze about $71 million that was frozen on Arbitrum, arguing those assets belong to its users rather than entities tied to North Korea.

Justine Bone, executive director of Crypto ISAC, described Ripple’s contribution as a proof of concept for coordinated defenses and urged that information sharing become a routine practice across crypto firms.

Ripple and Crypto ISAC said the shared feed aims to reduce duplicate background checks and repeated investigations by giving member organizations a starting set of known malicious indicators.
