Ripple shares North Korean threat intelligence with the cryptocurrency industry, aiming to bolster defenses against increasingly sophisticated state-sponsored hacking groups. The U.S. blockchain payments company has initiated a program to disseminate its internal threat intelligence on North Korean hackers to the Crypto Information Sharing and Analysis Center (Crypto ISAC), a crucial threat-sharing group for the digital asset sector. This strategic move is designed to equip crypto firms with the necessary insights to identify and combat elaborate social engineering campaigns orchestrated by notorious entities like the Lazarus Group and its subgroups, including BlueNoroff, TraderTraitor, and Citrine Sleet (also known as AppleJeus or UNC4736).
This proactive stance by Ripple directly addresses a significant evolution in North Korean hacking methodologies. These groups have notably shifted their focus from exploiting technical code vulnerabilities to mastering human infiltration through intricate social engineering schemes. Their tactics often involve cultivating trust with individuals over several months, frequently by impersonating recruiters or legitimate entities, before deploying malware or manipulating victims into granting access to sensitive information and funds.
North Korea’s Evolving Cyber Warfare Tactics
The effectiveness of these new human-centric tactics was starkly illustrated by two nine-figure exploits in April 2026. These incidents underscore the urgent need for enhanced industry-wide threat intelligence sharing and robust defensive strategies.
- Drift Protocol Hack (April 1, 2026): The decentralized perpetual futures exchange on the Solana blockchain experienced a security breach resulting in the theft of approximately $285 million (with some reports indicating $286 million or $295 million) in digital assets. This was not a conventional smart-contract exploit but a highly coordinated “structured intelligence operation.” It involved months of social engineering, including in-person meetings at crypto conferences, technical engagement, and the distribution of malicious software to Drift contributors. Attackers manipulated two members of Drift’s “Security Council” into unknowingly pre-signing transactions, thereby transferring administrative control of the platform. This operation is widely attributed to a North Korean state-affiliated group, likely UNC4736 (Citrine Sleet/AppleJeus).
- KelpDAO Exploit (April 18, 2026): This liquid restaking protocol built on Ethereum suffered an exploit where approximately $292 million (some sources cite nearly $300 million or $293.7 million) in rsETH was illicitly minted. These unbacked tokens were then used as collateral to borrow WETH. The vulnerability stemmed from a single-verifier flaw in a LayerZero bridge, which permitted a forged signature to release the unbacked tokens. This incident is also linked to North Korean hackers, specifically the TraderTraitor subgroup of the Lazarus Group.
Collectively, these two attacks alone accounted for a staggering $577 million in losses, representing 76% of all crypto hack losses through April 2026. This occurred despite these incidents constituting only 3% of the total incident count. North Korean hacking groups have consistently increased their share of total crypto theft, surging from under 10% in 2020-2021 to a dominant 76% in 2026 year-to-date. The U.S. Treasury has explicitly stated that the funds acquired through these illicit schemes directly finance North Korea’s weapons of mass destruction and ballistic missile programs.
Ripple Shares North Korean Threat Intelligence to Fortify Defenses
Ripple’s shared intelligence is comprehensive, including critical data such as LinkedIn profiles, email addresses, locations, and phone numbers of suspected North Korean operatives. It also provides details on fraudulent domains, wallets, and vital indicators of compromise. This invaluable data, seamlessly integrated through Crypto ISAC’s new API, aims to establish a shared warning system for crypto firms. This system will enable them to quickly spot repeat applicants or personas linked to broader North Korean campaigns, significantly enhancing their security operations. Coinbase is among the founding members already leveraging this intelligence to strengthen its defenses.
“The proactive sharing of detailed threat intelligence is paramount in combating the evolving and sophisticated tactics employed by state-sponsored hacking groups.”
By openly sharing its internal findings, Ripple is taking a crucial step in fostering a more secure and resilient cryptocurrency ecosystem. This collaborative approach to threat intelligence is essential for protecting digital assets and preventing funds from financing dangerous state-sponsored activities, ultimately safeguarding the integrity and future of the crypto industry.




