{"id":27617,"date":"2026-05-05T17:05:25","date_gmt":"2026-05-05T17:05:25","guid":{"rendered":"https:\/\/bitunikey.com\/news\/ripple-to-share-dprk-hacker-intel-with-crypto-industry-after-577m-in-defi-hacks\/"},"modified":"2026-05-05T17:05:36","modified_gmt":"2026-05-05T17:05:36","slug":"ripple-to-share-dprk-hacker-intel-with-crypto-industry-after-577m-in-defi-hacks","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/ripple-to-share-dprk-hacker-intel-with-crypto-industry-after-577m-in-defi-hacks\/","title":{"rendered":"Ripple to share DPRK hacker intel with crypto industry after $577M in DeFi hacks"},"content":{"rendered":"<p><\/p>\n<div class=\"post-detail__content blocks\">\n<p class=\"is-style-lead\">Ripple is feeding North Korea\u2013linked threat intelligence into Crypto ISAC, hoping shared context on DPRK operatives and DeFi exploits can blunt a 2026 hack wave led by Drift and KelpDAO.<\/p>\n<div id=\"cn-block-summary-block_c9d72726b6a4daeaa72dbf3711443faf\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>Ripple is contributing exclusive North Korea\u2013linked threat intelligence to the Crypto ISAC information-sharing platform, arguing that \u201cthe strongest security posture in crypto is a shared one.\u201d<\/li>\n<li>DPRK hackers have stolen about $577 million in crypto so far in 2026\u201476% of all hack losses year-to-date\u2014largely via two DeFi exploits on Drift Protocol and KelpDAO.<\/li>\n<li>The intelligence covers enriched profiles of suspected North Korean IT operatives and detailed indicators of compromise (IOCs), as attackers pivot from pure technical exploits to long, social engineering\u2013driven campaigns.<\/li>\n<\/ul><\/div>\n<\/div>\n<p><!-- .cn-block-summary --><\/p>\n<p>Ripple said it has begun sharing internal threat intelligence on North 
Korean hacking activity with members of Crypto ISAC, a not-for-profit cyber collective focused on the digital asset sector.<\/p>\n<p>In a joint\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.cryptoisac.org\/news-member-content\/north-korean-hackers-are-infiltrating-crypto-companies-ripple-and-crypto-isac-are-sharing-the-intelligence-to-help-stop-them\" target=\"_blank\" rel=\"nofollow\">blog<\/a>, Crypto ISAC growth director Christina Spring wrote that the data \u201cranges from domains and wallets known to be associated with fraud, to Indicators of Compromise (IOCs) from active DPRK hack campaigns.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Ripple\u2019s threat feeds go to Crypto ISAC<\/h2>\n<p>She stressed that what differentiates Ripple\u2019s feeds is not just raw indicators but \u201ccontextual enrichment from a security team with deep expertise of the threat actors impacting the crypto ecosystem,\u201d giving defenders more actionable context than a typical IOC list.<\/p>\n<p>Ripple\u2019s own announcement on X argued that \u201cthe strongest security posture in crypto is a shared one,\u201d adding that \u201ca threat actor who fails a background check at one company will apply to three more that same week. 
Without shared intelligence, every company starts from zero.\u201d<a rel=\"nofollow\" target=\"_blank\" rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/x.com\/Ripple\/status\/2051336839202783489\"><\/a><\/p>\n<p>The intelligence reportedly includes enriched profiles of suspected North Korean IT workers attempting to embed themselves inside crypto and fintech firms, tying together email addresses, domains, on-chain wallets, and malware infrastructure used across multiple campaigns.<\/p>\n<h2 class=\"wp-block-heading\" id=\"drift-and-kelpdao-show-a-shift-to-social-engineeri\">Drift and KelpDAO show a shift to social engineering<\/h2>\n<p>Ripple\u2019s move comes in response to a wave of DPRK-linked attacks that have targeted DeFi in 2026, most notably the hacks on Solana-based Drift Protocol and re-staking platform KelpDAO.<\/p>\n<p>TRM Labs estimates that those two incidents alone netted North Korean groups about $577 million\u2014$285 million from Drift and roughly $292 million from KelpDAO\u2014accounting for 76% of all crypto hack value through April.<\/p>\n<p>Chainalysis and TRM note that North Korea\u2013linked actors stole more than $2 billion in 2025, bringing their cumulative haul above $6.7 billion, and that DPRK\u2019s share of global crypto hack losses climbed from under 10% in 2020 to 64% by 2025.<\/p>\n<p>The April 1 Drift exploit followed what The Hacker News and Chainalysis describe as a six\u2011month social engineering campaign that began in late 2025, during which North Korean proxies held in\u2011person meetings with Drift contributors and used that trust to convince signers to pre\u2011authorize withdrawals via Solana\u2019s \u201cdurable nonce\u201d feature.<\/p>\n<p>Attackers then executed 31 pre\u2011signed transactions in about 12 minutes, draining $285 million in assets before bridging most of the funds to Ethereum; TRM says the stolen ETH has largely remained dormant, indicating a cautious, long\u2011horizon laundering 
plan.<\/p>\n<p>The April 18 KelpDAO exploit used a different playbook: DPRK-linked actors compromised two internal RPC nodes, DDoS\u2019d external nodes, and fed false data into LayerZero Labs\u2019 DVN to mint 116,500 unbacked rsETH, then used that collateral to borrow about $196 million in ETH on Aave.<\/p>\n<p>Subsequent analysis from TRM and others shows that while the Arbitrum Security Council froze roughly $71.5 million in downstream ETH, the attackers quickly pivoted to swap remaining funds into BTC via THORChain and Chinese intermediaries, underscoring the sophistication and adaptability of their laundering operations.<\/p>\n<p>In response, Aave-led coalition DeFi United has raised more than $300 million in a recovery plan for KelpDAO, while Arbitrum\u2019s emergency freeze and the rapid formation of cross\u2011protocol recovery task forces highlight a growing willingness to coordinate defensive measures at the ecosystem level.<\/p>\n<p>A recent Decrypt\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/finance.yahoo.com\/markets\/crypto\/articles\/ripple-just-made-harder-north-042450480.html\" target=\"_blank\" rel=\"nofollow\">feature<\/a>\u00a0and Ripple\u2019s own messaging frame the new data\u2011sharing initiative as an attempt to get ahead of this evolution in tactics\u2014moving the industry from fragmented awareness to shared, real\u2011time intelligence against what security researcher Natalie Newson at CertiK calls \u201ca state-directed financial operation running at institutional scale and speed.\u201d<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ripple is feeding North Korea\u2013linked threat intelligence into Crypto ISAC, hoping shared context on DPRK operatives and DeFi exploits can blunt a 2026 hack wave led by Drift and 
KelpDAO.&hellip;<\/p>\n","protected":false},"author":1,"featured_media":2922,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-27617","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/27617","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=27617"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/27617\/revisions"}],"predecessor-version":[{"id":27618,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/27617\/revisions\/27618"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/2922"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=27617"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=27617"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=27617"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}