North Korea’s cyber operatives have changed tactics. They are no longer primarily hunting smart contract bugs or zero-day exploits. They are applying for jobs, building trust for months, and walking through the front door. Ripple announced Monday it is now contributing exclusive DPRK threat intelligence to Crypto ISAC so the rest of the industry can act in real time rather than rebuild from scratch every time the same operative resurfaces at a different firm.

The shift in methodology is not theoretical. The Drift protocol breach did not begin with code. According to Crypto ISAC’s account of the incident, North Korean actors spent months embedding themselves among Drift contributors, earned their trust, deployed malware to their machines, and then compromised multisig wallets to move funds. No traditional indicator of compromise had anything to flag; the attackers were already inside.

When the Threat Actor Looks Like a Trusted Hire

Ripple posted on X that the strongest security posture in crypto is a shared one, adding that a threat actor who fails a background check at one company will apply to three more that same week. Without shared data flowing between firms, each company meets that same operative with zero prior knowledge.

That is exactly the gap the Crypto ISAC intelligence contribution is built to close. As Crypto ISAC posted on X, Ripple is now contributing high-confidence DPRK threat data through the network, helping security teams move from awareness to actual action. The latest wave of attacks is shifting away from technical exploits toward something harder to detect — trusted access gained through social engineering, recruitment, and long-term deception.

What Ripple is feeding into Crypto ISAC goes further than a basic threat list. Each DPRK IT worker profile in the system contains a LinkedIn account, an email address, a phone number, a location, and the correlated signals that tie that individual to a broader coordinated campaign. That depth is what allows a security team at one firm to recognize, mid-interview, the same operative who failed vetting at three others last week.

The data is built using AI-enhanced detection workflows, according to Ripple’s Director of Brand Security and Intelligence, Erin Plante. In a statement, Plante said the newly updated API produces higher-quality intelligence that can be integrated directly into security operations rather than sitting in a report nobody reads in time.

The API Behind the Defense Network

Crypto ISAC launched a new API specifically to move this kind of enriched, high-confidence data. Ripple, Coinbase, and other founding members of the network are among the first companies to connect through it. The API normalizes intelligence across both Web2 and Web3 threat indicators and delivers it in a format built for direct integration into live security workflows.

Jeff Lunglhofer, Chief Information Security Officer at Coinbase, said the data model that emerged from working with Crypto ISAC preserves context and confidence alongside raw indicators, not just one without the other. He noted that earlier adoption let Coinbase shape the data model to work with its internal processes. The result, in his words, gives security teams the ability to act on intelligence rather than simply receive it.
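As an added illustration, not Ripple’s code and not the Crypto ISAC API (whose schema the article does not describe), the Python below sketches the kind of cross-reference the profiles described above make possible. A hypothetical feed record carries each indicator (email, phone, LinkedIn, location) together with an analyst confidence and the context that ties it to a campaign; values are normalized before comparison so that plus-address tags, phone formatting and URL-versus-slug differences do not hide a reuse; and an applicant’s submitted contact details are scored against every profile. All names, profile data and the scoring rule are constructed for this example.

```python
# Constructed example: defender-side cross-reference of a shared threat-intel
# feed against a new applicant. The data model, feed contents and scoring are
# hypothetical and are NOT the Crypto ISAC API or Ripple's intelligence.
from __future__ import annotations
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Indicator:
    kind: str          # "email", "phone", "linkedin" or "location"
    value: str         # raw value as it was submitted to the feed
    confidence: float  # analyst confidence (0..1) that this belongs to the operative
    context: str       # why it is in the feed: context travels with the raw indicator


@dataclass(frozen=True)
class Profile:
    profile_id: str
    campaign: str
    indicators: tuple[Indicator, ...]


@dataclass
class Match:
    profile_id: str
    campaign: str
    score: float
    hits: list  # (kind, normalized value, context) for every indicator that matched


def normalize_email(raw: str) -> str:
    local, _, domain = raw.strip().lower().partition("@")
    local = local.split("+", 1)[0]            # drop plus-addressing tag
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")        # Gmail ignores dots in the local part
    return f"{local}@{domain}"


def normalize_phone(raw: str) -> str:
    digits = re.sub(r"\D", "", raw)           # keep digits only
    return digits[2:] if digits.startswith("00") else digits


def normalize_linkedin(raw: str) -> str:
    m = re.search(r"linkedin\.com/in/([^/?#]+)", raw, re.IGNORECASE)
    slug = m.group(1) if m else raw.strip().strip("/")
    return slug.lower()


def normalize_location(raw: str) -> str:
    return " ".join(raw.lower().split())      # collapse case and whitespace only


NORMALIZERS = {
    "email": normalize_email,
    "phone": normalize_phone,
    "linkedin": normalize_linkedin,
    "location": normalize_location,
}


def indicators_equal(kind: str, a: str, b: str) -> bool:
    # Phones: tolerate a missing country code by comparing the last 10 digits.
    if kind == "phone" and len(a) >= 10 and len(b) >= 10:
        return a[-10:] == b[-10:]
    return a == b


def match_applicant(applicant: dict, feed: list[Profile]) -> list[Match]:
    """Score an applicant's submitted details against every profile in the feed.

    Score is a noisy-OR of the matched indicators' confidences, so a weak
    indicator (e.g. location) barely moves a score that a strong one already set.
    """
    matches = []
    for profile in feed:
        hits, miss_product = [], 1.0
        for ind in profile.indicators:
            submitted = applicant.get(ind.kind)
            if submitted is None:
                continue
            norm = NORMALIZERS[ind.kind]
            if indicators_equal(ind.kind, norm(ind.value), norm(submitted)):
                hits.append((ind.kind, norm(ind.value), ind.context))
                miss_product *= 1.0 - ind.confidence
        if hits:
            matches.append(Match(profile.profile_id, profile.campaign, 1.0 - miss_product, hits))
    return sorted(matches, key=lambda m: m.score, reverse=True)


# Constructed feed: two hypothetical profiles, one of which the applicant reuses.
FEED = [
    Profile("itw-0001", "constructed-campaign-A", (
        Indicator("email", "j.doe.dev@example.com", 0.90, "same address on 3 applications this week"),
        Indicator("phone", "+1 (555) 010-0199", 0.70, "number shared with profile itw-0007"),
        Indicator("linkedin", "https://www.linkedin.com/in/JDoe-Dev/", 0.95, "stolen persona, photo reused"),
        Indicator("location", "Remote (US)", 0.20, "claimed location, weak signal"),
    )),
    Profile("itw-0002", "constructed-campaign-B", (
        Indicator("email", "other.person@example.net", 0.80, "linked to malware delivery"),
    )),
]

# Constructed applicant: different formatting of the same contact details.
SAMPLE_APPLICANT = {
    "email": "J.Doe.Dev+jobs@Example.com",
    "phone": "555-010-0199",
    "linkedin": "jdoe-dev",
    "location": "remote  (us)",
}

if __name__ == "__main__":
    for m in match_applicant(SAMPLE_APPLICANT, FEED):
        print(f"{m.profile_id} ({m.campaign}) score={m.score:.4f}")
        for kind, value, context in m.hits:
            print(f"  {kind}: {value}  <- {context}")
```

The point of keeping confidence and context on each indicator, rather than a bare list of values, is visible in the output: a reviewer sees not only that an email matched but why the feed considers it significant, and can weigh a high-confidence LinkedIn reuse differently from a low-confidence location claim.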

Justine Bone, Executive Director of Crypto ISAC, put it plainly: intelligence sharing was treated as optional for too long. Ripple’s move through the platform, she said, is the clearest demonstration yet of how shared data becomes an actionable defense strategy the whole industry can build on.

North Korea Stole Over $1.5 Billion From Bybit Alone

The scale behind this shift matters. North Korean-linked groups, including Lazarus, have been tied to the $1.5 billion theft from Bybit, the $290 million-plus Kelp bridge exploit, and the Drift breach. These are not isolated incidents. They reflect a sustained, coordinated campaign that has evolved in parallel with the industry’s improving code security.

As code-level defenses got tighter, the attack surface shifted to people. Hiring pipelines, contractor relationships, and remote work arrangements all create entry points that no firewall was designed to catch. Exchanges and protocols that lack dedicated security teams — common among smaller firms in Africa and other emerging markets building on Web3 infrastructure — have no practical way to identify the same DPRK operative across separate hiring processes without a network like Crypto ISAC doing the cross-referencing.

Christina Spring, Director of Growth at Crypto ISAC, described this as social engineering on a new level in the organization’s published blog post. The central question, as she framed it, is how to catch someone who looks like a trusted partner from the inside. Shared intelligence, she argued, is one of the few answers that actually scales.

Crypto ISAC is a member-driven, not-for-profit organization. Companies looking to contribute to or access the intelligence network can find membership details at cryptoisac.org.