Ripple opens up North Korean threat intelligence to crypto firms

Ripple is now sharing its internal threat intelligence about North Korean hackers with the crypto industry, the company said on Monday, in a move that reframes how the sector responds to a shift in DPRK attack methodology.

The Drift hack was not a hack in the way most people think of it.

No one found a bug or exploited a smart contract. North Korean operators spent months befriending Drift’s contributors, slipping malware onto their machines and walking away with the keys. By the time the $285 million moved, every system that was supposed to catch a hack had nothing to flag.

That’s the version of events that Ripple and Crypto ISAC, the crypto industry’s threat sharing group, laid out on Monday along with the news that Ripple is now sharing its internal data on North Korean threat actors with the rest of the sector.

The 2022-2024 wave of DeFi hacks centered on exploiting code: attackers found smart contract vulnerabilities and drained protocols in minutes.

But as security tightens, the modus operandi shifts from technology to people. Rogue operators apply for jobs at crypto firms, pass background checks, show up on Zoom calls and build trust over months. Then they deploy attacks that no traditional security tool was built to catch because the attacker is already inside.

Ripple is now feeding Crypto ISAC the kind of profile data that makes that pattern readable across companies: LinkedIn profiles, email addresses, locations and contact numbers, the connective tissue that lets a security team recognize the candidate they just interviewed as the same operator who failed background checks at three other companies last week.
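The value of that shared data comes from being able to match an applicant against it even when the details differ cosmetically (capitalised email, dotted or plus-tagged Gmail address, differently formatted phone number, profile URL with or without a scheme). The following is an added illustration, not Ripple's or Crypto ISAC's code, of how a hiring-security team might normalise those indicator types and look a candidate up in a shared feed; the feed layout, the `EXAMPLE-0001` report id and every identifier in it are constructed placeholders, not real data.

```python
"""Match a job applicant's contact indicators against a shared threat feed.

Added illustration, not Ripple's or Crypto ISAC's code. Assumes a feed of
records, each carrying the indicator types named in the article (LinkedIn
profile, email, phone, location); the record layout and sample values are
constructed here for the example.
"""
import re
from urllib.parse import urlparse

# Constructed sample feed: what a shared report might look like after another
# member flagged an applicant. Values are placeholders, not real identifiers.
SHARED_FEED = [
    {
        "report_id": "EXAMPLE-0001",
        "linkedin": "https://www.linkedin.com/in/jane-doe-dev/",
        "emails": ["Jane.Doe.Dev@gmail.com"],
        "phones": ["+1 (555) 010-0001"],
        "location": "Remote",
    },
]


def normalize_email(addr):
    """Lower-case the address and drop Gmail dot/plus-tag variations, which
    otherwise let one mailbox present as several distinct applicants."""
    local, _, domain = addr.strip().lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def normalize_phone(num):
    """Keep digits only; a leading US '1' is dropped so formats compare equal."""
    digits = re.sub(r"\D", "", num)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def normalize_linkedin(url):
    """Reduce a profile URL to its vanity handle, ignoring scheme, host and
    trailing slashes; a bare 'linkedin.com/in/...' form is accepted too."""
    url = url.strip().lower()
    if "://" not in url:
        url = "https://" + url
    parts = urlparse(url).path.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "in":
        return parts[1]
    return parts[-1] if parts else ""


def index_feed(feed):
    """Build a lookup from (indicator_type, normalized_value) to report ids."""
    index = {}
    for rec in feed:
        keys = [("linkedin", normalize_linkedin(rec["linkedin"]))]
        keys += [("email", normalize_email(e)) for e in rec["emails"]]
        keys += [("phone", normalize_phone(p)) for p in rec["phones"]]
        for key in keys:
            index.setdefault(key, set()).add(rec["report_id"])
    return index


def match_candidate(candidate, index):
    """Return {indicator_type: [report_ids]} for every indicator that hits.

    Only exact matches on normalized identifiers count; location is deliberately
    not matched on its own because it is far too common to be a signal.
    """
    probes = [("linkedin", normalize_linkedin(candidate.get("linkedin", "")))]
    probes += [("email", normalize_email(e)) for e in candidate.get("emails", [])]
    probes += [("phone", normalize_phone(p)) for p in candidate.get("phones", [])]
    hits = {}
    for kind, value in probes:
        if value and (kind, value) in index:
            hits[kind] = sorted(index[(kind, value)])
    return hits


if __name__ == "__main__":
    # Constructed applicant whose details differ cosmetically from the feed entry.
    applicant = {
        "linkedin": "linkedin.com/in/Jane-Doe-Dev",
        "emails": ["janedoedev+jobs@gmail.com"],
        "phones": ["555-010-0001"],
    }
    print(match_candidate(applicant, index_feed(SHARED_FEED)))
```

A hit on several independent indicator types is a much stronger signal than one, which is why the function reports each type separately rather than a single boolean; a reviewer can then weigh an email-only match (easily a coincidence or a typo) differently from a profile, email and phone all lining up with another member's report.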

“The strongest security position in crypto is a shared one,” Ripple wrote on X. “A threat actor who fails a background check on one company will apply for three more in the same week. Without shared intelligence, every company starts from scratch.”

Lazarus Group’s reach across the crypto sector is now visible enough that it has begun to reshape litigation as well as security procedures.

On Monday, a lawyer representing victims of North Korean terrorism filed an application against Arbitrum DAO, claiming that the 30,765 ETH frozen after April’s Kelp Bridge exploit is North Korean property under US enforcement law.

The lending protocol Aave has since disputed this application in support of Arbitrum, arguing that a “thief does not acquire legal title to stolen property simply by taking it.”

The Kelp breach had drained $292 million in ether (ETH) and was also publicly attributed to Lazarus Group operators, bringing April’s Drift and Kelp losses combined to more than half a billion dollars tied to a single state actor in a single month.

Whether industry-level intelligence sharing actually slows down the campaigns is an open question. The same operators may already be in the next round of interviews somewhere.
