XRP-Linked Ripple Opens North Korea Threat Intelligence to Crypto Firms

Ripple is now sharing its insider threat intelligence on North Korean hackers with the crypto industry, the company said on Monday, in a move that reframes how the sector is responding to a change in the DPRK’s attack methodology.

Drift’s trick wasn’t a trick in the way most people think one is.

No one found a bug or took advantage of a smart contract. North Korean agents spent months befriending Drift contributors, introducing malware to their machines, and taking the keys. When the $285 million was moved, every system that was supposed to detect an attack had nothing to point to.

That’s the version of events that Ripple and Crypto ISAC, the crypto industry threat exchange group, presented on Monday alongside the news that Ripple is now sharing its internal data on North Korean threat actors with the rest of the sector.

The wave of DeFi hacks from 2022 to 2024 centred on code exploitation: attackers found smart contract vulnerabilities and drained protocols in minutes.

But as code security tightens, the modus operandi shifts from technology to people. Hostile agents apply for jobs at crypto companies, pass background checks, appear on Zoom calls, and build trust for months. They then deploy attacks that no traditional security tool was designed to detect, because the attacker is already inside.

Ripple is now feeding Crypto ISAC the kind of profile data that makes that pattern readable across companies: LinkedIn profiles, email addresses, locations, contact numbers. This is the connective tissue that allows a security team to recognize the candidate they just interviewed as the same agent who failed background checks at three other companies last week.
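The matching step described above, as an added illustration rather than Ripple's or Crypto ISAC's own code: each firm normalizes the identifiers it collected during vetting, contributes only salted SHA-256 fingerprints of them to a shared feed, and checks new applicants against that feed. The feed format, the salt, the normalization rules and the sample indicators are all assumptions constructed for this example.

```python
"""Match a job candidate's identifiers against a shared insider-threat feed.

Added illustration, not code from Ripple or Crypto ISAC. It assumes the feed
distributes salted SHA-256 fingerprints of normalized indicators rather than
raw PII, and that every participant normalizes the same way before hashing.
"""
import hashlib
import re
from urllib.parse import urlparse

# Hypothetical salt agreed among feed participants (placeholder value).
FEED_SALT = b"example-feed-salt"


def normalize_email(value: str) -> str:
    """Lowercase, strip whitespace, drop a '+tag' from the local part, and
    remove dots in the local part for Gmail, which ignores them."""
    local, _, domain = value.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def normalize_phone(value: str) -> str:
    """Keep digits only, so '+1 (415) 555-0100' and '14155550100' agree.
    Simplification: a number submitted without a country code will not match."""
    return re.sub(r"\D", "", value)


def normalize_linkedin(value: str) -> str:
    """Reduce a profile URL or bare slug to the lowercase '/in/<slug>' part."""
    value = value.strip().lower()
    path = urlparse(value).path if "://" in value else value
    m = re.search(r"(?:^|/)in/([^/?#]+)", path)
    return m.group(1) if m else path.strip("/")


NORMALIZERS = {
    "email": normalize_email,
    "phone": normalize_phone,
    "linkedin": normalize_linkedin,
}


def fingerprint(kind: str, value: str) -> str:
    """Salted hash of 'kind:normalized-value'; this is what crosses the wire."""
    norm = NORMALIZERS[kind](value)
    return hashlib.sha256(FEED_SALT + f"{kind}:{norm}".encode()).hexdigest()


# Constructed sample feed: what one firm would contribute after an applicant
# failed vetting. Only the fingerprints leave that firm.
SHARED_FEED = {
    fingerprint("email", "jdoe@example.com"),
    fingerprint("phone", "+1 415 555 0100"),
    fingerprint("linkedin", "https://www.linkedin.com/in/jane-doe-123/"),
}


def match_candidate(profile: dict, feed: set) -> list:
    """Return the (kind, value) pairs from a candidate profile whose
    fingerprint appears in the shared feed. Kinds without a normalizer
    (e.g. free-text location) are ignored."""
    hits = []
    for kind, value in profile.items():
        if kind in NORMALIZERS and fingerprint(kind, value) in feed:
            hits.append((kind, value))
    return hits


if __name__ == "__main__":
    # Constructed applicant whose details differ cosmetically from the feed.
    candidate = {
        "email": "jdoe+jobs@EXAMPLE.com",
        "phone": "+1 (415) 555-0100",
        "linkedin": "linkedin.com/in/Jane-Doe-123",
        "location": "Remote",
    }
    print(match_candidate(candidate, SHARED_FEED))
```

Hashing the normalized value with a shared salt keeps raw applicant PII out of the exchange while still letting two firms discover they interviewed the same identity; the normalization rules are the part that has to be agreed on, since a stray "+tag" or phone formatting difference would otherwise produce a miss.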

“The strongest security posture in crypto is shared,” Ripple posted on

Lazarus Group’s reach in the cryptocurrency sector is now visible enough that it has begun to reshape legal and security procedures.

On Monday, a lawyer representing victims of North Korean terrorism served restriction notices on Arbitrum DAO, arguing that the 30,765 ETH frozen after the Kelp Bridge exploit in April is property of North Korea under US enforcement law.

Lending company Aave has since disputed that filing in support of Arbitrum, arguing that a “thief does not gain legal ownership of stolen property simply by taking it.”

The Kelp breach had drained $292 million worth of ether (ETH) and was also publicly attributed to agents of the Lazarus Group, bringing April’s Drift and Kelp losses to over $500 million tied to a single state actor in the span of a single month.

The open question is whether industry-level intelligence sharing actually slows down campaigns. The same agents may already be in the next round of interviews somewhere.
