Ripple Shares DPRK Threat Data After Drift Attack Exposes Insider Crypto Breach

Highlights:
- Ripple will share DPRK threat data after the Drift case exposed insider attacks in crypto firms.
- Hackers are targeting employees, gaining their trust, and accessing wallets instead of exploiting smart contracts.
- Crypto firms will use the shared intelligence to track repeat attackers and improve response speed.
Ripple has begun sharing internal DPRK threat intelligence with Crypto ISAC after insider-driven attacks hit crypto firms. The collaboration will help protect the industry from the recent wave of attacks, in which attackers have been infiltrating teams rather than exploiting code.
🚨Ripple is moving beyond payments and into critical infrastructure security—now contributing high-confidence DPRK (North Korea–linked) threat intelligence through Crypto ISAC.
When infrastructure matures, adoption follows. pic.twitter.com/pgTnAywI3Y
— Ledger Man 🎩 (@strivex_) May 4, 2026
In the Drift case, attackers secured roles by passing hiring checks and joining contributor teams. They attended meetings, completed assigned tasks, and built trust over several months. After gaining access, the attackers deployed malware on employee devices to control internal systems. They then accessed multisig wallets and transferred funds using compromised internal credentials.
Security systems failed because they treated the activity as trusted internal operations. No smart contract vulnerability was involved in the breach. Attackers executed the transfers from inside the system using valid access.
This method differs from the earlier DeFi exploits that relied on code flaws. During the earlier period, hackers targeted vulnerabilities in smart contracts and drained funds quickly. Improved auditing tools reduced those opportunities across major protocols. Attackers then shifted focus to employees and internal workflows inside firms. They now apply for roles, gain trust, and execute attacks using internal access.
Ripple described how DPRK threat actors move across firms during hiring cycles. The company stated, “The strongest security posture in crypto is a shared one. A threat actor who fails a background check at one company will apply to several others within days. Without shared intelligence, every firm starts from zero.”
The strongest security posture in crypto is a shared one.
A threat actor who fails a background check at one company will apply to three more that same week. Without shared intelligence, every company starts from zero.
Ripple is now contributing exclusive DPRK threat… https://t.co/ZiXD25iOBx
— Ripple (@Ripple) May 4, 2026
Ripple Shared Intelligence Helps Firms Track Threats Faster
Ripple now provides enriched datasets to Crypto ISAC to aid cross-company threat detection. The datasets contain malicious domains, wallet addresses, and indicators of compromise from ongoing campaigns. Ripple will also offer LinkedIn profiles, email addresses, phone numbers, and location information associated with suspected actors.
Erin Plante, Director of Brand Security and Intelligence at Ripple, explained the integration. She said, “Crypto ISAC’s updated API marks a step forward for intelligence sharing. It helps deliver more actionable data directly into our security workflows. This allows teams to detect and respond to threats with higher confidence.”
Crypto ISAC designed its updated API to standardize DPRK threat data across Web2 and Web3 systems. The model preserves context and confidence levels within shared intelligence. Coinbase integrated the API into its security operations to improve detection speed.
Crypto ISAC reported that DPRK attackers often target multiple firms during the same period. Security teams must act immediately after receiving shared intelligence to block repeat access attempts.
DPRK Threat Shapes Legal Cases and Industry Risk
Legal action has followed activity linked to the same DPRK threat actors. An attorney representing victims of North Korean terrorism served restraining notices on Arbitrum DAO. The notices target 30,765 ETH frozen after the April Kelp exploit. The attorney argued that the funds qualify as North Korean-linked property under U.S. enforcement law.
However, Aave challenged this claim in its filing. The company stated that stealing assets does not give attackers lawful ownership of them. It supported Arbitrum’s decision to hold the frozen funds while they remain under dispute.
Aave LLC has filed an emergency motion to vacate a restraining notice served on Arbitrum DAO on May 1, 2026 that attempts to seize approximately $71 million in ETH belonging to victims of the April 18 exploit.
A thief does not gain lawful ownership of stolen property simply by… pic.twitter.com/NwgKIdU1L7
— Aave (@aave) May 4, 2026
Security firms linked the Drift incident and the Kelp exploit to the Lazarus Group. The two incidents resulted in combined losses exceeding $500 million within one month. Authorities have also connected previous large-scale crypto thefts to the same group.
Austin Mwendia
Austin Mwendia is a passionate crypto journalist with three years of experience. He has contributed to various media outlets, covering blockchain technology, market analysis, and financial trends. He is committed to educating readers and expanding the adoption of blockchain and decentralized finance.