Ripple says it is expanding the sharing of internal threat intelligence about North Korean hacking activity with other crypto firms, partnering with the industry threat-sharing group Crypto ISAC. The move comes as high-profile breaches highlight an evolution in attack methods—from rapid smart-contract exploits toward long-cycle social engineering and insider-style compromises.

Ripple pointed to the April breach at Drift, described as an operation in which threat actors allegedly spent months building trust with contributors, deploying malware, and ultimately taking control of keys—bypassing many conventional “hack detection” systems that are designed to spot on-chain exploits or anomalous contract calls.

In this model, the initial compromise happens off-chain: job applications, Zoom calls, and extended relationship-building become the attack surface. That makes it harder for individual companies to detect repeat operators, because each firm sees only a slice of the overall campaign.

Ripple says sharing indicators—such as profiles, email addresses, locations, and other connective identifiers—can help security teams spot patterns across organizations and prevent the same operatives from cycling through multiple hiring pipelines undetected.
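The cross-organization correlation described above can be sketched as follows. This is an added example, not code from Ripple or Crypto ISAC: the record fields (`firm`, `persona`, `email`, `github`), the normalization rules, and all sample values are constructed assumptions. It groups applicant sightings from several firms whenever they share a normalized identifier, including indirect links that no single firm could see on its own.

```python
import re
from collections import defaultdict

# Constructed sightings: each firm reports only what its own hiring pipeline saw.
SIGHTINGS = [
    {"firm": "firm-a", "persona": "Alex R.", "email": "Alex.Dev+jobs@example.com", "github": "alexr-dev"},
    {"firm": "firm-b", "persona": "A. Rivera", "email": "alex.dev@example.com", "github": "rivera-sol"},
    {"firm": "firm-c", "persona": "Sam K.", "email": "samk@example.org", "github": "Rivera-Sol"},
    {"firm": "firm-c", "persona": "Dana L.", "email": "dana@example.net", "github": "danal"},
]

def normalize(kind, value):
    """Canonicalize an identifier so trivial variations still match."""
    value = value.strip().lower()
    if kind == "email":
        local, _, domain = value.partition("@")
        value = re.sub(r"\+.*$", "", local) + "@" + domain  # drop +tag sub-addressing
    return (kind, value)

def cluster(sightings, kinds=("email", "github")):
    """Group sightings that share any normalized identifier (union-find)."""
    parent = list(range(len(sightings)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path compression
            i = parent[i]
        return i
    first_seen = {}  # normalized identifier -> index of first sighting carrying it
    for i, s in enumerate(sightings):
        for kind in kinds:
            if s.get(kind):
                key = normalize(kind, s[kind])
                if key in first_seen:
                    parent[find(i)] = find(first_seen[key])
                else:
                    first_seen[key] = i
    groups = defaultdict(list)
    for i, s in enumerate(sightings):
        groups[find(i)].append(s)
    return list(groups.values())

def cross_firm_clusters(sightings):
    """Return only clusters seen by more than one firm: likely repeat operators."""
    return [g for g in cluster(sightings) if len({s["firm"] for s in g}) > 1]

if __name__ == "__main__":
    for group in cross_firm_clusters(SIGHTINGS):
        print(sorted({s["firm"] for s in group}), [s["persona"] for s in group])
```

In the constructed data, firm-a and firm-c share no identifier directly; they are linked only through firm-b's sighting, which is the pattern that stays invisible when each firm keeps its records to itself.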

Why it matters

- Increasingly, the largest crypto losses can stem from key theft and operational compromise, not just code bugs.

- Threat intelligence sharing can reduce “starting from zero” for each firm and may improve collective defense.

- The policy and legal consequences of DPRK-linked theft are growing, as courts and claimants pursue recovered assets tied to alleged state actors.

Practical implications for firms

Security teams may increase screening for social engineering risks, expand device hygiene requirements for contributors, and adopt shared intel feeds to identify repeat adversary infrastructure and personas.