Ripple is now sharing its internal intelligence on North Korean threat actors with Crypto ISAC, the industry's threat-sharing group, after April's $285 million Drift breach exposed a shift in attacker methodology away from smart-contract exploits toward long-cycle social engineering. Combined with the $292 million Kelp bridge exploit also attributed to Lazarus Group, April losses tied to North Korean operatives crossed $577 million in a single month — and in both cases, no on-chain exploit was involved.
Why it matters
The 2022–2024 wave of DeFi theft centred on code: attackers found smart-contract bugs and drained protocols in minutes. The current wave centres on people. Operatives apply for jobs at crypto firms, pass background checks, show up on Zoom calls, and build trust for months before deploying malware that walks off with private keys. By the time the funds move, every traditional security control has nothing to flag — because the attacker was already inside, credentialed as a contractor.
Ripple's contribution to Crypto ISAC is the connective tissue that makes that pattern legible across companies: LinkedIn profiles, email addresses, locations, and contact numbers that let a security team recognise the candidate they just interviewed as the same operative who failed background checks at three other firms the same week. "The strongest security posture in crypto is a shared one," Ripple posted on X. "A threat actor who fails a background check at one company will apply to three more that same week. Without shared intelligence, every company starts from zero."
Market impact
Lazarus Group's reach is now visible enough to reshape legal proceedings. On Monday, an attorney representing victims of North Korean terrorism served restraining notices on Arbitrum DAO, arguing that the 30,765 ETH frozen after the Kelp bridge exploit is North Korean property under US enforcement law. Lending protocol Aave countered in support of Arbitrum, arguing that "a thief does not gain lawful ownership of stolen property simply by taking it."
Whether industry-level intel sharing actually slows the campaigns is the open question.
Frequently asked questions
-
Will industry-level threat intelligence sharing actually slow Lazarus Group?
The question is open. Shared profile data may help firms reject operatives faster, but the same operatives could already be in interviews elsewhere — and April's losses suggest the cost of failure is now hundreds of millions per incident.
CoinDesk