Ripple announced it’s contributing exclusive North Korean threat intelligence to the Crypto Information Sharing and Analysis Center, addressing a pattern that’s become impossible to ignore: threat actors who fail a background check at one company apply to three more the same week. Without shared intelligence, every security team starts from zero.
The intelligence covers domains, wallets tied to fraud, and Indicators of Compromise from active DPRK campaigns. The contextual layer is what matters: a flagged IT worker profile includes LinkedIn, email, location, contact number, and the correlated signals tying that individual to a broader campaign. Ripple is an early adopter of Crypto ISAC’s new API designed for crypto-specific threat data.
Infiltration Over Exploits
Crypto ISAC said the latest wave of North Korean operations is shifting away from traditional exploits and toward something harder to detect: trusted access gained through social engineering, recruitment, and long-term deception. Many hacks didn’t start with a smart contract exploit. They started with months of social engineering by DPRK operatives gaining trust as contributors, then compromising devices and multisig wallets from the inside.
The initiative lands as DeFi exploit losses cross $1 billion in 2026, with Drift Protocol ($285M), KelpDAO ($293M), and Sweat Economy ($2.5M) all tied to social engineering or insider access vectors.
Real-Time Defense, Shared Posture
Ripple framed the move as a shift from isolated defense to coordinated industry response. “The strongest security posture in crypto is a shared one,” the company said. A threat actor cycling through multiple firms isn’t a theoretical risk; it’s the norm. Traditional indicators aren’t enough to catch operators who embed themselves as legitimate contributors over months.
No single company can see the full picture alone. Ripple’s contribution is high-confidence DPRK threat data, enriched and contextualized, allowing security teams to move from awareness to action. The industry is fortifying, not just growing. Real money demands real security, and the approach now is collaborative detection rather than siloed vigilance. North Korean actors aren’t just attacking crypto; they’re infiltrating it, and the response is shifting to match.
