Tuesday, May 5, 2026
Mugglehead Investment Magazine
Alternative investment news based in Vancouver, B.C.
Ripple shares threat data as North Korean hackers shift to human infiltration
A representation of Ripple, a cryptocurrency network, in this illustration taken September 10, 2025. Image from Dado Ruvic via REUTERS


Ripple said it now shares internal data on suspected operatives with Crypto ISAC members

Ripple has begun sharing internal threat intelligence on North Korean hackers with the wider crypto industry, as firms confront a shift from code exploits to human infiltration.

The company disclosed the move Monday alongside Crypto ISAC, an industry threat-sharing group. It described a campaign style that relies less on software flaws and more on long-term deception. Additionally, attackers now target employees directly rather than protocols.

The recent Drift incident illustrates that change. Investigators said no smart contract bug triggered the loss. Instead, North Korean operatives spent months building trust with contributors. They then deployed malware and extracted private keys without tripping alarms.

Consequently, about USD$285 million moved without detection. Systems designed to catch technical exploits found nothing unusual. Furthermore, the attackers already operated inside trusted environments when they executed the theft.

From 2022 through 2024, most major DeFi breaches exploited code vulnerabilities. Attackers scanned contracts, found weaknesses, and drained funds within minutes. However, tighter security has reduced those openings.

As a result, adversaries shifted toward social engineering. They apply for jobs, pass screenings, and attend video interviews. Additionally, they maintain consistent identities across platforms to appear legitimate.

Over time, they gain access to internal systems and sensitive credentials. Subsequently, they execute attacks that resemble normal user behaviour. Traditional monitoring tools struggle to distinguish those actions from routine work.

Ripple said it now shares internal data on suspected operatives with Crypto ISAC members. That data includes LinkedIn profiles, email addresses, phone numbers, and geographic indicators. In addition, it maps connections between identities used across multiple applications.


The Lazarus Group sits at the centre of these campaigns

Security teams can then flag repeat applicants who failed checks elsewhere. Consequently, companies avoid evaluating the same threat actors in isolation. Ripple said shared intelligence strengthens collective defence across the sector.
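As an added illustration of the identity mapping described above (example code, not Ripple's or Crypto ISAC's own tooling), the following Python links shared indicator records that have any e-mail, phone or LinkedIn handle in common into one identity cluster, then checks inbound applicants against those clusters so a hit on one indicator also surfaces every firm that reported the linked identity. All records, firm names and contact values are constructed for the example.

```python
import re

# Constructed indicator records, shaped like what member firms might share on suspected operatives; no value is real.
SHARED = [
    {"source": "firm-a", "email": "Dev.Lee@example.net", "phone": "+1 (555) 010-2233", "linkedin": None},
    {"source": "firm-b", "email": "dev.lee@example.net", "phone": None, "linkedin": "linkedin.com/in/dl-solidity"},
    {"source": "firm-c", "email": "jwang.dev@example.org", "phone": "+15550104455", "linkedin": None},
]
# Constructed inbound applicants at the firm running the check.
APPLICANTS = [
    {"name": "A1", "email": "fresh@example.com", "phone": "+1 555 010 2233", "linkedin": None},
    {"name": "A2", "email": "alias@example.com", "phone": None, "linkedin": "https://www.linkedin.com/in/dl-solidity/"},
    {"name": "A3", "email": "clean@example.com", "phone": "+1 555 999 0000", "linkedin": None},
]

def normalize(kind, value):
    """Canonicalise one non-empty indicator so case, punctuation and URL-prefix variants still collide."""
    value = value.strip().lower()
    if kind == "phone":
        return "+" + re.sub(r"\D", "", value)
    if kind == "linkedin":
        return re.sub(r"^https?://(www\.)?", "", value).rstrip("/")
    return value

def keys(rec):
    """Set of (kind, canonical value) pairs carried by one record; empty fields are skipped."""
    return {(k, normalize(k, rec[k])) for k in ("email", "phone", "linkedin") if rec.get(k)}

def cluster_shared(shared):
    """Union-find: shared records with any indicator in common form one identity cluster.
    Returns ({indicator key: cluster id}, [cluster id of each shared record])."""
    parent = list(range(len(shared)))
    def find(i): return i if parent[i] == i else find(parent[i])
    owner = {}  # first record seen carrying each indicator
    for i, rec in enumerate(shared):
        for key in keys(rec):
            if key in owner:
                parent[find(i)] = find(owner[key])  # merge the two clusters
            owner.setdefault(key, i)
    return {key: find(i) for key, i in owner.items()}, [find(i) for i in range(len(shared))]

def flag_applicants(applicants, shared):
    """Applicants whose indicators reach a shared cluster, with what matched and which firms reported it."""
    key_to_cluster, cluster_of = cluster_shared(shared)
    hits = {}
    for app in applicants:
        matched = {k: key_to_cluster[k] for k in keys(app) if k in key_to_cluster}
        if matched:
            cids = sorted(set(matched.values()))
            reporters = {shared[i]["source"] for i, c in enumerate(cluster_of) if c in cids}
            hits[app["name"]] = {"clusters": cids, "matched": sorted(matched), "reported_by": sorted(reporters)}
    return hits
```

Applicant A2 matches only a LinkedIn handle reported by firm-b, yet the result names firm-a as well, because firm-a's and firm-b's records share an e-mail address and therefore collapse into one cluster.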

The Lazarus Group, widely linked to North Korea, sits at the centre of these campaigns. Its operations now affect both security practices and legal responses. Meanwhile, recent court actions reflect growing efforts to trace and freeze stolen assets.

An attorney for victims of North Korean terrorism filed restraining notices against Arbitrum DAO on Monday. The filing targets 30,765 ether frozen after April’s Kelp bridge exploit. It argues those assets qualify as North Korean property under U.S. enforcement law.

However, lending platform Aave disputed that claim in support of Arbitrum. It argued that theft does not grant legal ownership of assets. Additionally, the dispute raises questions about how courts treat decentralized entities.

The Kelp breach drained roughly USD$292 million in ether. Investigators also attributed that attack to Lazarus operatives. Combined with the Drift incident, April losses exceeded USD$500 million tied to a single state actor.

Furthermore, the scale and speed of these campaigns concern industry participants. Intelligence sharing may improve detection, but results remain uncertain. Attackers often operate multiple identities simultaneously across firms.

Consequently, some operatives may already sit inside new organizations. The industry now faces a threat model where trust, not code, becomes the primary vulnerability.

