Ripple to share North Korean threat intelligence with crypto firms
Ripple said April’s $285 million Drift breach revealed a new pattern of long-cycle social engineering replacing traditional smart contract exploits.
What to know:
- Ripple is sharing its internal intelligence on North Korean threat actors with the Crypto ISAC to help crypto firms spot coordinated infiltration campaigns.
- Recent attacks like the Drift and Kelp exploits relied on long-term social engineering and malware, not smart contract bugs, allowing North Korean operatives to steal more than $500 million in a month.
- The Lazarus Group’s alleged role in these thefts is now influencing legal battles, including efforts to claim frozen Arbitrum-linked funds for victims of North Korean terrorism, even as it remains unclear whether industry-wide intel sharing will curb future attacks.
Nobody found a bug or exploited a smart contract. North Korean operatives spent months befriending Drift’s contributors, slipped malware onto their machines, and walked off with the keys. By the time the $285 million moved, every system that was supposed to catch a hack had nothing to flag.
That is the version of events Ripple and Crypto ISAC, the crypto industry’s threat-sharing group, laid out Monday alongside news that Ripple is now sharing its internal data on North Korean threat actors with the rest of the sector.
The 2022-24 wave of DeFi hacks centred on exploiting code, with attackers finding smart contract vulnerabilities and draining protocols in minutes.
But as security gets tighter, the modus operandi shifts from technology to people. Rogue operatives apply for jobs at crypto firms, pass background checks, show up on Zoom calls and build trust for months. Then they deploy attacks that no traditional security tool was built to catch, because the attacker is already inside.
