Ripple Feeds North Korean Cyber Threat Intel to Crypto ISAC Amid Drift Hack Fallout

Ripple is handing over exclusive North Korean cyber threat intelligence to the Crypto ISAC — including fraudulent domains, wallet addresses, and indicators of compromise — as the industry grapples with a string of sophisticated social engineering attacks. The intelligence includes enriched profiles of suspected North Korean IT workers, complete with LinkedIn accounts, emails, locations, and contact numbers tied to broader cyber campaigns. The move comes weeks after the Drift hack demonstrated how attackers can build trust over months to compromise multisig wallets, bypassing traditional security measures.

Inside the intel dump

Ripple's contribution covers more than raw data. The material includes profiles of suspected DPRK-linked IT workers that firms can cross-check during hiring and vendor due diligence. Crypto ISAC's executive director said shared intelligence has transitioned from optional to the 'gold standard' for security in the crypto industry. The organization warns that threat actors who fail background checks at one firm often apply to three others the same week — making shared data a practical necessity, not a nice-to-have.

The Drift case study

The Drift hack wasn't a quick smash-and-grab. Attackers spent months building trust with the target before exploiting multisig wallet controls. Traditional perimeter defenses — firewalls, antivirus, standard endpoint monitoring — didn't catch the long con. That's the kind of threat that benefits most from shared intelligence: spotting patterns across firms that no single company would see alone.

How the sharing works

Ripple, Coinbase, and other Crypto ISAC founding members are integrating their threat data through a new API that normalizes indicators across both Web2 and Web3 environments for security operations. The API lets member companies pull enriched threat profiles directly into their SIEMs and incident response workflows, cutting the lag between spotting a bad actor and blocking them across the network.

The Crypto ISAC expects more members to plug into the API over the coming months. For now, the focus is on getting the DPRK data into the hands of firms most likely to be targeted — exchanges, custodians, and DeFi protocols. The Drift playbook shows that attackers are patient; the industry's answer has to be just as persistent.