Ripple is handing over threat intelligence linked to North Korea's cyber operations to the Crypto ISAC, a nonprofit information-sharing group for the crypto industry. The data — covering fraud domains, wallet addresses, and compromise indicators from active DPRK campaigns — is meant to help crypto firms screen applicants, contractors, and vendors for potential infiltration.
What's in the intel
The shared intelligence is pulled from Ripple's own monitoring of DPRK-linked activity. It includes domains used in phishing and social-engineering attacks, wallets that have been tied to North Korean theft operations, and technical indicators of compromise. These are the kinds of signals that could flag a fake contractor resume or a supplier with hidden ties to state-backed hackers.
North Korean cyber groups have been targeting crypto companies for years — draining exchanges, planting insiders, and running long-term credential-harvesting operations. The threat intelligence gives smaller firms, which might not have dedicated threat-hunting teams, a ready-made blacklist against which to check new hires and business partners. It's a practical move, not a theoretical one.
The partnership
Crypto ISAC will act as the distribution hub, getting the data to its member companies. The organization was formed to facilitate exactly this kind of cross-industry sharing — something that's been slow to take off in crypto compared to traditional finance. Ripple is one of the first major protocols to contribute raw intelligence at this scale.
The timing isn't accidental. North Korea-linked attacks on crypto firms have picked up this year, and the industry has been under pressure from regulators to show it's taking cybersecurity seriously. Sharing threat data is one concrete way to do that.




