Ripple said this week it will share its internal threat intelligence on North Korean hacking groups with crypto exchanges, DeFi platforms, and custodians. The announcement, made on May 9, 2026, comes as the industry reels from two nine-figure exploits last month and as security researchers track a shift in DPRK tactics toward social engineering.
The April exploits
Two DeFi protocols — Drift and KelpDAO — each lost more than $100 million in separate attacks during April. Combined, the breaches cost the industry over $200 million. The scale of the losses has pushed firms to rethink how they defend against state-backed adversaries. Ripple’s decision to pool intelligence is a direct response to that pressure.
Social engineering shift
North Korean-linked hackers have long relied on phishing emails and malware-laced documents. But security teams say the groups are now deploying more elaborate social engineering schemes — impersonating investors, recruiters, or even technical support to gain access to internal systems. This shift makes code audits and automated monitoring less effective. By sharing indicators of compromise and known attack patterns, Ripple aims to give the industry an early-warning system that can flag suspicious behavior before a breach happens.
What’s being shared
Ripple said it will provide access to its internal threat feeds, which include data on North Korean cyber infrastructure, wallet addresses, and operational patterns. The intelligence is expected to be available to exchanges, DeFi projects, and custodians. Ripple hasn’t disclosed whether the sharing will use an existing platform like FS-ISAC or a private channel. The lack of detail leaves open questions about how quickly the data can be operationalized — a critical factor when attacks unfold in hours.
With the pace of exploits accelerating, the industry is racing to catch up. Whether Ripple’s intelligence-sharing model can scale fast enough to stop the next attack is the test that matters.
