Ripple Shares North Korea-Linked Threat Data via Crypto ISAC

Ripple provided Crypto ISAC with domains, wallet addresses and other indicators tied to North Korea-linked actors as social-engineering attacks rise across the crypto sector.

Crypto ISAC announced Tuesday that Ripple shared internal intelligence on fraud-associated domains, wallet addresses and other indicators of compromise linked to North Korea-affiliated threat actors. The nonprofit said the data will help member firms detect and respond to campaigns that target people rather than code.

The organization described the contribution as including the signals security teams use to block fraud and trace illicit funds. Crypto ISAC also launched a new API to speed data sharing among members. Ripple, Coinbase and other founding members have begun integrating the feed into security operations so the information can be pushed into existing workflows and automated responses.

Crypto ISAC pointed to the $280 million incident affecting Drift as an example of the shift in tactics: attackers gained the trust of contributors and compromised their devices instead of exploiting a smart contract vulnerability. Christina Spring, director of growth at Crypto ISAC, wrote that both crypto-native companies and traditional financial institutions are confronting a higher level of social-engineering operations and described the Drift case as “a social engineering campaign on a new level.”

Ripple emphasized the cross-company risk of personnel-based attacks in a post on X, warning that a threat actor who fails a background check at one firm can quickly target others and adding, “Without shared intelligence, every company starts from zero.” Erin Plante, Ripple's director of brand security and intelligence, wrote that the company has been working with Crypto ISAC to onboard and operationalize new data sources in ways that fit internal workflows.

Industry analysis shows an increase in crypto thefts linked to North Korea-affiliated groups. One report found North Korea's share of global crypto hack losses rose from under 10% in 2020–21 to 64% in 2025. Investigators have tied several large thefts to operations associated with the Lazarus group, including a $292 million exploit of Kelp DAO attributed to an actor known as TraderTraitor. North Korean authorities deny involvement; a Foreign Ministry spokesperson described the claims as “absurd slander” and called them a “political tool” used by the United States, according to state media.

Crypto ISAC said the shared datasets can be used to block transactions, flag accounts and trace funds. The API is intended to make those signals machine-readable so security teams can reduce the time between detection and action. The nonprofit named some founding members as early integrators but did not publish a full participant list.

Security teams say social-engineering campaigns pose different challenges from software exploits because they exploit human trust and can leave fewer on-chain clues until funds move. Crypto ISAC said it will expand the data available through the API and urged other firms to join the information-sharing network. Ripple and other members plan to add more internal intelligence to the system as they identify new indicators tied to nation-state-affiliated operations and criminal campaigns.
