Ripple Will Share North Korean Threat Intelligence With Crypto Firms

Ripple said it will distribute North Korean cyber threat intelligence to other cryptocurrency firms, citing April’s $285 million breach of decentralized exchange Drift as evidence of a new attack pattern that the broader industry needs to collectively defend against. Ripple said the Drift incident showed North Korean state-affiliated hackers shifting from smart contract exploits to long-cycle social engineering campaigns targeting individual employees.

The threat-sharing program marks one of the first formalized attempts by a major cryptocurrency company to act as an intelligence distributor across the sector.

What Ripple’s Threat-Sharing Program Covers

CoinDesk reported on May 5 that Ripple identified the Drift breach as a turning point in North Korean tactics. Rather than finding and exploiting a flaw in on-chain code, the attackers used sustained social engineering, building fake professional relationships with Drift employees over weeks or months before extracting credentials or access.

Ripple said it will package the indicators of compromise and behavioral patterns from that campaign and share them with other firms in the cryptocurrency space.

Smart contract exploits, which involve finding and abusing bugs in the code that governs decentralized finance protocols, were the dominant North Korean attack vector through 2022 and 2023. The shift to social engineering, which requires no technical vulnerability in the protocol itself, makes the attack harder to prevent through code audits alone.

It places the burden of defense on employee security training and identity verification procedures.

Background

North Korean hacking groups, primarily the Lazarus Group and affiliated clusters tracked by cybersecurity researchers, stole an estimated $3 billion in cryptocurrency between 2017 and 2023, according to United Nations panel reports. The funds are believed to support North Korea’s weapons programs.

Cryptocurrency theft became a significant focus for these groups after traditional financial system sanctions limited other revenue options.

The $285 million Drift breach in April 2026 was one of the largest single cryptocurrency hacks in recent history. Drift is a decentralized perpetual futures exchange, a platform where traders use leveraged contracts with no expiration date to bet on cryptocurrency price movements.

The scale of the theft drew attention from multiple cybersecurity firms and prompted U.S. government advisories about the social engineering approach now being employed.

Ripple itself, which operates the XRP Ledger and a suite of cross-border payment products, has not disclosed whether it was directly targeted in the same campaign. The company’s decision to lead the threat-sharing effort suggests it has gathered intelligence beyond what was publicly disclosed about the Drift attack.

Why This Matters for the Broader Industry

Cryptocurrency companies operate largely without the formal threat-sharing infrastructure that exists in traditional finance, where organizations like the Financial Services Information Sharing and Analysis Center distribute threat data across banks and payment processors.

No equivalent body exists specifically for cryptocurrency firms. Ripple’s program, if it gains participation, could become a template for sector-wide cyber coordination.

The effectiveness of the program will depend on how many firms actually receive and act on the intelligence.

Large exchanges and custodians have security teams capable of operationalizing threat indicators. Smaller protocols and DeFi platforms, which often lack dedicated security staff, are precisely the targets that North Korean groups have found easiest to breach.

Distributing intelligence without a mechanism to ensure smaller firms can act on it leaves a meaningful gap.

What Comes Next

Watch for other major cryptocurrency companies to announce participation in Ripple’s sharing program or to launch competing initiatives. The U.S. Cybersecurity and Infrastructure Security Agency has previously issued advisories about North Korean cryptocurrency theft; formal coordination between that agency and Ripple’s program would significantly increase the reach of the intelligence. Any further large-scale breach attributed to the same social engineering pattern would accelerate industry pressure on firms to join structured threat-sharing arrangements.

Assistant Editor

Mehjabeen is a journalist covering crypto news, DeFi, exchanges, trading, and market analysis. Over the past three years, she has focused on the trends and narratives shaping digital asset markets, having ghostwritten for several Tier 1 and Tier 2 outlets.