May 06, 2026 ChainGPT

Ripple Feeds DPRK-Linked Threat Intel to Crypto ISAC Amid $577M 2026 DeFi Heists

Ripple is feeding its North Korea-linked threat intelligence into Crypto ISAC as the crypto industry scrambles to blunt a wave of 2026 DeFi attacks that have already hauled in hundreds of millions of dollars.

What Ripple is sharing

- Ripple has begun delivering internal threat feeds to Crypto ISAC, the industry non-profit that aggregates cyber threat data for the digital-asset sector.
- The feeds include domains, wallets and indicators of compromise (IOCs) tied to DPRK-related campaigns. Crucially, Ripple says it is adding "contextual enrichment": linked email addresses, on-chain wallets, malware infrastructure and profiles of suspected North Korean IT operatives attempting to embed themselves in crypto and fintech firms.
- Christina Spring, Crypto ISAC's growth director, says the added context makes the intelligence more actionable than a bare IOC list.

Ripple's post on X framed the effort bluntly: "the strongest security posture in crypto is a shared one," noting that attackers often hit multiple firms in short order.

Why now: a costly 2026 spike

The move follows two high-profile April exploits that security firms say were tied to DPRK actors, attacks that together account for the lion's share of hack losses so far this year.

- Drift Protocol (April 1): According to Chainalysis and The Hacker News, a six-month social-engineering campaign that began in late 2025 culminated in attackers convincing signers to pre-authorize withdrawals using Solana's "durable nonce" feature. The adversaries executed 31 pre-signed transactions in roughly 12 minutes, draining $285 million and bridging most of the funds to Ethereum. TRM Labs says much of the stolen ETH has since remained dormant, suggesting a patient laundering strategy.
- KelpDAO (April 18): Attackers reportedly compromised two internal RPC nodes, DDoS'd external nodes and fed false data into LayerZero Labs' DVN to mint 116,500 unbacked rsETH. They then used that synthetic collateral to borrow roughly $196 million in ETH on Aave. While the Arbitrum Security Council froze about $71.5 million downstream, the remaining funds were swapped into BTC via THORChain and Chinese intermediaries, illustrating a flexible, multi-protocol laundering playbook.

TRM Labs estimates the Drift and KelpDAO incidents netted about $577 million for DPRK-linked groups ($285M and ~$292M respectively), roughly 76% of all crypto hack value through April. Chainalysis and TRM report that DPRK actors stole over $2 billion in 2025 alone, pushing their cumulative takings above $6.7 billion; their share of global crypto-theft value reportedly jumped from under 10% in 2020 to 64% by 2025.

Industry response and the way forward

The attacks prompted fast, collective action: Arbitrum's emergency freezes, the rapid formation of cross-protocol recovery task forces, and a fundraising push led by an Aave coalition called DeFi United that has raised more than $300 million toward a KelpDAO recovery plan. Ripple and Crypto ISAC hope their real-time, enriched intelligence will help firms move from siloed awareness to coordinated defense, a necessary shift against what CertiK researcher Natalie Newson has described as "a state-directed financial operation running at institutional scale and speed."

Bottom line

The DPRK-linked campaigns of 2025–26 demonstrate both evolving tradecraft and the benefits of industry cooperation. Sharing enriched threat context, not just lists of compromised wallets, aims to make front-line defenders faster and more precise at spotting social engineering, infiltration attempts and cross-protocol laundering chains. But the sophistication shown in the Drift and KelpDAO cases also makes clear that attackers are adapting quickly, and that coordinated intelligence and emergency response will be critical to limiting future damage.
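The difference between a bare IOC list and the "contextual enrichment" described under "What Ripple is sharing" is easiest to see in a correlation run: when one observable matches local telemetry, the links attached to it tell the analyst what else to hunt for immediately. The following is an added example, not code from Ripple or Crypto ISAC. The feed schema, the campaign labels, the telemetry lines and the `.invalid` domains and `0x1111...` wallet are all constructed for illustration.

```python
"""Correlate an enriched threat-intel feed against local telemetry.

Added example, not code from Ripple or Crypto ISAC. The feed entries,
campaign labels and telemetry lines below are constructed; the '.invalid'
domains and the 0x1111... wallet are deliberately unroutable/fake.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Indicator:
    value: str                 # the observable itself (domain, wallet or email)
    kind: str                  # "domain", "wallet" or "email"
    campaign: str              # cluster label the feed attaches to it
    context: dict = field(default_factory=dict)  # enrichment: linked observables


# Constructed feed. A bare IOC list would stop at `value`; the enrichment is
# the `context` dict that ties each observable to the rest of its cluster.
FEED = [
    Indicator("hr-portal.invalid", "domain", "CLUSTER-A",
              {"linked_emails": ["recruiter@hr-portal.invalid"],
               "linked_wallets": ["0x1111222233334444555566667777888899990000"]}),
    Indicator("recruiter@hr-portal.invalid", "email", "CLUSTER-A",
              {"role": "fake recruiter persona"}),
    Indicator("0x1111222233334444555566667777888899990000", "wallet", "CLUSTER-A",
              {"chain": "eth", "note": "consolidation address"}),
    Indicator("cdn-update.invalid", "domain", "CLUSTER-B",
              {"note": "malware staging"}),
]

# Constructed telemetry: DNS queries, mail-gateway events and on-chain payouts.
LOGS = [
    "2026-05-01T09:12:03Z dns query=hr-portal.invalid src=10.0.4.21",
    "2026-05-01T09:30:44Z mail from=recruiter@hr-portal.invalid to=dev@corp.example",
    "2026-05-02T11:02:10Z tx chain=eth to=0x1111222233334444555566667777888899990000 amount=12.5",
    "2026-05-02T12:00:00Z dns query=updates.corp.example src=10.0.4.21",
]

# One extractor per observable kind; each yields the field value if present.
EXTRACTORS = {
    "domain": re.compile(r"\bquery=([\w.-]+)"),
    "email":  re.compile(r"\bfrom=([\w.+-]+@[\w.-]+)"),
    "wallet": re.compile(r"\bto=(0x[0-9a-fA-F]{40})\b"),
}


def index_feed(feed):
    """Map lowercase observable -> Indicator for O(1) lookup."""
    return {ind.value.lower(): ind for ind in feed}


def extract_observables(line):
    """Return (kind, value) pairs found in one telemetry line."""
    found = []
    for kind, rx in EXTRACTORS.items():
        m = rx.search(line)
        if m:
            found.append((kind, m.group(1).lower()))
    return found


def hunt_set(feed, campaign):
    """Every observable tied to a campaign, including the enrichment links:
    what an analyst should search for after a single hit."""
    out = set()
    for ind in feed:
        if ind.campaign != campaign:
            continue
        out.add(ind.value.lower())
        for key, vals in ind.context.items():
            if key.startswith("linked_"):
                out.update(v.lower() for v in vals)
    return out


def correlate(logs, feed):
    """Match telemetry against the feed; each hit carries the campaign and the
    rest of its hunt set so the match can be pivoted on immediately."""
    idx = index_feed(feed)
    hits = []
    for line in logs:
        for kind, value in extract_observables(line):
            ind = idx.get(value)
            if ind is None or ind.kind != kind:
                continue
            hits.append({"line": line, "kind": kind, "value": value,
                         "campaign": ind.campaign,
                         "pivot": sorted(hunt_set(feed, ind.campaign) - {value})})
    return hits


if __name__ == "__main__":
    for h in correlate(LOGS, FEED):
        print(f"[{h['campaign']}] {h['kind']}={h['value']}  pivot -> {h['pivot']}")
```

The `pivot` field is the practical payoff of enrichment: a single DNS hit on the recruiter domain already names the email persona and the consolidation wallet to search for in mail logs and treasury transactions, instead of waiting for each to appear separately.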
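The Drift Protocol bullet turns on signers pre-authorizing withdrawals with Solana's "durable nonce" feature: a transaction that advances a nonce account first does not expire with its recent blockhash, so a signature on it is a standing authorization that can be executed later. A signer-side review step that recognises that pattern and applies destination and amount limits before anything is signed is the control that passage implies. The following is an added example, not Drift's code. It models transactions as plain dicts (a constructed simplification; real signer tooling decodes the wire format with the SDK) and assumes the System program's instruction layout, `AdvanceNonceAccount` = 4 and `Transfer` = 2 as u32 little-endian discriminators with `Transfer` followed by a u64 lamport amount; verify those against the SDK you use. All account names are constructed placeholders.

```python
"""Signer-side review of Solana transactions that use a durable nonce.

Added example, not Drift Protocol's code. Transactions are modelled as plain
dicts (constructed simplification; real signer tooling decodes the wire
format with the SDK). Assumed System-program instruction layout:
AdvanceNonceAccount = 4 and Transfer = 2 as u32 little-endian discriminators,
with Transfer followed by a u64 lamport amount; verify against your SDK.
All account names below are constructed placeholders, not real addresses.
"""
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"  # Solana System program id
IX_TRANSFER = 2                # SystemInstruction::Transfer (assumed value)
IX_ADVANCE_NONCE_ACCOUNT = 4   # SystemInstruction::AdvanceNonceAccount (assumed value)


def system_ix(discriminator, accounts, lamports=None):
    """Build a simplified System-program instruction (model only)."""
    data = struct.pack("<I", discriminator)
    if lamports is not None:
        data += struct.pack("<Q", lamports)
    return {"program_id": SYSTEM_PROGRAM, "accounts": accounts, "data": data}


def summarize(tx):
    """Flag durable-nonce use and total the lamports leaving the wallet."""
    ixs = tx["instructions"]
    durable = (bool(ixs)
               and ixs[0]["program_id"] == SYSTEM_PROGRAM
               and struct.unpack_from("<I", ixs[0]["data"])[0] == IX_ADVANCE_NONCE_ACCOUNT)
    outflow = {}
    for ix in ixs:
        if ix["program_id"] != SYSTEM_PROGRAM:
            continue
        if struct.unpack_from("<I", ix["data"])[0] == IX_TRANSFER:
            lamports = struct.unpack_from("<Q", ix["data"], 4)[0]
            dest = ix["accounts"][1]          # Transfer accounts: [from, to]
            outflow[dest] = outflow.get(dest, 0) + lamports
    return {"durable": durable, "outflow": outflow, "total": sum(outflow.values())}


def review_for_signing(tx, policy):
    """Return {"approve": bool, "durable": bool, "violations": [...]}.

    A durable-nonce transaction does not expire like a normal one, so signing
    it grants a standing authorization; policy decides whether that is ever
    acceptable, and destination/amount limits apply regardless."""
    s = summarize(tx)
    violations = []
    if s["durable"] and not policy.get("allow_durable", False):
        violations.append("durable nonce: pre-signed transaction stays valid until the nonce is advanced")
    for dest in s["outflow"]:
        if dest not in policy["allowlist"]:
            violations.append(f"destination not allowlisted: {dest}")
    if s["total"] > policy["max_lamports"]:
        violations.append(f"outflow {s['total']} lamports exceeds cap {policy['max_lamports']}")
    return {"approve": not violations, "durable": s["durable"], "violations": violations}


def review_batch(txs, policy):
    """Reject a whole signing batch if it would leave too many durable
    transactions outstanding, even when each passes on its own."""
    results = [review_for_signing(tx, policy) for tx in txs]
    pending_durable = sum(r["durable"] for r in results)
    batch_ok = all(r["approve"] for r in results) and pending_durable <= policy["max_pending_durable"]
    return {"approve": batch_ok, "pending_durable": pending_durable, "results": results}


# Constructed placeholders (not real addresses).
TREASURY, PAYROLL, UNKNOWN = "TREASURY_PLACEHOLDER", "PAYROLL_PLACEHOLDER", "UNKNOWN_PLACEHOLDER"
NONCE_ACCT, NONCE_AUTH, RECENT_BLOCKHASHES = "NONCE_ACCT_PLACEHOLDER", "NONCE_AUTH_PLACEHOLDER", "SYSVAR_PLACEHOLDER"

POLICY = {"allow_durable": False, "allowlist": {PAYROLL},
          "max_lamports": 10_000_000_000, "max_pending_durable": 0}

# 1) ordinary payroll transfer: expires with its recent blockhash.
TX_NORMAL = {"instructions": [system_ix(IX_TRANSFER, [TREASURY, PAYROLL], 1_000_000_000)]}
# 2) the same transfer, pre-authorized with a durable nonce.
TX_DURABLE = {"instructions": [
    system_ix(IX_ADVANCE_NONCE_ACCOUNT, [NONCE_ACCT, RECENT_BLOCKHASHES, NONCE_AUTH]),
    system_ix(IX_TRANSFER, [TREASURY, PAYROLL], 1_000_000_000)]}
# 3) durable, to an unlisted destination, above the cap.
TX_DRAIN = {"instructions": [
    system_ix(IX_ADVANCE_NONCE_ACCOUNT, [NONCE_ACCT, RECENT_BLOCKHASHES, NONCE_AUTH]),
    system_ix(IX_TRANSFER, [TREASURY, UNKNOWN], 50_000_000_000)]}

if __name__ == "__main__":
    for name, tx in [("normal", TX_NORMAL), ("durable", TX_DURABLE), ("drain", TX_DRAIN)]:
        print(name, review_for_signing(tx, POLICY))
```

The batch check matters as much as the per-transaction one: a policy that allows durable transactions individually can still cap how many signed-but-unexecuted authorizations exist at once, which is the state a social-engineering campaign against signers is trying to build up.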