Ripple has started sharing its internal threat intelligence about North Korean hacker groups with the wider crypto industry. The goal is simple: help other companies spot and stop insider-style attacks earlier.
According to Ripple and Crypto ISAC, attack methods are changing. Instead of directly hacking smart contracts as before, attackers are now playing a longer game. They try to get inside companies first. They build trust, sometimes over months, and only later start stealing funds.
One example mentioned is the Drift incident. In that case, attackers didn’t break smart contract code. Instead, they used social engineering. They slowly gained trust inside teams, then installed malware on systems. Once inside, they were able to access multisig wallets and move funds without raising normal security alerts.
Security teams say this is very different from what happened between 2022 and 2024, when most crypto hacks were about finding bugs in code. Now, the focus has shifted to people and processes, not just software.
Ripple said that attackers often apply to many companies at once. If one rejects them, they quickly try another. That’s why sharing information across companies is becoming important.
To support this, Ripple is now sending detailed threat data to Crypto ISAC. This includes things like wallet addresses, suspicious domains, and other warning signs linked to ongoing attacks. In some cases, it also includes extra context like emails, phone numbers, and online profiles tied to the attackers.
Crypto ISAC says its updated system is built to help companies act faster on this kind of information. Some big firms, including Coinbase, have already started using it.
Security experts also pointed out that legal disputes are now becoming entangled with these cases. Some lawsuits are trying to connect frozen crypto funds to North Korean-linked hacks, while in other cases companies are arguing over who actually owns those assets after theft.
Overall, the message from Ripple and others is clear: crypto security is no longer something companies can handle alone. The more they share what they see, the better chance they have of stopping attacks early.







