Ripple is sharing information about North Korean hacking threats with Crypto ISAC, a cybersecurity group. They hope that by working together and understanding the tactics of North Korean hackers and their attacks on decentralized finance (DeFi), they can prevent a predicted increase in hacking attempts in 2026 of the kind that hit Drift and KelpDAO.
Summary
- Ripple is contributing exclusive North Korea–linked threat intelligence to the Crypto ISAC information-sharing platform, arguing that “the strongest security posture in crypto is a shared one.”
- DPRK hackers have stolen about $577 million in crypto so far in 2026—76% of all hack losses year-to-date—largely via two DeFi exploits on Drift Protocol and KelpDAO.
- The intelligence covers enriched profiles of suspected North Korean IT operatives and detailed indicators of compromise (IOCs), as attackers pivot from pure technical exploits to long, social engineering–driven campaigns.
As an analyst, I’m following the news that Ripple is now proactively sharing information about North Korean hacking attempts with members of Crypto ISAC. Crypto ISAC is a non-profit group dedicated to cybersecurity within the cryptocurrency industry, and this move will help bolster collective defenses against these threats.
According to a recent blog post, the shared data includes information on fraudulent websites and digital wallets, as well as clues about ongoing hacking attempts linked to North Korea.
Ripple’s threat feeds go to Crypto ISAC
She emphasized that Ripple’s threat feeds stand out because they don’t just provide basic threat data. They also include detailed analysis from security experts who deeply understand the groups targeting the cryptocurrency world. This gives security teams more useful information than a standard list of indicators of compromise.
Ripple recently stated on X (formerly Twitter) that the best way to keep cryptocurrency secure is through collaboration. They explained that someone with malicious intent who is blocked by one company will likely try others, and that without sharing information about potential threats, each company has to start its security efforts from scratch.
Investigators have gathered detailed information about North Korean IT workers believed to be trying to get jobs at cryptocurrency and financial technology companies. This information links their email addresses, online activity, digital wallets, and the malicious software they use in various hacking efforts.
Drift and KelpDAO show a shift to social engineering
Ripple is responding to a recent surge in cyberattacks connected to North Korea, which have specifically targeted decentralized finance (DeFi) platforms in 2026. Notable examples include breaches of the Drift Protocol, built on Solana, and the KelpDAO re-staking platform.
TRM Labs believes two recent hacks brought in around $577 million for North Korean hacking groups – $285 million from Drift and about $292 million from KelpDAO. This represents 76% of the total value stolen in crypto hacks up to April.
In my research, I’ve found that North Korean-linked hackers stole over $2 billion in cryptocurrency in 2025 alone. This brings the total amount they’ve stolen to over $6.7 billion. What’s particularly striking is how their share of all crypto hacking losses has grown – from less than 10% in 2020 to a massive 64% by 2025.
The April 1 Drift exploit was the result of a six-month-long scheme, as reported by The Hacker News and Chainalysis, starting in late 2025. North Korean operatives built trust with Drift team members through face-to-face meetings and then persuaded them to approve withdrawals in advance using a Solana feature called “durable nonce.”
The attackers quickly carried out 31 authorized transactions over 12 minutes, stealing $285 million worth of assets. They then moved most of the stolen funds to Ethereum. According to TRM, the stolen Ethereum hasn’t been actively used, suggesting the attackers are carefully planning to convert it into untraceable funds over a long period.
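A defender-side illustration of the pattern described above, added here and not taken from Ripple, TRM Labs or Drift: it flags a burst of durable-nonce transactions touching a monitored vault. The record shape (simplified from a parsed Solana transaction), the vault and program names, the window and the threshold are assumptions, and the sample data is constructed.

```python
from collections import deque
from datetime import datetime, timedelta

SYSTEM_PROGRAM = "11111111111111111111111111111111"

def uses_durable_nonce(tx):
    # A durable-nonce transaction carries System Program advanceNonce as its
    # first instruction; the stored nonce replaces the recent blockhash.
    first = tx["instructions"][0] if tx["instructions"] else {}
    return (first.get("programId") == SYSTEM_PROGRAM
            and first.get("parsed", {}).get("type") == "advanceNonce")

def detect_bursts(txs, vaults, window=timedelta(minutes=15), threshold=5):
    """Alert when `threshold` durable-nonce txs touch a monitored vault within `window`."""
    recent, alerts, current = deque(), [], None
    for tx in sorted(txs, key=lambda t: t["ts"]):
        if not (uses_durable_nonce(tx) and vaults & set(tx["accounts"])):
            continue
        recent.append(tx["ts"])
        while tx["ts"] - recent[0] > window:
            recent.popleft()          # drop matches that fell out of the window
        if len(recent) < threshold:
            current = None            # burst over, re-arm the alert
        elif current is None:
            current = {"fired_at": tx["ts"], "peak": len(recent)}
            alerts.append(current)
        else:
            current["peak"] = max(current["peak"], len(recent))
    return alerts

def sample_transactions():
    # Constructed data: vault name, program name and times are hypothetical.
    t0 = datetime(2026, 4, 1, 12, 0, 0)
    nonce_ix = {"programId": SYSTEM_PROGRAM, "parsed": {"type": "advanceNonce"}}
    move_ix = {"programId": "HYPOTHETICAL_VAULT_PROGRAM", "parsed": {"type": "withdraw"}}
    # One isolated durable-nonce tx hours earlier: should not alert on its own.
    txs = [{"ts": t0 - timedelta(hours=6), "accounts": ["VAULT_A"],
            "instructions": [nonce_ix, move_ix]}]
    # Ordinary withdrawals signed against a recent blockhash: ignored.
    txs += [{"ts": t0 - timedelta(minutes=m), "accounts": ["VAULT_A"],
             "instructions": [move_ix]} for m in (50, 30, 10)]
    # 31 durable-nonce txs spread over 12 minutes, matching the reported shape.
    txs += [{"ts": t0 + timedelta(seconds=24 * i), "accounts": ["VAULT_A"],
             "instructions": [nonce_ix, move_ix]} for i in range(31)]
    return txs

if __name__ == "__main__":
    for alert in detect_bursts(sample_transactions(), {"VAULT_A"}):
        print(alert)
```

The alert fires on the fifth matching transaction, well before the burst completes; tune the window and threshold to the vault's normal signing cadence.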
As a crypto investor, the KelpDAO hack on April 18th really shook me up. It wasn’t your typical flash loan attack. Apparently, hackers linked to North Korea managed to break into two of KelpDAO’s internal systems, overwhelmed the public ones with a denial-of-service attack, and then manipulated data within LayerZero Labs’ network. This allowed them to create over 116,000 rsETH tokens out of thin air. They then used this fake collateral to borrow around $196 million worth of ETH from Aave. It was a complex, multi-stage attack and a scary reminder of the risks out there.
Further investigation by TRM and others revealed that after the Arbitrum Security Council froze about $71.5 million in Ethereum, the attackers rapidly changed tactics. They converted the remaining stolen funds into Bitcoin using THORChain and through Chinese financial services, demonstrating a high level of skill and flexibility in laundering the money.
Following the recent issues, a group led by Aave, called DeFi United, has gathered over $300 million to help KelpDAO recover. Additionally, Arbitrum quickly froze funds and teams formed rapidly to address the problem across different platforms, showing a stronger push for collaboration and protection within the broader DeFi ecosystem.
A recent article in Decrypt and statements from Ripple describe the new data-sharing plan as a proactive step to combat evolving cyber threats. The aim is to move beyond scattered knowledge and create a system for sharing real-time information about what security researcher Natalie Newson of CertiK calls a large-scale, state-sponsored financial operation that moves quickly and efficiently.
2026-05-05 20:02