Ripple Shares North Korea-Linked Hacker Intelligence to Strengthen Crypto Security Amid Rising DeFi Attacks

Quick Summary

Ripple has begun sharing detailed intelligence on North Korean hacking groups with the Crypto ISAC, a cybersecurity information-sharing platform for the crypto sector. This initiative aims to enhance collective defenses against a surge of DeFi exploits in 2026, notably attacks on Drift Protocol and KelpDAO that have resulted in losses exceeding $577 million. The shared data includes enriched profiles of suspected DPRK operatives and indicators of compromise, reflecting a shift toward sophisticated social engineering tactics.

Key Points

  • Ripple contributes exclusive threat intelligence linked to North Korean hackers to Crypto ISAC, emphasizing the importance of shared security in crypto.
  • DPRK-affiliated groups have been responsible for approximately $577 million in DeFi thefts in 2026, representing 76% of total crypto hack losses year-to-date.
  • The intelligence includes comprehensive profiles connecting email addresses, domains, wallets, and malware infrastructure used in multiple campaigns.
  • Recent high-profile attacks on Solana-based Drift Protocol and KelpDAO illustrate a shift from purely technical exploits to extended social engineering efforts.
  • Industry responses include coordinated recovery efforts and emergency freezes, highlighting increased ecosystem-level collaboration.
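The "comprehensive profiles" described in the key points differ from a plain indicator list in that a hit on any one value (an email, a domain, a wallet) resolves to the whole cluster of related infrastructure and campaigns. The script below is an added illustration of that idea and is not Ripple's, Crypto ISAC's, or any published feed's code; every indicator value, campaign tag, and telemetry event in it is constructed for the example. It links raw indicators through shared campaign tags, merges campaigns that reuse the same value, and then enriches matches from a hypothetical protocol team's logs with the full profile.

```python
"""Enriched indicator profiles: link raw IoCs that share campaign context.

Added example for the article's "context-rich profile" point. All indicator
values, campaign tags, and events are constructed; none come from Ripple,
Crypto ISAC, TRM Labs, Chainalysis, or any real report.
"""
from collections import defaultdict

# Constructed sample feed: (indicator_type, value, campaign_tag)
RAW_INDICATORS = [
    ("email",  "recruiter@talent-bridge.test",                "campaign-A"),
    ("domain", "talent-bridge.test",                          "campaign-A"),
    ("wallet", "0xA1A1000000000000000000000000000000000001",  "campaign-A"),
    ("domain", "npm-mirror-cdn.test",                         "campaign-B"),
    ("wallet", "0xA1A1000000000000000000000000000000000001",  "campaign-B"),  # reused wallet ties B to A
    ("email",  "cto@partner-audit.test",                      "campaign-C"),
    ("domain", "partner-audit.test",                          "campaign-C"),
]


class UnionFind:
    """Minimal disjoint-set structure over arbitrary hashable keys."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_profiles(indicators):
    """Group indicators into actor profiles.

    Every indicator is joined to its campaign; campaigns that reuse a value
    (wallet, domain, ...) collapse into one profile, which is the enrichment
    a flat per-campaign IoC list lacks.
    Returns {value: profile_dict} so any single hit resolves to full context.
    """
    uf = UnionFind()
    for kind, value, campaign in indicators:
        uf.union(("campaign", campaign), (kind, value))

    groups = defaultdict(lambda: {"campaigns": set(), "email": set(),
                                  "domain": set(), "wallet": set()})
    for kind, value, campaign in indicators:
        root = uf.find((kind, value))
        groups[root]["campaigns"].add(campaign)
        groups[root][kind].add(value)

    lookup = {}
    for profile in groups.values():
        frozen = {k: sorted(v) for k, v in profile.items()}
        for kind in ("email", "domain", "wallet"):
            for value in frozen[kind]:
                lookup[value] = frozen  # same dict object for the whole cluster
    return lookup


# Constructed sample telemetry from a hypothetical protocol team: (source, value)
SAMPLE_EVENTS = [
    ("mail-gateway", "recruiter@talent-bridge.test"),
    ("dns",          "npm-mirror-cdn.test"),
    ("treasury-tx",  "0xB2B2000000000000000000000000000000000002"),  # no match
    ("dns",          "partner-audit.test"),
]


def match_events(events, lookup):
    """Return (source, value, profile) for each event that hits an indicator."""
    return [(src, val, lookup[val]) for src, val in events if val in lookup]


if __name__ == "__main__":
    profiles = build_profiles(RAW_INDICATORS)
    for src, val, profile in match_events(SAMPLE_EVENTS, profiles):
        print(f"{src}: {val} -> campaigns {profile['campaigns']}, "
              f"wallets {profile['wallet']}")
```

With this structure, a DNS hit on the campaign-B domain surfaces the campaign-A recruiter address and the shared wallet, so a responder can block the related mail sender and watch treasury outflows to that wallet instead of acting on one indicator in isolation.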

Context

North Korean cybercriminal groups have significantly increased their presence in the cryptocurrency space over recent years. According to reports from TRM Labs and Chainalysis, DPRK-linked actors stole over $2 billion in 2025 alone, pushing their cumulative crypto thefts beyond $6.7 billion. Their share of global crypto hack losses rose sharply from under 10% in 2020 to 64% by 2025.

The 2026 attacks on Drift and KelpDAO demonstrate evolving tactics. The Drift hack involved a six-month social engineering campaign where attackers built trust with protocol contributors to pre-authorize transactions, allowing the theft of $285 million in under 12 minutes. The KelpDAO incident combined node compromises, DDoS attacks, and manipulation of LayerZero Labs’ DVN to mint unbacked tokens, facilitating the borrowing of approximately $196 million in ETH.

Following these breaches, entities like the Aave-led DeFi United coalition have mobilized recovery funds exceeding $300 million. Emergency measures, such as Arbitrum’s freezing of stolen assets and cross-protocol task forces, indicate a growing trend toward collective defense mechanisms within the crypto ecosystem.

My Take

Ripple’s decision to share enriched threat intelligence marks a notable step toward fostering collaboration in a sector often criticized for fragmented security efforts. By providing context-rich data rather than raw indicators, Ripple enables more informed and proactive defenses. However, given the dynamic nature of cyber threats and the adaptability of DPRK-linked groups, it remains uncertain how effective these measures will be in fully mitigating future attacks.

It is also worth noting that social engineering campaigns, which rely heavily on human factors, present persistent challenges that technical solutions alone cannot address. The crypto industry’s increasing willingness to share information and coordinate responses is encouraging, but continuous vigilance and adaptive strategies will be necessary.

What to Watch Next

  • Monitoring the impact of shared intelligence on reducing successful DPRK-linked attacks across DeFi platforms.
  • Developments in cross-protocol collaboration and the formation of additional recovery coalitions.
  • Emerging trends in social engineering tactics targeting crypto firms and how defenses evolve accordingly.
  • Regulatory responses or industry standards that may arise to support collective cybersecurity efforts.