Ripple is sharing its internal threat intelligence on North Korean hackers with the broader crypto industry, a move that highlights a major shift in attack methods.
The $285 million Drift breach in April wasn't a classic hack. No smart contract exploit. Instead, North Korean operatives spent months befriending Drift's contributors, slipped malware onto their machines, and stole the private keys. Every security system designed to catch a hack had nothing to flag.
Ripple is now feeding Crypto ISAC - the industry's threat-sharing group - profile data including LinkedIn accounts, email addresses, and phone numbers. This allows companies to recognize operatives who failed background checks at one firm and are applying at others.
“The strongest security posture in crypto is a shared one,” Ripple posted. “A threat actor who fails a background check at one company will apply to three more that same week.”
The shift from code exploits to people-based infiltration marks a new era for crypto security. In April alone, losses from North Korean-linked hacks at Drift and Kelp exceeded half a billion dollars.