Ripple And Crypto ISAC Pool Data On North Korean Crypto Hackers

• Ripple pooled its data on North Korean crypto hackers with Crypto ISAC, including their profiles, methods, wallets, and social media activity.

North Korean hackers have become a growing pain in the digital asset sector. Chainalysis estimates that state-sponsored outfits like the Lazarus Group have already stolen approximately $6.75 billion in crypto funds in 2025.

The $280 million to $285 million Drift Protocol hacking incident in April served as another wake-up call for the industry about the evolving tactics of these malicious actors sponsored by the Asian “Hermit Kingdom.” In response to the rapidly escalating threats posed by Democratic People’s Republic of Korea (DPRK)-sponsored cyberattacks, Ripple and the Crypto ISAC (Information Sharing and Analysis Center) pooled the intelligence and data they had gathered on these activities.

Ripple and Crypto ISAC Data Sharing

The information Ripple shared with Crypto ISAC includes the perpetrators’ personal and social media profiles, as well as the wallets linked to them. Additionally, it contained the attack indicators and patterns they typically employ.

Ripple, together with Coinbase, is among the founding members of Crypto ISAC, a non-profit, member-driven organization that focuses on ensuring the trust, integrity, and security of the blockchain and crypto industry. Using the pooled data, the alliance has launched a new API (Application Programming Interface) that enables fast, actionable data sharing among members to prevent bad actors from hopping from one platform to another.

Now, a red flag detected by one member of the alliance will immediately trigger an alarm in the entire organization.

A Look Back at the Drift Protocol Exploit

What makes the Drift Protocol incident very alarming is how the culprits systematically penetrated its network. It went beyond the usual smart contract exploit or a “zero day.”

Instead, the attackers actively engaged with the protocol, gaining the trust of a Drift contributor for several months. From there, it gradually installed malicious software in their devices.

The step-by-step attack involved a series of pre-signed, durable, once transactions to delay executions and a chain of multisig signer approvals. The perpetrators tricked members of the Drift Security Council through social engineering into signing what they believed were routine administrative updates. Then, they exploited Solana’s (SOL) durable nonces to delay the expiration of the validity of transactions beyond the 90-day window. It allowed them to pile up the authorized permissions over time.

Ultimately, the slow-drip approach enabled the hackers to bypass real-time security monitoring and execute mass pre-signed approvals for the heist. Proceeds from borrowed assets from legitimate liquidity pools, including USDC and SOL, were immediately bridged to obfuscated wallets for eventual laundering.

Ripple and Crypto ISAC’s efforts underscore the need for the crypto industry for cooperation in dismantling the sophisticated infrastructure of state-sponsored groups. Through a collective defense model, participants in the sector could close intelligence gaps that allow malicious actors to thrive, especially those who employ social engineering techniques to defraud the system.

The post Ripple And Crypto ISAC Pool Data On North Korean Crypto Hackers appeared first on Blockzeit.