North Korean-linked hackers are increasingly targeting crypto companies using advanced social engineering. These attackers now prioritize gaining organizational trust to infiltrate from within, rather than exploiting flaws in code.
According to a press release by Crypto ISAC, a non-profit Crypto Information Sharing and Analysis Center launched in 2024 for the digital asset industry, this new wave of attacks has prompted Ripple to begin sharing exclusive threat intelligence with fellow members. The move represents a significant step toward developing a unified, industry-wide defense strategy against increasingly coordinated cyber campaigns linked to the Democratic People’s Republic of Korea (DPRK).
Trust as the attack vector
Unlike traditional breaches that rely on smart contract exposures or zero-day exploits, recent incidents show attackers are now infiltrating organizations by building trust over time.
The Drift hack stands as a stark example. On April 1, 2026, the Solana-based decentralized exchange (DEX) lost approximately $285 million after a six-month social engineering campaign that began in fall 2025. Instead of exploiting code, malicious actors spent months engaging with contributors, eventually gaining access to internal systems through compromised devices. This allowed them to bypass standard security indicators and ultimately target multisignature wallets, leading to significant fund losses within minutes.
Drift, with support from the SEAL 911 security team, attributed the operation with medium-high confidence to UNC4736 — also tracked as AppleJeus, Citrine Sleet, Golden Chollima, or Gleaming Pisces — the same North Korean state-affiliated group linked to the October 2024 Radiant Capital hack. Mandiant’s formal attribution is still pending.
These tactics, widely linked to North Korean threat actors, represent a shift toward “inside-out” attacks—where the weakest point is no longer the code, but human trust.
Exclusive DPRK threat intelligence
To counter this growing threat, Ripple is now actively sharing enriched intelligence data with Crypto ISAC members—marking a major step toward industry-wide collaboration.
The shared data goes beyond basic indicators. It includes wallets and domains linked to fraudulent activity, active Indicators of Compromise (IOCs), and detailed profiles of suspected DPRK operatives.
These profiles are not limited to names—they include LinkedIn accounts, email addresses, phone numbers, locations, and behavioral patterns. This contextual depth enables security teams to identify and act on threats before damage occurs.
Erin Plante, Director of Brand Security and Threat Intelligence at Ripple, emphasized the impact of this initiative: “Crypto ISAC’s newly updated API represents a meaningful step forward in how intelligence is shared across the ecosystem. The result is higher-quality, more actionable intelligence that we can integrate directly into our security operations.”
API powers real-time, actionable defense
At the core of this collaboration is Crypto ISAC’s newly launched API, designed to standardize and distribute high-confidence threat intelligence across both Web2 and Web3 environments. The API normalizes indicators, preserves context, assigns confidence levels, and maintains the links between related signals, so that member organizations can see how a domain, wallet, or identity fits a larger pattern.
Early adopters include Coinbase, which expanded its own integration with Crypto ISAC earlier in 2026 and is already using the system in its security workflows.
Jeff Lunglhofer, Chief Information Security Officer at Coinbase, highlighted its value: “One of the biggest challenges in crypto threat intelligence is bridging the gap between raw signals and operational decisions. As an early adopter, we’ve already seen how this improves our ability to act on intelligence in real time.”
Collective defense
The rise of these stealthy infiltration tactics has exposed a critical weakness—companies operating in isolation. A threat actor rejected by one firm can easily approach another, unless intelligence is shared.
Crypto ISAC aims to close this gap by enabling real-time data exchange among members. Once a threat is identified, enriched intelligence is distributed across the network, ensuring others are immediately alerted.
Justine Bone, Executive Director of Crypto ISAC, underscored the importance of this shift: “For too long, information sharing was seen as optional. Today, it is the gold standard for security… showing how to turn shared data into an actionable defense strategy.”
The bottom line
With North Korean hackers accounting for 76% of all crypto hack losses in the first half of 2026, the industry is moving toward a “defend-as-one” philosophy. The Ripple-Crypto ISAC partnership represents the first major attempt to treat human trust as an attack surface that requires its own set of decentralized, shared protocols.
While no system can fully anticipate every attack, collective defense may be the industry’s strongest weapon yet.
