---
title: "Ripple Shares DPRK Hacker Intel After $577M Crypto Hacks"
date: 2026-05-05
author: "Kathleen Kinder"
featured_image: "https://coinlaw.io/wp-content/uploads/2026/05/ripple-shares-dprk-hacker-intel-after-577m-crypto-hacks.jpg"
categories:
  - name: "Cryptocurrency"
    url: "/crypto.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# Ripple Shares DPRK Hacker Intel After $577M Crypto Hacks

Ripple is sharing North Korea linked threat intelligence with the crypto industry after a surge in DeFi attacks tied to DPRK hackers.

## Key Takeaways

- Ripple is now sharing North Korea linked threat intelligence through Crypto ISAC to strengthen industry defenses.
- DPRK hackers stole $577 million in 2026, making up 76 percent of total crypto hack losses so far.
- Major attacks on Drift Protocol and KelpDAO highlight a shift toward social engineering tactics.
- Security experts warn these attacks reflect a state driven, highly coordinated operation.

## What Happened?

Ripple announced it has begun sharing internal threat intelligence on **North Korean cyber activity** with members of Crypto ISAC. The move comes after a series of high profile DeFi hacks in April that exposed evolving tactics used by DPRK linked groups.

The company said the goal is to help crypto firms detect threats earlier by sharing detailed data such as hacker profiles, wallet addresses, and indicators of compromise.

> Big News! 📣 [@Ripple](https://twitter.com/Ripple?ref_src=twsrc%5Etfw) is now contributing high-confidence DPRK threat data through Crypto ISAC helping security teams move from awareness to action.  
>   
> The reality is North Korean threat actors aren’t just attacking crypto, they’re infiltrating it.  
>   
> The latest wave of attacks is… [pic.twitter.com/DwdMziEIC1](https://t.co/DwdMziEIC1)
> 
> — Crypto ISAC (@Crypto\_ISAC) [May 4, 2026](https://twitter.com/Crypto_ISAC/status/2051313416875249833?ref_src=twsrc%5Etfw)

## Ripple Expands Industry Defense With Shared Intelligence

Ripple has taken a collaborative approach by feeding its internal threat intelligence into Crypto ISAC, a not for profit [cybersecurity group focused on digital assets](https://coinlaw.io/cybersecurity-in-cryptocurrency-statistics/). The data includes domains, wallets, and indicators of compromise linked to active North Korean hacking campaigns.

According to Christina Spring, Director of Growth at Crypto ISAC, the intelligence stands out because of its **contextual depth**. It connects data points such as email addresses, infrastructure, and malware activity, allowing companies to better understand attacker behavior rather than just react to isolated alerts.

Ripple emphasized that security cannot work in silos. The company noted that threat actors often apply to multiple crypto firms after failing background checks at one, making shared intelligence critical to stopping repeat infiltration attempts.

## $577 Million in Hacks Signals Growing Threat

Blockchain intelligence firm TRM Labs estimates that North Korean linked hackers have already stolen about **$577 million in 2026**, accounting for **76 percent of total crypto hack losses** so far this year.

Two incidents drove the majority of losses:

- [**Drift Protocol hack resulted in about $285 million stolen**.](https://coinlaw.io/drift-150m-tether-usdt-recovery/)
- [**KelpDAO exploit led to roughly $292 million in losses**.](https://coinlaw.io/defi-united-300m-consensys-circle-aave-recovery/)

These attacks add to a growing pattern. Reports from Chainalysis and TRM Labs show DPRK linked groups stole more than **$2 billion in 2025**, bringing their total haul above **$6.7 billion** over the years.

## Shift From Code Exploits to Human Targeting

Security experts say the most significant change is not the scale of attacks, but the method.

The Drift incident revealed a long cycle social engineering strategy. Attackers spent months building trust with contributors, attended meetings, and eventually deployed malware to gain access to private keys. When funds were moved, traditional security systems failed to detect anything unusual because the attackers were already inside.

This marks a clear shift from earlier [DeFi hacks](https://coinlaw.io/crypto-exchange-hacks-and-security-statistics/) that focused on exploiting smart contract vulnerabilities. Now, attackers are targeting people instead of code, making detection significantly harder.

Ripple’s shared intelligence includes profiles of suspected North Korean operatives attempting to infiltrate crypto firms. These profiles link identities across multiple companies, helping teams identify repeat actors during hiring processes.

## KelpDAO Attack Shows Advanced Coordination

The KelpDAO exploit demonstrated a different but equally complex strategy. Attackers compromised internal systems, disrupted external nodes, and manipulated data feeds to mint unbacked assets.

They then used these assets to borrow large amounts of ETH, moving funds quickly across chains. While part of the stolen [funds was frozen by the Arbitrum Security Council](https://coinlaw.io/kelp-dao-hack-eth-frozen-us-court/), attackers managed to shift remaining assets into Bitcoin using cross chain tools and intermediaries.

The response was swift. Industry participants including [Aave](https://coinlaw.io/aave-statistics/) supported recovery efforts, while cross protocol coordination helped limit further damage. Legal disputes have also emerged over frozen funds, highlighting the broader impact of these attacks beyond technology.

## Experts Warn of State Backed Operations

Security researchers believe these attacks are not random. Natalie Newson, a senior blockchain security researcher at CertiK, said:

> “KelpDAO, Drift, and now a new macOS malware kit, all within the same month. This isn’t random hacking; it’s a state directed financial operation running at a scale and speed typical of institutions.”
>
> — Natalie Newson, Senior Blockchain Security Researcher – CertiK

The growing activity of groups like Lazarus is raising concerns across the industry, especially as tactics become more sophisticated and persistent.

## CoinLaw’s Takeaway

I believe this moment is a turning point for crypto security. In my experience, most companies focus heavily on code audits, but this wave of attacks proves that humans are now the weakest link. What stands out to me is how patient and organized these campaigns have become.

I found Ripple’s decision to share intelligence across the industry not just useful, but necessary. Without collaboration, every company is fighting the same battle alone, and clearly losing. If this model of shared defense works, it could reshape how crypto handles security going forward.
