Ripple said on Monday it is now sharing insider threat intelligence on North Korean hackers with the cryptocurrency industry, a move that redefines how the industry responds to a shift in North Korean attack methods.
The Drift hack is not what most people think of as hacking.
No one found a bug or exploited a smart contract. North Korean agents spent months befriending Drift contributors, planting malware on their computers, and then walked away with the keys. When the $285 million was transferred, every system that was supposed to catch the attackers had nothing to flag.
This is the version of events revealed by Ripple and crypto industry threat sharing group Crypto ISAC on Monday, along with news that Ripple is now sharing internal data on North Korean threat actors with other members of the industry.
Earlier waves of DeFi hacks in 2022-24 centered on code exploits: attackers found smart contract vulnerabilities and drained protocols in minutes.
But as security measures have tightened, the modus operandi has shifted from technology to people. Operatives apply for jobs at cryptocurrency companies, pass background checks, show up on Zoom calls and build trust for months. Then they carry out attacks that traditional security tools cannot catch, because the attackers are already on the inside.
Ripple is now providing profile data to Crypto ISAC, making the pattern visible across companies. A LinkedIn profile, an email address, a location, a phone number: the connective tissue that lets a security team recognize the candidate it just interviewed as the same person who failed background checks at three other companies last week.
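To make the "connective tissue" concrete, here is an added illustration of how a member company could screen an applicant against indicators shared through a group like Crypto ISAC. It is example code written for this article, not Ripple's or Crypto ISAC's tooling, and the companies, names, emails, phone numbers and profile URLs in it are constructed. The value is in the normalization: the same person rarely reuses an identifier byte-for-byte, so matching has to canonicalize emails (case, "+tag" suffixes, Gmail-style dots), phone numbers (formatting, country code) and LinkedIn URLs (case, trailing slashes, tracking parameters) before comparing them.

```python
"""Cross-company applicant indicator matching (constructed example, not Crypto ISAC code)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Applicant:
    name: str
    email: str
    phone: str
    linkedin: str
    location: str


GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_email(email: str) -> str:
    """Lowercase, drop a '+tag' suffix and, for Gmail-style domains only, the dots in the local part."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:          # assumption: Gmail ignores dots and treats both domains alike
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def normalize_phone(phone: str) -> str:
    """Keep digits only and strip a leading country code '1' (assumption: North American numbers)."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def normalize_linkedin(url: str) -> str:
    """Reduce a profile URL to its lowercase /in/<slug> handle, ignoring query strings and slashes."""
    m = re.search(r"/in/([^/?#]+)", url.strip().lower())
    return m.group(1) if m else url.strip().lower().rstrip("/")


def indicators(a: Applicant) -> set[tuple[str, str]]:
    """The canonical (type, value) pairs an applicant can be matched on. Name and location are
    deliberately excluded: both change freely between applications."""
    return {
        ("email", normalize_email(a.email)),
        ("phone", normalize_phone(a.phone)),
        ("linkedin", normalize_linkedin(a.linkedin)),
    }


class SharedIndicators:
    """Indicators contributed by member companies, keyed to the companies that reported them."""

    def __init__(self) -> None:
        self._seen: dict[tuple[str, str], set[str]] = defaultdict(set)

    def report(self, applicant: Applicant, org: str) -> None:
        for key in indicators(applicant):
            self._seen[key].add(org)

    def match(self, applicant: Applicant) -> dict[tuple[str, str], set[str]]:
        """Return {indicator: {reporting orgs}} for every shared indicator this applicant reuses."""
        return {k: set(self._seen[k]) for k in indicators(applicant) if k in self._seen}


def build_sample_feed() -> SharedIndicators:
    """Constructed feed: three companies each flagged the same candidate under slightly different details."""
    feed = SharedIndicators()
    feed.report(Applicant("Alex Kim", "alex.kim.dev@gmail.com", "+1 (415) 555-0100",
                          "https://www.linkedin.com/in/alex-kim-dev/", "Austin, TX"), "company-a")
    feed.report(Applicant("A. Kim", "alexkimdev+jobs@gmail.com", "415-555-0100",
                          "linkedin.com/in/Alex-Kim-Dev", "Denver, CO"), "company-b")
    feed.report(Applicant("Alexander K.", "ak@example.net", "4155550100",
                          "https://linkedin.com/in/alex-kim-dev?trk=x", "Remote"), "company-c")
    return feed


def screen(applicant: Applicant) -> dict[tuple[str, str], set[str]]:
    """Screen one new applicant against the constructed shared feed."""
    return build_sample_feed().match(applicant)


if __name__ == "__main__":
    # A new application under a different name, with identifiers formatted differently.
    new = Applicant("Sam Park", "Alex.Kim.Dev+hr@googlemail.com", "1-415-555-0100",
                    "https://www.linkedin.com/in/ALEX-KIM-DEV", "Seattle, WA")
    for (kind, value), orgs in sorted(screen(new).items()):
        print(f"{kind}={value} previously reported by {sorted(orgs)}")
```

The new applicant matches on all three indicator types despite a different name, a different domain and a "+hr" tag on the email, a country code on the phone and uppercase in the profile URL. In practice a member would not want to share raw personal data this widely; hashing the canonical values before contributing them to the feed keeps the matching logic unchanged while limiting what each company learns about the others' applicants.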
Ripple posted on
Lazarus Group’s influence in the cryptocurrency space is now evident enough that it has begun to reshape legal processes and security procedures.
On Monday, a lawyer representing victims of North Korean terrorism issued a restriction notice to the Arbitrum DAO, asserting that 30,765 ETH frozen after the Kelp Bridge breach in April was North Korean property under U.S. law.
Lending protocol Aave has since disputed the notice, siding with Arbitrum and saying that "thieves do not acquire legal title to stolen property simply by taking it."
The Kelp breach resulted in the loss of $292 million in ether (ETH) and was also publicly blamed on Lazarus Group operatives. Combined, the Drift and Kelp losses in April amounted to more than $500 million tied to a single state actor in one month.
Whether industry-level intelligence sharing actually slows down attack activity is an open question. The same operatives may already be sitting in the next round of interviews somewhere.