Overview
- Ripple began sharing its internal North Korea–linked threat data with the crypto sector on Monday through Crypto ISAC, which rolled out an updated API that Coinbase has started integrating.
- The feeds include flagged wallet addresses, malicious domains, and active indicators of compromise, plus enriched profiles with LinkedIn accounts, emails, phone numbers, locations, and behavior patterns to help spot repeat operatives.
- Security teams say attackers have shifted from quick code exploits to long-term infiltration, a pattern Ripple and Crypto ISAC highlighted in the Drift case, where months of relationship-building and malware on contributor devices let thieves take multisig keys and move $285 million without tripping contract alarms.
- Public attributions tie April’s Drift and Kelp breaches to the Lazarus Group, with Kelp losing $292 million in ETH, and the fallout now includes restraining notices served on Arbitrum DAO over 30,765 ETH that was frozen, which Aave has challenged in court.
- Crypto ISAC says the impact will hinge on how fast firms adopt the feeds, and reporters note open questions about the full list of recipients and the technical provenance of Ripple’s intelligence.