North Korean Hackers Shift Tactics: How Ripple's New Strategy Could Change Crypto Security in 2026

Mira Kim | 2026.05.06


As North Korean hacking shifts from exploiting "code" to targeting "people," Ripple has begun sharing internal threat intelligence with the crypto industry. The move from technical vulnerabilities to human infiltration has put the market on edge.

On the 5th (local time), Ripple said its security team began providing internal information about North Korean hackers to the crypto sector. The effort, coordinated with the crypto security information‑sharing group Crypto ISAC, is intended to address recent changes in adversary tradecraft.

'Not hacking but infiltration'…How the Drift incident changed perceptions

The recent Drift attack did not follow the typical exploit model. Rather than taking advantage of a vulnerable smart contract, the suspected North Korean group spent months cultivating trust with insiders, then planted malware. The attackers ultimately seized wallet access and made off with roughly 420 billion KRW (approximately $315 million).

Conventional defenses raised no alarms because the activity appeared to come from legitimate internal users instead of external intruders.

From 2022 through 2024, most DeFi incidents centered on code exploits. As platforms hardened, adversaries have shifted toward social‑engineering and other people‑centric tactics.

Posing as fake applicants: Hackers infiltrating companies

Some North Korean hacking groups have begun targeting crypto firms through their hiring pipelines. Operatives pose as legitimate candidates, pass interviews, build rapport over video calls and then use those relationships to obtain internal access.

To help spot these patterns, Ripple has shared a range of indicators with Crypto ISAC, including LinkedIn profiles, email addresses, location data and phone numbers that can aid attribution and detection.

Ripple said, "The strongest defense in crypto security is sharing." The company warned that a threat actor rejected by one firm often applies to another within the same week. Without information sharing, each company would frequently be responding from scratch.
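The practical step behind the indicators described above is screening each new applicant's contact details against the shared set, in a way that tolerates the small variations (capitalization, Gmail dots and plus-tags, phone formatting, LinkedIn URL forms) a persona reused across firms tends to show. The example below is added here and is not code from Ripple or Crypto ISAC; the indicator format, the choice to exchange SHA-256 fingerprints rather than raw personal data, and every applicant record and indicator value are constructed for illustration.

```python
"""Screen applicant contact details against a shared applicant-fraud
indicator set. Constructed example: the indicator values and applicant
records below are made up and do not refer to real people."""

import hashlib
import re
from dataclasses import dataclass


def normalize_email(addr: str) -> str:
    """Lowercase, drop a +tag, and collapse Gmail dots so trivially varied
    addresses still collide on the same indicator."""
    addr = addr.strip().lower()
    local, _, domain = addr.partition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def normalize_phone(num: str, default_cc: str = "1") -> str:
    """Reduce to E.164-style digits. Assumption: a bare 10-digit number is
    a North American national number (default_cc = "1")."""
    digits = re.sub(r"\D", "", num)
    if num.strip().startswith("+"):
        return "+" + digits
    if len(digits) == 10:
        return "+" + default_cc + digits
    return "+" + digits


def normalize_linkedin(url: str) -> str:
    """Keep only the profile slug so http/https, www, and trailing slashes
    do not matter."""
    m = re.search(r"linkedin\.com/in/([^/?#]+)", url.strip().lower())
    return m.group(1) if m else url.strip().lower()


NORMALIZERS = {
    "email": normalize_email,
    "phone": normalize_phone,
    "linkedin": normalize_linkedin,
}


def fingerprint(kind: str, value: str) -> str:
    """Hash the normalized value so firms can exchange indicators without
    broadcasting a rejected applicant's details in cleartext (assumed
    sharing scheme; the receiving firm must normalize identically)."""
    return hashlib.sha256(f"{kind}:{value}".encode()).hexdigest()


def build_indicator_set(indicators):
    """indicators: iterable of (kind, raw_value) pairs -> set of fingerprints."""
    return {fingerprint(k, NORMALIZERS[k](v)) for k, v in indicators}


@dataclass(frozen=True)
class Applicant:
    name: str
    email: str
    phone: str
    linkedin: str


def screen_applicant(app: Applicant, indicator_set) -> list:
    """Return the kinds of indicator the applicant matched, in a fixed
    order. An empty list means no hit; a hit is a signal for review,
    not proof of malicious intent."""
    hits = []
    for kind, raw in (("email", app.email), ("phone", app.phone),
                      ("linkedin", app.linkedin)):
        if fingerprint(kind, NORMALIZERS[kind](raw)) in indicator_set:
            hits.append(kind)
    return hits


# Constructed indicators, as a peer firm might share them after rejecting
# a suspicious candidate. 555-01xx numbers are reserved fictional numbers.
SHARED_INDICATORS = [
    ("email", "Jane.Doe+hiring@gmail.com"),
    ("phone", "(415) 555-0142"),
    ("linkedin", "https://www.linkedin.com/in/jane-doe-dev/"),
]
INDICATOR_SET = build_indicator_set(SHARED_INDICATORS)

# The same persona reapplying elsewhere with lightly varied details.
SUSPECT = Applicant("Jane Doe", "janedoe@gmail.com",
                    "+1 415-555-0142", "linkedin.com/in/Jane-Doe-Dev")
# A constructed clean applicant with no overlap.
CLEAN = Applicant("Sam Park", "sam.park@example.org",
                  "+44 20 7946 0958", "https://www.linkedin.com/in/sam-park-sec")

if __name__ == "__main__":
    for a in (SUSPECT, CLEAN):
        print(a.name, "->", screen_applicant(a, INDICATOR_SET) or "no hits")
```

Two caveats a practitioner should keep in mind: a match justifies a closer look (a live video interview with identity verification, a reference check through independently obtained contact details), not an automatic rejection, since shared indicators can be stale or mistaken; and hashing normalized values only limits exposure of personal data, it does not prevent a firm holding the raw data from confirming a guess, so the sharing agreement still governs who may hold and query the set.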

Expansion of Lazarus Group's influence... spilling into legal disputes

The North Korean‑linked Lazarus Group's reach is extending beyond technical intrusions into legal and asset‑recovery battles.

A lawyer recently asked the Arbitrum (ARB) DAO to freeze funds, alleging that 30,765 ETH—frozen after the April Kelp Bridge attack—are tied to North Korean actors. That cache is worth roughly 55.5 billion KRW (approximately $41.6 million).

Aave pushed back, saying, "You cannot establish legal ownership over assets stolen by thieves."

The Kelp incident resulted in about 431 billion KRW (approximately $323.3 million) in losses and has also been attributed to Lazarus. Combined with Drift, the two attacks exceeded 740 billion KRW (approximately $555 million) in stolen assets in a single month.

Security paradigm shift... can 'information sharing' be the solution?

The crypto sector is moving its focus from purely technical defenses to managing human risk. But whether intelligence sharing will materially reduce attacks remains uncertain.

There is no guarantee the same actor hasn't already infiltrated other companies through hiring processes.

Ripple's move underscores the need for industry‑level coordination. Still, as adversaries continuously adapt their methods, defenders will need more flexible, multilayered security strategies.

Article summary by TokenPost.ai
🔎 Market takeaway
North Korean hacking is shifting from targeting code to exploiting people, forcing a change in the security paradigm.
Ripple's intelligence sharing signals a move from isolated corporate defenses to industry‑wide collective defense.
The Lazarus Group's expanding activity elevates market risk by linking cyberattacks to legal disputes and asset‑freeze issues.

💡 Strategic points
Hardening hiring practices and internal access controls has become a top security priority.
A collective‑defense approach—sharing suspicious accounts, applicant data and communication patterns—is increasingly necessary.
Investment is required not only in technical controls but also in insider‑threat detection and identity‑verification processes.

📘 Glossary
Lazarus Group: A high‑profile hacking group reportedly linked to North Korea's Reconnaissance General Bureau
Crypto ISAC: An industry body that shares security intelligence within the crypto sector
Social engineering attack: An attack that exploits human trust rather than technical vulnerabilities
DeFi: Decentralized finance — blockchain‑based financial services without central intermediaries

💡 Frequently Asked Questions (FAQ)

Q. Why is Ripple sharing hacker information?
Ripple is sharing data to prevent the same threat actors from repeatedly infiltrating multiple firms. The goal is to help companies recognize and respond to known threats before they can cause damage.
Q. How have hacking methods changed recently?
Attackers previously focused on code vulnerabilities such as smart contracts. Recently, they have increasingly posed as job applicants or insiders, built trust, and then launched attacks—methods that are harder for traditional security tooling to detect.
Q. Can information sharing alone stop hacks?
Information sharing improves threat awareness but is not a complete solution. Companies must also strengthen internal procedures, identity verification and access controls to achieve meaningful defense.
TP AI Note: This article summary used a TokenPost.ai language model. Key content may be omitted or differ from the original facts.