Ripple shares DPRK threat data with Crypto ISAC

Ripple gave Crypto ISAC DPRK threat data, including domains, wallets, IOCs and profiles of suspected North Korean employees, to help crypto firms detect insider hacks.

Ripple provided exclusive DPRK cyber threat intelligence to Crypto ISAC in early May 2026. The feed includes fraudulent domains, wallet addresses, indicators of compromise and enriched profiles of suspected North Korean IT workers. Each profile lists LinkedIn accounts, email addresses, locations and phone numbers tied to intrusion activity.

Crypto ISAC founding members, including Coinbase, are integrating the data through a new API that normalizes signals across Web2 and Web3 environments and delivers them directly into member security operations. The API maps domains, wallets and profiles so incident response platforms and security operations centers can ingest alerts with linked attribution intact.

The feed is intended to flag actors who cultivate trust inside organizations and to provide context that links individual profiles to coordinated campaigns rather than treating each alert in isolation.

The contribution follows several incidents in which intruders spent months building relationships with contributors and employees, then deployed malware to compromise devices, bypass conventional indicators and take control of multisignature wallets. Crypto ISAC described those attacks as “social engineering at a new level” and noted that North Korean groups increasingly operate from within firms instead of relying mainly on smart contract exploits.

Profiles in the feed capture signals that tie suspected DPRK IT workers to broader operations, offering security teams public social profiles, contact details and transactional identifiers for verification. Members noted that sharing contextualized data can prevent a threat actor who fails a background check at one company from applying successfully to multiple firms.

Justine Bone, executive director of Crypto ISAC, called information sharing “the gold standard for security.”

Jeff Lunglhofer, Coinbase’s chief information security officer, described the data model as emphasizing context and confidence over isolated indicators, which preserves investigative value when alerts are consumed by different tools and teams.

Officials said adoption must scale to more exchanges, protocols and custodians to keep pace with adaptive campaigns. They warned that a single actor rejected by one firm may apply to several others within days, creating short windows of exposure unless defenders share actionable intelligence quickly.

Ripple has increased security investments in recent years and provided the DPRK-focused feed as part of broader industry cooperation. Members will monitor the feed’s impact on insider operations and losses from social-engineered intrusions in the months ahead.
