Ripple feeds DPRK cyber intelligence into Crypto ISAC API

Ripple is supplying DPRK-linked domains, wallets, IOCs and suspect profiles to Crypto ISAC; Coinbase and founding members are integrating the feed via Crypto ISAC’s API.
Ripple has begun providing exclusive threat intelligence on actors linked to the Democratic People’s Republic of Korea to Crypto ISAC. The data set includes fraudulent domains, wallet addresses, technical indicators of compromise and enriched profiles of suspected DPRK IT workers. Coinbase and other founding members are integrating the feed through Crypto ISAC’s new API so the information can be ingested into existing security systems.
The intelligence covers active DPRK campaigns and includes forensic artifacts captured during intrusions. Each profile of a suspected worker contains a LinkedIn account, an email address, a reported location, a contact number and signals that tie that individual to wider activity. Crypto ISAC’s API normalizes indicators across traditional internet services and blockchain data and can deliver contextual alerts directly into member security operations.
The effort follows several high-profile compromises in the crypto industry, including the Drift incident. In that case, attackers spent months building trust with contributors, then deployed malware that compromised devices, bypassed traditional indicators and manipulated individuals into transferring control of multisig wallets. Crypto ISAC described the pattern as social engineering at a new level. Security teams report that some DPRK-linked groups increasingly try to embed personnel or partners inside organizations rather than rely only on smart-contract exploits.
Crypto ISAC intends the shared feed to prevent a threat actor who is rejected at one firm from reappearing at others. Justine Bone, executive director of Crypto ISAC, called information sharing ‘the gold standard for security.’ Jeff Lunglhofer, Coinbase chief information security officer, emphasized that the data model preserves context and confidence rather than supplying raw indicators alone, and that richer context helps distinguish legitimate partners from persistent impostors.
Crypto ISAC and its members acknowledge that the feed’s value is limited until it is adopted more widely and scaled across many firms. The usefulness of the intelligence for hiring, vendor screening and routine security operations will depend on how quickly exchanges, protocols and other firms integrate the API. Ripple’s contributions are part of the company’s broader security work, and the consortium expects additional organizations to evaluate joining the information-sharing network in the coming months.








