Ripple said it will share North Korea-linked threat intelligence with Crypto ISAC to help member companies strengthen hiring reviews, contractor checks, and vendor screening. The shared intelligence includes scam-related domains, wallet addresses, and indicators of compromise tied to active campaigns, with the goal of helping crypto firms identify identity-based threats before granting access.
High-confidence intelligence with added context
According to the announcement, the program gives Crypto ISAC members access to Ripple’s high-confidence intelligence related to activity associated with the Democratic People’s Republic of Korea. Beyond technical indicators, the shared data also includes additional context, such as identity signals and details that can connect suspected actors to broader operations. That added layer is intended to help security teams assess applicants, contractors, and outside partners more effectively before they become trusted insiders.
Ripple said on X that the strongest security posture in crypto is a shared one. The company argued that a threat actor rejected during a background check at one firm may apply to several others in the same week, and without shared intelligence, each company is forced to start from scratch.
Crypto ISAC API aims at identity-based risk
The intelligence will be distributed through Crypto ISAC’s updated API, which is designed to standardize both Web2 and Web3 indicators so members can integrate the data into their security operations. Ripple and Coinbase were identified as among the early companies using the API.
The approach is meant to go beyond static threat alerts by preserving context, confidence levels, and links between separate signals. That distinction matters when attackers do not begin with a visible exploit. The report referenced the Drift incident, where malicious actors reportedly spent months building trust with participants before deploying harmful software and gaining access to multisignature wallets.
Testing a collective security model for crypto
The move is also a broader test of whether crypto firms can respond collectively to threats that move from one company to another. If one member identifies a suspicious actor, enriched profile data can be passed to others before the same individual or group attempts another route of entry.
Crypto ISAC Executive Director Justin Bohn said intelligence sharing was long treated as optional, but is now the gold standard in security. In his view, Ripple’s action through Crypto ISAC offers a concrete proof of concept for turning shared data into an actionable defense strategy that the wider industry can build on.
Overall, Ripple’s contribution highlights how shared threat intelligence is increasingly being positioned as a practical defensive layer for an industry facing coordinated infiltration attempts.

