Ripple Shares DPRK Threat Data on Fraud Domains, Wallets, Campaigns

Key Takeaways:

• Ripple will provide Crypto ISAC members intelligence on DPRK-linked fraud domains, wallets, and campaigns.
• Security teams can use enriched identity signals to assess applicants, contractors, and vendors.
• Crypto ISAC’s API will distribute shared data with context, confidence levels, and linked indicators.

Ripple Threat Intelligence Expands Crypto Defense

Ripple shared on May 4, 2026, that it will provide North Korea-linked threat intelligence to the Crypto Information Sharing and Analysis Center ( Crypto ISAC). The move puts hiring, vendor screening, and identity-based risk at the center of crypto defense as attackers increasingly seek access through people, not only software flaws.

The program gives Crypto ISAC members access to Ripple’s high-confidence intelligence on the Democratic People’s Republic of Korea (DPRK)-linked activity. The shared data covers fraud-related domains, wallets, and indicators of compromise tied to active campaigns. Its value comes from added context, including identity details and signals that connect suspected actors to wider operations. That can help security teams assess applicants, contractors, and outside partners before access is granted. Ripple stated on X:

“The strongest security posture in crypto is a shared one. A threat actor who fails a background check at one company will apply to three more that same week. Without shared intelligence, every company starts from zero.”

Crypto ISAC API Targets Identity-Based Risk

Crypto ISAC’s updated API provides the infrastructure for distributing the intelligence. The system is built to normalize Web2 and Web3 indicators so members can integrate the data into security operations. Ripple and Coinbase (Nasdaq: COIN) are among the early companies using the API. The model is intended to move beyond static threat alerts by preserving context, confidence levels, and links between separate signals. That distinction matters when attackers do not begin with a visible exploit. In the Drift incident, malicious actors spent months building trust with contributors before installing harmful software and reaching multisig wallets.

The outcome is a broader test of whether crypto firms can respond collectively to threats that move across companies. Once one member identifies a suspicious actor, enriched profile data can reach others before the same person or group tries another entry point. Justine Bone, Executive Director of Crypto ISAC, said:

“For too long, information sharing was seen as optional. Today, it is the gold standard for security and Ripple’s action through Crypto ISAC is the definitive proof of concept, showing how to turn shared data into an actionable defense strategy that the entire industry can build upon.”

Ripple’s contribution positions shared intelligence as a practical defense layer for an industry facing coordinated infiltration attempts.