North Korea–Linked Actors Pivot to Social Engineering, Ripple Reports

North Korea-linked hackers shift to social engineering, pushing crypto firms toward faster intelligence sharing and defense.

With the growth of cyber threats, crypto firms are pushing to re-strategize security beyond code vulnerabilities. Recent incidents show attackers now rely more on human manipulation than technical flaws. Industry participants are beginning to coordinate intelligence-sharing to respond more quickly. New data suggests state-linked groups are central to this shift.

Ripple Expands Threat Data Sharing as Attackers Target People Over Protocols

Ripple has begun sharing internal threat intelligence tied to North Korea-linked actors with the broader crypto sector. The effort runs through Crypto ISAC, a nonprofit focused on industry-wide security coordination. Shared data includes suspicious domains, wallet addresses, and indicators of compromise connected to past campaigns.

The move follows a $280 million breach involving Drift, which exposed a different attack pattern. Instead of exploiting smart contracts, attackers gained trust from contributors and compromised their devices. That approach marks a shift toward social engineering tactics that target people rather than code.

Christina Spring, director of growth at Crypto ISAC, described the trend as increasingly complex. She noted that both crypto firms and traditional financial institutions are facing similar threats. Attackers are operating from within organizations after gaining access through deception.

Ripple stated that threat actors often move quickly between targets after failing initial checks. Shared intelligence, according to the company, enables firms to act on threats in real time rather than starting from scratch. The goal is to reduce response time and limit damage across the ecosystem.

Lazarus-Linked Activity Drives Spike in Crypto Losses as Firms Strengthen Data Sharing

A new API launched by Crypto ISAC supports faster data exchange between participants. Early adopters include Coinbase and Ripple, which have integrated the system into their internal security workflows. Erin Plante, Ripple’s director of brand security and intelligence, said the integration aligns with existing processes.

“As an early adopter, we’ve been working closely with Crypto ISAC to onboard and operationalize new data sources in a way that aligns with our internal workflows,” Plante said.

Data from TRM Labs shows a sharp rise in North Korea-linked activity. The country’s share of global crypto hack losses increased from under 10% in 2020–2021 to 64% in 2025. Analysts attribute several major incidents to coordinated state-backed groups.

TRM Labs has linked the $292 million Kelp DAO exploit to TraderTraitor, an operation tied to the Lazarus Group. These groups are known for combining technical exploits with social engineering methods.

North Korean officials have rejected such claims. A Foreign Ministry spokesperson described the accusations as politically motivated and unfounded. Despite denials, industry data continues to point to a growing role for state-linked actors in crypto-related cybercrime.

The post North Korea–Linked Actors Pivot to Social Engineering, Ripple Reports appeared first on Live Bitcoin News.