VERSE PRESS

Ripple Feeds North Korea Threat Data Into Industry Alert System After $285M DeFi Heist

Ripple has begun sharing intelligence on North Korean state-sponsored hackers with a crypto industry security network this week, citing a six-month social engineering operation that drained $285 million from Solana-based Drift Protocol on April 1.

The company contributed the data to the Crypto Information Sharing and Analysis Center (Crypto ISAC), a not-for-profit that distributes threat intelligence across exchanges, custodians, and blockchain protocols via a standardized API. The intelligence package includes fraud-linked domain names, cryptocurrency wallet addresses, active indicators of compromise, and detailed identity profiles of suspected North Korean operatives, including LinkedIn usernames, email addresses, phone numbers, and locations.

"The strongest security posture in crypto is a shared one," Ripple said in a statement reported by CryptoNews.net. "A threat actor who fails a background check at one company will apply to three more that same week." Erin Plante, Ripple's Director of Brand Security and Threat Intelligence, added: "Crypto ISAC's newly updated API represents a meaningful step forward in how intelligence is shared across the ecosystem."

Justine Bone, the ISAC's Executive Director, framed the moment more bluntly: "For too long, information sharing was seen as optional. Today, it is the gold standard for security."

The Drift Attack: Six Months of Patience, Twelve Minutes of Theft

The Drift Protocol exploit is the largest DeFi hack of 2026 and the second-largest in Solana's history, behind the $326 million Wormhole bridge hack in 2022. Attribution has been assigned with medium-to-high confidence to UNC4736, a North Korean state-sponsored group also tracked under names including AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces. The February 2025 Bybit hack, which resulted in $1.5 billion in losses according to Chainalysis, has been attributed to the same group, a track record that gives the current attribution significant weight.

The attackers did not find a flaw in Drift's smart contracts. They found people. Beginning in fall 2025, operatives launched a broad social engineering campaign targeting the crypto industry. By December 2025, they had specifically infiltrated the Drift community under false identities, asking detailed product questions to build credibility and depositing more than $1 million of their own funds to appear as legitimate participants.

Over weeks, they cultivated relationships with Security Council members who held signing authority over the protocol's multisig wallet. Malware was eventually placed on contributor machines. Using Solana's "durable nonce" feature, which lets a transaction be signed in advance and submitted later without expiring, the attackers staged the withdrawals before the day of the theft.

On April 1, 2026, they executed 31 withdrawal transactions in approximately 12 minutes. The mechanics involved minting 750 million units of a fictitious token called CarbonVote Token (CVT), seeding it with a few thousand dollars of liquidity, using wash trading to establish a price near $1, and then relying on Drift's oracle-driven collateral valuation to treat CVT as legitimate collateral worth hundreds of millions, even though only a few thousand dollars of real liquidity stood behind that price.
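The mismatch described above, a token valued by the oracle at hundreds of millions but backed by a few thousand dollars of liquidity, is the kind of thing a liquidity-aware collateral check catches. The following is an added example written for this article, not code from Drift, Ripple or Crypto ISAC: it credits collateral only up to a fraction of the liquidity a liquidation could actually sell into, and refuses tokens whose oracle price has been walked up sharply over the recent window. The CVT and SOL positions, the liquidity figures, the price histories and the thresholds are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CollateralPosition:
    symbol: str
    units: float                 # tokens deposited as collateral
    oracle_price: float          # USD per token as reported by the price oracle
    pool_liquidity_usd: float    # USD depth of the token's on-chain liquidity
    price_history: List[float] = field(default_factory=list)  # oldest first


def naive_collateral_value(pos: CollateralPosition) -> float:
    """What an oracle-only valuation credits: units times the reported price."""
    return pos.units * pos.oracle_price


def liquidity_aware_value(pos: CollateralPosition,
                          max_share_of_liquidity: float = 0.25,
                          max_price_multiple: float = 2.0) -> Tuple[float, List[str]]:
    """Return (credited_usd, flags).

    The credited value never exceeds max_share_of_liquidity of the pool depth,
    and falls to zero when the oracle price moved more than max_price_multiple
    across the history window (a sign the price was manufactured, not discovered).
    """
    flags: List[str] = []
    credited = naive_collateral_value(pos)
    cap = pos.pool_liquidity_usd * max_share_of_liquidity
    if credited > cap:
        flags.append("THIN_LIQUIDITY")
        credited = cap
    if len(pos.price_history) >= 2:
        low, high = min(pos.price_history), max(pos.price_history)
        if low <= 0 or high / low > max_price_multiple:
            flags.append("PRICE_JUMP")
            credited = 0.0
    return credited, flags


# Constructed sample positions (not the real Drift figures): a wash-traded token
# with almost no liquidity next to a deep, stable one.
CVT = CollateralPosition("CVT", 750_000_000, 1.00, 5_000, [0.02, 0.10, 0.55, 1.00])
SOL = CollateralPosition("SOL", 10_000, 150.0, 50_000_000, [148.0, 151.0, 149.0, 150.0])

if __name__ == "__main__":
    for pos in (CVT, SOL):
        credited, flags = liquidity_aware_value(pos)
        print(pos.symbol, naive_collateral_value(pos), credited, flags)
```

The oracle alone would credit CVT at $750 million; the liquidity cap alone would cut that to $1,250, and the price-jump check reduces it to nothing, while SOL is credited in full with no flags.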

At least two Security Council signers approved transactions they did not fully understand. Five days before the exploit, Drift had migrated its Security Council to a 2/5 multisig structure with zero timelock, removing the final detection window that might have allowed intervention. DRIFT token prices fell more than 40% in the immediate aftermath.

TRM Labs described the result clearly: the zero-timelock governance migration "removed the protocol's final safeguard, enabling immediate exploitation without intervention opportunity."

North Korea Now Accounts for 76% of 2026 Crypto Theft Losses

The Drift hack sits inside a broader and accelerating pattern. North Korean-linked actors stole $2.02 billion in cryptocurrency in 2025, a 51% increase over the $1.34 billion stolen in 2024 and more than half of the $3.4 billion taken globally that year. So far in H1 2026, DPRK-linked groups account for 76% of all crypto hack losses, according to Dark Reading and BeInCrypto. Cumulative all-time theft attributed to North Korean operations stands at approximately $6.75 billion.

A UN Panel of Experts, cited by TRM Labs, estimates between 3,000 and 7,000 North Korean IT operatives are working globally, generating $250 to $600 million annually through fraudulent employment schemes alone.

In March 2026, the U.S. Treasury's Office of Foreign Assets Control sanctioned six DPRK IT workers and two associated entities for schemes that generated nearly $800 million in 2024. A parallel campaign called "Mach-O Man," which researchers have linked to Lazarus Group according to reporting by CoinDesk and CertiK, targets macOS devices at fintech and crypto firms through fabricated business communications.

A separate "ClickFix" operation, attributed to DPRK actors including the Bluenoroff subgroup by Infosecurity Magazine, directs victims to fake Zoom and Teams pages where they are prompted to paste a terminal command that installs credential-stealing malware. Cybersecurity researchers, as reported by Infosecurity Magazine, identified more than 80 typo-squatted Zoom and Teams domains registered over a five-month period beginning in late 2025.

Access Gap Leaves Emerging Market Projects Exposed

Ripple's contribution to Crypto ISAC addresses a real problem, but the network's membership is weighted toward established exchanges and protocols, most of them based in the United States, Europe, or large Asian markets. Smaller DeFi projects operating in South Asia or Sub-Saharan Africa have limited access to this intelligence unless they join the ISAC directly. No known equivalent regional body currently exists in those markets.

This matters because both regions have seen significant exposure to sophisticated financial fraud. The CBEX investment scheme gathered more than $250 million in Nigeria. Treasure NFT circulated widely in India and Pakistan. These cases illustrate the vulnerability of markets with less established screening infrastructure, and that vulnerability is compounded by the geographic reach of state-sponsored operations: DPRK IT worker schemes have now penetrated companies in more than 40 countries, according to CSIS, with expansion accelerating as US enforcement pressure mounts.

Developers across South Asia represent a substantial share of the global Web3 workforce and are a documented target demographic for fake recruiter schemes, according to Chainalysis and Cybersecurity Dive. The technical threat extends beyond workforce targeting as well: the oracle manipulation technique used against Drift is directly relevant to any DeFi protocol using similar infrastructure, including Pyth and Switchboard on Solana and Chainlink on EVM chains, regardless of where that protocol is based or who its users are.

Coinbase announced an expanded automated integration with the Crypto ISAC API in February 2026, making it an early contributor alongside Ripple. Whether other major platforms expand participation, and whether the network finds ways to extend access to smaller regional actors, will determine how far this collective defense effort actually reaches.