May 4
Ripple opens its internal DPRK threat intelligence to the crypto industry through Crypto ISAC’s API. The perimeter just got sharper. The action moment is still naked.
Yesterday Ripple announced it is contributing exclusive North Korea threat intelligence to Crypto ISAC, a non-profit information sharing center for the crypto industry. The feed includes fraud-linked domains, wallets, indicators of compromise from active DPRK campaigns, and enriched profiles of suspected DPRK IT-worker applicants. Names, LinkedIn handles, emails, locations, behavioral patterns. Coinbase is one of the first integrators. The data flows through Crypto ISAC’s just-launched API directly into security workflows.
This is the right move. It is also not enough.
Ripple’s own framing said the quiet part loud: “a threat actor who fails a background check at one company will apply to three more that same week.” Now apply that sentence one step further. On the fourth attempt, they get hired. They embed for six months. They sign a transaction. Nothing in the Crypto ISAC feed reaches the moment of the signature.
The perimeter just got sharper across the entire industry. The signing surface is unchanged.
The Drift loss in April was $285 million. KelpDAO eighteen days later was $292 million. By TRM Labs’ count, those two attacks alone account for 76 percent of all crypto hack losses year-to-date 2026. Both were the work of operatives who had already cleared whatever hiring or vetting checkpoint stood at the door, months before they signed anything. The shared-intelligence layer Ripple is opening to the industry is exactly the layer that, in a counterfactual world, might have flagged those operators earlier. That is the value. The value is real. It also runs out of road at the moment one cleared insider authorizes a transaction nobody re-checks.
Crypto ISAC closes the front door. Nothing yet closes the vault.
Crypto ISAC has 16 Founding Members. Coinbase, Kraken, Circle, Ripple, Evertas, Fireblocks, Halborn, Hedera, Solana, Trail of Bits, and others. The membership has grown over the last year to include Robinhood, Binance.US, Talos, Uniswap, Phantom, NYDIG, Uphold, and more. Crypto ISAC’s mission is straightforward: turn the things one company learns the hard way into intelligence the entire industry can act on the easy way.
The newly upgraded API normalizes indicators across Web2 and Web3, preserves context, assigns confidence levels, and maintains links between related signals. Coinbase CISO Jeff Lunglhofer described the workflow upgrade plainly: “One of the biggest challenges in crypto threat intelligence is bridging the gap between raw signals and operational decisions.”
He is right. He is also describing the wrong layer for the actual losses.
The perimeter answers the first question. Crypto ISAC is now an industry-grade answer to the first question. The second question has no industry-grade answer yet, because no industry-grade answer exists at the moment of the action.
A signed JWT minted in front of a live human, before the transaction executes, is what closes that gap.
16 members. Hundreds of reputable exchanges.
Crypto ISAC is a real defense and a fast-growing one. It is also bounded by membership. Sixteen Founding Members, plus a couple dozen later additions, plus a Charter Member roster that adds a few names a quarter. The math is what it is: a great defense, available to a fraction of the platforms that need it.
The exchanges outside that membership do not get the Ripple feed. That includes most regional and mid-tier centralized exchanges in EMEA, LATAM, APAC, and parts of North America. They do not get Coinbase’s enrichment. They do not get the contextual confidence levels. They get whatever their own security team can scrape from public threat reports, plus whatever shared analysis a vendor can sell them, plus whatever was already in the Sumsub or Persona pipeline at signup six months earlier.
For those exchanges the perimeter question is harder, not easier. Which makes the second question, the action-moment question, harder still.
The pattern Ripple is describing is the pattern of a workforce attack, not a code attack. The applicant clears one company’s interview. They fail another’s. They are a different name and a different LinkedIn at the third. By the fourth attempt the perimeter has not seen them yet, and they sit inside an organization for months as a contractor or vendor or trusted counterparty.
When the action arrives, a multisig signature, a privileged upgrade, a withdrawal authorization, a vault integration, the perimeter is gone. The perimeter ran out at the offer letter. The signing surface is unguarded.
Necessary, insufficient, complementary.
Three things to be clear about.
First. The Ripple-Crypto ISAC announcement is necessary. Industries that share threat intelligence beat industries that hoard it. FS-ISAC has been the model in traditional finance for two decades, and the gap in crypto has been a persistent embarrassment. This closes a real gap.
Second. It is insufficient by design. The data feed is perimeter intel. Domains, wallets, IOCs, applicant profiles. None of it answers what’s happening in front of the camera at the moment a real human authorizes a real action. That is a different layer of defense, and it requires a different artifact: a signed, timestamped attestation that a real human, the right one, was present at the moment of the signature.
Third. The two layers are complementary, not competitive. Crypto ISAC’s intel makes the perimeter sharper. Action-moment attestation makes the post-perimeter blast radius smaller. An exchange running both has a defense that catches the operator at the door whenever possible, and stops the action at the vault when the door fails.
The math is not “perimeter or action moment.” The math is “what does each one cost when it’s the only thing you have?” The 76 percent DPRK figure exists because the door has been the only layer for most of the industry. As the door gets sharper, the next attack adapts. The cleared insider keeps signing. Until the action moment is also a verified moment, the same losses arrive at a slightly higher acquisition cost for the attacker and the same dollar amount for the platform.
One API call. Signed JWT. The right human, on record.
Lorica is biometric step-up verification at the moment a privileged action executes. The user, signer, or admin initiates a high-risk action: a withdrawal, a contract upgrade, a multisig approval. The calling system invokes the verify endpoint. The camera opens, a live face is matched against the enrolled embedding, and the response is a signed JWT confirming who authorized what and when.
Median verify is 292 milliseconds on the warm path. Three endpoints: enroll, verify, delete.
The JWT is the artifact your auditor and your underwriter both want. It is independently verifiable, cryptographically signed, and timestamped to the moment of the action. It does not depend on the platform’s logs being trustworthy after the fact, because the signature was minted before the fact. It does not depend on the perimeter having flagged the operator, because the verification happens at the action regardless of who that operator is or how they got hired.
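How a relying system could check such an attestation immediately before it executes the action, as an added example that is not Lorica's code and not part of the original post. The claim names (`sub`, `act`, `txh`, `iat`), the EdDSA algorithm, the 60-second freshness window and the helper names are assumptions; `mintAttestation` only stands in for the attestation service so the example runs offline.

```javascript
// Added example. Claim names (sub, act, txh, iat) and EdDSA are assumptions
// for illustration; they are not a documented Lorica token schema.
const crypto = require("node:crypto");
const b64u = (x) => Buffer.from(x).toString("base64url");
const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Stand-in for the attestation service: signs the claims after the face match.
function mintAttestation(privateKey, claims) {
  const head = b64u(JSON.stringify({ alg: "EdDSA", typ: "JWT" }));
  const body = b64u(JSON.stringify(claims));
  const sig = crypto.sign(null, Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${b64u(sig)}`;
}

// Relying-party gate, run immediately before the privileged action executes.
function authorizeAction(jwt, publicKey, expected, nowSec, maxAgeSec = 60) {
  const deny = (reason) => ({ ok: false, reason });
  const parts = String(jwt).split(".");
  if (parts.length !== 3) return deny("malformed");
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, "base64url").toString());
    claims = JSON.parse(Buffer.from(body, "base64url").toString());
  } catch { return deny("malformed"); }
  if (!header || !claims) return deny("malformed");
  // Pin the algorithm on the verifier side; never let the token choose it.
  if (header.alg !== "EdDSA") return deny("bad alg");
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify(null, signed, publicKey, Buffer.from(sig, "base64url")))
    return deny("bad signature");
  // Bind the attestation to this signer and this exact transaction payload.
  if (claims.sub !== expected.signer) return deny("wrong signer");
  if (claims.act !== expected.action || claims.txh !== sha256(expected.payload))
    return deny("action mismatch");
  // Freshness: the face match must have happened just before execution.
  if (typeof claims.iat !== "number" || claims.iat > nowSec + 5 ||
      nowSec - claims.iat > maxAgeSec) return deny("stale");
  return { ok: true, reason: "ok" };
}

// Constructed sample: a withdrawal approved by a hypothetical signer "ops-7".
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const payload = JSON.stringify({ to: "0xEXAMPLE", amount: "1500000" });
const token = mintAttestation(privateKey,
  { sub: "ops-7", act: "withdrawal", txh: sha256(payload), iat: 1000 });
const want = { signer: "ops-7", action: "withdrawal", payload };
console.log(authorizeAction(token, publicKey, want, 1010));
console.log(authorizeAction(token, publicKey, { ...want, payload: "{}" }, 1010));
```

The second call shows why the payload hash matters: a valid attestation replayed against a different transaction is refused even though its signature verifies.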
For an exchange inside Crypto ISAC, action-moment attestation is the second wall of a defense the perimeter built first. For an exchange outside Crypto ISAC, it is the wall that the perimeter has not yet been built to provide.
Crypto ISAC asks the front door to flag the right people. The front door is necessary. The door is also not where money moves.