Google’s Mandiant division has uncovered a new campaign where North Korean hackers use blockchain technology to hide and distribute crypto malware. The technique, known as EtherHiding, allows attackers to store malicious code inside smart contracts on public blockchains like Ethereum and Binance Smart Chain.

According to the Google Mandiant report, this marks the first time a nation-state group has used blockchain networks as part of an active cyberattack. Once the code is on the blockchain, it stays there. You cannot remove or block it. Unfortunately, hackers found a permanent place to host and update their malware.

What Is EtherHiding?

EtherHiding first appeared among cybercriminals in 2023 but has now reached a new level. Instead of hiding malware on ordinary servers or phishing sites, attackers place parts of it inside blockchain smart contracts.

These smart contracts are bits of code that run on decentralized networks like Ethereum. Because they are stored across thousands of computers, blockchain data cannot be erased or altered. This is the concept of immutable blockchains.

For hackers, this makes an ideal hiding place. Once uploaded, the malicious script remains permanently accessible, even if cybersecurity teams shut down the original websites or servers used in the attack.

Who’s Behind the Attack

Google attributes the operation to a North Korean group identified as UNC5342. The same cluster has been linked to the “Contagious Interview” campaign, which targeted crypto developers and exchange employees with fake job offers.

UNC5342’s goal, like many of Pyongyang’s cyber units, is financial theft and espionage. By embedding malware into smart contracts, the group avoids detection while maintaining full control of its attack infrastructure.

The report notes that this North Korea cyberattack uses multiple layers of deception, including legitimate-looking documents and web links. Once opened, they silently connect to the blockchain to retrieve hidden instructions.

How the Attack Works

In simple terms, the smart contract exploit functions as a secret delivery system.

  1. The victim downloads what appears to be a normal file or job document.
  2. That file includes a short script that reaches out to the blockchain.
  3. The script reads data from a malicious Ethereum smart contract or the BNB Smart Chain, where the hackers have hidden new payloads.
  4. These payloads install the real malware onto the victim’s device.

Once active, the malware performs crypto wallet theft, targeting applications like MetaMask or Phantom to steal stored keys and passwords. It can also capture screenshots, collect system data, and download additional tools directly from the blockchain.

Because this process uses read-only blockchain calls, attackers don’t need to pay high transaction fees or interact with centralized servers. It’s cheap, quiet, and almost impossible to trace.

Why It’s So Hard to Stop

Traditional cybersecurity systems block malicious domains or shut down infected servers. But in this case, there’s nothing to take offline.

The blockchain is decentralized, meaning it exists on thousands of machines worldwide. Once malicious code is embedded, it’s immutable. Nobody can delete it, not even the network itself.

Mandiant researchers found that the hackers updated their smart contract payloads for as little as $1.37 per change. That means they can quickly alter their code, switch between blockchains, and stay one step ahead of defenders. This evolution highlights how North Korean hackers’ crypto malware operations now exploit blockchain resilience as a shield against takedown.

This kind of decentralized malware turns the very features that make blockchain technology resilient, i.e. transparency, redundancy, and permanence, to criminal purposes.

What’s at Stake for Crypto Users

The danger isn’t limited to developers or cybersecurity professionals. Anyone who uses crypto wallets, browser extensions, or decentralized apps could become a target.

If you interact with a compromised website or open a phishing document, the blockchain malware could quietly activate in your browser and begin collecting data. Once your wallet keys or credentials are stolen, your assets can be drained instantly, and recovery is nearly impossible.

The campaign also poses a risk for crypto exchanges and DeFi platforms, since attackers often impersonate partners or applicants to infiltrate internal systems. It’s a reminder that crypto security now extends far beyond protecting tokens; it includes defending the infrastructure itself.

How to Stay Safe

  • Be skeptical of unsolicited job offers or collaborations, especially those asking you to open files or code samples.
  • Install browser extensions and wallet updates only from official sources.
  • Use antivirus and browser isolation tools that detect suspicious scripts running in the background.
  • Monitor wallet permissions and revoke access to unknown decentralized apps.
  • For companies, monitor blockchain API calls for unusual behavior that could indicate malicious smart contract access.
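The monitoring suggested in the last item above, and the read-only contract call described under "How the Attack Works", can be checked at the network edge. The following is an added example, not code from the Mandiant report or from any tool it names: it assumes a proxy that logs each JSON-RPC request and response as one JSON line with a "dir" field, pairs eth_call reads with their results, and flags reads of contracts outside a constructed allowlist or results that ABI-decode to script-like text. The contract addresses, log lines, and return data are all constructed for the example.

```python
import json
import re

ALLOWED_CONTRACTS = {"0x1111111111111111111111111111111111111111"}  # constructed allowlist of contracts you expect to read
SCRIPT_MARKERS = re.compile(r"eval\(|Function\(|<script|document\.|fetch\(")  # text a balance or price read should never contain

def abi_decode_string(hexdata):
    """Decode an ABI-encoded dynamic string (32-byte offset, 32-byte length, padded bytes); None if the layout does not fit."""
    data = bytes.fromhex(hexdata.removeprefix("0x"))
    if len(data) < 64:
        return None
    offset = int.from_bytes(data[:32], "big")
    if offset + 32 > len(data):
        return None
    length = int.from_bytes(data[offset:offset + 32], "big")
    payload = data[offset + 32:offset + 32 + length]
    if len(payload) != length:
        return None
    return payload.decode("utf-8", errors="replace")

def find_suspicious_calls(log_text):
    """Pair eth_call requests with responses by JSON-RPC id; flag reads outside the allowlist or with script-like results."""
    pending, findings = {}, []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["dir"] == "req":
            pending[rec["id"]] = rec
            continue
        req = pending.pop(rec["id"], None)
        if req is None or req["method"] != "eth_call":
            continue
        to = req["params"][0].get("to", "").lower()
        reasons = []
        if to not in ALLOWED_CONTRACTS:
            reasons.append("contract not on allowlist")
        decoded = abi_decode_string(rec["result"])
        if decoded is not None and SCRIPT_MARKERS.search(decoded):
            reasons.append("result decodes to script-like text")
        if reasons:
            findings.append({"id": rec["id"], "to": to, "reasons": reasons})
    return findings

# Constructed sample log: id 1 is a balanceOf() read returning uint256 100; id 2 reads an
# unknown contract and gets back the ABI-encoded string "eval(x)" (offset 0x20, length 7).
SAMPLE_LOG = "\n".join([
    '{"dir":"req","id":1,"method":"eth_call","params":[{"to":"0x1111111111111111111111111111111111111111","data":"0x70a08231"},"latest"]}',
    '{"dir":"res","id":1,"result":"%s"}' % ("0x" + "00" * 31 + "64"),
    '{"dir":"req","id":2,"method":"eth_call","params":[{"to":"0x2222222222222222222222222222222222222222","data":"0x20965255"},"latest"]}',
    '{"dir":"res","id":2,"result":"%s"}' % ("0x" + "00" * 31 + "20" + "00" * 31 + "07" + "6576616c287829" + "00" * 25),
])
```

Running `find_suspicious_calls(SAMPLE_LOG)` reports only the second read, with both reasons attached; a plain numeric result such as the balance in id 1 does not decode as a string and is never flagged on content alone.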

Building crypto security awareness across teams is now just as important as keeping funds in cold storage.

What Experts Expect Next

The Mandiant threat analysis suggests that EtherHiding could soon spread beyond North Korea’s operations. The method is inexpensive, resilient, and adaptable — making it appealing to other hacker groups.

Because the blockchain-based attack uses standard smart contracts, even legitimate on-chain tools can unknowingly host malicious code. Researchers warn that new detection systems will be needed to scan for hidden data inside contracts, not just external phishing links.

In short, the North Korea cyberattack may have opened the door to an entirely new class of decentralized threats.

The discovery of EtherHiding highlights how quickly North Korean hackers’ crypto malware tactics are evolving. By turning the blockchain into a weapon, they’ve blurred the line between financial innovation and cyberwarfare.

As blockchain technology continues to spread, defenders will have to adapt — not just to protect coins, but to secure the very networks that power the digital economy.

Readers’ frequently asked questions

Could the EtherHiding technique be used for purposes other than stealing crypto?

Yes. Although first seen in crypto theft campaigns, the same method could be adapted to hide ransomware instructions, espionage tooling, or even disinformation payloads. Any operation that benefits from permanent, censorship-resistant hosting could leverage public blockchains in a similar way.

Why is EtherHiding hard for antivirus or threat-detection tools to identify?

Traditional defenses scan files, websites, and network endpoints, but they rarely inspect data fetched from smart contracts. Because EtherHiding retrieves instructions via legitimate blockchain API calls, the traffic often looks normal. Reliable detection requires monitoring smart-contract read calls and unusual on-chain query patterns—capabilities most tools don’t yet have by default.

How does this change the cybersecurity industry’s view of the blockchain itself?

It reframes the blockchain from a purely financial rail into a resilient command-and-control layer. That shift is driving work on “on-chain threat intelligence”: tagging malicious contracts, building scanners for hidden data in smart contracts, and integrating blockchain telemetry into SOC workflows alongside domain and IP reputation feeds.

What Is In It For You? Action items you might want to consider

Keep your crypto tools clean and up to date

Use only official wallet apps and browser extensions such as MetaMask or Phantom. Remove any you no longer use and check for updates regularly. Outdated or imitation extensions are the easiest way for hidden malware to reach your funds.

If someone sends you a document or link claiming to be a job offer, partnership, or crypto opportunity, double-check the sender before opening it. Many EtherHiding attacks begin with fake recruiting messages or shared code that secretly installs malware.

Add an extra layer of protection to your accounts

Enable two-factor authentication on exchanges and wallets, and keep your recovery phrases offline. Consider moving larger balances to a hardware wallet that never connects to the internet—it’s immune to browser-based malware.
