A new cyber threat is emerging from North Korea as its state-backed hackers experiment with embedding malicious code directly into blockchain networks.
Google’s Threat Intelligence Group (GTIG) reported on October 17 that the technique, called EtherHiding, marks a new evolution in how hackers hide, distribute, and control malware across decentralized systems.
Sponsored
Sponsored
What is EtherHiding?
GTIG explained that EtherHiding allows attackers to weaponize smart contracts and public blockchains like Ethereum and BNB Smart Chain by using them to store malicious payloads.
Once a piece of code is uploaded to these decentralized ledgers, removing or blocking it becomes nearly impossible due to their immutable nature.
In practice, the hackers compromise legitimate WordPress websites, often by exploiting unpatched vulnerabilities or stolen credentials.
After gaining access, they insert a few lines of JavaScript—known as a “loader”—into the website’s code. When a visitor opens the infected page, the loader quietly connects to the blockchain and retrieves malware from a remote server.
EtherHiding on BNB Chain and Ethereum. Source: Google Threat Intelligence GroupGTIG pointed out that this attack often leaves no visible transaction trail and requires little to no fees because it happens off-chain. This, in essence, allows the attackers to operate undetected.
Sponsored
Sponsored
Notably, GTIG traced the first instance of EtherHiding to September 2023, when it appeared in a campaign known as CLEARFAKE, which tricked users with fake browser update prompts.
How to Prevent the Attack
Cybersecurity researchers say this tactic signals a shift in North Korea’s digital strategy from merely stealing cryptocurrency to using blockchain itself as a stealth weapon.
John Scott-Railton, a senior researcher at Citizen Lab, described EtherHiding as an “early-stage experiment.” He warned that combining it with AI-driven automation could make future attacks much harder to detect.
This new attack vector could have severe implications for the crypto industry, considering North Korean attackers are significantly prolific.
Data from TRM Labs shows that North Korean-linked groups have already stolen more than $1.5 billion in crypto assets this year alone. Investigators believe those funds help finance Pyongyang’s military programs and efforts to evade international sanctions.
Given this, GTIG advised crypto users to reduce their risk by blocking suspicious downloads and restricting unauthorized web scripts. The group also urged security researchers to identify and label malicious code embedded within blockchain networks.
Source: https://beincrypto.com/north-korea-hackers-embed-malware-in-ethereum/
