A hot potato: By embedding malicious code into the cryptographic backbone of blockchain networks, hackers are effectively turning one of the most tamper-resistant technologies into a resilient delivery system for cyberattacks. For cybersecurity teams, the findings highlight a growing challenge: the same decentralization that secures digital currencies is now being exploited to hide and distribute malware beyond the reach of any central authority.
Hackers aligned with North Korea are using public cryptocurrency blockchains to conceal and distribute malicious code, adopting a technique researchers describe as a new form of untouchable online hosting.
The approach reuses the design of blockchain smart contracts, a system intended for transparency and trust, to store and deliver malware in ways that are nearly impossible to disrupt.
In a report released this week, Google’s Threat Intelligence Group said several hacking groups, including at least one acting on behalf of the North Korean government, have shifted toward a method the company calls EtherHiding. The strategy represents what the researchers describe as next-generation bulletproof hosting, a term typically used for servers located in jurisdictions resistant to law enforcement orders.
Traditional versions of these bulletproof services often operate offshore, beyond the reach of international cooperation agreements, and provide refuge for cybercriminal operations that distribute malware, conduct phishing campaigns, or trade in illegal digital content.
UNC5342 EtherHiding on BNB Smart Chain and Ethereum
EtherHiding eliminates the need for such services by exploiting the structure of blockchain technology itself. Smart contracts, which are self-executing applications that run on decentralized ledgers such as Ethereum or the BNB Smart Chain, make it possible for hackers to embed code directly onto the blockchain. Because these systems are designed to be immutable and resistant to modification, any malicious payload stored this way becomes effectively permanent. The researchers noted that the inherent decentralization of these platforms “repurposes the features of blockchain technology for malicious ends.”
Once embedded, the malicious smart contracts can store data, distribute infected code, and even receive updates at any time. The cost is minimal: creating or altering a contract typically costs less than $2 per transaction, a fraction of what traditional underground hosting services might charge. The blockchain’s anonymity features also shield attackers’ identities, and its distributed nature eliminates any single point of control or failure. Accessing malware hosted in a smart contract leaves no evidence in transaction logs, allowing hackers to retrieve payloads without leaving a trace.
The observed attacks combine this blockchain-based technique with a social engineering campaign aimed at software developers. Google’s analysts said hackers posing as recruiters entice developers with job offers that require them to complete technical assignments. Those test files secretly contain malware that installs the initial stage of the infection.
From there, the malware unfolds in several layers. The later stages are not delivered from a controlled server and are instead retrieved from malicious smart contracts on Ethereum and the BNB Smart Chain. This approach allows the attackers to update or redirect the malware at will while staying out of view of traditional monitoring tools.
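Because reading a payload out of a smart contract creates no on-chain transaction, the place a defender can still see it is the network egress point. The following detection sketch is an added example and is not code from the article or from Google's report; it assumes a constructed proxy log format, placeholder RPC endpoints and contract addresses, and a hypothetical allowlist of hosts that legitimately query chain state, and it flags read-only `eth_call` requests from any other host.

```python
import json
import re
from typing import Dict, List

# Constructed proxy log lines for this example (not from the article). Assumed format:
#   <timestamp> <source host> <HTTP method> <url> body=<request body, or empty>
SAMPLE_LOG = """\
2025-10-17T09:12:03Z dev-ws-17 POST https://rpc-bsc.example/ body={"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x1111111111111111111111111111111111111111","data":"0xdeadbeef"},"latest"]}
2025-10-17T09:12:05Z dev-ws-17 GET https://git.example/acme/take-home-test body=
2025-10-17T09:13:10Z finance-pc-02 POST https://rpc-eth.example/ body={"jsonrpc":"2.0","id":7,"method":"eth_blockNumber","params":[]}
2025-10-17T09:14:22Z dev-ws-23 POST https://rpc-eth.example/ body={"jsonrpc":"2.0","id":2,"method":"eth_call","params":[{"to":"0x2222222222222222222222222222222222222222","data":"0xdeadbeef"},"latest"]}
2025-10-17T09:15:00Z wallet-node-01 POST https://rpc-eth.example/ body={"jsonrpc":"2.0","id":3,"method":"eth_call","params":[{"to":"0x3333333333333333333333333333333333333333","data":"0xdeadbeef"},"latest"]}
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>\S+) (?P<url>\S+) body=(?P<body>.*)$")

# Hosts expected to query chain state (e.g. treasury wallet software). Assumed here;
# a real deployment would take this from asset inventory.
CHAIN_ALLOWLIST = {"wallet-node-01"}


def find_eth_call_readers(log_text: str, allowlist=CHAIN_ALLOWLIST) -> List[Dict[str, str]]:
    """One finding per JSON-RPC eth_call issued by a host outside the allowlist.
    eth_call reads contract data without creating an on-chain transaction, so the
    ledger records nothing; the egress proxy is where such reads remain visible.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        try:
            rpc = json.loads(m.group("body"))
        except json.JSONDecodeError:
            continue  # not a JSON-RPC request body
        if rpc.get("jsonrpc") != "2.0" or rpc.get("method") != "eth_call":
            continue
        if m.group("host") in allowlist:
            continue
        params = rpc.get("params") or [{}]
        findings.append({
            "time": m.group("ts"),
            "host": m.group("host"),
            "rpc_endpoint": m.group("url"),
            "contract": (params[0] or {}).get("to", "?"),
        })
    return findings


if __name__ == "__main__":
    for f in find_eth_call_readers(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} read contract {f['contract']} via {f['rpc_endpoint']}")
```

The contract addresses surfaced this way can be checked against threat intelligence and used to build an allow-or-deny policy for public RPC endpoints on developer workstations.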
One of the groups using EtherHiding is tracked by Google as UNC5342, a collective associated with North Korea’s state-sponsored cyber operations. Its attack sequence begins with a downloader toolkit named JadeSnow, which fetches secondary payloads stored within the blockchains. In several incidents, Google observed the group switching from Ethereum to the BNB Smart Chain mid-operation – a maneuver that could signal an internal division of labor or a cost-saving tactic, since BNB transactions typically carry lower fees. Using multiple chains also complicates analysts’ efforts to trace or block the activity.
Another group identified as UNC5142, which appears to be financially motivated, has also adopted EtherHiding for its campaigns. Google said the consistency of these patterns suggests that blockchain-based malware delivery is becoming a favored tool among advanced threat actors.
North Korea’s cyber activity has grown substantially in both technical sophistication and ambition over the past decade. What was once limited to basic attacks and theft has evolved into overlapping espionage and financial operations across multiple sectors. Blockchain analysis firm Elliptic reported earlier this month that groups linked to North Korea have stolen digital assets exceeding $2 billion since the beginning of 2025.