North Korean hackers seen using blockchain to hide crypto-stealing malware

North Korean state-linked hackers have begun using public blockchains to deliver malware and steal cryptocurrency, in what researchers say is the first known case of a nation-state adopting the technique.

Google security researchers said on Thursday that they observed a Pyongyang-backed hacking group, tracked as UNC5342, deploying a method known as EtherHiding — a way of embedding malicious code inside smart contracts on decentralized networks such as Ethereum and BNB Smart Chain.

The technique makes it harder to block or remove malware, since the code is stored on blockchain ledgers that cannot be taken offline or altered. The malicious code remains accessible as long as the blockchain itself is operational, according to researchers.

“This represents a shift toward next-generation bulletproof hosting,” Google said, noting that attackers are increasingly exploiting the same decentralization features that make blockchain resilient.

Malware hidden in smart contracts

Since February, UNC5342 has used EtherHiding as part of a social-engineering campaign that lures developers — often those working in the cryptocurrency or tech industries — into downloading malware disguised as job-related files or coding challenges.

Once a target opens the file, a malicious script connects to the blockchain to retrieve encrypted code from a smart contract. That code installs the JadeSnow loader, which in turn delivers a more persistent backdoor known as InvisibleFerret that has been used in multiple cryptocurrency thefts.

Because the malicious payloads are stored on decentralized blockchains, they cannot be removed by traditional takedown efforts. Attackers can also quietly update or replace their malware by modifying the smart contract, Google said.

Blockchain’s pseudonymous nature adds another layer of anonymity, making it difficult to identify those behind the operation.

Google said EtherHiding was first used in 2023 by a financially motivated group known as UNC5142, but this is the first time a state-sponsored actor has adopted it.

The company added that while the hackers rely on decentralized blockchains to store their code, they still interact through centralized web services that defenders can monitor or block to disrupt attacks.

“In other words, UNC5142 and UNC5342 are using permissioned services to interact with permissionless blockchains,” the researchers said.