Cybersecurity researchers at Google’s Threat Intelligence Group (GTIG) have uncovered a sophisticated hacking campaign by a North Korean state-linked group exploiting public blockchains to host malware through a method called “EtherHiding.” The attackers are believed to have stolen approximately $2 billion in cryptocurrency this year through this technique.
The campaign, attributed to the threat actor cluster UNC5342, targets developers and crypto employees by luring them with fake job offers and coding tasks. Victims download files that load a JavaScript payload, which then interacts with smart contracts on the Ethereum and BNB Smart Chain to retrieve further malicious code — all without leaving visible traces on‐chain.
The EtherHiding Malware and Its Danger
According to Google, EtherHiding allows attackers to embed malicious instructions inside smart contracts that remain immutable and publicly accessible, thereby turning blockchain infrastructure into a decentralized platform that malicious actors can command and control.
The infection chain begins with a compromised website, often a job-recruitment bait for crypto developers. Once the victim downloads and runs a script, it uses a read-only blockchain call to fetch the next malware embedded inside a smart contract. That leads to the installation of a backdoor that enables long-term remote access to the victim’s device and crypto wallets.
Victims, often developers and crypto employees, were tricked through fake job offers or coding tasks. Once a victim downloaded the booby-trapped files, JavaScript payloads connected to blockchain smart contracts to fetch additional malicious instructions without leaving obvious traces on the blockchain. This allowed the attackers to bypass traditional defenses while maintaining operational stealth.
Because the smart contracts are immutable, conventional security solutions like server takedowns or URL blocking don’t work. Attackers can update the code, making the attack infrastructure resilient and persistent.
Google’s Malware Hunt Reinforces The Need For Strong Security
Google and its team have uncovered another vulnerability within the crypto ecosystem, especially via decentralized finance (DeFi) and smart contracts.
For institutions and corporate treasuries holding crypto assets, the risk is broader than just exchange hacks or smart-contract bugs because malware embedded via blockchain calls presents an under-the-radar supply‐chain risk.
Until now, many crypto entities have focused on code audits and wallet security, but may now need to add endpoint protection, supply-chain vetting, and blockchain transaction forensics. If hackers can hide command-and-control infrastructure inside smart contracts, then even regulated asset managers or custodians may face stealth exposure, which could erode confidence in institutional crypto adoption.
Overall, the Google-revealed DPRK campaign using EtherHiding turns a new page in crypto risk. It sends a signal that public blockchains are no longer just assets to steal from, but also infrastructure that attackers can weaponize. As digital assets scale with institutional adoption, the industry must adapt to the ever-growing threat within the crypto ecosystem or risk becoming the next stealth funding channel for cybercrime.
