MarketAlert – Real-Time Market & Crypto News, Analysis & Alerts

North Korean Hackers Use ‘EtherHiding’ to Spread Malicious Crypto Wallets, Mandiant Warns – Blockonomi

Last updated: October 17, 2025 9:10 pm
Published: 6 months ago

Mandiant links the campaign to DPRK’s financially motivated cyber operations.

A new cyber threat has emerged targeting cryptocurrency users through compromised WordPress websites. Security researchers at Mandiant, part of Google Cloud, have identified a North Korean hacking group using a novel technique known as EtherHiding to deploy malicious crypto wallets.

The campaign disguises its operations within the Binance Smart Chain (BSC), making detection difficult for traditional security tools. According to Mandiant’s recent report, the attacks highlight a growing sophistication in state-sponsored financial cybercrime.

Mandiant’s investigation revealed that the group, tracked as APT43, embedded malicious code within legitimate WordPress plug-ins using EtherHiding. This technique allows attackers to conceal payloads in blockchain-based smart contracts, enabling dynamic updates without relying on centralized servers.

Once a user visits an infected site, the injected JavaScript prompts them to download a fake crypto wallet or security update. These deceptive wallets drain funds once users import their private keys or connect to decentralized apps. The attackers’ blockchain-based infrastructure makes tracing their operations more complex.

Mandiant noted that the malicious code communicates with the Binance Smart Chain to retrieve obfuscated scripts. This method not only conceals the hackers’ identity but also uses blockchain immutability to ensure the payload remains live even if the original websites are cleaned.

Besides crypto holders, the campaign also targets developers and investors exploring Web3 projects. By compromising trusted WordPress plug-ins, the attackers exploit the credibility of widely used tools to reach unsuspecting victims across multiple platforms.

According to the report, EtherHiding fits into North Korea’s ongoing efforts to generate revenue for its government through cyber theft. Mandiant’s threat intelligence analysts identified overlaps between this campaign and previous DPRK-linked operations such as Lazarus Group and Kimsuky.

The group’s tactics focus on stealing digital assets rather than disrupting systems. Mandiant explained that EtherHiding is an evolution of prior DPRK methods that used centralized command-and-control servers. Moving payload delivery to blockchain networks allows the hackers to bypass takedowns and remain persistent.

Furthermore, Mandiant found that compromised sites distributed phishing wallets designed to mimic reputable applications like MetaMask or Trust Wallet. Victims installing these fake extensions unknowingly exposed seed phrases that granted the attackers direct access to their funds.

Cybersecurity experts warn that this operation demonstrates how state-backed hackers are integrating blockchain technology into offensive campaigns. The decentralization that underpins Web3 now doubles as a tool for evading detection.

Mandiant urged developers to verify plug-in authenticity and monitor blockchain transactions linked to suspicious domains. Organizations relying on WordPress or Web3 integrations were advised to strengthen endpoint protection and review on-chain scripts for hidden payloads.
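
One way to act on the advice to review site scripts for hidden payloads, as an added example that is not from Mandiant's report or from Blockonomi: a heuristic scan of plug-in JavaScript that flags blockchain RPC reads occurring alongside decoding and dynamic code execution. The indicator patterns, file names and sample fragments are assumptions constructed for illustration.

```javascript
// Added example. The indicator patterns are assumptions chosen for illustration,
// not indicators of compromise taken from Mandiant's report.
const INDICATORS = {
  // Read-only JSON-RPC calls or a public BSC RPC hostname inside site script.
  chain: [/\beth_call\b/, /\beth_getTransactionByHash\b/, /bsc-dataseed[\w.-]*\.binance\.org/i],
  // Decoding of a fetched blob before use.
  decode: [/\batob\s*\(/, /String\.fromCharCode/, /decodeURIComponent\s*\(/],
  // Dynamic execution of a string as code.
  exec: [/\beval\s*\(/, /new\s+Function\s*\(/, /document\.write\s*\(/],
};

// Undo trivial string splitting such as "eth_" + "call" before matching.
function normalise(source) {
  return source.replace(/["'`]\s*\+\s*["'`]/g, "");
}

// Classify one file: chain reads plus dynamic execution is the suspicious pairing.
function scanSource(source) {
  const text = normalise(source);
  const hits = {};
  for (const [group, patterns] of Object.entries(INDICATORS)) {
    hits[group] = patterns.filter((p) => p.test(text)).map((p) => p.source);
  }
  const chain = hits.chain.length > 0;
  const exec = hits.exec.length > 0;
  const decode = hits.decode.length > 0;
  let verdict = "clean";
  if (chain && exec) verdict = decode ? "high" : "medium";
  else if (chain) verdict = "review"; // may be a legitimate Web3 integration
  return { verdict, hits };
}

// Constructed, inert fragments (not working code, not samples from the campaign).
const SAMPLES = {
  "plugin-a/assets/slider.js": 'jQuery(".slider").each(function () { /* ... */ });',
  "plugin-b/assets/wallet.js": 'rpc({ method: "eth_call", params: [/* ... */] });',
  "plugin-c/assets/compat.js":
    'var m = "eth_" + "call"; /* ... */ var s = atob(result); eval(s);',
};

function scanAll(files) {
  return Object.fromEntries(
    Object.entries(files).map(([path, src]) => [path, scanSource(src).verdict])
  );
}

console.log(scanAll(SAMPLES));
```

A "review" verdict is expected for plug-ins that legitimately talk to a chain; the result is a triage signal for manual inspection, not proof of compromise.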


This news is powered by Blockonomi.
