    DPRK Hackers Use ‘EtherHiding’ to Host Malware on Ethereum, BNB Blockchains: Google

    By News Room | 2 days ago | 4 Mins Read
    In brief

    • Google Threat Intelligence Group researchers have uncovered North Korean hackers using EtherHiding malware.
    • EtherHiding enables stealthy, untraceable malware delivery through smart contracts.
    • The regime’s hackers have stolen over $2 billion so far in 2025 alone, most from the Bybit exchange breach.

    Google’s Threat Intelligence Group has warned that North Korea is using EtherHiding—a malware that hides in blockchain smart contracts and enables cryptocurrency theft—in its cyber hacking operations, as 2025 looks set to be a record year for crypto heists by the rogue state.

    Though Google researchers said EtherHiding has been used by financially motivated threat actors abusing blockchain to distribute infostealers since at least September 2023, this is the first time they have observed its use by a nation state. The malware is particularly resistant to conventional takedown and blocking methods.

    “EtherHiding presents new challenges as traditional campaigns have usually been halted by blocking known domains and IPs,” the researchers said in a blog post, singling out smart contracts on BNB Smart Chain and Ethereum as having played host to malicious code. Malware authors could “leverage the blockchain to perform further malware propagation stages since smart contracts operate autonomously and cannot be shut down,” they added.

    While security researchers can alert the community by tagging a contract as malicious on official blockchain scanners, they noted, “malicious activity can still be performed.”

    The North Korean hacking threat

    North Korean hackers have stolen more than $2 billion so far this year, most of that coming from the $1.46 billion attack on crypto exchange Bybit in February, according to an October report by blockchain analytics firm Elliptic.

    The DPRK has also been held responsible for attacks on LND.fi, WOO X and Seedify, as well as thirty other hacks, bringing the total amount stolen by the country to date to over $6 billion. These funds, according to intelligence agencies, help finance the country’s nuclear weapons and missile programs.

    Through a mix of social engineering, malware deployment and sophisticated cyber espionage, North Korea has developed a range of tactics to gain access to the financial systems or sensitive data of companies. The regime has proven itself willing to go to great lengths to do so, including setting up fake companies and targeting developers with fake employment offers.

    Cases reported to Decrypt also show that North Korean hacking outfits are now hiring non-Koreans as fronts to help them pass interviews for jobs at tech and crypto companies, as employers become more wary of North Koreans posing as people from elsewhere. Attackers can also lure victims to video meetings or fake podcast recordings on platforms that then display error messages or prompt update downloads containing malicious code.

    North Korean hackers have also targeted conventional web infrastructure, uploading more than 300 malicious code packages to the npm registry, an open-source software repository used by millions of developers to share and install JavaScript software.

    How does EtherHiding work?

    North Korea’s latest pivot to include EtherHiding in its arsenal was traced back to February 2025. Since then, Google said, it has tracked UNC5342, a North Korean threat actor linked to the country’s hacking outfit Famous Chollima, incorporating EtherHiding into its social engineering campaign Contagious Interview.

    The use of the EtherHiding malware involves embedding malicious code into the smart contracts of public blockchains, and then targeting users through WordPress sites injected with a small piece of JavaScript code.

    “When a user visits the compromised website, the loader script executes in their browser,” Google researchers explained. “This script then communicates with the blockchain to retrieve the main malicious payload stored in a remote server.”

    They added that the malware deploys a read-only function call (such as eth_call), which doesn’t create a transaction on the blockchain. “This ensures the retrieval of the malware is stealthy and avoids transaction fees (i.e. gas fees),” they noted. “Once fetched, the malicious payload is executed on the victim’s computer. This can lead to various malicious activities, such as displaying fake login pages, installing information-stealing malware, or deploying ransomware.”

    The researchers warned that it “underscores the continuous evolution” of cybercriminals’ tactics. “In essence, EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of blockchain technology are repurposed for malicious ends.”
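
    Because the retrieval step is a read-only JSON-RPC call rather than a connection to a blockable attacker domain, one defensive angle is to look for such calls coming from pages that have no reason to query a blockchain. The sketch below is an added example, not code from the article or from Google's report; the proxy-record fields, the allowlist and all hosts and contract addresses are assumptions constructed for illustration.

```javascript
// Added example. Record fields (client, method, url, referer, body) are an
// assumed proxy-log shape, not a real product schema.
const READ_ONLY_METHODS = new Set(["eth_call"]); // method named in the article
// Hypothetical allowlist of origins expected to talk to a blockchain.
const EXPECTED_WEB3_ORIGINS = new Set(["https://wallet.example.com"]);

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Parse a request body into JSON-RPC 2.0 calls; handles single and batch form.
function rpcCalls(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch { return []; }
  const items = Array.isArray(parsed) ? parsed : [parsed];
  return items.filter((c) => c && c.jsonrpc === "2.0" && typeof c.method === "string");
}

// Flag read-only contract calls whose initiating page is not an expected web3 origin.
function findSuspiciousCalls(records) {
  const alerts = [];
  for (const rec of records) {
    if (rec.method !== "POST") continue;
    const page = originOf(rec.referer);
    if (page && EXPECTED_WEB3_ORIGINS.has(page)) continue;
    for (const call of rpcCalls(rec.body)) {
      if (!READ_ONLY_METHODS.has(call.method)) continue;
      const to = Array.isArray(call.params) && call.params[0] ? call.params[0].to : null;
      alerts.push({
        client: rec.client,
        page: page || "(no referer)",
        rpcHost: originOf(rec.url),
        contract: typeof to === "string" ? to.toLowerCase() : "(unknown)",
      });
    }
  }
  return alerts;
}

// Constructed sample records; hosts and contract addresses are placeholders.
const ethCall = (to) => ({ jsonrpc: "2.0", id: 1, method: "eth_call", params: [{ to, data: "0x" }, "latest"] });
const SAMPLE = [
  { client: "10.0.0.5", method: "POST", url: "https://rpc.example.net/", referer: "https://blog.example.org/post",
    body: JSON.stringify(ethCall("0x00000000000000000000000000000000000000AA")) },
  { client: "10.0.0.6", method: "POST", url: "https://rpc.example.net/", referer: "https://wallet.example.com/app",
    body: JSON.stringify(ethCall("0x00000000000000000000000000000000000000BB")) },
  { client: "10.0.0.7", method: "POST", url: "https://rpc.example.net/", referer: "",
    body: JSON.stringify([{ jsonrpc: "2.0", id: 1, method: "eth_blockNumber", params: [] }, ethCall("0x00000000000000000000000000000000000000CC")]) },
  { client: "10.0.0.8", method: "POST", url: "https://api.example.net/form", referer: "https://blog.example.org/", body: "name=a" },
];
console.log(findSuspiciousCalls(SAMPLE));
```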
