Rony Roy
North Korean hackers are using a new malware that can hide within blockchain smart contracts to stealthily siphon cryptocurrencies.
Dubbed EtherHiding, the malware has been active since at least September 2023, according to a recent report from Google’s Threat Intelligence Group.
While it was previously spotted in financially motivated campaigns by cybercriminals, this is the first time researchers have observed a nation-state actor deploying it.
In its latest findings, Google linked the malware’s use to UNC5342, a threat group associated with North Korea’s infamous hacking unit, Famous Chollima.
Google’s researchers warned that EtherHiding introduces new challenges for defenders, since it bypasses traditional methods of neutralizing malicious campaigns.
Unlike typical malware infrastructure, which can often be disrupted by blocking known IP addresses or taking down domains, smart contracts operate autonomously on blockchain networks and cannot be removed or altered once deployed.
The team singled out both Ethereum and BNB Smart Chain as platforms where malicious code has already been embedded, allowing hackers to use these contracts as vehicles to distribute malware.
How does EtherHiding target crypto users?
According to researchers, EtherHiding functions by hiding code within public smart contracts, which can then be triggered via JavaScript planted on compromised WordPress websites.
When a user visits one of these booby-trapped sites, a small loader script runs silently in their browser.
The script then queries the blockchain using read-only calls such as eth_call, which leave no trace on-chain, and pulls malicious instructions from the smart contract; those instructions redirect the browser to attacker-controlled servers that deliver the full malware payload to the user’s device.
Because the interaction with the blockchain does not generate any transactions or incur gas fees, it leaves no typical indicators that security tools might look for.
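Because the loader’s eth_call never touches the chain, the only places to catch it are the browser and the network. As an added example (not code from Google’s report or from the campaign itself), this Python script scans simplified HAR-style request records, using constructed sample traffic with placeholder hosts and contract addresses, and flags read-only JSON-RPC contract reads issued from pages that have no legitimate reason to talk to a blockchain:

```python
import json

# Read-only JSON-RPC methods: they create no transaction and spend no gas,
# so nothing appears on-chain and only the browser/network side can see them.
READ_ONLY_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode"}


def parse_jsonrpc(body):
    """Return the JSON-RPC request objects in a POST body (single or batch), else []."""
    try:
        parsed = json.loads(body) if body else None
    except ValueError:
        return []
    if isinstance(parsed, dict):
        parsed = [parsed]
    return [r for r in (parsed or []) if isinstance(r, dict) and "method" in r]


def find_contract_reads(requests, allowed_pages=()):
    """Flag read-only contract reads from pages outside `allowed_pages` (expected web3 origins).
    Each request is a dict with keys page, url, method, body (HAR-style, simplified)."""
    findings = []
    for req in requests:
        if req.get("method") != "POST" or any(req["page"].startswith(p) for p in allowed_pages):
            continue
        for rpc in parse_jsonrpc(req.get("body", "")):
            if rpc["method"] not in READ_ONLY_METHODS:
                continue
            params = rpc.get("params") or [{}]
            # eth_call takes a call object; eth_getCode/eth_getStorageAt take a bare address
            call = params[0] if isinstance(params[0], dict) else {"to": params[0]}
            findings.append({
                "page": req["page"],
                "rpc_endpoint": req["url"],
                "rpc_method": rpc["method"],
                "contract": call.get("to"),
                "selector": (call.get("data") or "")[:10],  # 4-byte function selector
            })
    return findings


# Constructed sample traffic: a blog page (no web3 purpose) issuing an eth_call, plus
# benign noise. Hosts, addresses and selectors are placeholders, not real indicators.
SAMPLE_REQUESTS = [
    {"page": "https://blog.example/post", "url": "https://rpc.example/", "method": "POST",
     "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                         "params": [{"to": "0x" + "ab" * 20, "data": "0x20965255"}, "latest"]})},
    {"page": "https://blog.example/post", "url": "https://cdn.example/lib.js", "method": "GET", "body": ""},
    {"page": "https://dapp.example/swap", "url": "https://rpc.example/", "method": "POST",
     "body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_call",
                         "params": [{"to": "0x" + "cd" * 20, "data": "0x70a08231"}, "latest"]})},
]
```

The flagged contract address and selector are what a responder would then enrich (read the contract’s current payload, block the RPC endpoint at the proxy) rather than wait for an on-chain indicator that never comes.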
Once the malware is executed, it can take various forms, ranging from fake login pages designed to harvest credentials to infostealers and even ransomware.
And because the malware uses the blockchain as a resilient backend, the campaign is significantly harder to shut down once it is underway.
The implications are serious, especially given North Korea’s history of using cybercrime to fund its weapons programs and evade sanctions.
North Korean hackers have remained a consistent threat
Over the years, Pyongyang’s hacking units have developed a reputation for sophistication, deploying a wide range of social engineering tricks and malicious software to breach crypto platforms and financial institutions.
From posing as developers applying for jobs to infiltrate companies to tricking victims into joining fake podcast interviews, North Korean threat actors have consistently demonstrated patience and creativity in executing long-term infiltration campaigns.
In recent months, they have even resorted to outsourcing parts of their operations.
According to past reports, North Korean groups have begun hiring non-Korean individuals to act as fronts, helping them pass interviews and gain insider access to crypto firms.
But North Korea is not alone in turning to smart contracts for malicious purposes.
In a separate campaign uncovered earlier in 2025 by ReversingLabs, attackers were found using npm packages to load smart contracts on Ethereum, which in turn hosted URLs used to deliver second-stage payloads that target crypto users.
The post North Korean hackers embedded malware in Ethereum and BNB smart contracts appeared first on Invezz