North Korean Hackers Are Hiding Malware in Blockchain Smart Contracts — And It’s Almost Impossible to Remove

How public blockchains became the perfect place for state-backed cyberattacks, and why it’s getting harder to stop them



If you thought blockchains were just for crypto and NFTs, think again. Hackers—some working directly for the North Korean government—are using public blockchain platforms like Ethereum and BNB Smart Chain to stash malware. And here’s the catch: we can’t really take it down.

Google’s Threat Intelligence team recently shared details about this new tactic, dubbed “EtherHiding,” that flips the typical use of blockchain technology on its head. Instead of decentralized apps and smart contracts powering the future of finance, they’re now hosting files used to infect people’s computers.

What is EtherHiding?


At its core, EtherHiding is a malware delivery method. Hackers embed malicious code directly into blockchain smart contracts—those self-executing chunks of code that live on platforms like Ethereum.

Why does this matter? Well, smart contracts are:

  • Decentralized, so there’s no central authority that can take them down
  • Immutable, meaning once they’re live, no one can change or delete them
  • Pseudonymous, offering solid cover for the attacker’s identity
  • Stealthy, because retrieving data from the contracts leaves no log trail

So instead of relying on shady servers or compromised websites (which can be discovered and shut down), attackers now just spend a couple bucks—literally less than $2 per transaction—to plant their malware in a place that practically lives forever.
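One defensive angle on the mechanism above: the loader still has to ask a blockchain RPC endpoint for the contract's data, so that outbound request is observable on the endpoint or proxy even though the chain itself records nothing. The detector below is an added example, not code from Google's report or from the malware; the log format, hostnames, RPC endpoint names, the contract address and the process allowlist are all constructed assumptions.

```python
import json

ALLOWED_PROCESSES = {"geth", "ganache"}   # hypothetical local policy, not from the report
READ_METHODS = {"eth_call", "eth_getStorageAt"}   # read-only JSON-RPC methods
CONTRACT = "0x" + "ab" * 20               # constructed placeholder, not an IoC

def _entry(src, proc, dst, rpc):
    # One constructed log line: proxy metadata plus the captured POST body.
    body = rpc if isinstance(rpc, str) else json.dumps(rpc)
    return json.dumps({"src_host": src, "process": proc, "dst": dst, "body": body})

SAMPLE_LOG = "\n".join([
    _entry("dev-07", "node", "rpc.chain.invalid",
           {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": CONTRACT, "data": "0x20965255"}, "latest"]}),
    _entry("dev-07", "geth", "rpc.chain.invalid",
           {"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []}),
    # A batch: several calls in one body, one of which reads contract storage.
    _entry("dev-12", "python", "bsc-rpc.chain.invalid",
           [{"jsonrpc": "2.0", "id": 3, "method": "eth_chainId", "params": []},
            {"jsonrpc": "2.0", "id": 4, "method": "eth_getStorageAt",
             "params": [CONTRACT, "0x0", "latest"]}]),
    _entry("dev-12", "curl", "example.invalid", "not a json-rpc body"),
])

def _calls(body):
    """Yield JSON-RPC call objects from a body, tolerating batches and junk."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return
    for call in data if isinstance(data, list) else [data]:
        if isinstance(call, dict) and "method" in call:
            yield call

def find_contract_reads(log_text):
    """Return (host, process, method, contract) for reads by non-allowlisted processes."""
    findings = []
    for line in log_text.splitlines():
        entry = json.loads(line)
        if entry["process"] in ALLOWED_PROCESSES:
            continue
        for call in _calls(entry["body"]):
            if call["method"] not in READ_METHODS:
                continue
            first = (call.get("params") or [None])[0]
            target = first.get("to") if isinstance(first, dict) else first
            findings.append((entry["src_host"], entry["process"], call["method"], target))
    return findings
```

Each finding names the process that asked for contract data and the address it asked about, which is the pivot an analyst needs to pull the returned payload and check what the loader actually fetched.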

Who’s behind it?


There are at least two known hacker groups using EtherHiding right now.

One of them is UNC5342, a group backed by the North Korean government. They’re using malware called JadeSnow to kick off the infection process. That initial malware then digs deeper, reaching into blockchains to grab more harmful code as needed—like pieces of a digital puzzle being assembled in secret.

What’s especially tricky is that they’re using multiple blockchains: both Ethereum and BNB Smart Chain. Google’s analysts suggested this might be a sign of different teams within UNC5342 working semi-independently. It also makes it harder to track and block their actions.

Another group, UNC5142, is doing similar things, although they appear to be in it for financial gain rather than espionage.

How are targets getting hooked?


This isn’t random phishing or spam. The hackers are running carefully crafted social engineering campaigns—one example involves offering fake job interviews to developers in the crypto space.

The scam works like this:

  1. The target is told to complete a coding test as part of the interview.
  2. They download a file that looks like part of the test.
  3. That file silently plants a downloader (like JadeSnow) on their machine.
  4. Later stages of the malware quietly pull more code from blockchain contracts.

Once that code is in place, attackers can steal credentials or drop additional malware, all without triggering typical alarms.

Why it’s so hard to stop

The real danger here isn’t just the malware itself—it’s the host. Blockchain smart contracts weren’t built with takedowns in mind. Once a malicious contract is uploaded, it’s essentially permanent.

With traditional hosting, security experts or law enforcement can shut things down. But with blockchains, there’s no “central” phone number to call. Worse, the attacker can update the data a contract stores to shift where payloads are delivered from, which makes investigations feel like a game of digital whack-a-mole.

As Google’s researchers put it:

“EtherHiding represents a shift toward next-generation bulletproof hosting.”

And they’re not exaggerating.

One more reason to stay alert

In the first half of 2025 alone, North Korea reportedly stole over $2 billion worth of cryptocurrency. That’s not loose change. It’s a clear sign that these aren’t small-time hackers—they’re part of a highly coordinated and well-funded effort.

If you’re a developer in the crypto or Web3 space, pay extra attention. Fake recruiters and too-good-to-be-true job offers aren’t just scams to waste your time—they could be entry points for very real attacks.

For the rest of us, it’s a reminder that the tools powering the decentralized internet can be used in unexpected (and unsettling) ways. The blockchain might be unstoppable—but that cuts both ways.



