Blockchain and cryptocurrency, Cybercrime, Cyberwar / Nation-state attacks
State and criminal hackers use blockchain technique to evade takedowns
Rashmi Ramesh (rashmiramesh_)
October 16, 2025

At least two hacker groups are using public blockchains to hide and control malware in ways that make their operations nearly impossible to take down, according to a study by Google’s Threat Intelligence Group.
Researchers discovered two separate campaigns – one led by a North Korean state actor and the other by a financially motivated cybercriminal group – exploiting public blockchains to hide their malware operations in plain sight.
The technique, known as EtherHiding, embeds malicious instructions into blockchain smart contracts rather than traditional servers. Since the blockchain is decentralized and immutable, attackers obtain what researchers call a “bulletproof” infrastructure.
The development signals an “escalation in the threat landscape,” said Robert Wallace, head of consulting at Mandiant, part of Google Cloud. The hackers found a method that is “law enforcement takedown-resistant” that can be “easily modified for new campaigns.”
The researchers said the two groups adapted EtherHiding for different purposes. North Korea-linked UNC5342 uses it in a social engineering campaign against cryptocurrency developers and companies, while UNC5142 uses it to spread information stealers through hacked WordPress sites.
EtherHiding first appeared in 2023 in a financially motivated campaign dubbed ClearFake, in which attackers lured victims with fake browser update prompts. The concept is to store malicious code in a blockchain transaction or smart contract and retrieve it with read-only calls that leave almost no trace.
Because these read-only calls create no on-chain transaction, there is no public record of the retrieval, and the contract that serves the payload has no domain or IP address for defenders to block. As long as the blockchain is operational, the “malicious code remains accessible,” the report states.
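The retrieval step described above, as an added example in Node.js that is not code from the Google/Mandiant report or from any malware sample. It shows what a loader sends (a JSON-RPC `eth_call`, which is never signed or mined), how a Solidity `string` return value is ABI-decoded into the payload, and what the RPC provider serving the call can still see. The contract address, the `get()` selector and the payload string are constructed for the example.

```javascript
// Added example: a model of the EtherHiding retrieval step, not code from the
// report or from any malware sample. Contract address, selector and payload are
// constructed for the example.

// Hypothetical contract holding the payload. The selector is assumed to be the
// first four bytes of keccak256("get()"), a parameterless view function.
const CONTRACT = "0x000000000000000000000000000000000000dead";
const SELECTOR_GET = "0x6d4ce63c";

// The JSON-RPC body a loader sends. Nothing is signed and nothing is mined, but
// the provider that serves it still sees the target contract and the selector.
function buildEthCallRequest(contract, selector, id = 1) {
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_call",
    params: [{ to: contract, data: selector }, "latest"],
  };
}

// ABI encoding of a Solidity `string` return value: a 32-byte offset (0x20),
// a 32-byte length, then the UTF-8 bytes right-padded to a 32-byte boundary.
function abiEncodeString(text) {
  const bytes = Buffer.from(text, "utf8");
  const padded = Math.ceil(bytes.length / 32) * 32;
  const head = Buffer.alloc(64);
  head.writeUInt32BE(32, 28);           // offset of the dynamic part
  head.writeUInt32BE(bytes.length, 60); // byte length of the string
  return "0x" + Buffer.concat([head, bytes, Buffer.alloc(padded - bytes.length)]).toString("hex");
}

// Decode an eth_call result back into the string. The offset and length come
// from an untrusted contract, so they are bounds-checked rather than trusted.
function abiDecodeString(hexResult) {
  const buf = Buffer.from(hexResult.replace(/^0x/, ""), "hex");
  if (buf.length < 64) throw new Error("result too short for an ABI string");
  const offset = buf.readUInt32BE(28);
  if (offset + 32 > buf.length) throw new Error("offset points outside result");
  const length = buf.readUInt32BE(offset + 28);
  const start = offset + 32;
  if (start + length > buf.length) throw new Error("declared length exceeds result");
  return buf.subarray(start, start + length).toString("utf8");
}

// A stand-in for a public RPC provider. Contract state is frozen (immutable, as
// on chain), reads are served from it, and every request is logged: that log is
// the observation point the article describes.
function makeFakeProvider(contractState) {
  const seen = [];
  return {
    seen,
    handle(req) {
      const to = req.params?.[0]?.to?.toLowerCase();
      seen.push({ method: req.method, to });
      if (req.method !== "eth_call") {
        return { jsonrpc: "2.0", id: req.id, error: { code: -32601, message: "not supported in this model" } };
      }
      return { jsonrpc: "2.0", id: req.id, result: contractState[to] ?? "0x" };
    },
  };
}

// What a loader does: one read-only call, then decode. No transaction, no domain.
function fetchPayload(provider, contract = CONTRACT) {
  const res = provider.handle(buildEthCallRequest(contract, SELECTOR_GET));
  if (res.error) throw new Error(res.error.message);
  return abiDecodeString(res.result);
}

// Constructed "chain": the operator published this once and cannot edit it later.
const PAYLOAD = "https://example.invalid/stage2.js";
const CHAIN_STATE = Object.freeze({ [CONTRACT]: abiEncodeString(PAYLOAD) });

const provider = makeFakeProvider(CHAIN_STATE);
console.log(fetchPayload(provider)); // https://example.invalid/stage2.js
console.log(provider.seen);          // [ { method: 'eth_call', to: '0x...dead' } ]
```

The point of the provider stub is the `seen` array: the contract cannot be taken down, but the request that reads it passes through an intermediary that can log, rate-limit or refuse calls to a known address.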
North Korean group targets developers
The North Korean threat group UNC5342 has incorporated EtherHiding into what Palo Alto Networks previously called the Contagious Interview campaign. The operation impersonates recruiters on LinkedIn and job boards, approaching developers with offers from fake companies such as “BlockNovas LLC” and “Angeloper Agency.”
The threat actor lured targets into staged interviews on messaging apps such as Telegram and Discord. In a purported technical test, the attackers asked victims to download files from GitHub or npm repositories containing malware such as JadeSnow and InvisibleFerret, which use EtherHiding to communicate with attacker-controlled smart contracts on the Ethereum and BNB Smart Chain networks.
The researchers also traced the infection chain: the JadeSnow downloader queries blockchain contracts to retrieve encrypted JavaScript payloads, which deliver the InvisibleFerret backdoor. Once installed, the malware can exfiltrate data, capture credentials and control the system remotely.
Researchers observed that InvisibleFerret in some cases deployed an additional credential-stealing component designed to target web browsers and cryptocurrency wallets like MetaMask and Phantom. The stolen data is exfiltrated both to the attackers’ servers and to private Telegram channels.
The campaign generates cryptocurrency revenue for the North Korean regime and collects intelligence from compromised developers.
Financially motivated UNC5142 abuses WordPress sites
In a separate report, Google Mandiant exposed UNC5142, a financially motivated actor that relies on EtherHiding to infect websites and distribute a range of information-stealing malware.
The actor compromises vulnerable WordPress sites by injecting JavaScript downloaders collectively dubbed ClearShort, which use smart contracts on the BNB Smart Chain as a control layer. The scripts retrieve second-stage payloads or links to landing pages hosted by the attacker.
The UNC5142 infrastructure stands out for its use of legitimate platforms. Malicious landing pages are hosted on Cloudflare’s pages.dev service, and the command-and-control information is stored on the blockchain. The Google team found around 14,000 websites containing traces of the scripts injected by UNC5142 in mid-2025.
Over time, the group expanded its architecture from a single smart contract to a three-tier system modeled on the software “proxy” pattern, which allows rapid updates without touching the compromised sites. One contract acts as a router, another fingerprints the victim’s system, and a third holds encrypted payloads and decryption keys. A single blockchain transaction, costing around a dollar in network fees, can change decoy URLs or encryption keys across thousands of infected sites.
Researchers said the threat actor used social engineering tricks such as fake Cloudflare verification pages or Chrome update prompts to persuade victims to execute malicious commands. The decoys deliver infostealers such as Vidar, Lummac.V2 and RadThief. The campaigns also show a shift to AES-GCM encryption and heavier obfuscation.
In one example, the attacker’s JavaScript retrieved encrypted HTML pages from Cloudflare, decrypted them client-side, and prompted users to execute hidden PowerShell commands that downloaded the final payloads disguised as media files.
The researchers’ analysis of blockchain transactions showed that UNC5142 maintained at least two parallel infrastructures, called primary and secondary, using identical smart contract code and funded by linked wallets through the OKX cryptocurrency exchange. Updates to both occurred within minutes of each other, suggesting coordinated control by a single actor.
A persistent problem
Neither threat actor interacts directly with blockchain nodes, instead relying on centralized services such as public RPC endpoints or API providers to retrieve data. This reliance creates “points of observation and control” where defenders or service providers could potentially intervene, the researchers said.
In the case of UNC5342, researchers contacted several API providers used in the campaign. Some acted quickly to block malicious activity, while others did not. The researchers said that inconsistent cooperation from intermediaries “increases the risk of proliferation of this technique among threat actors.”
Smart contracts are public and immutable, meaning security teams can’t simply delete or block them. Even if it is identified as malicious, the code will still be accessible.
Network-based filters designed for traditional web traffic struggle to scale with decentralized Web3 models. And the anonymity of wallet addresses and the low cost of blockchain transactions allow actors to iterate quickly and continue their campaigns indefinitely.
In UNC5142 operations, researchers estimated that updating an entire malware distribution chain costs between 25 cents and $1.50 per transaction. The efficiency, combined with the immutability of blockchain storage, provides attackers with agility that surpasses conventional infrastructure.
The researchers also identified possible choke points. Since attackers often rely on third-party APIs or hosting platforms to interface with the blockchain, coordinated responses from providers can help disrupt access. Chrome Enterprise’s centralized management tools, for example, could allow admins to block malicious downloads or enforce automatic browser updates, undercutting the fake “outdated Chrome” prompts used in earlier campaigns.
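The “points of observation and control” discussed in this section, as an added Node.js example of what an RPC provider or an egress proxy that logs request bodies can do with them; this is not tooling from Google or Mandiant. The log records, hostnames and contract addresses are constructed, and the blocklist and allow-list are assumptions standing in for published indicators and for the web3 front-ends an organisation expects to see. The check flags `eth_call` reads of contracts already attributed to a campaign, reads from ordinary websites that have no business talking to a chain, and contracts read from several unrelated sites, which is the pattern that tied thousands of compromised pages together.

```javascript
// Added example: detection at the RPC choke point, not tooling from the report.
// Log lines, hostnames, addresses and the policy lists are constructed.

const addr = (tail) => "0x" + tail.padStart(40, "0"); // short constructed addresses

// Constructed egress-proxy log: one JSON record per line, body = parsed request body.
const SAMPLE_LOG = [
  JSON.stringify({ ts: "2025-10-16T10:00:01Z", src: "10.1.2.3", host: "rpc.example", referer: "https://blog.example/post/1",
    body: { jsonrpc: "2.0", id: 1, method: "eth_call", params: [{ to: addr("A1"), data: "0x6d4ce63c" }, "latest"] } }),
  JSON.stringify({ ts: "2025-10-16T10:00:09Z", src: "10.1.2.9", host: "rpc.example", referer: "https://shop.example/cart",
    body: { jsonrpc: "2.0", id: 1, method: "eth_call", params: [{ to: addr("a1"), data: "0x6d4ce63c" }, "latest"] } }),
  JSON.stringify({ ts: "2025-10-16T10:01:00Z", src: "10.1.2.4", host: "rpc.example", referer: "https://app.dapp.example/",
    body: { jsonrpc: "2.0", id: 7, method: "eth_call", params: [{ to: addr("77"), data: "0x70a08231" }, "latest"] } }),
  JSON.stringify({ ts: "2025-10-16T10:02:30Z", src: "10.1.2.5", host: "rpc.example", referer: "https://news.example/",
    body: { jsonrpc: "2.0", id: 1, method: "eth_call", params: [{ to: addr("42"), data: "0x6d4ce63c" }, "latest"] } }),
  JSON.stringify({ ts: "2025-10-16T10:03:00Z", src: "10.1.2.3", host: "rpc.example", referer: "https://blog.example/post/1",
    body: { jsonrpc: "2.0", id: 2, method: "eth_blockNumber", params: [] } }),
  "Oct 16 10:03:01 proxy[12]: unrelated line from another logger",
];

// Assumed policy: contracts already attributed to a campaign, and the sites that
// are expected to make chain reads at all.
const POLICY = {
  blocklist: [addr("A1")],
  allowedOrigins: new Set(["app.dapp.example"]),
};

function analyzeRpcLog(lines, policy) {
  const bad = new Set(policy.blocklist.map((a) => a.toLowerCase()));
  const findings = [];
  const originsByContract = new Map();
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }  // not one of our records
    const body = rec.body;
    if (!body || body.method !== "eth_call") continue;    // only read-only contract calls
    const to = String(body.params?.[0]?.to ?? "").toLowerCase();
    if (!/^0x[0-9a-f]{40}$/.test(to)) continue;
    let origin;
    try { origin = new URL(rec.referer).hostname; } catch { origin = "(no referer)"; }
    if (policy.allowedOrigins.has(origin)) continue;      // an expected web3 front-end
    const selector = String(body.params[0].data ?? "").slice(0, 10);
    if (!originsByContract.has(to)) originsByContract.set(to, new Set());
    originsByContract.get(to).add(origin);
    const known = bad.has(to);
    findings.push({
      ts: rec.ts, src: rec.src, origin, contract: to, selector,
      severity: known ? "high" : "medium",
      reason: known ? "eth_call to a contract attributed to the campaign"
                    : "eth_call from a site with no web3 function",
    });
  }
  // The same contract read from several unrelated sites is how a shared injection
  // shows up before anyone has named the contract.
  const shared = [...originsByContract]
    .filter(([, origins]) => origins.size >= 2)
    .map(([contract, origins]) => ({ contract, origins: [...origins].sort() }));
  return { findings, shared };
}

const report = analyzeRpcLog(SAMPLE_LOG, POLICY);
for (const f of report.findings) {
  console.log(`${f.severity.toUpperCase()} ${f.ts} ${f.src} ${f.origin} -> ${f.contract} ${f.selector}: ${f.reason}`);
}
console.log("contracts read from several unrelated sites:", report.shared);
```

The medium-severity rule is the one that generalises: a corporate browser loading a news or shop page should not be issuing JSON-RPC reads at all, so the origin-based check catches new contracts before any blocklist does, at the cost of maintaining the allow-list of legitimate web3 applications.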
The researchers said the adoption of blockchain-based hosting “marks a new phase in malware resilience.” Defenders can still monitor centralized touchpoints, but the underlying infrastructure that is public, distributed, and immutable provides an advantage to attackers.