Introduction
Google’s Threat Intelligence Group has exposed North Korea’s deployment of EtherHiding malware, a sophisticated tool that leverages blockchain smart contracts to enable untraceable cryptocurrency theft. The rogue state has pilfered over $2 billion in 2025 alone, primarily through the massive $1.46 billion Bybit exchange breach, marking the first documented use of this advanced malware by a nation state and presenting unprecedented challenges for cybersecurity defenses.
Key Points
- EtherHiding malware uses blockchain smart contracts as bulletproof hosting, making it resistant to traditional domain and IP blocking methods
- North Korean hackers have developed sophisticated social engineering tactics including fake companies, employment offers, and even hiring non-Koreans as fronts to infiltrate tech companies
- The malware targets users through compromised WordPress sites that execute JavaScript to retrieve malicious payloads from blockchain-stored smart contracts without creating visible transactions
The EtherHiding Breakthrough and Its Implications
Google researchers have identified EtherHiding as a game-changing malware that embeds malicious code directly into smart contracts on public blockchains like BNB Smart Chain and Ethereum. This technique represents a significant evolution in cybercrime tactics, as traditional security measures that rely on blocking known domains and IP addresses become ineffective against autonomous smart contracts that cannot be shut down. The malware’s deployment by North Korean threat actors marks the first time a nation state has been observed using this method, elevating the threat level significantly.
The technical sophistication of EtherHiding lies in its ability to use read-only function calls (such as eth_call) that don’t create visible transactions on the blockchain. This ensures both stealth and cost-effectiveness by avoiding gas fees while retrieving malicious payloads. As Google researchers noted, this approach “underscores the continuous evolution” of cybercriminals’ tactics and represents “a shift toward next-generation bulletproof hosting” where blockchain’s inherent features are repurposed for malicious ends.
North Korea's $6 Billion Crypto Heist Campaign
According to blockchain analytics firm Elliptic, North Korean hackers have stolen more than $2 billion in 2025 alone, with the February attack on crypto exchange Bybit accounting for $1.46 billion of that total. The regime’s hacking operations extend far beyond this single incident, with attacks on LND.fi, WOO X, Seedify, and thirty other platforms also attributed to it. The cumulative effect has been staggering, with total cryptocurrency thefts by North Korea now exceeding $6 billion.
These stolen funds serve a critical purpose for the isolated nation. Intelligence agencies confirm that the proceeds from these cyber heists help finance North Korea’s nuclear weapons and missile programs, making cryptocurrency theft a matter of national security concern. The regime has developed a sophisticated mix of tactics including social engineering, malware deployment, and cyber espionage to gain access to financial systems and sensitive corporate data.
The North Korean approach has evolved to include setting up fake companies and targeting developers with fraudulent employment offers. As employers become more wary of North Koreans posing as citizens from other countries, hacking outfits have begun hiring non-Koreans to serve as fronts during interviews for positions at tech and crypto companies. Attackers also lure victims to video meetings or fake podcast recordings that display error messages or prompt malicious update downloads.
The Technical Mechanics of EtherHiding Attacks
Google’s investigation traced North Korea’s adoption of EtherHiding to February 2025, with threat actor UNC5342—linked to the hacking outfit FamousChollima—incorporating the malware into its social engineering campaign dubbed “Contagious Interview.” The attack chain begins with compromised WordPress sites injected with a small piece of JavaScript code that serves as the initial loader.
When users visit these compromised websites, the loader script executes in their browsers and communicates with the blockchain to retrieve the main malicious payload from the smart contract. The malware’s use of read-only function calls ensures the retrieval process remains stealthy and avoids transaction fees. Once fetched, the malicious payload executes on the victim’s computer, enabling various malicious activities including displaying fake login pages, installing information-stealing malware, or deploying ransomware.
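Because the smart contract itself cannot be taken down, the practical place to detect this chain is the injected loader on the compromised site: an inline script that issues a read-only `eth_call` against a BNB Smart Chain or Ethereum RPC endpoint and names a contract address. The scanner below is an added example written for this article, not code from Google’s report; the RPC host hints, the sample pages and the contract address are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Hostname fragments of public BNB Smart Chain / Ethereum RPC providers (assumed list,
# extend for your environment) and the read-only call pattern the article describes.
CHAIN_RPC_HINTS = ("bsc-dataseed", "binance.org", "bnbchain", "infura.io", "alchemy.com")
READ_ONLY_CALL = re.compile(r"eth_call|\.call\s*\(", re.I)   # generic .call( alone is noisy,
CONTRACT_ADDR = re.compile(r"0x[0-9a-fA-F]{40}")               # so all three signals are required

class _InlineScripts(HTMLParser):
    """Collect the bodies of inline <script> tags (external src is recorded separately)."""
    def __init__(self):
        super().__init__()
        self.in_script, self.inline, self.external = False, [], []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self.in_script = True
    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.inline.append(data)

def find_etherhiding_loaders(html):
    """Return one finding per inline script that combines an RPC host, eth_call and an address."""
    parser = _InlineScripts()
    parser.feed(html)
    findings = []
    for body in parser.inline:
        rpc = [h for h in CHAIN_RPC_HINTS if h in body.lower()]
        addrs = sorted(set(CONTRACT_ADDR.findall(body)))
        if rpc and addrs and READ_ONLY_CALL.search(body):
            findings.append({"rpc_hints": rpc, "contract_addresses": addrs})
    return findings

# Constructed sample pages: the first mimics an injected loader, the second is an ordinary blog page.
SAMPLE_INFECTED = """<html><body><h1>Blog</h1><script>
var endpoint="https://bsc-dataseed.binance.org/";
var target="0x1111111111111111111111111111111111111111";  // placeholder, not a real contract
query(endpoint,"eth_call",target);
</script></body></html>"""
SAMPLE_CLEAN = """<html><body><script src="/wp-includes/js/jquery.js"></script>
<script>document.querySelectorAll("a").forEach(a=>a.addEventListener("click",()=>null));</script>
</body></html>"""
```

Run it over rendered WordPress pages or web-proxy captures; any contract address it surfaces can be flagged on block scanners, but browser-side blocking of the loader and of outbound RPC traffic that has no business reason is what actually stops the retrieval.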
North Korean hackers have also targeted conventional web infrastructure, uploading more than 300 malicious code packages to the npm registry, an open-source software repository used by millions of developers to share and install JavaScript software. This multi-pronged approach demonstrates the regime’s commitment to developing diverse attack vectors that exploit both emerging technologies like blockchain and established development ecosystems.
The Growing Challenge for Cybersecurity Defenses
The emergence of EtherHiding represents a fundamental shift in the cybersecurity landscape. Traditional defense mechanisms that rely on blocking known malicious domains and IP addresses are rendered ineffective against malware hosted on immutable smart contracts. While security researchers can tag contracts as malicious on official blockchain scanners, the researchers noted that “malicious activity can still be performed” even after identification.
The autonomous nature of smart contracts means that once deployed, they operate without the possibility of takedown or modification. This creates a persistent threat that cannot be eliminated through conventional means. The use of BNB Smart Chain and Ethereum as hosting platforms for malicious code leverages the very features that make blockchain technology valuable—decentralization, immutability, and autonomy—turning them into vulnerabilities that threat actors can exploit.
As Google’s Threat Intelligence Group warned, this development signals a new era in cybercrime where blockchain technology is systematically repurposed for malicious ends. The combination of nation-state resources with advanced blockchain-based malware creates a formidable challenge for security professionals, requiring new defensive strategies that address the unique characteristics of decentralized systems while maintaining the security of traditional web infrastructure.