North Korean hackers are now targeting the blockchain

It seems no corner of the digital world is safe anymore – not even the blockchain, once hailed as the fortress of online security. North Korean cyber groups, long known for their creativity in hacking, have now found a new playground: hiding malicious code directly inside blockchain networks.

A new digital weapon

In February 2025, cybersecurity experts at Google’s Threat Intelligence Group uncovered a worrying trend. State-backed North Korean hackers had begun using the blockchain itself – particularly the Ethereum network – to conceal and spread malware. The attack, dubbed EtherHiding, marks a turning point in how cybercriminals exploit decentralised technology.

Traditionally, malicious code sits on a server somewhere on the internet, waiting to be detected and taken down. But the blockchain is different. Once something is written onto it, it’s almost impossible to delete. Hackers realised they could slip their code into smart contracts – those self-executing bits of code used in decentralised finance (DeFi). From there, their malware becomes practically untouchable.

According to Google researchers, one infected contract was modified more than twenty times in just a few months, showing how easily these attacks can evolve. As cybersecurity specialist Robert Wallace explained, this represents “an escalation of state-level threats”, making it extremely difficult for authorities to neutralise.

How the attacks unfold

The operation starts in a deceptively innocent way. Developers receive fake job offers from what appear to be promising crypto start-ups. The scammers go to great lengths – creating realistic company profiles, designing logos, even conducting video interviews.

During the “recruitment process”, candidates are asked to complete a coding test. The test involves running a small script, which secretly triggers a hidden download. That download connects to a smart contract on the blockchain and pulls a file known as JADESNOW.

This initial script is just the delivery boy. Its main job is to fetch and execute a more dangerous payload called InvisibleFerret – a stealthy piece of spyware designed to dig deep into victims’ computers. Once active, it begins scouring browsers for passwords, crypto wallet keys, and financial data. It even targets browser extensions like MetaMask and Phantom, where users often store digital assets.
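For developers handed a "coding test", one way to triage the script before anyone runs it is to check whether it both reads data from a blockchain and is able to execute what it reads. The sketch below is an added example, not code from Google's report or from the campaign; the indicator patterns, the function names and the three sample scripts are assumptions constructed for illustration.

```python
import re

# Heuristic indicator sets. The patterns are assumptions chosen for this
# example, not signatures published by the researchers.
CHAIN_READ = {
    "eth_call": re.compile(r"\beth_call\b"),
    "eth_getStorageAt": re.compile(r"\beth_getStorageAt\b"),
    "contract handle": re.compile(r"\bnew\s+(?:ethers|web3\.eth)\.Contract\s*\("),
}
DYNAMIC_EXEC = {
    "eval": re.compile(r"\beval\s*\("),
    "Function constructor": re.compile(r"\bnew\s+Function\s*\("),
    "child_process": re.compile(r"\bchild_process\b"),
}

def find_hits(source, patterns):
    """Return (line_number, label) for every line matching a pattern."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        for label, pattern in patterns.items():
            if pattern.search(line):
                hits.append((number, label))
    return hits

def triage(source):
    """Classify a script before anyone runs it."""
    reads = find_hits(source, CHAIN_READ)
    execs = find_hits(source, DYNAMIC_EXEC)
    if reads and execs:
        verdict = "block"    # reads chain data and can execute it
    elif reads or execs:
        verdict = "review"   # one half of the pattern only
    else:
        verdict = "clean"
    return {"verdict": verdict, "chain_reads": reads, "dynamic_exec": execs}

# Constructed samples (not taken from any real campaign).
SUSPICIOUS = '''const req = { method: "eth_call", params: [CALL, "latest"] };
const res = await rpc(req);
eval(decode(res.result));
'''
BALANCE_ONLY = '''const token = new ethers.Contract(ADDR, ABI, provider);
console.log(await token.balanceOf(user));
'''
PLAIN = "function add(a, b) { return a + b; }\n"

if __name__ == "__main__":
    for name, sample in [("suspicious", SUSPICIOUS), ("balance", BALANCE_ONLY), ("plain", PLAIN)]:
        print(name, triage(sample))
```

A "clean" verdict only means none of these few patterns matched; obfuscated scripts will slip past a keyword check, so unfamiliar test code still belongs in a disposable virtual machine with no wallets or saved credentials.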

When stolen data becomes digital gold

After collecting the sensitive data, the malware bundles it neatly into a compressed file and quietly sends it off to the hackers via Telegram bots or private channels. From there, the stolen credentials are used to drain victims’ cryptocurrency wallets.

Behind the campaign is a hacking group identified as UNC5342, reportedly working under the direction of the North Korean regime. This group specialises in large-scale cryptocurrency theft, part of a broader effort to fund the country’s heavily sanctioned government.

According to Chainalysis, a leading blockchain analytics firm, North Korean-linked hackers stole nearly $2 billion in digital assets in 2024 alone. Their methods are becoming more sophisticated, moving from traditional phishing scams to technically complex operations like EtherHiding.

A growing global concern

The implications are serious. The blockchain was designed to resist censorship and tampering – but that same resilience now shields malicious actors. Once a smart contract containing malware is deployed, even the developers of the blockchain can’t remove it.

Cybersecurity agencies worldwide, including Europol and the US Cybersecurity and Infrastructure Security Agency (CISA), have issued warnings about the rise of state-sponsored crypto attacks. They urge developers and investors to double-check the legitimacy of job offers and never execute unfamiliar scripts, no matter how convincing they seem.

As one analyst put it, “The blockchain doesn’t judge what you upload – it just preserves it forever.” That’s both its greatest strength and, as we’re learning, its most dangerous flaw.

In the cat-and-mouse game of cybersecurity, North Korean hackers have just moved the goalposts. And for the rest of the digital world, it’s another reminder that even the safest systems can become a hacker’s playground when ingenuity meets bad intentions.

Written by

Sarah Jensen