North Korean hackers unleash unstoppable crypto malware—experts warn of unprecedented blockchain attacks


Just when you thought cybercrime couldn’t get any more creative, North Korean hackers have decided to use the blockchain—the very foundation of crypto’s so-called security—as a hiding place for their latest wave of unstoppable malware. As if DeFi didn’t have enough drama!

Hackers, Blockchains, and a Recipe for Trouble

In a revelation sure to make crypto enthusiasts and cybersecurity pros break into a cold sweat, Google’s Threat Intelligence Group (GTIG) uncovered that hackers from North Korea have been hiding malware directly on the blockchain since February 2025. By embedding malicious code within smart contracts on public decentralized networks like Ethereum and the Binance Smart Chain, these cybercriminals have found a way to evade law enforcement and cybersecurity experts alike. The operation is known internally as “EtherHiding”—a fitting moniker, since the Ethereum blockchain is a key player in this scheme.

Let’s break it down: instead of relying on traditional web servers—which, honestly, are about as secure as a screen door—the hackers sneak their code into smart contracts. These automated programs power much of decentralized finance and make it trivially easy to execute transactions, shift coins between blockchains, and now, apparently, run illicit software. Once the code is slipped onto the blockchain, it’s there to stay—immutability turns from virtue to vice, as the code can’t be censored or deleted. Google investigators observed one smart contract updated over twenty times in just the first four months, proving just how dynamic and elusive this method is.

The Unstoppable Weaponization of Blockchain

Why does this trick work so well? Because blockchains are public and accessible to all. Any hacker can toss in a smart contract laced with malware, disguise it as normal data, and deploy it where nobody can take it down. Unlike most sites (where a well-aimed takedown can pull the rug out), these smart contracts are here to stay and can be modified to constantly update the malicious payload.

This tactic isn’t just creative—it’s dangerous. According to GTIG researcher Robert Wallace, “This development marks a significant escalation in the threat landscape: nation-state actors are now using unprecedented techniques to distribute malware that is tough for authorities to neutralize and easily adaptable for new campaigns.” In other words, welcome to a new level of cat-and-mouse.

The Trap: Fake Jobs and Real Headaches

So how do the hackers bait their victims? It starts innocently enough: by posting fake job offers for developers. These alleged crypto start-ups (made up from scratch, with convincing professional profiles on job platforms and networking sites) invite interested candidates to a friendly online chat. The friendly chat soon turns into a request for a technical skills test—a seemingly innocuous script or program to run on your laptop. This is where the jaws of the trap snap shut.

  • The program triggers the download of another script, tucked away inside a blockchain smart contract.
  • A piece of malware named JADESNOW is pulled from the blockchain, ready to play its part.
  • JADESNOW exists solely to fetch and execute the real payload: InvisibleFerret, a snoopy spyware designed to observe and record everything happening on the infected system.
  • InvisibleFerret scours all browsers for passwords, stored login credentials, email addresses, and even saved bank card information. However, its prime targets are crypto wallets managed in extensions such as MetaMask or Phantom.
  • Digging deep, it hunts for the private keys that can unlock a user’s crypto fortune.
  • All these stolen details are zipped up and, with minimal fanfare, exfiltrated via Telegram (using bots or private channels), or a remote server, landing straight in the hackers’ hands. The loot? The developer’s cryptocurrencies, of course.
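
As an added example (not from the article or from GTIG's report), here is a pre-run check a developer could apply to a take-home "skills test" before executing anything in it. It assumes the first-stage script reads contract data over Ethereum JSON-RPC and hands the result to a dynamic executor; the method names are standard JSON-RPC, while the function names and sample files are constructed here.

```python
import re
from pathlib import Path

# Assumed heuristic (not from the article): a loader of the kind described
# reads data from a contract over JSON-RPC and then executes what it fetched.
CHAIN_READ = re.compile(r"\beth_(?:call|getStorageAt|getTransactionByHash)\b")
DYNAMIC_EXEC = re.compile(r"(?<![.\w])(?:eval|exec)\s*\(|new\s+Function\s*\(")
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py"}

def scan_text(text):
    """Return the line numbers of chain reads and dynamic execution in one file."""
    hits = {"chain_read": [], "dynamic_exec": []}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if CHAIN_READ.search(line):
            hits["chain_read"].append(lineno)
        if DYNAMIC_EXEC.search(line):
            hits["dynamic_exec"].append(lineno)
    return hits

def verdict(hits):
    """'block' if both halves of the pattern appear, 'review' if only one does."""
    if hits["chain_read"] and hits["dynamic_exec"]:
        return "block"
    if hits["chain_read"] or hits["dynamic_exec"]:
        return "review"
    return "clean"

def scan_tree(root):
    """Scan source files under root; return {relative path: (verdict, hits)}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            hits = scan_text(path.read_text(errors="replace"))
            if verdict(hits) != "clean":
                report[str(path.relative_to(root))] = (verdict(hits), hits)
    return report

# Constructed samples (not real malware): a loader-shaped file and a benign one.
SAMPLE_LOADER = """\
const req = {jsonrpc: "2.0", method: "eth_call", params: [CALL, "latest"], id: 1};
const code = await readResult(req);   // placeholder helper
eval(code);
"""
SAMPLE_BENIGN = """\
const m = /(\\d+)/.exec(input);
console.log(m[1]);
"""
if __name__ == "__main__":
    print(verdict(scan_text(SAMPLE_LOADER)), verdict(scan_text(SAMPLE_BENIGN)))
```

A "review" or "block" result is a reason to read the flagged lines, or to run the project only in a disposable VM with no browser profiles or wallet extensions; a "clean" result does not prove the project is safe.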

The Faces Behind the Screens—and the Cost to Crypto

Behind this large-scale heist sits a group of North Korean state-sponsored attackers, designated UNC5342. These hackers are no amateurs—they specialize in digital asset theft and work under the auspices of the Pyongyang regime. North Korean cybercriminals remain among the greatest threats facing the crypto ecosystem. So far this year alone, these digital thieves have swiped two billion dollars’ worth of digital assets.

To make matters worse, their compatriots in the infamous Lazarus group hold the dubious honor of orchestrating the largest hack in crypto history, which targeted the exchange Bybit back in February. Surely, nobody in the blockchain world is sleeping easy these days.

With hackers weaponizing the very infrastructure meant to guarantee digital trust, it’s never been more crucial for crypto users and developers to double down on skepticism. Think twice before running any “skills test”—especially if your interview questions seem too good (or too technical) to be true!

chronik.fr is an independent media outlet.