Google Warns of ‘EtherHiding’ — North Korea’s New Weapon to Steal Crypto


Google Uncovers North Korean Hackers’ New ‘EtherHiding’ Method Targeting Crypto Users

Google's Threat Intelligence Group (GTIG) has reported that North Korean threat actors have adopted a payload-hosting technique called "EtherHiding." Instead of serving malware stages from a server that defenders can block or seize, the attackers store them inside smart contracts on public blockchains; the loader on the victim's machine then fetches the next stage with an ordinary read-only call to the contract. Because nobody can remove a deployed contract, the hosting is effectively takedown-proof.

According to Google's investigation, the actors primarily target software developers and crypto enthusiasts through fake job interviews, especially on professional networking platforms such as LinkedIn. The social-engineering campaign itself has been running since at least 2023 and has hit victims across multiple industries worldwide; the EtherHiding component was observed being added to it in early 2025.


A New Era of Crypto-Focused Cyberattacks

Google's threat intelligence team reported that the cluster it tracks as UNC5342, activity that the wider security industry has long attributed to North Korean state-sponsored operators, has adopted EtherHiding to conceal and distribute its malware.

Unlike traditional malware delivery, which depends on centralized servers, EtherHiding hides the payload inside smart contracts on public blockchains such as Ethereum and BNB Smart Chain (BSC).

This gives the attackers two properties a normal hosting provider cannot offer. First, a deployed contract cannot be taken down by law enforcement or a security vendor, so the hosting survives as long as the chain does. Second, the loader retrieves the payload with a read-only query to the contract, which costs no gas and leaves no transaction on the chain, so there is little to trace. The payload itself is not frozen, however: the operator can replace the stored data with a single cheap transaction, so "immutable" here means defenders cannot erase it, not that attackers cannot rotate it.

Robert Wallace, a senior cybersecurity consultant at Mandiant, described this as “a major escalation in the cybersecurity landscape,” adding that:

“Nation-state hackers are now leveraging blockchain’s decentralization to hide their operations. EtherHiding is a chilling example of how these technologies can be misused for persistent, hard-to-trace attacks.”


The Contagious Interview Campaign

At the heart of this operation lies the campaign known as "Contagious Interview." Attackers pose as recruiters from well-known tech firms on LinkedIn, contact software developers and blockchain professionals, and offer lucrative jobs or freelance contracts.

Once the target shows interest, the attackers move them into a fake interview process. At this stage the "candidate" is asked to download an "assessment package" or coding project, which contains a hidden downloader.

The malicious code runs when the victim does what a coding test invites them to do: install the project's dependencies or start the application. From there, the attackers gain access to browser credentials, password managers, cryptocurrency wallets, and other sensitive data on the system.

Google’s analysis shows that the malware targets Windows, macOS, and Linux systems, highlighting its cross-platform adaptability and sophistication.


Multi-Stage Infection Chain

The attack unfolds in multiple stages, employing a complex infection chain to ensure persistence and stealth.

  1. Stage One – Delivery:
    The initial infection vector is a trojanized npm (Node Package Manager) project or package handed to the victim during the fake interview. Running it executes a JavaScript downloader.

  2. Stage Two – Data Theft:
    The downloader is the BeaverTail family, which steals browser-saved passwords, crypto wallet seeds, and authentication tokens, and fetches the next stage.

  3. Stage Three – Payload Retrieval:
    A second downloader, JADESNOW, queries a smart contract on the Ethereum blockchain and decodes the data it returns into the next payload. This is the EtherHiding step: the contract's stored state acts as the download server, and the operator can update it at will.

  4. Stage Four – Remote Control:
    The final payload, the InvisibleFerret backdoor, gives the attackers remote access to the infected machine: command execution, file transfer, and theft of cryptocurrency assets in real time.

This layered approach makes detection difficult. Antivirus signatures and domain blocklists have little to bite on, because the later stages are not fetched from an attacker-controlled command-and-control server. They arrive as responses to JSON-RPC calls against public blockchain nodes, the same kind of traffic a wallet or a dApp generates, so the retrieval blends in with legitimate activity.
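The retrieval step above is best understood at the JSON-RPC layer. The following is an added example, written for this article and not taken from Google's report or from the JADESNOW or BeaverTail code: it shows how a `string` value returned by a contract is ABI-encoded, and a small triage routine a defender can run over captured `eth_call` exchanges to decide whether a contract is returning data or code. The RPC host, contract addresses, function selectors and the returned payload are all constructed for illustration.

```javascript
// Added example: what an EtherHiding retrieval looks like at the JSON-RPC
// layer, and a small triage routine a defender can run over captured
// exchanges. All addresses, hosts, selectors and payloads below are
// constructed for illustration; nothing here is taken from the real malware.

// Solidity ABI-encodes a `string` return value as three parts: a 32-byte
// offset to the data (0x20), a 32-byte length, then the UTF-8 bytes
// right-padded with zeros to a multiple of 32 bytes.
function encodeAbiString(str) {
  const bytes = Buffer.from(str, "utf8");
  const padded = Math.ceil(bytes.length / 32) * 32;
  const word = (n) => n.toString(16).padStart(64, "0");
  const data = Buffer.concat([bytes, Buffer.alloc(padded - bytes.length)]);
  return "0x" + word(32) + word(bytes.length) + data.toString("hex");
}

// Inverse of encodeAbiString, with bounds checks so a malformed or truncated
// `result` raises instead of returning garbage.
function decodeAbiString(hex) {
  const h = hex.startsWith("0x") ? hex.slice(2) : hex;
  if (h.length < 128) throw new Error("too short for an ABI-encoded string");
  const offset = parseInt(h.slice(0, 64), 16);
  const len = parseInt(h.slice(offset * 2, offset * 2 + 64), 16);
  const start = offset * 2 + 64;
  if (start + len * 2 > h.length) throw new Error("declared length exceeds data");
  return Buffer.from(h.slice(start, start + len * 2), "hex").toString("utf8");
}

// Heuristics for "this contract returned code, not data". Starting points
// only; tune them for your environment.
const CODE_PATTERNS = [
  /\beval\s*\(/,
  /new\s+Function\s*\(/,
  /require\s*\(\s*["']child_process["']\s*\)/,
  /Buffer\.from\s*\([^)]*["']base64["']\s*\)/,
];

// Triage one captured exchange: { process, host, request, response }, where
// request/response are the raw JSON-RPC bodies. Only eth_call matters here:
// it is a read-only query, costs no gas and leaves no on-chain trace, which
// is exactly why an EtherHiding loader uses it to pull its next stage.
function triageExchange(ex) {
  let req;
  try {
    req = JSON.parse(ex.request);
  } catch {
    return { flag: false, reason: "not JSON-RPC" };
  }
  if (req.method !== "eth_call") return { flag: false, reason: `ignored ${req.method}` };
  const call = (req.params && req.params[0]) || {};
  const selector = (call.data || "").slice(0, 10); // 4-byte function selector
  let decoded = null;
  try {
    decoded = decodeAbiString(JSON.parse(ex.response).result);
  } catch {
    // Not a string-returning call, or no response captured.
  }
  const hit = decoded ? CODE_PATTERNS.find((re) => re.test(decoded)) : null;
  return {
    flag: Boolean(hit),
    process: ex.process,
    host: ex.host,
    contract: call.to,
    selector,
    preview: decoded ? decoded.slice(0, 60) : null,
    reason: hit ? `eth_call result matches ${hit}` : "eth_call result looks like data",
  };
}

function triageAll(exchanges) {
  return exchanges.map(triageExchange);
}

// Constructed sample traffic: a wallet-style block-number query, an eth_call
// whose returned string is JavaScript (the EtherHiding pattern), and a benign
// ERC-20 name() lookup that also returns a string.
const SAMPLE_EXCHANGES = [
  {
    process: "chrome", host: "rpc.example-node.invalid",
    request: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "eth_blockNumber", params: [] }),
    response: JSON.stringify({ jsonrpc: "2.0", id: 1, result: "0x12d687" }),
  },
  {
    process: "node", host: "rpc.example-node.invalid",
    request: JSON.stringify({ jsonrpc: "2.0", id: 2, method: "eth_call",
      params: [{ to: "0x1111111111111111111111111111111111111111", data: "0x6d4ce63c" }, "latest"] }),
    response: JSON.stringify({ jsonrpc: "2.0", id: 2,
      result: encodeAbiString('eval(Buffer.from("Y29uc29sZS5sb2coMSk=", "base64").toString())') }),
  },
  {
    process: "node", host: "rpc.example-node.invalid",
    request: JSON.stringify({ jsonrpc: "2.0", id: 3, method: "eth_call",
      params: [{ to: "0x2222222222222222222222222222222222222222", data: "0x06fdde03" }, "latest"] }),
    response: JSON.stringify({ jsonrpc: "2.0", id: 3, result: encodeAbiString("Wrapped Ether") }),
  },
];

const TRIAGE_RESULTS = triageAll(SAMPLE_EXCHANGES);
for (const r of TRIAGE_RESULTS) console.log(JSON.stringify(r));
```

Run with `node` and the second exchange is the only one flagged: the request is indistinguishable from a legitimate contract read until the response is decoded, which is the point a network-only blocklist misses. In a real deployment the exchanges would come from a TLS-terminating proxy or EDR network telemetry, and the process name (a `node` process talking to an RPC endpoint on a developer workstation) is as useful a signal as the decoded content.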


Google’s Response and Global Cybersecurity Implications

Following the discovery, Google’s Threat Intelligence Group has issued urgent alerts to major platforms, including LinkedIn, GitHub, and npm, warning them to tighten security measures around developer interactions and software uploads.

In a statement, Google said it is “working closely with blockchain partners and cloud providers to identify and block malicious smart contracts tied to EtherHiding campaigns.”

The report also warns that the decentralized nature of blockchains poses unique challenges for law enforcement. Unlike conventional websites or databases that can be shut down, a malicious smart contract on Ethereum or BSC cannot be deleted once deployed, and its operator can keep updating the stored payload. Defenders are left flagging the contract addresses involved and watching for the read-only RPC queries that loaders use to fetch from them.

Cybersecurity researchers believe that North Korea’s hacking division, often referred to as the Lazarus Group, is likely behind this campaign. The group has previously been implicated in several high-profile cyber heists, including the 2016 Bangladesh Bank hack and the 2022 Ronin Bridge attack, which collectively stole billions of dollars in crypto assets.


A Growing Trend: Job Scams as Attack Vectors

This campaign also underscores a growing trend in cybercrime—the use of fake job offers to compromise individuals in the blockchain and tech sectors.

In 2024 and early 2025, several similar attacks were reported, where hackers impersonated HR representatives from reputable companies like Binance, Coinbase, and OKX. Victims were lured into downloading files that appeared legitimate but contained malicious payloads.

These tactics have become increasingly effective as remote work and online recruiting have grown more common. Attackers exploit the trust inherent in professional platforms like LinkedIn, turning them into conduits for malware delivery.


Crypto Industry Reacts

In response to the discovery, Binance’s founder Changpeng Zhao (CZ) has once again raised awareness about the rising frequency of state-backed phishing attempts. Zhao himself has reportedly received warnings such as “Google may have detected government-backed attackers trying to steal your password.”

The broader crypto community has taken note as well. Developers and investors are being urged to:

  • Avoid downloading files from unverified sources.

  • Cross-check job offers and email domains with official company websites.

  • Treat any "take-home" coding project as untrusted code: read package.json for install hooks (preinstall, postinstall) and obfuscated scripts before running npm install, and run it only in a throwaway VM or container with no wallets, SSH keys, or password manager present.

  • Enable multi-factor authentication (MFA) and keep crypto in hardware wallets, so stolen browser data and seed files are worth less to a thief.

  • Use blockchain security tools to verify smart contracts before interacting with them. Note that this protects against malicious contracts you call yourself; in EtherHiding the victim never touches the contract, the malware does.

Cybersecurity firms like Halborn and Trail of Bits have already begun scanning blockchain networks for EtherHiding-related activity to prevent further exploitation.


The Future of Blockchain-Based Malware

Experts warn that EtherHiding is just the beginning of a new era in cyber threats, where attackers use the same decentralized tools that power blockchain innovation to conceal their crimes.

Unlike conventional web malware, blockchain-embedded payloads are hosted on infrastructure nobody can shut down and are readable from anywhere. Even if the attackers' identity is exposed, the contract stays online indefinitely, and its operator can swap in a new payload whenever the old one is flagged.

As Mandiant’s Robert Wallace emphasized, “The security community must now prepare for the next evolution of attacks—where blockchain itself becomes the hiding place for malware.”

With over $10 billion stolen from crypto users between 2021 and 2025 through various schemes, the emergence of EtherHiding adds yet another layer of complexity to the global fight against cybercrime.


Final Thoughts

Google’s findings highlight a critical intersection between blockchain technology and cybersecurity. While decentralized systems offer resilience and transparency, they also create new opportunities for misuse.

The discovery of EtherHiding should serve as a wake-up call for developers, investors, and policymakers to strengthen digital defenses and close the security gaps that allow such sophisticated attacks to thrive.

As the crypto ecosystem continues to evolve, so too must its defenses, because in this landscape the blockchain itself can be turned into takedown-proof hosting for malware.


Disclaimer

The content published on nyohoka.com is for informational and educational purposes only. It should not be considered as financial, investment, trading, or legal advice. Cryptocurrency and digital asset investments carry a high level of risk and may not be suitable for all investors.

We do not guarantee the accuracy, reliability, or completeness of the information provided. nyohoka.com and its authors are not responsible for any losses or damages that may arise from the use of this content.

Always do your own research (DYOR) and consult with a qualified professional before making any financial decisions.
