Google’s Threat Intelligence Group has uncovered a new wave of cyberattacks where hackers are using public blockchains to host and distribute malicious code. This alarming trend transforms one of the world’s most secure and tamper-resistant technologies into a stealthy channel for cybercrime.
According to Google’s latest report, several advanced threat actors, including one group suspected of operating on behalf of North Korea have begun embedding harmful code into smart contracts on major blockchain platforms such as Ethereum and the BNB Smart Chain. The technique, known as “EtherHiding,” allows attackers to conceal malware within the blockchain itself, creating a nearly untraceable and permanent delivery system.
Smart contracts were originally designed to enable transparent and trustworthy transactions without intermediaries. However, attackers are now exploiting their immutability to host malware that cannot be deleted or blocked. Once malicious code is written into a blockchain contract, it becomes permanently accessible to anyone who knows how to retrieve it.
This innovation replaces the need for traditional “bulletproof hosting” services, offshore servers that cybercriminals once used to evade law enforcement. By using blockchain networks instead, hackers can distribute malicious software at a fraction of the cost, often paying less than two dollars per contract update.
The decentralized nature of these systems eliminates any single point of failure, meaning there is no authority capable of taking down the malicious data. Even blockchain’s anonymity features benefit attackers, as retrieving code from smart contracts leaves no identifiable trace in transaction logs.
How the Attacks Unfold
Google researchers observed that hackers often begin their campaigns with social engineering tactics targeting software developers. Pretending to be recruiters, they send job offers that require the victims to complete “technical tasks.” The provided test files secretly install the initial stage of malware.
Once the system is compromised, additional malicious components are fetched directly from smart contracts stored on Ethereum or BNB Smart Chain. This multi-layered strategy enables attackers to modify or update their payloads anytime without being detected by conventional cybersecurity tools.
Among the identified actors, UNC5342, a North Korea-linked hacking collective, uses a downloader called JadeSnow to pull secondary payloads hidden within blockchain contracts. In several incidents, the group switched between Ethereum and BNB Smart Chain mid-operation; a move possibly motivated by lower transaction fees or operational segmentation. Another financially driven group, UNC5142, has reportedly adopted the same approach, signaling a broader trend among sophisticated threat actors.
The findings stress upon how cybercriminals are reimagining blockchain’s purpose. A tool built for transparency and trust is now being reshaped into an indestructible infrastructure for malware delivery.
Analysts also note that North Korea’s cyber operations have become more advanced in recent years. Blockchain research firm Elliptic estimated earlier this month that North Korean-linked hackers have collectively stolen over $2 billion in digital assets since early 2025.
Security experts warn that as blockchain adoption expands, defenders must develop new strategies to monitor and counter such decentralized threats. Traditional takedown mechanisms will no longer suffice when malicious data resides within a public, unchangeable ledger.
