North Korea Now Targets Entire Blockchains Like Ethereum

EtherHiding on BNB Chain and Ethereum. Source: Google Threat Intelligence Group

GTIG pointed out that this attack often leaves no visible transaction trail and requires little to no fees because it happens off-chain. This, in essence, allows the attackers to operate undetected.

Sponsored

Sponsored

Notably, GTIG traced the first instance of EtherHiding to September 2023, when it appeared in a campaign known as CLEARFAKE, which tricked users with fake browser update prompts.

How to Prevent the Attack

Cybersecurity researchers say this tactic signals a shift in North Koreas digital strategy from merely stealing cryptocurrency to using blockchain itself as a stealth weapon.

“EtherHiding represents a shift toward next-generation bulletproof hosting, where the inherent features of blockchain technology are repurposed for malicious ends. This technique underscores the continuous evolution of cyber threats as attackers adapt and leverage new technologies to their advantage,” GTIG stated.

John Scott-Railton, a senior researcher at Citizen Lab, described EtherHiding as an “early-stage experiment.” He warned that combining it with AI-driven automation could make future attacks much harder to detect.

“I expect attackers to also experiment with directly loading zero click exploits onto blockchains targeting systems & apps that process blockchains… especially if they are sometimes hosted on the same systems & networks that handle transactions / have wallets,” he added.

This new attack vector could have severe implications for the crypto industry, considering North Korean attackers are significantly prolific.

Data from TRM Labs shows that North Korean-linked groups have already stolen more than $1.5 billion in crypto assets this year alone. Investigators believe those funds help finance Pyongyangs military programs and efforts to evade international sanctions.

Given this, GTIG advised crypto users to reduce their risk by blocking suspicious downloads and restricting unauthorized web scripts. The group also urged security researchers to identify and label malicious code embedded within blockchain networks.