Google Threat Intelligence Group has identified that North Korean hackers are employing a new technique called ‘EtherHiding’ for crypto hacks. They were caught using sophisticated tactics to deceive job seekers into installing malicious code on their devices.
According to Google’s intelligence group, these actors have been targeting developers through fake job interviews on platforms like LinkedIn, ultimately aiming to steal cryptocurrency assets. The EtherHiding technique allows the attackers to hide malicious code within blockchain smart contracts, enabling decentralized and resilient malware distribution.
In a recent investigation, Google Threat Intelligence Group identified a novel, sophisticated hacking method used by North Korean hackers. As per reports, the group has recently started using the ‘EtherHiding’ technique to distribute malware and steal cryptocurrencies.
The investigating team attributed this malicious activity to a threat cluster known as UNC5342, which is tracked by various security firms under different names. As reported by Google, UNC5342 has been using EtherHiding as of February 2025. The technique embeds malicious code within smart contracts on a public blockchain, such as Binance Smart Chain ("BSC") or Ethereum, to create a decentralized and resilient malware distribution scheme that is difficult to disable.
This campaign, called Contagious Interview, sees attackers impersonate recruiters on LinkedIn with the intent of persuading their targets to execute malicious code, typically by advertising an interview assessment. The overall intent is to surreptitiously obtain sensitive data, steal cryptocurrencies, and compromise developer machines, in line with North Korea's objectives regarding cyber espionage and financial gain.
Robert Wallace, consulting leader at Mandiant, noted,
“This development signals an escalation in the threat landscape, as nation-state threat actors are now utilizing new techniques to distribute malware that is resistant to law enforcement takedowns and can be easily modified for new campaigns.”
Notably, this development comes on the heels of a crypto hack alert on Binance founder Changpeng Zhao, also known as CZ. As earlier reported by CoinGabbar, CZ frequently receives alerts like “Google may have detected government-backed attackers trying to steal your password.”
The attack progresses through multiple stages, infecting Windows, macOS, and Linux systems with a range of malware. It starts with a disguised npm package downloader, which then deploys specific tools: BeaverTail steals sensitive data, JADESNOW fetches additional payloads via Ethereum, and InvisibleFerret enables remote control and long-term data theft, targeting cryptocurrency wallets and password managers.
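A detection example for the chain described above, added here and not taken from Google's report: it flags script runtimes that read blockchain data over HTTP, with higher severity when the process was started by an npm install. It assumes the payload is fetched with standard read-only Ethereum JSON-RPC methods (the article does not name the call); the event fields, hostnames and process list are constructed for illustration.

```python
import json

# Ethereum JSON-RPC methods that read chain data without sending a transaction.
READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getTransactionByHash"}
# Runtimes not expected to query a blockchain on a developer workstation
# (assumption: tune this list per environment).
SCRIPT_RUNTIMES = {"node", "node.exe", "python3", "python.exe", "powershell.exe"}

# Constructed telemetry: process, parent command line, destination, HTTP body.
SAMPLE_EVENTS = [
    {"host": "dev-01", "process": "node", "parent_cmdline": "npm install",
     "dest": "rpc.example.invalid",
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call",'
             '"params":[{"to":"0xPLACEHOLDER","data":"0x"},"latest"]}'},
    {"host": "dev-02", "process": "chrome.exe", "parent_cmdline": "explorer.exe",
     "dest": "rpc.example.invalid",
     "body": '{"jsonrpc":"2.0","id":7,"method":"eth_call","params":[]}'},
    {"host": "dev-03", "process": "node", "parent_cmdline": "npm install",
     "dest": "registry.example.invalid", "body": '{"name":"example-pkg"}'},
    {"host": "dev-04", "process": "python3", "parent_cmdline": "bash",
     "dest": "rpc.example.invalid",
     "body": '[{"jsonrpc":"2.0","id":1,"method":"eth_getStorageAt","params":[]}]'},
]

def rpc_methods(body):
    """Return JSON-RPC method names found in a request body (single or batch)."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []  # missing or non-JSON body
    calls = doc if isinstance(doc, list) else [doc]
    return [c["method"] for c in calls
            if isinstance(c, dict) and c.get("jsonrpc") == "2.0"
            and isinstance(c.get("method"), str)]

def flag_events(events):
    """Flag script runtimes that issue read-only chain queries."""
    alerts = []
    for ev in events:
        reads = [m for m in rpc_methods(ev.get("body")) if m in READ_METHODS]
        proc = ev.get("process", "").lower()
        if not reads or proc not in SCRIPT_RUNTIMES:
            continue
        # A chain read from a process spawned by a package install is the
        # strongest signal, matching the npm downloader stage in the article.
        severity = "high" if "npm" in ev.get("parent_cmdline", "").lower() else "medium"
        alerts.append({"host": ev["host"], "process": proc, "dest": ev["dest"],
                       "methods": reads, "severity": severity})
    return alerts
```

Browsers and wallet applications make the same calls legitimately, so the allow/deny split by process name is what keeps the rule usable on developer fleets.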