North Korea-linked hacking groups are increasingly deploying blockchain-based hacking tools to carry out sophisticated cyberattacks, according to new analyses from Cisco Talos and Google Threat Intelligence. These attacks target individuals and global organizations through fake job recruitment campaigns designed to steal cryptocurrency, infiltrate corporate systems, and avoid traditional detection methods.
Researchers from both firms said the use of decentralized blockchain infrastructure allows hackers to operate command-and-control (C2) systems that are virtually impossible to dismantle. The development marks a major escalation in cyber warfare tactics, as traditional cybersecurity frameworks are struggling to adapt to decentralized threats.
“These actors are evolving faster than many defense systems,” said Warren Mercer, Technical Leader at Cisco Talos. “By embedding malicious code in blockchain transactions, they create a permanent, decentralized delivery network that can’t simply be taken down.”
This blockchain-based approach has allowed North Korean operatives to maintain persistence and access to targets for months, even after infected systems are cleaned or reset.
Malware families evolving to exploit decentralized networks
Cisco Talos identified a North Korean threat group known as Famous Chollima, which has expanded its toolkit with two related malware families, BeaverTail and OtterCookie. Both are engineered to steal credentials, monitor activity, and exfiltrate sensitive data. Recent variants share overlapping modules designed to enhance stealth and inter-device communication.
In one instance, a Sri Lankan company became collateral damage after an unsuspecting job seeker was tricked into downloading a malicious “technical test.” The embedded malware secretly recorded keystrokes and screenshots before transmitting them to attacker-controlled servers.
Researchers said the infection chain demonstrated how blockchain-based hacking tools can operate indirectly through individuals, allowing hackers to bypass organizational defenses entirely.
Cisco’s report emphasized that these methods mirror the MITRE ATT&CK framework’s persistence and defense evasion techniques, illustrating how blockchain data is being exploited to conceal communications.
Blockchain as a decentralized command system
Google’s Threat Intelligence Group (GTIG) linked another North Korean cluster, UNC5342, to a new malware strain called EtherHiding. The malware stores malicious JavaScript code directly on public blockchain networks, creating a decentralized command structure that is nearly impossible to remove.
By using public smart contracts to store and retrieve payloads, EtherHiding eliminates the need for centralized infrastructure, which traditional cyber defense teams usually target. This design enables attackers to remotely modify behavior without redeploying servers or domains.
According to GTIG researchers, EtherHiding is part of a broader campaign known as “Contagious Interview,” in which victims are lured with fake job offers. Once installed, the malware can adapt dynamically by retrieving updated code segments from blockchain transactions, a tactic that leverages the immutable nature of decentralized networks.
“Blockchain-based hacking tools represent a new frontier in cyber threats,” said Shane Huntley, Head of GTIG. “These campaigns weaponize the resilience of blockchain to maintain control indefinitely.”
To understand how blockchain data remains permanent and public, Google’s report cited the Ethereum documentation on immutability.
Global cybersecurity concerns and defensive measures
The use of blockchain-based hacking tools poses growing challenges for international cybersecurity and financial regulation. Because blockchain transactions are immutable and globally distributed, law enforcement agencies cannot easily disrupt command channels.
Organizations like the Cybersecurity and Infrastructure Security Agency (CISA) have urged companies to monitor network traffic for unusual blockchain-related activity and to train staff against targeted social engineering schemes.
Cisco Talos and Google have released detailed indicators of compromise (IOCs) to help companies detect activity linked to the BeaverTail, OtterCookie, and EtherHiding families. They also advise firms to verify job recruitment processes, restrict executable file sharing, and enhance multi-factor authentication for crypto-related systems.
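As an added defensive example (not code from Cisco Talos, Google, or the reports they cite), this Python scan applies the monitoring advice above to constructed proxy records of JSON-RPC exchanges: it flags read-only contract calls made from unexpected processes or through unapproved gateways, and checks whether the returned data decodes to script-like text, the pattern EtherHiding relies on when it stores JavaScript in a smart contract. The process names, gateway hosts and record format are assumptions.

```python
import json
import re

# Read-only JSON-RPC methods fetching contract code or state; EtherHiding retrieves its payload with such reads, not transactions.
READ_METHODS = {"eth_call", "eth_getCode", "eth_getStorageAt"}
# Hypothetical allowlists: processes expected to talk to chain RPC gateways, and which gateways they should use.
ALLOWED_PROCESSES = {"treasury-wallet.exe"}
ALLOWED_GATEWAYS = {"rpc.example-gateway.internal"}
# Markers suggesting a contract read returned JavaScript rather than a numeric value.
JS_MARKERS = re.compile(r"function\s*\(|=>\s*\{|eval\(|new Function|document\.|window\.")

def decode_rpc_result(result_hex):
    """Printable-text view of a hex JSON-RPC result (ABI padding bytes dropped)."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    return "".join(chr(b) for b in raw if 32 <= b < 127)

def inspect_record(rec):
    """Reasons, if any, that one proxied JSON-RPC exchange looks like chain-based C2."""
    try:
        req, resp = json.loads(rec["request"]), json.loads(rec.get("response", "{}"))
    except (ValueError, KeyError):
        return []
    if req.get("method") not in READ_METHODS:
        return []  # block-number polling and the like are not of interest here
    reasons = []
    if rec["process"] not in ALLOWED_PROCESSES:
        reasons.append("contract read from unexpected process " + rec["process"])
    if rec["host"] not in ALLOWED_GATEWAYS:
        reasons.append("contract read via unapproved gateway " + rec["host"])
    result = resp.get("result", "")
    if isinstance(result, str) and JS_MARKERS.search(decode_rpc_result(result)):
        reasons.append("contract read returned script-like text")
    return reasons

def scan(records):
    return [(r["process"], r["host"], rs) for r in records if (rs := inspect_record(r))]

def abi_string_hex(s):  # dynamic-string ABI return value: offset, length, padded data
    head = (32).to_bytes(32, "big") + len(s).to_bytes(32, "big")
    return "0x" + (head + s + b"\x00" * ((-len(s)) % 32)).hex()

# Constructed sample records (not real telemetry): a wallet's balance check, then an interpreter pulling a contract string that decodes to JavaScript.
SAMPLE_LOGS = [
    {"process": "treasury-wallet.exe", "host": "rpc.example-gateway.internal",
     "request": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call", "params": [{"to": "0x" + "11" * 20, "data": "0x70a08231"}, "latest"]}),
     "response": json.dumps({"jsonrpc": "2.0", "id": 1, "result": "0x" + "00" * 31 + "2a"})},
    {"process": "node.exe", "host": "public-rpc.example.net",
     "request": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_call", "params": [{"to": "0x" + "22" * 20, "data": "0xabababab"}, "latest"]}),
     "response": json.dumps({"jsonrpc": "2.0", "id": 2, "result": abi_string_hex(b"(function(){document.title='x'})()")})},
]
```

Running `scan(SAMPLE_LOGS)` returns only the node.exe record, with all three reasons attached; the wallet's balance lookup passes every check.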
Cybersecurity analysts warn that failure to adapt could allow hostile state actors to create decentralized, self-sustaining malware ecosystems beyond state control.
“These attacks show how blockchain, originally designed for transparency and trust, can be repurposed into a powerful cyber weapon,” said Mercer. “Defenders now face a decentralized enemy that can’t simply be shut down.”
As North Korea intensifies its cyber operations, the integration of blockchain-based hacking tools underscores a broader shift toward decentralized threat architectures, one that will test the limits of global cybersecurity resilience.