
Key highlights:
- North Korean hackers are manipulating blockchain smart contracts to steal cryptocurrency.
- Unsuspecting people are tricked into giving access to their system by running a simple piece of code.
- Google alleges that it's a state-sponsored attack from North Korea.
Google has issued an international warning after spotting a group of North Korean hackers stealing cryptocurrency from innocent people using a technique called EtherHiding. The scheme involves luring the victim into a fake job interview and asking them to run a piece of JavaScript code. Once executed, the code keeps running in the background and steals cryptocurrency from the victim's system and wallet in direct and indirect ways. The scam is operated using blockchain-based smart contracts, which are almost untraceable.
What is EtherHiding?
EtherHiding is an advanced malware technique in which hackers embed malicious code in a blockchain smart contract. In simple terms, a smart contract is a system that executes a deal between two parties when the agreed conditions are met, without the need for a regulatory body in between. It is considered secure in the crypto world, but hackers are using phishing methods to trick victims into giving access to their wallets. The blockchain smart contracts themselves are indeed safe, with no known loopholes in this context.
The plan of attack used by the hackers is simple. They target job seekers on portals like LinkedIn and filter for users with a known background in crypto. The hackers then conduct an online interview, asking the victim to run a JavaScript file on their system as part of the assessment. On the surface, it looks like harmless code related to the job. In the background, however, it runs through the victim's computer and starts to authorize withdrawal transactions from local wallets. It also attacks other crypto-based software on the system, looking for additional ways to extract crypto from the victim.
North Korea threat actor UNC5342 is using EtherHiding, the first time we observed a nation-state use this technique. 🚨
Their end goal? Conducting cryptocurrency heists, and espionage.
Read the full blog post: https://t.co/lE4XbVjRZi pic.twitter.com/m87xq6Kl9v
— Google Cloud Security (@GoogleCloudSec) October 17, 2025
Note that this is just a simplified explanation of the attack process, and the actual procedure is far more complex. Google has explained the technical details of this scam on its official blog, which you can refer to for the detailed workings and execution used by the hackers.
Since the attack uses the blockchain network, the hackers are able to maintain anonymity, which makes it difficult to trace them. Google has attributed this attack to state-sponsored North Korean hackers. However, no hacking group had taken responsibility for it at the time of publishing this article.
Is Your Crypto Safe?
Crypto as a concept is safe, as it uses the highly secure and encrypted blockchain network, which is almost impossible to hack with current technologies. All the breaches, thefts, and heists related to crypto in recent years are a result of planned theft, negligence on the part of the exchange or owner, and phishing attacks.
As long as you remain vigilant and do not install any unknown software on the system you use to deal in crypto, your cryptocurrency remains safe. You should also be careful not to run any malicious code or program, even in the context of an interview or anything else important.
If you ever need to run less-reputable software, we recommend running it in a virtual machine or on a completely different laptop. This will serve as an additional layer of safety and protect you from potential crypto scams.
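As an added example (not code from Google's report or from this article), here is a static pre-check that could be run over interview code before executing it anywhere, even in a virtual machine. It only reads the file's text. The indicator patterns and the three sample inputs are assumptions constructed for illustration, and a clean result does not make unknown code safe to run.

```javascript
// Added example: static triage of untrusted JavaScript before anyone runs it.
// The patterns are heuristics chosen for this sketch, not published signatures.
const INDICATORS = [
  { kind: 'chain', id: 'rpc-read', re: /\beth_(call|getStorageAt|getTransactionByHash)\b/ },
  { kind: 'chain', id: 'web3-lib', re: /(require\(|from)\s*["'](ethers|web3)["']/ },
  { kind: 'exec', id: 'dynamic-eval', re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { kind: 'exec', id: 'child-process', re: /["'](node:)?child_process["']/ },
  { kind: 'decode', id: 'blob-decode', re: /Buffer\.from\([^)]*["'](hex|base64)["']\s*\)|\batob\s*\(/ },
];

// Returns { verdict, findings }. Nothing in `source` is evaluated or imported.
function triage(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    for (const { kind, id, re } of INDICATORS) {
      if (re.test(text)) findings.push({ kind, id, line: idx + 1 });
    }
  });
  const kinds = new Set(findings.map((f) => f.kind));
  // Blockchain libraries alone are normal in a crypto coding test; the
  // combination of an on-chain read with runtime code execution is not.
  let verdict = 'no-indicators';
  if (kinds.has('chain') && kinds.has('exec')) verdict = 'do-not-run';
  else if (findings.length > 0) verdict = 'manual-review';
  return { verdict, findings };
}

// Constructed, inert sample lines (not taken from any real sample).
const SAMPLE_FLAGGED = [
  'const req = { jsonrpc: "2.0", method: "eth_call", params: [] };',
  'const text = Buffer.from(hexString, "hex").toString();',
  'eval(text);',
].join('\n');
const SAMPLE_WALLET_APP = [
  'const { ethers } = require("ethers");',
  'console.log(ethers.formatEther(balance));',
].join('\n');
const SAMPLE_PLAIN = 'function add(a, b) { return a + b; }';

for (const sample of [SAMPLE_FLAGGED, SAMPLE_WALLET_APP, SAMPLE_PLAIN]) {
  console.log(JSON.stringify(triage(sample)));
}
```

Each finding carries a line number, so a reviewer can go straight to the flagged statements without running the file.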