Google’s Warning: How Hackers Are Turning Blockchains Into Malware Superhighways
Web3’s Dark Side: Smart Contracts Repurposed for Cybercrime
The promise of blockchain technology has always been rooted in security, transparency, and decentralization. But in a chilling new development, these very features are being weaponized. Google’s Threat Intelligence Group (GTIG) has uncovered a sophisticated malware campaign where a hacking group, identified as UNC5142, is using public blockchains to orchestrate widespread cyberattacks, marking a pivotal shift in the landscape of digital threats.
This financially motivated group has turned the immutable ledger of the blockchain into a resilient command-and-control center for their malicious operations, challenging conventional cybersecurity measures and putting thousands of internet users at risk.
What is EtherHiding? The New Attack Vector
At the core of this campaign is a technique dubbed EtherHiding. Instead of relying on traditional web servers that can be easily identified and shut down, UNC5142 embeds malicious code directly into smart contracts on public blockchains like the BNB Smart Chain. In essence, they are using the decentralized network as a bulletproof hosting service for their malware.
Since mid-2024, this method has been used to compromise over 14,000 WordPress websites. Malicious JavaScript is injected into these sites, turning them into unwitting launchpads for the next stage of the attack.
The Anatomy of the Attack: From a Blog Visit to Stolen Data
The infection chain is deceptive and dangerously effective, guiding unsuspecting users from a legitimate website to a full-blown malware infection. Here’s how it works:
- Step 1: The Initial Compromise: The attack begins when a user visits a hacked WordPress site. The malicious code, often hidden in plugins or themes, quietly activates in the background.
- Step 2: The Blockchain Call: This code doesn’t contain the malware itself. Instead, it communicates with a malicious smart contract on the BNB Smart Chain to retrieve instructions.
- Step 3: The Fake Update: Following the smart contract’s directions, the user is redirected to a convincing but fake landing page. This page mimics an official browser update prompt (for both Windows and macOS), tricking the user into believing they need to install a critical update.
- Step 4: The Payload Delivery: The “update” is actually a command that executes a powerful information-stealing malware. The campaign deploys several notorious stealers, including Atomic (AMOS), Lumma, Rhadamanthys (RADTHIEF), and Vidar. These payloads are often hosted on legitimate services like Cloudflare, GitHub, or MediaFire to evade suspicion.
- Step 5: The Silent Theft: Once executed, the malware runs directly in the computer’s memory to avoid being detected by antivirus software. It then begins siphoning off sensitive information, such as passwords, financial data, browser cookies, and cryptocurrency wallet credentials.
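As an added illustration (not code from Google's report or from the campaign itself), here is a small Python check a site owner could run over a saved copy of a WordPress page to surface inline scripts that read from a smart contract, the behaviour described in Step 2. The regex heuristics, the sample page, the RPC host and the contract addresses are all assumptions constructed for this example.

```python
import re

# Heuristics here are this example's own assumptions, not indicators from
# Google's report: an inline script that sends an Ethereum-style JSON-RPC
# "eth_call" naming a 20-byte contract address is reading on-chain data.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ETH_CALL_RE = re.compile(r"""["']eth_call["']""")
JSONRPC_RE = re.compile(r"""["']?jsonrpc["']?\s*:\s*["']2\.0["']""")
ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


def find_chain_readers(html: str) -> list[dict]:
    """Flag inline <script> blocks pairing an eth_call with a contract address.

    A bare 0x... address is not enough (tip jars embed them); the pairing with
    an RPC read suggests the page fetches its next step from a contract.
    """
    findings = []
    for idx, match in enumerate(SCRIPT_RE.finditer(html)):
        body = match.group(1)
        addrs = sorted(set(ADDR_RE.findall(body)))
        if ETH_CALL_RE.search(body) and addrs:
            findings.append({
                "script_index": idx,
                "contracts": addrs,
                "jsonrpc_envelope": bool(JSONRPC_RE.search(body)),
            })
    return findings


# Constructed sample page: a benign theme script, a tip jar that only mentions
# an address, and a stand-in for an injected loader that reads a contract over
# JSON-RPC. The RPC host and both addresses are placeholders.
SAMPLE_PAGE = """<html><head>
<script>document.title = "My Blog";</script>
</head><body>
<div>Tip jar: 0x2222222222222222222222222222222222222222</div>
<script>var tipAddr = "0x2222222222222222222222222222222222222222";</script>
<script>
fetch("https://rpc.example.invalid", {method: "POST", body: JSON.stringify({
  jsonrpc: "2.0", id: 1, method: "eth_call",
  params: [{to: "0x1111111111111111111111111111111111111111", data: "0x"}, "latest"]})});
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in find_chain_readers(SAMPLE_PAGE):
        print(finding)
```

Any hit is a lead for a human to follow up on, not proof of compromise; a legitimate dapp widget would trip the same rule.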
The Hacker’s Ace in the Hole: The Smart Contract Proxy Pattern
What makes this campaign so difficult to stop is UNC5142’s clever use of a blockchain development technique known as the proxy pattern. This architecture splits their smart contract system into three contracts: a router, a logic contract, and a storage contract.
This separation gives the hackers incredible flexibility. If a payload URL hosted on GitHub gets taken down, they don’t need to re-infect thousands of websites. Instead, they simply update the logic contract on the blockchain with a new URL. This transaction is:
- Extremely Cheap: Each update costs them between $0.25 and $1.50 in network fees.
- Instantaneous: The change is propagated immediately across all 14,000+ infected sites.
- Resilient: Because the core instructions are on an immutable blockchain, law enforcement and cybersecurity firms cannot simply “take down” the hackers’ central server. There isn’t one.
A Game-Changer for Cybersecurity
The rise of blockchain-based malware delivery signals a paradigm shift. For years, cybercriminals have struggled with maintaining their infrastructure against takedown efforts. By leveraging a decentralized, public ledger, UNC5142 has built an agile and virtually indestructible system for malware distribution.
As one researcher noted, “Once hackers start leveraging immutable public ledgers for infection control, traditional takedown models simply don’t work anymore.”
While Google reports that new campaigns from this specific group have not been observed since July 2025, the technique is now public. Experts warn that this could inspire a new wave of copycat attacks, blending the anonymity of crypto with the scalability of automated malware campaigns. The line between Web3 innovation and cyber exploitation has officially been blurred, and the security community must adapt before it’s too late.