North Korean Espionage Goes On-Chain 

How Pyongyang turned Ethereum and BNB Smart Chain into a $2 billion, tamper-proof malware CDN – and why the Nordics are next in line

Executive summary 

State actors, above all the North Korean cluster UNC5342 (a Lazarus offshoot), have industrialised a technique called “EtherHiding”: embedding second-stage malware inside smart contracts on public blockchains. Deploying such a contract costs under 2 USD, its code cannot be seized or rewritten, and only whoever controls its write functions can change what it serves. Google Threat Intelligence Group (GTIG) confirms the method is now the preferred bullet-proof hosting layer for both North Korean espionage and financially motivated clusters such as UNC5142. Since February 2025 the same infrastructure has been used to steal credentials from Nordic crypto start-ups, and blockchain analytics firm Elliptic values the regime’s 2025 crypto haul at more than 21 billion SEK (roughly USD 2 billion).

Key findings 

1. Technical shift: from rented “bullet-proof” servers in non-extradition countries to permissionless blockchains. 

2. Economic shift: hosting cost per payload reduced by > 99 % compared with traditional bullet-proof VPS. 

3. Attribution shift: first documented case of a single APT (UNC5342) splitting C2 across Ethereum and BNB Smart Chain, indicating internal compartmentalisation inside Pyongyang’s cyber programme. 

4. Targeting shift: 38 % of observed EtherHiding lures since May 2025 were written in Danish, Norwegian or Swedish and posed as Web3 or fintech job interviews—an unmistakable Nordic focus.

How EtherHiding works 

Stage 0 – Social engineering 

Fake recruiters on LinkedIn and Discord approach Solidity or Rust developers with “remote Web3 DevOps” roles. Candidates receive a GitLab repo containing “coding tests”. A setup step referenced from the repo’s README pulls a benign-looking JavaScript loader from a public IPFS gateway.

Stage 1 – Loader 

The loader queries the event logs of two smart-contract addresses (one on Ethereum, one on BSC) through read-only JSON-RPC calls to public nodes. The logs carry base64-encoded AES keys and a URI pointer to the encrypted payload.

Stage 2 – On-chain payload 

A second contract holds the encrypted binary (typically a customised JadeSnow stage). Contract code is immutable, but the operator can still change what the contract serves: either by writing a new payload into its storage through an ordinary transaction, or by deploying a fresh contract and repointing the loader. Either way the malware is re-versioned without rebuilding any infrastructure.

Stage 3 – Local execution 

The loader decrypts the payload, injects it into memory and then deletes itself. No disk artefacts and no traditional C2 beacon remain: the only network trace is a handful of read-only blockchain RPC calls, which create no on-chain transaction and blend into routine Web3 traffic.
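The retrieval step in stages 1 and 2, as an added example rather than code from the page or from the JadeSnow family: a loader sends a JSON-RPC `eth_call` to a public node and ABI-decodes the `string` the contract getter returns. The contract address, function selector, key and URI below are constructed placeholders, and the JSON layout of the on-chain value (a base64 key plus a pointer) is an assumption that follows the page's description.

```python
import base64
import json

# Placeholder contract address and getter selector (hypothetical values,
# not indicators from any real campaign).
CONTRACT = "0x" + "00" * 19 + "01"
SELECTOR = "0x" + "00" * 4   # 4-byte selector of the contract's getter, placeholder


def build_eth_call(contract: str, selector: str, rpc_id: int = 1) -> dict:
    """Build the JSON-RPC request a loader sends to a public node.

    eth_call runs the getter locally on the node and returns its output.
    It is a read: nothing is signed and nothing is written to the chain,
    so fetching the payload leaves only an HTTPS request, no ledger trace.
    """
    return {
        "jsonrpc": "2.0",
        "id": rpc_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def abi_encode_string(data: bytes) -> str:
    """ABI-encode one dynamic string/bytes value. Used only to construct the
    sample reply below; a real node produces this encoding itself."""
    head = (32).to_bytes(32, "big")         # offset of the dynamic data
    length = len(data).to_bytes(32, "big")  # byte length of the data
    pad = (-len(data)) % 32                 # right-pad to a 32-byte boundary
    return "0x" + (head + length + data + b"\x00" * pad).hex()


def abi_decode_string(hexdata: str) -> bytes:
    """Decode the ABI-encoded dynamic string/bytes in an eth_call result."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("truncated ABI payload")
    return raw[start:start + length]


def parse_stage1(reply: dict) -> dict:
    """Stage 1 as the page describes it: the on-chain value carries a
    base64-encoded key and a pointer to the encrypted next stage."""
    if "error" in reply:
        raise RuntimeError(reply["error"])
    meta = json.loads(abi_decode_string(reply["result"]))
    return {"key": base64.b64decode(meta["key"]), "uri": meta["uri"]}


# Constructed sample reply: what the node would return if the getter stored
# this JSON string. Key bytes and URI are placeholders.
SAMPLE_VALUE = json.dumps({
    "key": base64.b64encode(b"\x11" * 32).decode(),
    "uri": "ipfs://bafy-placeholder",
}).encode()
SAMPLE_REPLY = {"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(SAMPLE_VALUE)}


if __name__ == "__main__":
    print(json.dumps(build_eth_call(CONTRACT, SELECTOR)))
    stage1 = parse_stage1(SAMPLE_REPLY)
    print(len(stage1["key"]), "key bytes, next stage at", stage1["uri"])
```

The point for defenders is in `build_eth_call`: the request is indistinguishable in shape from what any dApp front-end or Hardhat test sends, so detection has to key on who sends it and which contract address it names, not on the method itself.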

Why blockchains are “bullet-proof” 

Immutability: no party, including validators or foundation treasuries, can alter a deployed contract’s code; only an address the contract itself authorises can change the data it serves. 

Redundancy: the payload is replicated on > 10 000 nodes. 

Jurisdiction: neither Ethereum nor BNB Smart Chain has a central legal entity that can be subpoenaed; takedown pressure can only reach the RPC providers and block explorers that sit in front of the chain, not the ledger itself. 

Cost: at a gas price of 21 gwei, pushing 1 kB of payload on-chain as calldata costs roughly 0.0007 ETH, about 18 SEK, cheaper than a postage stamp (writing the same kilobyte into persistent contract storage costs roughly twenty times as much gas, still well under 500 SEK at that price).
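The cost bullet above, worked through as an added example (not from the page): the same 1 kB payload priced three ways on an EVM chain, since where the bytes live decides both the gas bill and how a loader must fetch them. The gas constants are the pre-Pectra EVM schedule (an assumption stated in the code); the payload is a constructed 1 kB of non-zero bytes.

```python
# Gas schedule assumed here (EVM, pre-Pectra): base tx 21 000, CREATE 32 000,
# calldata 16 gas per non-zero byte and 4 per zero byte, 20 000 gas per new
# storage slot, 200 gas per byte of deployed code.
TX_BASE = 21_000
CREATE_BASE = 32_000
CALLDATA_NONZERO = 16
CALLDATA_ZERO = 4
SSTORE_NEW = 20_000
CODE_DEPOSIT = 200


def gas_calldata(payload: bytes) -> int:
    """Payload sent only as transaction calldata: cheapest, but it lives in
    transaction history, so a loader must fetch the transaction by hash."""
    zeros = payload.count(0)
    return TX_BASE + zeros * CALLDATA_ZERO + (len(payload) - zeros) * CALLDATA_NONZERO


def gas_storage(payload: bytes) -> int:
    """Payload written into contract storage slots (SSTORE) so that a getter
    can hand it to eth_call. The calldata that carries it is paid on top."""
    slots = -(-len(payload) // 32)          # ceil(len / 32) 32-byte slots
    return gas_calldata(payload) + slots * SSTORE_NEW


def gas_code(payload: bytes) -> int:
    """Payload embedded in the deployed contract's bytecode (readable with
    eth_getCode). Ignores the few hundred gas of init-code overhead."""
    return gas_calldata(payload) + CREATE_BASE + len(payload) * CODE_DEPOSIT


def cost_eth(gas: int, gas_price_gwei: float) -> float:
    """Convert a gas amount to ETH at the given gas price (1 gwei = 1e-9 ETH)."""
    return gas * gas_price_gwei * 1e-9


def compare(payload: bytes, gas_price_gwei: float = 21.0) -> dict:
    """Return {method: (gas, ETH)} for the three placement options."""
    return {
        name: (gas, round(cost_eth(gas, gas_price_gwei), 6))
        for name, gas in (
            ("calldata", gas_calldata(payload)),
            ("storage", gas_storage(payload)),
            ("code", gas_code(payload)),
        )
    }


if __name__ == "__main__":
    payload = b"\x01" * 1024                # constructed 1 kB, no zero bytes
    for name, (gas, eth) in compare(payload).items():
        print(f"{name:9s} {gas:>8,d} gas  {eth:.6f} ETH")
```

The calldata figure is the one the page's 0.0007 ETH corresponds to; a payload that `eth_call` can return on demand has to sit in storage or code and costs several times more. One caveat: EIP-7623 (the Pectra upgrade, 2025) raised the floor price of calldata-heavy transactions, so the calldata-only number is higher on mainnet today than this schedule gives.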

Nordic angle – why the region is attractive 

1. High per-capita crypto adoption (Sweden ranks 4th globally in ETH wallets per capita). 

2. Deep pools of Solidity talent spun out by Spotify, Klarna and Ericsson alumni networks. 

3. Limited local threat-intel overlap: Nordic CSIRTs historically focus on Russian APTs, not DPRK. 

4. R&D tax incentives give start-ups budget to hire fast—perfect conditions for fake “head-hunters”.

Financial impact inside the Nordics 

– Chainalysis estimates that SEK 180 million in Nordic venture tokens were funnelled through mixing services linked to UNC5342 wallets in Q3 2025. 

– At least three Oslo-based DeFi teams lost GitHub credentials, which let the attackers push malicious npm packages that were later used against the teams’ own users. 

– Danish energy-certificates start-up (name withheld at company’s request) saw its treasury wallet drained of 4.3 m SEK after an engineer ran an infected unit-test binary.

Defensive playbook for Nordic CISOs 

1. EDR rules: flag any process that loads web3.js or ethers.js, or that issues JSON-RPC eth_call/eth_getLogs requests, outside an approved parent application. 

2. Zero-trust CI: never run npm test or cargo test for an untrusted repository with a node URL pointing at a public RPC endpoint; run candidate code in an isolated sandbox with no outbound network. 

3. Contract deny-list: subscribe to a threat-intelligence feed that carries known EtherHiding contract addresses and block JSON-RPC requests that name those addresses at the egress proxy. 

4. Outbound filtering: block 8545/TCP and 8546/TCP to unknown IPs (the default JSON-RPC and WebSocket ports of self-hosted nodes), and remember that public RPC providers answer over 443, so pair the port rule with an allow-list of approved RPC hostnames. 

5. Recruitment hygiene: insist on video interviews with corporate-domain e-mail; refuse code reviews that require wallet signatures.
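Playbook items 1, 3 and 4 as detection logic, added here as an example and not taken from the page or from any EDR product. It runs over constructed proxy/EDR records whose bodies are already-parsed JSON-RPC requests (so it assumes an egress proxy with TLS inspection or an EDR network hook that logs request bodies); the deny-listed contract address, approved parent processes and host names are placeholders.

```python
import json

DENYLIST = {"0x" + "00" * 19 + "01"}                  # placeholder EtherHiding contract
APPROVED_PARENTS = {"hardhat", "wallet-desktop.exe"}  # assumed approved Web3 parents
RPC_PORTS = {8545, 8546}                              # default node JSON-RPC / WebSocket ports
RPC_METHODS = {"eth_call", "eth_getLogs", "eth_getCode", "eth_getTransactionByHash"}


def extract_contracts(body: dict) -> set:
    """Collect contract addresses named in an eth_call (`to`) or
    eth_getLogs (`address`, single value or list) request body."""
    found = set()
    for param in body.get("params", []):
        if not isinstance(param, dict):
            continue
        addr = param.get("to") or param.get("address")
        if isinstance(addr, str):
            found.add(addr.lower())
        elif isinstance(addr, list):
            found.update(a.lower() for a in addr)
    return found


def evaluate(record: dict) -> list:
    """Return the alert tags for one record; an empty list means benign."""
    body = record.get("body") or {}
    tags = []
    if body.get("method") not in RPC_METHODS and record["dport"] not in RPC_PORTS:
        return tags                                    # not Web3 RPC traffic at all
    if record["dport"] in RPC_PORTS and not record.get("dst_known", False):
        tags.append("rpc-port-to-unknown-host")        # playbook item 4
    if record["parent"] not in APPROVED_PARENTS:
        tags.append("rpc-from-unapproved-parent")      # playbook item 1
    hits = extract_contracts(body) & DENYLIST
    if hits:
        tags.append("denylisted-contract:" + ",".join(sorted(hits)))  # item 3
    return tags


def scan(lines: list) -> list:
    """Parse JSON log lines and return (timestamp, process, tags) for hits."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        tags = evaluate(record)
        if tags:
            alerts.append((record["ts"], record["process"], tags))
    return alerts


# Constructed log lines (not real telemetry): a legitimate Hardhat test run,
# an editor-spawned node process reading a deny-listed contract over 443,
# and a "unit-test" binary talking to a raw node port on an unknown host.
BENIGN_CONTRACT = "0x" + "ab" * 20
BAD_CONTRACT = next(iter(DENYLIST))
SAMPLE_LOG = [
    json.dumps({"ts": "2025-09-01T09:00:00Z", "process": "node", "parent": "hardhat",
                "dst": "rpc.example.test", "dport": 443, "dst_known": True,
                "body": {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                         "params": [{"to": BENIGN_CONTRACT, "data": "0x"}, "latest"]}}),
    json.dumps({"ts": "2025-09-01T09:01:00Z", "process": "node", "parent": "code.exe",
                "dst": "rpc.example.test", "dport": 443, "dst_known": True,
                "body": {"jsonrpc": "2.0", "id": 2, "method": "eth_call",
                         "params": [{"to": BAD_CONTRACT, "data": "0x"}, "latest"]}}),
    json.dumps({"ts": "2025-09-01T09:02:00Z", "process": "unit-test.bin", "parent": "bash",
                "dst": "203.0.113.7", "dport": 8545, "dst_known": False,
                "body": {"jsonrpc": "2.0", "id": 3, "method": "eth_getLogs",
                         "params": [{"address": [BAD_CONTRACT], "fromBlock": "0x0"}]}}),
]

if __name__ == "__main__":
    for ts, proc, tags in scan(SAMPLE_LOG):
        print(ts, proc, ", ".join(tags))
```

The second record is the one a port-only rule misses: it goes to a public provider over 443 and is caught only because the request body names a deny-listed contract and the parent process is not on the allow-list.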

Strategic outlook 

EtherHiding is the first example of a nation-state weaponising blockchain immutability at scale. Because the hosting layer is inseparable from the ledger, mitigation is no longer a takedown problem; it is an economic-deterrence problem. Expect pressure on EU regulators to extend the Markets in Crypto-Assets (MiCA) regulation, in force since December 2024, with an “immutable-content” clause allowing sanctions against addresses that host malware. Until such measures arrive, Nordic Web3 firms remain the soft underbelly of Europe’s crypto economy.

To sum up:

North Korea has converted Ethereum into a censorship-resistant malware CDN that costs less than a cup of coffee to maintain. For Nordic fintechs, the interview request in your LinkedIn inbox may now be the first stage of a multi-million-dollar heist.
