North Korea Uses Blockchain For Covert Hacks, Disguises Agents as Job Recruiters

North Korea Uses Blockchain for Covert Hacks

Recent reveals that North Korea’s cyber forces, particularly the notorious Chollima organization, are utilizing innovative blockchain-based tools to facilitate their covert hacking operations. This change marks a significant advancement in cyber warfare, leveraging new technology to combine traditional espionage with financial crimes.

The Breakthrough Method: EtherHiding

EtherHiding is a stealth technology that is at the center of this new wave of digital spying. The Google Threat Intelligence Group (GTIG) and Mandiant Threat Defense have both established that UNC5342, a cyber threat actor linked to , has been employing EtherHiding to hide harmful code in blockchain smart contracts since ahead 2025.

This method embeds malware in a public blockchain, such as Ethereum or BNB Chain, making the payload hard to remove.

How EtherHiding Works

EtherHiding uses blockchain transactions to add harmful scripts to smart contracts, effectively turning the blockchain into a decentralized command and control system. This lets hackers store and retrieve dangerous payloads without being detected by conventional security tools.
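
A defender-side hunt for the retrieval step described above, added here as an example and not taken from the GTIG or Mandiant reporting: it scans web-proxy records for read-only Ethereum JSON-RPC requests from hosts that have no reason to query a blockchain, and groups them by the contract being read. The record layout, host names, approved-host list and contract address are constructed assumptions, and it assumes the proxy logs decoded POST bodies.

```python
import json
from collections import defaultdict

# Ethereum JSON-RPC methods that read contract data without sending a transaction.
READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode"}
# Assumption: hosts where blockchain traffic is expected (wallet or developer machines).
APPROVED_HOSTS = {"dev-chain-01"}
# Constructed contract address, not a real indicator.
CONTRACT = "0x" + "ab" * 20

def _rpc(method, params):
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})

def _rec(src, body):
    # Hypothetical proxy record layout: source host, destination, decoded POST body.
    return json.dumps({"src_host": src, "dest": "rpc.example.net", "body": body})

# Constructed sample records.
SAMPLE_LOG = [
    _rec("ws-114", _rpc("eth_call", [{"to": CONTRACT, "data": "0x12345678"}, "latest"])),
    _rec("ws-201", "[" + _rpc("eth_getCode", ["0x" + "AB" * 20, "latest"]) + "]"),
    _rec("dev-chain-01", _rpc("eth_call", [{"to": CONTRACT}, "latest"])),
    _rec("ws-114", '{"action": "save"}'),
    _rec("ws-300", "not json at all"),
]

def _target(call):
    # eth_call carries the contract in params[0]["to"]; the other two in params[0].
    params = call.get("params")
    first = params[0] if isinstance(params, list) and params else None
    return first.get("to") if isinstance(first, dict) else first

def find_contract_reads(lines):
    """Map contract address -> sorted unapproved hosts that read from it."""
    hits = defaultdict(set)
    for line in lines:
        try:
            rec = json.loads(line)
            body = json.loads(rec["body"])
        except (ValueError, KeyError, TypeError):
            continue  # unparseable record or body: not a JSON-RPC request
        if rec.get("src_host") in APPROVED_HOSTS:
            continue
        for call in body if isinstance(body, list) else [body]:  # batches are arrays
            if isinstance(call, dict) and call.get("method") in READ_METHODS:
                hits[str(_target(call)).lower()].add(rec.get("src_host"))
    return {addr: sorted(hosts) for addr, hosts in hits.items()}

if __name__ == "__main__":
    for addr, hosts in find_contract_reads(SAMPLE_LOG).items():
        print(addr, hosts)
```

Grouping by contract address gives the analyst one pivot per suspected payload store, since several infected hosts will read from the same contract.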

Covert Operations Disguised as Job Offers

One of the most worrying things about North Korea’s cyber approach is that it uses fake job recruiters to trick people. The , a North Korean cyber squad, has recently used fake LinkedIn profiles to trick aerospace workers in Spain into thinking they were Silicon Valley recruiters. 

These actors use coding challenges that are infested with malware. When these challenges are run, they install remote access Trojans like LightlessCan, which give them exclusive access to the infected systems.

This strategy includes campaigns called Contagious Interview and Wagemole, in which the actors pose as hiring managers to reach their targets. They use fake job offers on sites like GitHub to spread malware that can run complex commands on a variety of operating systems, such as Windows, Linux, and macOS.

Stealing Money and Laundering Cryptocurrency

Money is another reason why North Korea’s cybercriminals engage in cybercrime. Since 2023, the regime-linked group UNC5142 has utilized blockchain technology to facilitate cryptocurrency theft and launder the stolen funds. 

In 2025 alone, North Korean hackers stole more than $1.3 billion, and at least $300 million of that has been successfully laundered and moved out of the reach of the police. Their operations utilize advanced methods, including automatic conversions and transfers between cryptocurrencies, to conceal their activities.

A New Age of Cyber Crime and Espionage

The use of blockchain stealth methods like EtherHiding marks a new stage in government-sponsored cyber operations. To stay ahead in global cyber wars, North Korea is using a mix of cyber espionage, financial crime, and social engineering. The continuous deployment of these tactics demonstrates an extraordinary level of expertise and resilience, challenging standard measures.

North Korea continually develops new methods of cyber warfare, and the use of blockchain-based stealth tactics like EtherHiding demonstrates how modern cyber threats are evolving.

Governments and businesses must act swiftly to identify and counter these covert attacks, which blur the lines between cybercrime and state-sponsored espionage. These changes have far-reaching effects, not just on cybersecurity but also on global stability.