Malware Distribution Via Ethereum Smart Contracts: According to Recent Reports
Binance's chief security officer, Jimmy Su, has identified package poisoning as one of the main vectors of attack used by North Korean hackers. This form of attack is part of a larger campaign of poisoned packages across GitHub, with a network of repositories connected to colortoolsv2 and mimelib2, many branded as crypto trading bots or token sniping tools.
The cybersecurity company Chainalysis has identified a network of manipulated packages whose payload is fetched with the help of Ethereum smart contracts. In this campaign the download is split into two files: the first runs a script that consults an Ethereum smart contract to locate and retrieve the second half of the attack.
Lucija Valentić, a software threat researcher at ReversingLabs, stated that the use of smart contracts in this campaign is something they haven't seen previously. What is new and different is the use of Ethereum smart contracts to host the URLs where the malicious commands are located, from which the second-stage malware is downloaded.
Major crypto exchanges, including Binance, Coinbase, and Kraken, share intelligence via Telegram and Signal groups to highlight poisoned libraries. Binance has been in alliance with these exchanges for years for incident response and frontline operations. Binance has previously linked this type of package poisoning to North Korean hackers.
Binance told Decrypt last month that it forces employees to closely scrutinise NPM libraries due to known attacks. Downloaders that retrieve late-stage malware are being published to the NPM repository weekly, if not daily, according to Lucija Valentić.
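The two-stage loader shape described above (an installed package that reads a location from an Ethereum contract and then pulls and runs a second stage) is what the "close scrutiny of NPM libraries" has to catch before install. The following Python script is an added example, not code from the article, ReversingLabs, Binance or any of the packages named here; it is a heuristic pre-install audit that scores an unpacked npm package on four indicator classes and only escalates when they co-occur. The package names, file contents and patterns are constructed for illustration, and the regexes are assumptions about what such code typically contains, not signatures taken from the campaign.

```python
"""Heuristic pre-install audit for npm packages (added example, not the article's code).

Scores a package on four indicator classes: an install-time lifecycle hook,
Ethereum JSON-RPC / web3-style reads, outbound HTTP, and a dynamic code-
execution sink. Any one of these is ordinary in a crypto trading bot; their
co-occurrence is the shape of the two-stage loader the article describes and
warrants a manual review before the package is allowed into a build.
"""
import json
import re
from pathlib import Path

# npm lifecycle scripts that run automatically on install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed textual indicators; tune to your own corpus of known-good packages.
SOURCE_PATTERNS = {
    "eth_rpc": re.compile(r"\beth_call\b|\bethers\b|\bweb3\b|\bJsonRpcProvider\b"),
    "net_fetch": re.compile(r"\bhttps?\.get\b|\bhttps?\.request\b|\bfetch\(|\baxios\b"),
    "exec_sink": re.compile(r"\beval\(|new\s+Function\(|child_process|\bvm\.run"),
}


def collect_indicators(package_json, sources):
    """Return {indicator: [location, ...]} for a parsed package.json and a {path: source} map."""
    hits = {}
    scripts = package_json.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            hits.setdefault("install_hook", []).append(f"package.json:{hook}")
    for path, text in sources.items():
        for name, pattern in SOURCE_PATTERNS.items():
            if pattern.search(text):
                hits.setdefault(name, []).append(path)
    return hits


def verdict(hits):
    """Map indicator co-occurrence to a triage verdict."""
    has = hits.keys()
    if "exec_sink" in has and "eth_rpc" in has and ("net_fetch" in has or "install_hook" in has):
        return "suspicious"   # chain read + code execution (+ fetch or hook): the loader shape
    if "exec_sink" in has or "install_hook" in has:
        return "review"       # worth a look, but common in legitimate packages
    return "clean"


def audit_package(package_json, sources):
    """Audit an in-memory package; returns the verdict and where each indicator was seen."""
    hits = collect_indicators(package_json, sources)
    return {"verdict": verdict(hits), "indicators": hits}


def audit_directory(pkg_dir):
    """Filesystem front end: read package.json and every .js/.cjs/.mjs file under pkg_dir."""
    pkg_dir = Path(pkg_dir)
    package_json = json.loads((pkg_dir / "package.json").read_text())
    sources = {
        str(p.relative_to(pkg_dir)): p.read_text(errors="replace")
        for p in pkg_dir.rglob("*")
        if p.is_file() and p.suffix in {".js", ".cjs", ".mjs"} and "node_modules" not in p.parts
    }
    return audit_package(package_json, sources)


# Constructed fixtures (not real packages): an ordinary price-feed helper that
# legitimately uses ethers and axios, and a package whose install hook points at
# a file carrying the chain-read plus dynamic-execution combination.
BENIGN = (
    {"name": "price-feed", "scripts": {"test": "jest"}},
    {"index.js": "const { ethers } = require('ethers');\n"
                 "const axios = require('axios');\n"
                 "module.exports = async (u) => (await axios.get(u)).data;\n"},
)
SUSPECT = (
    {"name": "trade-helper", "scripts": {"postinstall": "node setup.js"}},
    {"setup.js": "const { ethers } = require('ethers');\n"
                 "const https = require('https');\n"
                 "function load(src) { return new Function(src)(); }\n"},
)

if __name__ == "__main__":
    for label, (pkg_json, srcs) in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, json.dumps(audit_package(pkg_json, srcs)))
```

Run `audit_directory` over the output of `npm pack` (unpacked) rather than over an installed tree, so the lifecycle scripts never execute during the check; the benign fixture scores "clean" because a chain read plus HTTP is normal for trading tooling, while the suspect fixture scores "suspicious" because the same chain read sits next to a dynamic-execution sink behind a postinstall hook.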
The use of Ethereum smart contracts in this campaign is not the only unusual aspect. Most of the activity in these repositories, including commits, stars, and contributors, may be fake, according to ReversingLabs. This suggests that the hackers are going to great lengths to disguise their activities.
Jimmy Su, Binance's chief security officer, identified North Korean hackers as the single biggest threat to crypto companies. Package poisoning is a growing vector of attack for North Korean hackers, according to Su, and is in second place alongside fake interview scams.
The FBI has attributed the $1.4 billion Bybit hack, the largest crypto hack of all time, to North Korean attackers. North Korean hackers are believed to have been responsible for 61% of all crypto stolen in 2024, totaling $1.3 billion, according to a Chainalysis report.
As the crypto industry continues to grow, so too does the threat from cyber attacks. Exchanges must remain vigilant and work together to combat these threats and protect their users' assets.