‘EtherHiding’ Hack Extorts WordPress Users via the Binance Blockchain


Guardio Labs researchers have uncovered a new attack called ‘EtherHiding,’ which combines Binance Smart Chain and Bullet-Proof Hosting to serve malicious code into victims’ web browsers.


Unlike an earlier set of false update hacks that targeted WordPress, this variant employs a new tool: Binance’s blockchain. Previously, non-blockchain variations would interrupt a webpage visit with a realistic-looking, browser-styled ‘Update’ prompt. A victim’s mouse click installed malware.


Hackers can serve a catastrophic payload of code directly from Binance Smart Chain due to its cheap, quick, and weakly policed programmability.

This is not a MetaMask assault, to be clear. Hackers simply serve malicious code within victims’ web browsers that looks like any webpage the hacker desires – hosted and served indefinitely. Hackers attack victims for various extortion scams using Binance’s blockchain to serve code. Indeed, EtherHiding targets victims who have no cryptocurrency holdings.


Using a Browser Hijack to Steal Personal Information

Fake browser updates have become increasingly common in recent months. Unwary internet users come to a plausible, surreptitiously compromised website. They notice a bogus browser update and inadvertently click ‘Update.’ Hackers immediately install malware such as RedLine, Amadey, or Lumma. This sort of malware, known as an ‘infostealer,’ is frequently concealed in Trojans that appear to be legitimate software on the surface.


ClearFake, a more powerful infostealer, is used in the EtherHiding version of these WordPress-based update attacks. EtherHiding injects JS code into the machines of unwary consumers using ClearFake.

Some code in a previous version of ClearFake relied on CloudFlare servers. CloudFlare noticed and removed the malicious code, which rendered some of the ClearFake assault inoperable.

Unfortunately, the attackers have discovered how to avoid cybersecurity-minded sites such as CloudFlare. Binance proved to be an ideal host.

The EtherHiding hack famously redirects its traffic to Binance servers. It employs obfuscated Base64 code to query Binance Smart Chain (BSC) and initialize a BSC contract with an address controlled by the attackers. It specifically calls some software development kit (SDK) methods, such as Binance’s eth_call, which simulates contract execution and can be used to call malicious code.

As Guardio Labs researchers stated in their Medium postings, Binance may avoid this issue by limiting queries to fraudulent addresses or removing the eth_call SDK.

Binance, for its part, has marked some ClearFake smart contracts as malicious on BSCScan, the leading Binance Smart Chain explorer. It notifies blockchain explorers that the addresses used by the attacker are part of a phishing attack.

It does, however, provide very little valuable information regarding the attack’s form. Specifically, BSCScan does not provide warnings to victims where the hacks occur: within their web browsers.
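Because the warning never reaches the browser, a site owner has to look for the loader in the pages the site actually serves: decode the Base64 runs and check the result for the eth_call query described above. The Python scanner below is an added example, not code from Guardio Labs or this article; the `bsc-dataseed` indicator, the sample pages and all function names are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Indicators searched for in decoded text. "eth_call" comes from the article;
# "bsc-dataseed" (prefix of public BSC RPC hostnames) is an assumption added here.
INDICATORS = ("eth_call", "bsc-dataseed")

# Runs of the base64 alphabet long enough to hide a JSON-RPC request.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_layers(blob, max_depth=2):
    """Yield text recovered from a base64 run, following nested encoding."""
    if max_depth == 0:
        return
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except (binascii.Error, ValueError):
        return  # not valid base64 after all, e.g. a long ordinary word
    text = raw.decode("utf-8", errors="ignore")
    yield text
    for inner in B64_RUN.findall(text):
        yield from decode_layers(inner, max_depth - 1)


def scan_page(html):
    """Return the sorted indicators found inside base64 blobs embedded in html."""
    hits = set()
    for blob in B64_RUN.findall(html):
        for text in decode_layers(blob):
            hits.update(i for i in INDICATORS if i in text)
    return sorted(hits)


# Constructed sample input (not real attack code): a JSON-RPC body, base64-encoded
# twice, placed in a script tag the way an injected loader hides its query.
_rpc = '{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xPLACEHOLDER"},"latest"]}'
_once = base64.b64encode(_rpc.encode()).decode()
_twice = base64.b64encode(_once.encode()).decode()
INJECTED_PAGE = '<html><script>var c=atob(atob("%s"));</script></html>' % _twice
_png = base64.b64encode(bytes(range(60))).decode()  # constructed benign image data
CLEAN_PAGE = '<html><img src="data:image/png;base64,%s"></html>' % _png

if __name__ == "__main__":
    print("injected page:", scan_page(INJECTED_PAGE))
    print("clean page:", scan_page(CLEAN_PAGE))
```

A hit means the page deserves manual review of the script that carries the blob; legitimate Web3 front ends also issue eth_call, but they rarely hide it behind Base64.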

Tips for avoiding EtherHiding in web browsers

With one-quarter of all websites utilizing WordPress, the software has become known for being a target for attackers.

  • Unfortunately, around one-fifth of WordPress websites have not been updated to the most recent version, exposing Internet users to malware such as EtherHiding.
  • Site managers should put in place strong security measures such as password protection, deleting hacked plugins, protecting passwords, and limiting admin access.
  • WordPress administrators should upgrade WordPress and its plugins on a daily basis and avoid installing vulnerable plugins.
  • WordPress administrators should likewise avoid using the login ‘admin’ for their management accounts.

Aside from that, the EtherHiding/ClearFake assault is impossible to counter. Internet users should simply be cautious of any unexpected ‘Your browser requires updating’ message, particularly when visiting a WordPress-powered website. Users should only upgrade their browser from the settings menu, not by clicking a button on a website, no matter how realistic it appears.
