2026-07-01 –, Amphitheater 122
EtherHiding has recently been documented as a technique where attackers use blockchain infrastructure to host payloads or resolve command-and-control (C2) endpoints.
In this talk, I present the analysis of a ClickFix campaign that goes one step further: using smart contracts not for payload delivery, but for victim tracking.
By reversing the client-side logic and analyzing on-chain transactions, I show how victim identifiers are written directly to a BSC smart contract, enabling attackers to track conversions and control infection flow without traditional backend infrastructure.
This shifts the role of blockchain from passive infrastructure to active telemetry — a design that can also be leveraged by defenders for visibility, tracking, and threat intelligence.
This RUMP session presents a short analysis of a recent ClickFix campaign leveraging EtherHiding techniques.
While prior research has shown how smart contracts can be used as decentralized dead drops for payloads and C2 resolution (e.g. BSC and Polygon-based designs), this work highlights a different usage pattern observed in the wild.
The analyzed sample interacts with a smart contract using eth_call to evaluate a victim-specific state. Corresponding transactions reveal that victim identifiers are written on-chain, effectively turning the contract into a conversion tracking mechanism.
This design allows attackers to:
- avoid re-infecting victims
- control lure visibility
- track engagement without backend infrastructure
The talk briefly covers:
- the ClickFix infection chain (browser → clipboard → shell execution)
- the role of EtherHiding in known campaigns
- the reverse engineering of the smart contract interaction
- and the implications for defenders
Finally, I discuss how blockchain transparency provides an opportunity to monitor attackers, estimate victim activity, and track campaign evolution.