
Hackers Exploit Blockchain, Breach Sotheby’s And Flood Fake Password Managers
Updated on Fri, Oct 17, 2025
In our digital world, most of us forget that a window has been left wide open.
Attackers, however, never forget. They’re constantly scanning the internet for spots where defenses are weak, and awareness is almost nonexistent.
It’s a bit like realizing your locked house has been broken into, only to find out the thief came in through the Wi-Fi router instead of the front door.
Well, this is happening in the enterprise sector, as cybersecurity researchers have uncovered a trifecta of alarming developments over the past few days.
These include nation-state hackers embedding malware in leading blockchains like Ethereum and BNB, phishing attacks targeting top password managers, and a data breach at popular auction house Sotheby’s.
So, what happened exactly? Let’s explore!
Nation-State Hackers Deploy Malware Via Blockchain Networks
On 17th October, Google’s Threat Intelligence Group announced that a North Korean–backed threat actor, known as UNC5342, is using a technique dubbed EtherHiding to embed and deliver malware via public blockchains such as Ethereum and BNB Smart Chain.
EtherHiding works by stowing malicious code inside smart contracts. Since blockchains are decentralized and immutable, such payloads cannot be easily taken down or altered.
Attackers initiate the campaign via social engineering (e.g., a fake job interview) to lure developers or crypto-adjacent professionals into downloading test files embedded with early-stage malware that then retrieves further malicious stages from the blockchain.
UNC5342’s chain uses a loader (JadeSnow) to fetch a payload, InvisibleFerret, from the smart contract. In some cases, the loader switches between the Ethereum and BNB chains dynamically, depending on cost or detection concerns.
Interestingly, this marks the first time a confirmed nation-state actor has been observed using EtherHiding. Previously, the technique was associated with financially motivated group UNC5142 (e.g., in the ClearFake campaigns).
Key advantages of EtherHiding for attackers include:
- Takedown Resistance: Smart contracts can’t be removed once deployed.
- Immutable Payloads: Defenders can’t alter or delete them.
- Anonymity: Blockchain transactions are pseudonymous, hampering attribution.
- Stealth: Fetching malware via read-only blockchain calls leaves little trace in system logs.
- Low Cost And Flexibility: Deploying or updating contracts is cheap (often < $2), and payloads can be moved across chains.
Google researchers note that in one observed instance, the loader switched from Ethereum to BNB mid-operation to take advantage of lower gas fees.
The adoption of EtherHiding by state actors suggests a strategic change: leveraging decentralized technology to create a new class of “bulletproof hosting” immune to conventional disruption.
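Because the loader only needs read-only JSON-RPC calls (such as eth_call) to pull its next stage, the most useful place to look is egress traffic rather than the contract itself. The script below is an added example, not code from Google's report or from TechDogs, showing one defensive heuristic: over a constructed proxy log (hostnames, contract address and hex blobs are all made up, and the allowlist of hosts expected to talk to chain RPC endpoints is an assumption), it flags read-only chain calls from unexpected hosts and, as a stronger signal, eth_call results whose ABI-encoded bytes decode to a large text-like blob, which is what an embedded script looks like when read back from a contract.

```python
import json
import string
from dataclasses import dataclass, field

# Read-only JSON-RPC methods: an EtherHiding-style loader only needs to *read*
# contract state, so these are the calls worth watching (assumed set).
READ_ONLY_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode"}

# Hosts that legitimately query chain RPC endpoints (constructed allowlist).
ALLOWED_SOURCES = {"web3-build-runner"}

MIN_TEXT_BYTES = 32       # ignore tiny results such as a single uint256
PRINTABLE_RATIO = 0.95    # share of printable bytes needed to call a result "text-like"


@dataclass
class Finding:
    src: str
    dst: str
    method: str
    contract: str
    reasons: list = field(default_factory=list)


def hex_to_bytes(result) -> bytes:
    """Decode a 0x-prefixed hex string; return b'' for anything malformed."""
    if not isinstance(result, str) or not result.startswith("0x"):
        return b""
    try:
        return bytes.fromhex(result[2:])
    except ValueError:
        return b""


def looks_like_text(blob: bytes) -> bool:
    """ABI encoding pads words with NUL bytes; drop them before judging the content."""
    body = blob.replace(b"\x00", b"")
    if len(body) < MIN_TEXT_BYTES:
        return False
    printable = sum(1 for b in body if chr(b) in string.printable)
    return printable / len(body) >= PRINTABLE_RATIO


def analyze(log_text: str, allowed_sources=ALLOWED_SOURCES) -> list:
    """Return findings for JSON-lines proxy events that carry a suspicious chain read."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        try:
            req = json.loads(event["req"])
            resp = json.loads(event["resp"])
        except (KeyError, ValueError):
            continue  # not a JSON body, so not a JSON-RPC exchange
        method = req.get("method", "") if isinstance(req, dict) else ""
        if method not in READ_ONLY_METHODS:
            continue
        p0 = (req.get("params") or [None])[0]
        contract = p0.get("to", "") if isinstance(p0, dict) else (p0 or "")
        f = Finding(event["src"], event["dst"], method, contract, ["read-only chain call"])
        if event["src"] not in allowed_sources:
            f.reasons.append("source host not expected to query chain RPC")
        if looks_like_text(hex_to_bytes(resp.get("result"))):
            f.reasons.append("result decodes to text-like blob")
        if len(f.reasons) > 1:   # the bare call is baseline noise; need a second signal
            findings.append(f)
    return findings


def abi_string_hex(text: str) -> str:
    """Roughly how a string return value appears in eth_call output: offset, length, padded data."""
    data = text.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()


def uint_hex(n: int) -> str:
    return "0x" + n.to_bytes(32, "big").hex()


def build_sample_log() -> str:
    """Constructed proxy log: five outbound POSTs with captured request/response bodies."""
    contract = "0x00000000000000000000000000000000deadbeef"   # made-up address
    rpc = "rpc.example-chain.invalid"                          # made-up RPC host
    placeholder = "console.log('constructed stage-2 placeholder, not a real payload')"

    def ev(src, dst, req, resp):
        return json.dumps({"ts": "2025-10-17T09:12:03Z", "src": src, "dst": dst,
                           "req": json.dumps(req), "resp": json.dumps(resp)})

    rpc_call = {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                "params": [{"to": contract, "data": "0x20965255"}, "latest"]}
    return "\n".join([
        ev("dev-laptop-07", rpc, rpc_call, {"jsonrpc": "2.0", "id": 1, "result": abi_string_hex(placeholder)}),
        ev("web3-build-runner", rpc, rpc_call, {"jsonrpc": "2.0", "id": 1, "result": uint_hex(42)}),
        ev("dev-laptop-07", "api.example-saas.invalid", {"query": "status"}, {"ok": True}),
        ev("web3-build-runner", rpc, {"jsonrpc": "2.0", "id": 2, "method": "eth_getCode", "params": [contract, "latest"]},
           {"jsonrpc": "2.0", "id": 2, "result": "0x" + (b"\x60\x80\x60\x40\x52" * 10).hex()}),
        ev("hr-desktop-02", rpc, {"jsonrpc": "2.0", "id": 3, "method": "eth_getStorageAt", "params": [contract, "0x0", "latest"]},
           {"jsonrpc": "2.0", "id": 3, "result": uint_hex(7)}),
    ])


if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(f"{finding.src} -> {finding.dst} {finding.method} {finding.contract}: {', '.join(finding.reasons)}")
```

The allowlist is the knob that matters: a build runner that genuinely reads contracts produces only the baseline "read-only chain call" signal and stays quiet, whereas the same call from a developer laptop or an HR desktop is surfaced, and a text-like result from any host is surfaced on its own merits. Requiring two signals keeps the output small enough to triage; the contract address in each finding is what you would then pivot on across the rest of the fleet.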
The blockchain story, though, is just one side of the coin. Even trusted tools built for security aren’t immune, especially when human behavior becomes the weakest link.
Enterprise Users On Edge As Attackers Target LastPass, 1Password And Bitwarden
Concurrent phishing campaigns have surged against major password managers, including LastPass, 1Password, and Bitwarden.
These campaigns impersonate the vendors and attempt to coax users into surrendering their master passwords, granting full access to all stored credentials.
Most password managers centralize access behind a single “master password,” and successful compromise can yield catastrophic consequences as every account associated with the vault becomes vulnerable.
In the 1Password attacks, phishing emails claimed users’ master passwords were compromised and directed them to reset via a fake page where they had to enter their email, secret key, and master password.
On October 13, 2025, LastPass announced a phishing campaign in which attackers pretended that LastPass had been hacked, advising users to download a “secure” update via a link. However, that link led to malware deployment.
Attackers also targeted Bitwarden with similar impersonation emails, pushing a modified version of Syncro (a legitimate IT tool), which installed hidden remote management software (ScreenConnect) to take control of victim systems.
Notably, at least some of these campaigns did not aim to extract master passwords directly; instead, attackers used the remote access tools to harvest data later.
Password-manager vendors are urging users to employ multifactor authentication (MFA), hardware tokens, and app alerts for unusual logins in the current risk environment.
While individuals scramble to secure their personal vaults, institutions managing billions in assets are also fighting battles of their own. One name was recently pushed into the spotlight: Sotheby’s.
Sotheby’s Confirms Breach Of Employee Financial Data
Auction house Sotheby’s recently disclosed a cybersecurity incident that exposed internal employee data, including financial information.
The breach was first detected on July 24, 2025, and an investigation concluding more than two months later determined which types of data were exfiltrated.
A filing submitted to Maine’s Attorney General indicates the stolen information may include full names, Social Security numbers, and banking/financial account details.
Initially, the company had framed the breach as exposing customers’ financial data, but an updated statement clarified that only employees were impacted, and not customers.
As a remedial step, Sotheby’s is offering affected individuals 12 months of identity protection and credit monitoring via TransUnion, with a 90-day window to enroll. At the time of disclosure, no extortion group or hackers had claimed responsibility.
Sotheby’s also highlighted past security incidents, such as website skimmers and supply chain attacks affecting its online platforms.
As the dust settles across these parallel cyber incidents, one thing is clear: the threat landscape isn’t just expanding, it’s evolving.
The EtherHiding attacks signal a paradigm shift wherein defenders can no longer rely purely on takedowns of servers or domain blocking. Phishing campaigns against password-manager vendors reiterate that even the most “secure” tools are vulnerable via human manipulation, while for institutions like Sotheby’s, even internal data is a target.
This highlights that incident response must be swift, transparent, and include remediation for those affected. Enterprises must build multi-layered defenses: MFA at each touchpoint, behavioral anomaly detection, isolation of high-value credentials, and constant adaptation to evolving attacker playbooks.
From blockchain exploits to social engineering-driven phishing and data theft, the ripple effects for enterprises are far-reaching.
Do you think the adoption of blockchain technology gives bad actors a significant advantage?
Can awareness campaigns tackle the issue of social engineering attacks like we saw with leading password managers?
Let us know in the comments below!
First published on Fri, Oct 17, 2025