Blockmage/ether_unhide


ether_unhide

A Python tool for detecting and analyzing EtherHiding attacks, a technique that conceals malicious redirect URLs in Ethereum smart contracts.

See the research article for more information.

Overview

ether_unhide automatically identifies and extracts hidden phishing URLs from blockchain-based redirect contracts. Threat actors use these contracts to evade traditional URL scanning tools by storing the final malicious destination on-chain, retrieving it dynamically via eth_call.

This tool emerged from an independent discovery of the EtherHiding technique in January 2025. This aligns with research by Google Threat Intelligence Group (GTIG) on campaigns like CLEARFAKE (UNC5142) and DPRK-linked operations (UNC5342).

Key Features

  • Bytecode Analysis: Identifies potential redirect functions in unverified contract bytecode using evmole.
  • Multi-Chain Support: Works across Ethereum and EVM-compatible chains (Arbitrum, Optimism, Polygon, BSC, Base).
  • Automated URL Extraction: Makes eth_call requests to extract hidden URLs from smart contracts.
  • Method Fingerprinting: Identifies common 4-byte method signatures used in malicious campaigns.

How EtherHiding Works

  1. Phishing Email: Victim receives a targeted email with a seemingly legitimate link.
  2. HTTP Redirects: Initial click-tracking service redirects through multiple hops.
  3. JavaScript Loader: Final page contains minimal JavaScript making an eth_call to a smart contract.
  4. On-Chain Retrieval: Contract returns ABI-encoded URL of the actual phishing site.
  5. Dynamic Redirect: JavaScript decodes and redirects to the malicious destination.

Traditional scanners often stop at step 3, seeing only a blank page. ether_unhide completes the chain.
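The following is an added example, not code from the ether_unhide repository. It shows steps 3 to 5 of the chain above from a defender's perspective: the JSON-RPC body a loader sends for eth_call, and how the ABI-encoded `string` the contract returns is decoded. The contract address and method id are the ones shown on this page; the encoded return value is constructed locally, so nothing is fetched from a chain.

```python
"""Decode an EtherHiding redirect contract's eth_call response (added example)."""
import json


def build_eth_call(contract: str, method_id: str, block: str = "latest") -> dict:
    """JSON-RPC body the loader sends: call `method_id` on `contract` with no arguments."""
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_call",
        "params": [{"to": contract, "data": method_id}, block],
    }


def abi_encode_string(value: str) -> str:
    """ABI-encode a single dynamic `string` return value (used here to build test data)."""
    raw = value.encode()
    head = (32).to_bytes(32, "big")            # offset of the dynamic data (one word)
    length = len(raw).to_bytes(32, "big")      # byte length of the string
    padded = raw + b"\x00" * (-len(raw) % 32)  # right-pad to a 32-byte word boundary
    return "0x" + (head + length + padded).hex()


def abi_decode_string(result_hex: str) -> str:
    """Decode a `string` return value; reject malformed payloads instead of guessing."""
    data = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(data) < 64:
        raise ValueError("return data too short for a dynamic string")
    offset = int.from_bytes(data[:32], "big")
    if offset + 32 > len(data):
        raise ValueError("string offset points outside return data")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        raise ValueError("declared string length exceeds return data")
    return data[start:start + length].decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Address and method id from this page; the response below is constructed, not fetched.
    req = build_eth_call("0xad8bcd576470deb183dff61b557e3ab37e5f2e73", "0x8a054ac2")
    print(json.dumps(req))
    constructed = abi_encode_string("rebate-kroll.com/home/?ref=872842")
    print(abi_decode_string(constructed))
```

The decoded string is what the loader hands to the browser; feeding it into URL blocklists or scanner pipelines closes the gap that stops at the blank page.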

Installation

Prerequisites

  • Python 3.13 or higher
  • uv (recommended)

Steps

git clone https://github.com/Blockmage/ether_unhide.git
cd ether_unhide
uv sync

Configuration

Create a .env file in the project root:

# Required: Ankr API key for RPC access
ANKR_API_KEY=your_ankr_api_key_here

# Optional: Etherscan API key for enhanced contract metadata
ETHERSCAN_API_KEY=your_etherscan_api_key_here

# Optional: Custom data directories (defaults shown below)
# DATA_DIR=data/
# ANALYSIS_DIR=data/analysis_results/
# CONTRACTS_DIR=data/possible_redir_contracts_enriched/

Getting API Keys

Usage

Basic Analysis

Run analysis on all contracts in your configured CONTRACTS_DIR:

uv run ether-unhide

Input Format

Place contract data files in your CONTRACTS_DIR (default: data/possible_redir_contracts_enriched/). Each JSON file should contain an array of contracts:

[
  {
    "contract_address": "0xad8bcd576470deb183dff61b557e3ab37e5f2e73",
    "chain_name": "Ethereum",
    "chain_id": 1,
    "creation_tx_hash": "0x...",
    "explorer_url": "https://etherscan.io",
    "network_id": 1,
    "native_currency": { "name": "Ether", "symbol": "ETH", "decimals": 18 }
  }
]

Output

Results are saved to ANALYSIS_DIR (default: data/analysis_results/) as JSON files. They include contract addresses, extracted URLs, method signatures (e.g., 0x8a054ac2), chain information, and bytecode analysis.

Example output:

[
  {
    "contract_address": "0xad8bcd576470deb183dff61b557e3ab37e5f2e73",
    "chain_name": "Ethereum",
    "chain_id": 1,
    "method_id": "0x8a054ac2",
    "potential_url": "rebate-kroll.com/home/?ref=872842",
    "bytecode": "0x608060...",
    "functions": [...]
  }
]

Finding Suspicious Contracts

Currently, the most effective method for discovering EtherHiding contracts is using Etherscan's "Similar Contracts" feature:

  1. Start with a known malicious contract (e.g., 0xad8bcd576470deb183dff61b557e3ab37e5f2e73).
  2. Navigate to its Etherscan page.
  3. Use the "Similar Contracts" tool to find related contracts.
  4. Export addresses and analyze with ether_unhide.

This tool accompanies research on EtherHiding attacks discovered independently in January 2025. For detailed technical analysis and threat intelligence, see the accompanying research article.

Sample Findings

During analysis, ether_unhide has identified malicious URLs impersonating:

  • Cryptocurrency exchanges (Bittrex, BlockFi, Voyager)
  • Hardware wallets (Trezor, Ellipal)
  • Tech platforms (Google, Microsoft)
  • Other Web3 services

The data can be found in the samples/ directory.


Caution

The URLs and data found by ether_unhide (including those in the samples/ directory) are MALICIOUS. They are part of active phishing and malware campaigns.

This might seem obvious, but just in case, we want to be very clear:

DO NOT VISIT THESE WEBSITES. DO NOT INTERACT WITH THESE CONTRACTS OR ADDRESSES UNLESS YOU ARE OPERATING IN A SECURE, ISOLATED ENVIRONMENT.

We have redacted PII, such as email addresses, where possible.

Limitations

  • Manual Discovery: Currently requires manual identification of suspicious contracts via Etherscan.
  • RPC Dependency: Relies on centralized RPC providers (Ankr).
  • Chain Coverage: Limited to EVM-compatible chains with configured RPC endpoints.

Acknowledgments

  • Google Threat Intelligence Group for their parallel research on EtherHiding campaigns.
  • The Ankr team for their Python SDK, parts of which were adapted for this tool.
  • The broader Web3 security community.

Contact

License

Licensed under the Apache License, Version 2.0. See LICENSE for details.

Disclaimer: This tool is provided for security research and defensive purposes only. Users are responsible for ensuring their use complies with applicable laws and regulations. The author and Blockmage Ltd assume no liability for any damages which may arise from use or misuse of this software.
