Cross-Chain TxDataHiding Crypto Heist: A Very Chainful Process (Part 3)
2025-11-13 • Ransom ISAC
https://ransom-isac.org/blog/cross-chain-txdatahiding-crypto-heist/
Ransom-ISAC analyzed a cryptocurrency and data theft attempt delivered through a malicious private GitHub repository impersonating the legitimate node-react-e-commerce project. The repository used obfuscated JavaScript in tailwind.config.js and a multi-blockchain C2 design: it queried TRON or Aptos transaction metadata to retrieve a BSC transaction hash, then pulled the encoded payload from that BSC transaction's input data. The report distinguishes this Cross-Chain TxDataHiding approach from Etherhiding because the payload is embedded in transaction input data rather than in smart contract storage. The technique matters because attackers can change the on-chain pointer data at will, use multiple public chains as resilient infrastructure, and make detection harder in isolated (network-restricted) analysis environments.
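As an added example (not code from the Ransom-ISAC report or the impersonated project), the following Python triage scanner flags JavaScript source that references RPC hosts for two or more of the chain families listed in the IoC table and also contains a transaction-lookup primitive. The host list is taken from the IoC table; the `eth_getTransactionByHash` JSON-RPC method name and the 64-hex-digit literal heuristic are assumptions about how a loader of this kind would fetch a transaction's input, not details stated in the report. The two sample snippets are constructed for the demonstration.

```python
import re

# Chain RPC hosts from the report's IoC table, grouped by chain family.
CHAIN_HOSTS = {
    "tron": {"api.trongrid.io"},
    "aptos": {"fullnode.mainnet.aptoslabs.com", "aptoslabs.com"},
    "bsc": {"bsc-dataseed.binance.org", "bsc-rpc.publicnode.com"},
}

# Assumption: a standard EVM JSON-RPC method that returns a transaction's
# "input" field. The report does not say which call the loader used.
TX_FETCH_METHODS = ("eth_getTransactionByHash",)

# Heuristic (assumption): a 32-byte hex literal looks like a hard-coded
# transaction hash pointer.
TX_HASH_LITERAL = re.compile(r"0x[0-9a-fA-F]{64}")


def find_chain_hosts(src):
    """Return {chain_family: [matched hosts]} for hosts present in src."""
    lowered = src.lower()
    hits = {}
    for chain, hosts in CHAIN_HOSTS.items():
        found = sorted(h for h in hosts if h in lowered)
        if found:
            hits[chain] = found
    return hits


def scan_js_source(src):
    """Score a JavaScript file for cross-chain C2 pointer behaviour."""
    chains = find_chain_hosts(src)
    fetches_tx = any(method in src for method in TX_FETCH_METHODS)
    has_hash_literal = TX_HASH_LITERAL.search(src) is not None
    cross_chain = len(chains) >= 2

    if cross_chain and fetches_tx:
        verdict = "high"      # pointer chain + payload retrieval in one file
    elif cross_chain or (chains and fetches_tx):
        verdict = "medium"
    elif chains or has_hash_literal:
        verdict = "low"
    else:
        verdict = "none"

    return {
        "chains": chains,
        "fetches_tx_input": fetches_tx,
        "has_tx_hash_literal": has_hash_literal,
        "verdict": verdict,
    }


# Constructed samples: an ordinary Tailwind config and a snippet that carries
# the cross-chain markers the scanner looks for.
BENIGN = (
    "module.exports = { content: ['./src/**/*.{js,jsx}'],"
    " theme: { extend: {} }, plugins: [] };"
)
SUSPICIOUS = (
    "const p = 'https://api.trongrid.io';"
    "const q = 'https://fullnode.mainnet.aptoslabs.com';"
    "const r = 'https://bsc-dataseed.binance.org';"
    "const m = 'eth_getTransactionByHash';"
)

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_js_source(src))
```

Running the block prints a "none" verdict for the plain Tailwind config and "high" for the constructed snippet. In practice the scanner would be run over every `.js` and config file in a repository before it is executed, with a "high" result treated as a reason to detonate the file in a sandbox that can observe outbound JSON-RPC traffic rather than one that blocks it.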
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | api.trongrid.io | 2025-10-27 | 2026-05-31 |
| DOMAIN | fullnode.mainnet.aptoslabs.com | 2025-10-27 | 2026-05-31 |
| DOMAIN | aptoslabs.com | 2025-10-27 | 2026-04-24 |
| IPv4 | 23.27.20.143 | 2025-10-20 | 2026-04-21 |
| DOMAIN | bsc-dataseed.binance.org | 2025-10-27 | 2026-04-11 |
| DOMAIN | bsc-rpc.publicnode.com | 2025-10-27 | 2026-04-11 |
| URL | https://bsc-dataseed.binance.org | 2025-10-27 | 2026-01-14 |
| YARA | DPRKObfuscatedJavaScript2 | 2025-11-13 | 2025-11-13 |
| YARA | DPRKObfuscatedJavaScript1 | 2025-11-13 | 2025-11-13 |
| HASH | f3c46284d1f89f33427b332a7b93571… | 2025-10-27 | 2025-11-13 |
| HASH | 16df15306f966ae5c5184901747a320… | 2025-10-27 | 2025-11-13 |
| URL | https://api.trongrid.io/v1/acco… | 2025-10-27 | 2025-11-13 |