Taken on its own, the phrase “sleeper malware on the blockchain” sounds like marketing speak. But the campaigns recorded over the last six months, and the research teams tracking them, have changed how security practitioners view decentralized infrastructure. Contrary to some headlines, the malware is typically not “living inside” blockchain nodes.
It is more accurate to say that attackers have discovered ways to use public blockchains such as Ethereum and Polygon as immutable, censorship-resistant command-and-control infrastructure, and then deliver the dormant payloads through more conventional channels such as fake browser extensions and freelance job lures.
| Blockchain Sleeper Malware Threat Landscape — Key Information | Details |
|---|---|
| Notable Campaign #1 | Omnistealer (April 2026) |
| Reported Stolen Credentials | Over 300,000 |
| Notable Campaign #2 | SleepyDuck (Ethereum-powered C2) |
| Disguise Vector for SleepyDuck | Malicious VS Code extension for Solidity developers |
| SleepyDuck Downloads Before Detection | Over 14,000 |
| Notable Campaign #3 | GlassWorm “sleeper” extensions on OpenVSX |
| April 2026 GlassWorm Cluster | 73 extensions, 6 already activated |
| Earlier GlassWorm Wave | March 2026 (72 extensions documented) |
| Notable Campaign #4 | DeadLock ransomware using Polygon smart contracts |
| Common C2 Innovation | Blockchain-resident command-and-control addresses |
| Targeted Ecosystem | Ethereum, Polygon, OpenVSX, GitHub |
| Reference Reporting | Group-IB Threat Intelligence |
| Application Security Firm Cited | Socket |
| Investigators / Attribution Referenced | Ransom-ISAC, North Korean “Contagious Interview” group |
| Consumer Resource | CISA Cybersecurity Advisories |
The most striking recent example is the Omnistealer campaign, discovered in April 2026 by Ransom-ISAC investigators. According to the researchers, more than 300,000 distinct credentials were stolen by malicious code that had been embedded directly in blockchain transactions for years and lay dormant, like a digital sleeper agent, until its recent activation. The clever part is the storage medium.
What makes the campaign distinctive is its use of a ledger’s immutability as a persistent, unremovable store for its initial payloads. Once a payload has been written to a public blockchain it cannot be deleted. A domain can be seized. An IP address can be blocked. A blockchain transaction, by design, cannot be altered, which makes it useful for legitimate financial settlement and, as it turns out, for state-sponsored espionage.
SleepyDuck is the smaller, more sophisticated variant of the same idea. Posing as a legitimate VS Code extension for developers working with Solidity smart contracts, it was published to the official VS Code marketplace and accumulated over 14,000 downloads before it was found.
When the user opened a .sol file, the extension launched a remote access trojan. The C2 architecture did not depend on a hardcoded server, which can be seized or blocked; to get around that limitation, SleepyDuck used the Ethereum blockchain to update its C2 address dynamically. The attacker embeds the current C2 server address in a transaction on Ethereum, and the malware periodically queries public Ethereum nodes to retrieve the most recent address. Security researchers have noted, somewhat uncomfortably, in their write-ups that the approach has a certain elegance.

Although it belongs to a slightly different category, the GlassWorm campaign uses the same sleeper logic. After a wave of 72 malicious Open VSX extensions in March 2026, a cluster of 73 additional “sleeper” extensions was discovered in April 2026. These extensions are benign when installed and turn malicious only after a silent update: a basic sleeper-cell strategy adapted to the developer extension marketplace. Six extensions in the most recent cluster have already been activated; the rest are believed to be dormant.
The DeadLock ransomware family adds another data point. Group-IB researchers have observed that DeadLock uses Polygon smart contracts to store proxy addresses, an underreported and poorly documented technique that lets threat actors bypass conventional takedown-based defenses by relying on decentralized, globally reachable blockchains.
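SleepyDuck’s transaction-embedded C2 address and DeadLock’s Polygon contract storage come down to the same read operation against a public JSON-RPC node. The Node.js example below is added here and is not code from either campaign or from this article; it shows the two retrieval paths side by side: decoding a Solidity `string` returned by `eth_call` against a contract (the contract-storage pattern) and decoding raw UTF-8 stored in a transaction’s `input` field (the transaction-embedded pattern). The contract address, function selector, transaction hash, the encodings and the fixture node responses are all assumptions constructed for the example; the reporting does not describe the real implants’ ABI or storage layout. The same decoding is what an analyst uses to recover the current C2 indicator from a captured contract address or transaction hash.

```javascript
'use strict';
// Added example: reading a blockchain-resident C2 address from an Ethereum /
// Polygon JSON-RPC node. All addresses, selectors and node responses below
// are constructed placeholders, not indicators from any real campaign.

// Hex string (with or without 0x) to Buffer, rejecting malformed input.
function hexToBuf(hex) {
  const h = hex.startsWith('0x') ? hex.slice(2) : hex;
  if (h.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(h)) {
    throw new Error('malformed hex');
  }
  return Buffer.from(h, 'hex');
}

// Read a 32-byte ABI word at byte offset `at` as a Number. Only small values
// are meaningful here, so the top 24 bytes must be zero.
function readWord(buf, at) {
  if (at + 32 > buf.length) throw new Error('word out of range');
  if (!buf.subarray(at, at + 24).every((b) => b === 0)) {
    throw new Error('word too large');
  }
  return Number(buf.readBigUInt64BE(at + 24));
}

// ABI-encode a single Solidity `string`: offset word, length word, padded data.
// This is what a `string` getter on the attacker's contract would return.
function encodeAbiString(s) {
  const data = Buffer.from(s, 'utf8');
  const padded = Buffer.alloc(Math.ceil(data.length / 32) * 32);
  data.copy(padded);
  const head = Buffer.alloc(64);
  head.writeBigUInt64BE(32n, 24);                 // data offset = 0x20
  head.writeBigUInt64BE(BigInt(data.length), 56); // byte length
  return '0x' + Buffer.concat([head, padded]).toString('hex');
}

// Decode the eth_call return value of an assumed `function c2() view returns (string)`.
function decodeAbiString(hex) {
  const buf = hexToBuf(hex);
  const offset = readWord(buf, 0);
  const length = readWord(buf, offset);
  const start = offset + 32;
  if (start + length > buf.length) throw new Error('string length out of range');
  return buf.subarray(start, start + length).toString('utf8');
}

// Decode a raw UTF-8 payload carried in a transaction's `input` field.
function decodeTxInput(hex) {
  return hexToBuf(hex).toString('utf8').replace(/\0+$/, '');
}

// Accept only values that parse as an http(s) URL; anything else found on
// chain (garbage, an unrelated transaction) is rejected rather than used.
function isPlausibleEndpoint(s) {
  try {
    const u = new URL(s);
    return (u.protocol === 'https:' || u.protocol === 'http:') && u.hostname !== '';
  } catch {
    return false;
  }
}

// Resolve the current C2 endpoint. `rpc(method, params)` is a JSON-RPC
// transport; a real implant would POST to a public node, the fixture below
// answers offline. Contract state is tried first because the attacker can
// update it; the transaction input is an immutable fallback.
async function resolveC2(rpc, { contract, selector, txHash }) {
  const candidates = [];
  try {
    const ret = await rpc('eth_call', [{ to: contract, data: selector }, 'latest']);
    candidates.push(decodeAbiString(ret));
  } catch (e) { /* node error or malformed return: fall through */ }
  try {
    const tx = await rpc('eth_getTransactionByHash', [txHash]);
    if (tx && tx.input) candidates.push(decodeTxInput(tx.input));
  } catch (e) { /* same */ }
  return candidates.find(isPlausibleEndpoint) || null;
}

// Constructed fixture standing in for a public node's responses.
const FIXTURE = {
  eth_call: encodeAbiString('https://c2-current.example.invalid:8443/gate'),
  eth_getTransactionByHash: {
    hash: '0x' + 'ab'.repeat(32),
    input: '0x' + Buffer.from('https://c2-original.example.invalid/gate').toString('hex'),
  },
};
async function fixtureRpc(method) {
  if (!(method in FIXTURE)) throw new Error('unsupported method ' + method);
  return FIXTURE[method];
}

const PARAMS = {
  contract: '0x' + '11'.repeat(20), // placeholder contract address
  selector: '0x2b7ee2f9',          // placeholder 4-byte selector, not computed
  txHash: FIXTURE.eth_getTransactionByHash.hash,
};

resolveC2(fixtureRpc, PARAMS).then((c2) => console.log('current C2:', c2));
```

Run it with `node`; it needs no network because `fixtureRpc` stands in for a public node. On a real workstation the observable is the implant's outbound `eth_call` and `eth_getTransactionByHash` requests to a public RPC endpoint from a process, such as a VS Code extension host, that has no business talking to Ethereum; that egress, rather than any hardcoded domain, is the detection point, since the on-chain value itself cannot be taken down.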
As this category grows, there is a sense that the security industry is only now catching up to an attack class that has operated covertly for longer than anyone realized. In one respect Web3 is doing exactly what it was designed to do: it is transparent and auditable. The same transparency that lets analysts trace stolen funds between wallets also lets attackers publish encrypted payloads that can never be removed.
The next round will most likely bring deeper detection logic that scans blockchain data for patterns associated with malicious storage. The genuinely open question is whether the defense can scale as fast as the offense. In a sense, the attackers’ infrastructure was already there. All they needed was time to learn how to use it.
