Digital skimming has officially entered the decentralized era, opening a new chapter for a major source of crime and fraud.
Researchers at Source Defense have uncovered that a large-scale Digital Skimming (aka Magecart) campaign is targeting retail sites across the globe. What makes this form different? The campaign has been built to use the Ethereum blockchain as a steadfast framework for command-and-control operations.
These cybercriminals were able to successfully engineer a setup that is shielded from traditional blue team efforts by first hiding inside legitimate-looking containers such as spoofed Google Tag Manager containers, then swapping out vulnerable, blacklisted domains for decentralized smart contracts.
Why This Changes the Game
Traditionally, defensive strategies relied on mapping out known bad domains and blocking static threat indicators. This campaign has shattered those previous methods.
When a user lands on an infected payment page, the compromised site queries a smart contract on the blockchain behind the scenes. This lookup returns encrypted data that the browser decrypts locally, revealing the location of the live malicious server, which then injects the actual data-harvesting payload directly into the browser.
If a defender successfully flags and kills one of their external landing domains, the threat actor does not need to touch the hacked website’s code. Instead, the attacker can simply point the smart contract at a fresh link, constantly rotating their operational backend to keep the data siphon running.
Once the malicious script is embedded in the checkout flow, it renders a pixel-perfect replica of the transaction form, silently grabbing credit card data, billing credentials, personal data, and browser fingerprinting details.
“What we’re seeing now is a clear shift away from simple opportunistic attacks toward infrastructure designed for long-term survivability,” says Hadar Blutrich, Co-Founder of Source Defense. “By leveraging technologies like blockchain-based routing, attackers are building command-and-control frameworks that are harder to disrupt, easier to reconfigure, and capable of remaining operational even when portions of the infrastructure are identified and taken down.”
“Many organizations still focus narrowly on compliance rather than the broader problem”
– Hadar Blutrich, Co-Founder of Source Defense
The emergence of this tactic lands at a critical moment for the payments and e-commerce industry. While online merchants are actively working to adopt the strict client-side controls required by the updated PCI DSS 4.0.1 framework, adversaries are already developing ways to circumvent them.
One aspect Blutrich emphasized was that too many security teams treat front-end defense as a simple compliance box to check off, allowing more ingrained systemic vulnerabilities to surface across the entire browser experience.
Because securing the actual user-facing side of the web is frequently left on the back burner, hackers are thriving in the space between meeting regulatory minimums and deploying real-time defenses.
Final Thoughts
Web-based theft is moving beyond simple crypto monetization.
With threat groups adopting blockchain-backed mechanisms, relying on rigid, reactive security perimeters is a losing battle.
As Source Defense highlights, e-commerce enterprises need to transition to continuous, behavioral front-end monitoring. Catching and neutralizing these unverified scripts before they can interact with external networks or blockchain nodes is the only way to safeguard the integrity of the consumer transaction.
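One way to look for the resolve-then-load chain described above in request telemetry from a payment page, as an added example that is not from Source Defense or the research paper. It assumes the contract lookup is a browser-side Ethereum JSON-RPC POST (the article does not state the transport); the function names, entry fields, hosts and the zero address are constructed for illustration.

```javascript
// Added example: flags Ethereum JSON-RPC reads made from a payment page and any
// script fetched from a host outside the merchant's allowlist.
// Assumption: the smart-contract lookup is a JSON-RPC POST issued by the browser.
const RPC_READ_METHODS = new Set(["eth_call", "eth_getStorageAt", "eth_getLogs"]);

function parseRpcCalls(postData) {
  // JSON-RPC bodies may be a single object or a batch array.
  let body;
  try { body = JSON.parse(postData); } catch { return []; }
  const calls = Array.isArray(body) ? body : [body];
  return calls.filter(c => c && c.jsonrpc === "2.0" && RPC_READ_METHODS.has(c.method));
}

function auditCheckoutRequests(entries, allowedScriptHosts) {
  const allowed = new Set(allowedScriptHosts);
  const findings = [];
  let firstRpcTime = null;
  for (const e of [...entries].sort((a, b) => a.time - b.time)) {
    const host = new URL(e.url).hostname;
    if (e.method === "POST" && e.postData) {
      for (const call of parseRpcCalls(e.postData)) {
        // Record which contract was read so responders can pivot on it.
        const p = call.params?.[0];
        const contract = typeof p === "string" ? p : p?.to ?? p?.address ?? null;
        findings.push({ type: "blockchain-lookup", host, rpcMethod: call.method, contract });
        if (firstRpcTime === null) firstRpcTime = e.time;
      }
    }
    if (e.resourceType === "script" && !allowed.has(host)) {
      // A script arriving after a contract read matches the resolve-then-load chain.
      findings.push({ type: "unlisted-script", host,
        afterLookup: firstRpcTime !== null && e.time > firstRpcTime });
    }
  }
  return findings;
}

// Constructed sample of requests seen on a checkout page (not real indicators).
const SAMPLE = [
  { time: 10, method: "GET", url: "https://shop.example/static/checkout.js", resourceType: "script" },
  { time: 20, method: "POST", url: "https://rpc.example/", resourceType: "fetch",
    postData: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "eth_call",
      params: [{ to: "0x0000000000000000000000000000000000000000", data: "0x" }, "latest"] }) },
  { time: 30, method: "GET", url: "https://cdn.invalid/loader.js", resourceType: "script" },
];
console.log(auditCheckoutRequests(SAMPLE, ["shop.example"]));
```

Because the contract address stays fixed while the resolved server rotates, the `contract` value and the presence of any RPC read on a payment page are more durable signals than the script host.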
Author Notes
Source Defense Threat Intelligence Research Paper: “Magecart Evolves: Blockchain-Based Command and Control Infrastructures in E-Skimming”
About the Author
Carmen Estela is a Cybersecurity Research Analyst at Cyber Defense Magazine and a Women in Cybersecurity Award Candidate. She recently graduated with a Master of Science degree from the University of Central Florida and holds a Bachelor’s degree in Criminology from the University of Florida with certifications in Data Analytics and AI Fundamentals. She frequently speaks and volunteers at well-known industry gatherings, such as BSides Orlando and BSides Jax, where she offers her perspectives on emerging cyber trends. Carmen is committed to advancing the standards of governance, risk, and compliance within cybersecurity. She has also served as an adult protective investigator, police dispatcher, and legal intern, applying investigative skills across law enforcement, academic, and public service settings.
