Cybersecurity Ecosystem

The Rise of Decentralised Infrastructure in Cyberattacks: How Blockchain Is Being Weaponised Against Software Supply Chains

⚡ Quick Summary

  • The CanisterWorm npm supply chain attack is the first publicly documented case of malware using Internet Computer Protocol (ICP) canisters as a dead drop for its command-and-control (C2) server addresses
  • Decentralised C2 infrastructure resists the takedown methods security teams rely on: there is no hosting provider to notify, no domain to seize and no single server to block; removal depends on the canister's controller, the network's governance or its gateway operators
  • Security tooling and threat-intelligence feeds need to carry blockchain-specific indicators such as canister IDs and detect the behaviour, not only the destination
  • The technique needs nothing more than an HTTPS request to a public gateway, so wider adoption by other threat actors is likely

Attackers Are Moving to Blockchain-Based Command Infrastructure That Is Hard to Take Down

The cybersecurity landscape is witnessing a troubling evolution: threat actors are beginning to use decentralised blockchain infrastructure for command-and-control (C2) operations, making their attack infrastructure far more resistant to traditional takedown methods. The recent CanisterWorm supply chain attack, which used Internet Computer Protocol (ICP) canisters as dead drops for its C2 server addresses, is the first publicly documented case of this technique on ICP, and security researchers warn it is unlikely to be the last.

Traditional cyberattacks rely on centralised infrastructure — servers with IP addresses or domains registered with registrars that can be compelled to take them down. When security teams or law enforcement identify malicious C2 servers, they can issue takedown requests to hosting providers, block IP addresses at the network level, or seize domains through legal orders. This cat-and-mouse game has been the foundation of cyber defence for decades, and while imperfect, it provides a meaningful mechanism for disrupting ongoing attacks.


Blockchain-based C2 infrastructure breaks this model. When an attacker stores C2 addresses in a canister on the Internet Computer, there is no hosting provider to contact and no domain registrar to compel for the data itself: the canister's state is replicated across nodes run by independent parties, and only its controller, or a network governance decision, can change or remove it. This resilience, designed to make legitimate applications censorship-resistant, becomes a weapon in the hands of attackers. One practical caveat for defenders: malware that does not implement the ICP protocol itself reaches a canister over ordinary HTTPS through public gateway domains such as ic0.app and icp0.io, and those requests are as visible to proxies, DNS logs and endpoint agents as any other web traffic. Blocking the gateway domains outright is a workable option for organisations with no business need for ICP applications.

Background and Context

The use of unconventional infrastructure for C2 communications is not new. Attackers have used social media platforms, cloud storage services and encrypted messaging apps to relay commands to compromised systems, taking advantage of the fact that traffic to these popular services is unlikely to be flagged as suspicious. Those approaches still rely on centralised platforms that can and do remove malicious content when notified. Public blockchains have also been used before: the Glupteba botnet recovered backup C2 domains from data embedded in Bitcoin transactions, and the EtherHiding campaigns retrieved payloads from smart contracts on the BNB Smart Chain. What CanisterWorm adds is the use of ICP canisters, which serve HTTP responses directly through the network's public gateways, so the malware needs no blockchain client or RPC library at all.

The Internet Computer Protocol (ICP), launched by the DFINITY Foundation, is a public blockchain network designed to host web applications and data in a decentralised manner. ICP canisters, the protocol's equivalent of smart contracts, are WebAssembly programs that can store and serve arbitrary data, including HTTP responses, which makes them suitable for hosting C2 configuration that malware can fetch with an ordinary web request. Because canisters run on a decentralised network, they inherit the censorship resistance that is a fundamental design property of blockchain systems.

The CanisterWorm attack demonstrated a specific implementation pattern: malware installed through compromised npm packages contacts an ICP canister to retrieve the current C2 server URL, then connects to that server. The canister is a dead drop, a layer of indirection that lets the attacker rotate C2 servers without shipping new malware: if a C2 server is taken down, the attacker, as the canister's controller, writes a new address into the canister, and every infected system picks it up on its next lookup. The canister ID and the gateway domain are therefore the stable indicators, and the C2 server address is the disposable one.

Why This Matters

The weaponisation of decentralised infrastructure represents a paradigm shift in the cyber threat landscape. For the past two decades, the cybersecurity industry has built detection and response capabilities around the assumption that malicious infrastructure can eventually be identified and taken down. Network security tools monitor for connections to known malicious IP addresses and domains. Threat intelligence platforms maintain databases of indicators of compromise (IOCs) that include server addresses and domain names. Incident response procedures include steps for requesting takedowns from hosting providers and domain registrars.

When C2 infrastructure moves to decentralised networks, many of these capabilities become less effective. Blocking connections to public blockchain networks wholesale would disrupt legitimate applications that use the same infrastructure. The new indicator is a canister ID rather than a server address: it still appears in the malware's gateway requests, as a subdomain or a query parameter, so proxy and endpoint logs do capture it, but blocklists and threat-intelligence feeds need to carry canister IDs, and security teams need the tooling and expertise to inspect a canister's state and controllers, which most do not yet have.

The implications extend beyond individual attacks to the broader balance of power between attackers and defenders. If decentralised C2 becomes widespread, the cost and difficulty of disrupting active attack campaigns could increase significantly, potentially shifting the advantage further toward attackers in what is already an asymmetric conflict.

Industry Impact

The cybersecurity industry faces a significant adaptation challenge. Security vendors that provide threat intelligence, network monitoring, and incident response services must develop new capabilities for detecting and disrupting blockchain-based C2 infrastructure. This requires expertise in blockchain analysis, which has traditionally been the domain of cryptocurrency forensics firms rather than mainstream cybersecurity companies. Expect acquisitions and partnerships as cybersecurity firms seek to fill this capability gap.

For blockchain projects and the decentralised web community, the weaponisation of their infrastructure creates a reputational and governance challenge. Blockchain projects designed to resist censorship must now contend with the reality that this resistance also protects malicious actors. Some projects may face pressure to implement content moderation mechanisms, while others may argue that any moderation capability undermines the fundamental value proposition of decentralisation.

Government agencies and law enforcement organisations face perhaps the most significant impact. International cooperation frameworks for cybercrime — including mutual legal assistance treaties and voluntary cooperation agreements with technology companies — are designed around the assumption that someone controls the infrastructure being used for criminal activity. Decentralised systems challenge this assumption, potentially requiring new legal frameworks and investigative techniques.

Expert Perspective

Cybersecurity researchers view the CanisterWorm's use of ICP canisters as a proof of concept that other threat actors will study and replicate. The technique is relatively simple to implement, requiring only basic blockchain interaction capabilities, but provides significant operational security advantages for attackers. The combination of resilient C2 infrastructure with the self-spreading capabilities demonstrated by CanisterWorm creates a particularly concerning threat model.

Some security professionals advocate a proactive approach: developing monitoring that detects malware communicating with blockchain networks even when the specific canister address is not yet known to be malicious. Behavioural detection, such as flagging a non-browser process that queries a blockchain gateway and then connects to a previously unseen host, may prove more effective than signature-based approaches that rely on known indicators.
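As an added example, not code from the page, from any CanisterWorm analysis or from a vendor product, the following Python script turns the dead-drop pattern described under Background and Context (canister lookup, then connection to the returned C2 address) into the behavioural detection this paragraph argues for. It reads endpoint network-log lines in a constructed key=value format (timestamp, host, pid, process name, URL), flags any non-browser process that contacts a public ICP HTTP gateway (ic0.app, icp0.io, icp-api.io) or references a canister ID, and then correlates that lookup with a follow-on connection from the same process to some other external host within a short window. The sample log, the canister ID abcde-fghij-klmno-pqrst-cai, the beacon address 203.0.113.45 (RFC 5737 documentation range), the browser process list, the benign-destination allowlist and the 30-second window are all constructed assumptions; the canister-ID check is a format check only and does not verify the principal's checksum.

```python
"""Behavioural detection of the ICP dead-drop C2 pattern (added example).

Two rules over endpoint network logs:
  icp_gateway_nonbrowser  - a process that is not a browser talks to a public
                            ICP HTTP gateway or references a canister ID
  dead_drop_then_beacon   - the same process then connects to another external
                            host within CORRELATION_WINDOW (the retrieved C2)
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Public ICP HTTP gateway domains; a canister is served as <canister-id>.<gateway>.
ICP_GATEWAY_DOMAINS = ("ic0.app", "icp0.io", "icp-api.io")

# Textual canister principal: four 5-char base32 groups and a 3-char tail.
# Mainnet canister IDs end in "-cai". Format check only, no checksum verification.
CANISTER_ID_RE = re.compile(
    r"(?<![a-z2-7-])[a-z2-7]{5}(?:-[a-z2-7]{5}){3}-cai(?![a-z2-7-])"
)

# Assumption: processes for which ICP gateway traffic is ordinary browsing.
BROWSER_PROCS = {"chrome", "firefox", "msedge", "safari", "brave"}

# Assumption: destinations that are never treated as a C2 beacon.
KNOWN_BENIGN = {"registry.npmjs.org", "pypi.org"}

# Assumption: a connection this soon after a dead-drop lookup is linked to it.
CORRELATION_WINDOW = timedelta(seconds=30)

# Constructed log format: "<iso-time>Z host=<h> pid=<n> proc=<name> url=<url>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+proc=(?P<proc>\S+)\s+url=(?P<url>\S+)$"
)

# Constructed sample: one developer laptop; a node process installs a package,
# queries a canister, then beacons to the address it received from it.
SAMPLE_LOG = """\
2024-06-03T10:14:50Z host=dev-laptop-07 pid=4121 proc=node url=https://registry.npmjs.org/left-pad
2024-06-03T10:14:58Z host=dev-laptop-07 pid=2200 proc=chrome url=https://abcde-fghij-klmno-pqrst-cai.icp0.io/
2024-06-03T10:15:01Z host=dev-laptop-07 pid=4121 proc=node url=https://abcde-fghij-klmno-pqrst-cai.icp0.io/config
2024-06-03T10:15:03Z host=dev-laptop-07 pid=4121 proc=node url=https://203.0.113.45/beacon
2024-06-03T10:15:05Z host=dev-laptop-07 pid=777 proc=python url=https://pypi.org/simple/requests/
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dst"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def is_icp_gateway(hostname):
    """True for a gateway domain itself or any subdomain of it."""
    h = hostname.lower()
    return any(h == d or h.endswith("." + d) for d in ICP_GATEWAY_DOMAINS)


def canister_ids(url):
    """Canister IDs referenced anywhere in the URL (subdomain or ?canisterId= form)."""
    return CANISTER_ID_RE.findall(url.lower())


def detect(lines):
    """Run both rules over log lines in time order; return a list of alert dicts."""
    alerts = []
    pending = {}  # (host, pid) -> most recent dead-drop lookup awaiting a beacon
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["pid"])
        ids = canister_ids(rec["url"])
        if is_icp_gateway(rec["dst"]) or ids:
            if rec["proc"].lower() not in BROWSER_PROCS:
                alerts.append({
                    "rule": "icp_gateway_nonbrowser", "ts": rec["ts"], "host": rec["host"],
                    "pid": rec["pid"], "proc": rec["proc"], "dst": rec["dst"], "canister_ids": ids,
                })
                pending[key] = rec
            continue  # browser traffic to ICP dapps is not correlated further
        if rec["dst"] in KNOWN_BENIGN:
            continue
        prev = pending.pop(key, None)  # only the first follow-on connection is considered
        if prev is None:
            continue
        if timedelta(0) <= rec["ts"] - prev["ts"] <= CORRELATION_WINDOW:
            alerts.append({
                "rule": "dead_drop_then_beacon", "ts": rec["ts"], "host": rec["host"],
                "pid": rec["pid"], "proc": rec["proc"], "dead_drop": prev["dst"], "beacon": rec["dst"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a["rule"], a["host"], a["pid"], a["proc"], a.get("beacon", a.get("dst")))
```

Run against the constructed log, the script raises one icp_gateway_nonbrowser alert for the node process and one dead_drop_then_beacon alert naming 203.0.113.45 as the retrieved C2, while the browser visit to the same canister and the package-registry traffic produce nothing. The second rule is the one that survives address rotation: the canister ID stays constant across rotations, and whatever address the malware fetches next is caught by the correlation rather than by a blocklist. Tune KNOWN_BENIGN and the window to your environment, and treat the canister IDs the first rule surfaces as indicators to share.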

What This Means for Businesses

Organisations should begin evaluating their security posture against blockchain-based threats. This includes assessing whether current network monitoring tools can detect connections to blockchain networks, whether security teams have the expertise to analyse blockchain-based indicators of compromise, and whether incident response plans account for scenarios where C2 infrastructure cannot be taken down through traditional channels.

Investing in endpoint detection and response (EDR) solutions that can identify malicious behaviour regardless of the C2 channel is becoming essential. Because CanisterWorm arrived through compromised npm packages, the initial-access surface is the software supply chain: pinning dependencies with lockfiles, reviewing new or updated packages before they are installed, and keeping operating systems and development tools patched all reduce the opportunities a threat actor has to establish a foothold.


Looking Ahead

The cybersecurity industry is at an inflection point. As attackers adopt decentralised infrastructure, defenders must evolve their tools, techniques, and legal frameworks to match. The next twelve months will likely see increased investment in blockchain-aware security tools, new partnerships between cybersecurity and blockchain analytics firms, and policy discussions about balancing censorship resistance with the need to disrupt criminal infrastructure. The CanisterWorm may be the canary in the coal mine — the first visible sign of a shift that will reshape cybersecurity for years to come.

Frequently Asked Questions

What is blockchain-based command-and-control?

Instead of using traditional servers to relay commands to malware, attackers store C2 configuration on decentralised blockchain networks like the Internet Computer Protocol. Because no single entity controls the blockchain, the malicious infrastructure cannot be taken down through traditional hosting provider takedown requests.

Why is this more dangerous than traditional cyberattacks?

Traditional C2 servers can be identified and taken down by security teams or law enforcement. Blockchain-based C2 infrastructure runs on distributed networks with no central point of control, so disrupting it requires the cooperation of the canister's controller, the network's governance or its gateway operators, and an attacker who rotates the C2 address stored on the chain can keep a campaign alive long after any individual server is removed.

What can businesses do to protect against this?

Invest in endpoint detection and response (EDR) tools with behavioural analysis capabilities, ensure network monitoring can see and alert on connections to blockchain gateway APIs from processes that are not browsers, add canister IDs and gateway domains to your indicator handling, keep software updated and audit third-party dependencies such as npm packages, and update incident response plans to account for scenarios where attacker infrastructure cannot be disrupted through traditional channels.

Tags: Cybersecurity, Blockchain, Decentralised, Supply Chain, ICP, Malware, Software Security
OfficeandWin Tech Desk
Covering enterprise software, AI, cybersecurity, and productivity technology. Independent analysis for IT professionals and technology enthusiasts.