Hackers bought 30 WordPress plugins and planted backdoors, lying low for 8 months and using Ethereum smart contracts to bypass domain blocking


In August 2025, a buyer who called himself “Kris” planted a time bomb in 191 lines of code; eight months later it detonated, and C2 communications bypassed the blocklist. This article is based on a report by security researcher Austin Ginder.

Thirty plugins, an eight-month dormancy period, and C2 servers dynamically updated via Ethereum smart contracts. In early April 2026, WordPress.org disabled more than 30 plugins within a single workday, with a total installation base in the millions. Even more shocking: the backdoor was already live as early as August 8, 2025, a full 243 days before it was discovered.

191 lines, one “compatibility update”

Turn back the clock to 2015. In India, the WP Online Support team (later renamed Essential Plugin), founded by three people including Minesh Shah, built up over a decade a product line covering 30-plus plugins. By the end of 2024, revenue had declined 35% to 45% from its peak, and the team chose to list it for sale on Flippa.

The buyer was someone whose background spans SEO, cryptocurrency, and online gambling marketing, and who publicly presents himself as “Kris.” On August 8, 2025, version 2.6.7 went live, and the changelog consisted of a single phrase: “compatibility update.”

What actually changed is this: class-anylc-admin.php grew from 473 lines to 664 lines, adding 191 lines of backdoor code. This was Kris’s first SVN commit.

The backdoor did not activate immediately. It lay dormant until April 5–6, 2026, when the first stage began: the wpos-analytics module sent a callback request to analytics.essentialplugin.com and downloaded a file named wp-comments-posts.php. The name deliberately mimics WordPress core’s wp-comments-post.php—differing by just one letter.

wp-config.php written with 6KB of malicious code

At 04:22 UTC on April 6, 2026, the injection code started running; by 11:06 UTC, wp-config.php had been fully overwritten on compromised sites worldwide. During those 6 hours and 44 minutes, no platform-level alert was triggered.

The injected malicious code does two things. First, it plants spammy external links, but serves them only when the User-Agent is Googlebot’s—ordinary visitors and site administrators see pages that look completely normal. Second, it registers an unauthenticated REST API endpoint (permission_callback: __return_true) and pairs it with fetch_ver_info(), a function that runs PHP unserialization on the supplied data, together forming a remote path to arbitrary function calls.

However, the design detail most worth recording is not the injection itself but the evasion strategy for the C2 infrastructure: the attackers embed the resolution logic for the command-and-control domain in an Ethereum smart contract, and the backdoor queries public blockchain RPC nodes for the latest pointer.

Conventional defenses like domain blocklists and DNS blocking are ineffective against this architecture. The attackers only need to update the contract, and the C2 for every infected site switches in sync—without touching any server they control.
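Because blocking the C2 domain does not help, the practical check is on the code itself. The following static scanner is an added example, not code from the article or from Ginder’s report: it looks for the traits the two sections above describe (a core-lookalike filename, a REST route with permission_callback set to __return_true, unserialize() of supplied data, and Googlebot-only cloaking, especially inside wp-config.php). The sample files are constructed, and the regex signatures are assumptions about how such code is typically written, not the backdoor’s actual code.

```python
import re
from pathlib import Path

# Constructed sample WordPress tree (not real plugin code): one clean plugin file,
# one core-lookalike file, and a wp-config.php showing the described traits.
SAMPLE_FILES = {
    "wp-config.php": "<?php\ndefine('DB_NAME', 'wp');\n"
        + "if (stripos($_SERVER['HTTP_USER_AGENT'] ?? '', 'Googlebot') !== false) { echo $spam; }\n"
        + "register_rest_route('wpos/v1', '/ver', ['permission_callback' => '__return_true']);\n"
        + "function fetch_ver_info($d) { return unserialize($d); }\n",
    "wp-content/plugins/example/example.php": "<?php\nregister_rest_route('ex/v1', '/x', "
        + "['permission_callback' => function () { return current_user_can('manage_options'); }]);\n",
    "wp-content/plugins/example/wp-comments-posts.php": "<?php\n",
}

# Assumed signatures for the traits the article describes.
CHECKS = [
    ("unauthenticated REST route", re.compile(r"permission_callback[\"']?\s*=>\s*[\"']?__return_true")),
    ("unserialize() of supplied data", re.compile(r"\bunserialize\s*\(")),
    ("Googlebot-only cloaking", re.compile(r"Googlebot", re.IGNORECASE)),
]
# Filenames that differ from a WordPress core file by one letter (the one named in the article).
CORE_LOOKALIKES = {"wp-comments-posts.php": "wp-comments-post.php"}

def scan_file(relpath, text):
    """Return a list of human-readable findings for one PHP file (empty if clean)."""
    findings = []
    name = Path(relpath).name
    if name in CORE_LOOKALIKES:
        findings.append(f"core lookalike filename (mimics {CORE_LOOKALIKES[name]})")
    for label, rx in CHECKS:
        for m in rx.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append(f"{label} at line {line}")
    # wp-config.php should only define constants; REST routes or UA checks there are suspect.
    if name == "wp-config.php" and any("REST" in f or "cloaking" in f for f in findings):
        findings.append("wp-config.php contains executable logic beyond configuration")
    return findings

def scan_tree(files):
    """Scan a {relative_path: contents} mapping; return only files with findings."""
    return {p: f for p, t in files.items() if (f := scan_file(p, t))}

def scan_directory(root):
    """Scan a real install: every *.php under root (for use outside the embedded sample)."""
    root = Path(root)
    return scan_tree({str(p.relative_to(root)): p.read_text(errors="replace") for p in root.rglob("*.php")})

if __name__ == "__main__":
    for path, findings in scan_tree(SAMPLE_FILES).items():
        print(path)
        for f in findings:
            print("  -", f)
```

Point scan_directory() at a site root to run the same checks on a live install; a hit is a reason to diff the file against the plugin’s known-good release, not proof of compromise by itself.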

This isn’t the first time, and it won’t be the last

In 2017, Daley Tias bought the Display Widgets plugin, which had 200k installations, for $15k and injected loan-related spam links; the same pattern later affected at least nine other plugins. After that incident, WordPress.org still did not introduce a mandatory review mechanism for plugin ownership transfers, did not trigger extra manual or automated scrutiny on a new committer’s first submission, and did not notify existing users that the plugin had changed hands.

Nine years later, the process was exactly the same. Kris completed the acquisition, obtained SVN commit permissions, and his first commit was the backdoor—fully compliant with the platform’s rules from end to end.

A policy issue, not a technical issue

This incident did not use any zero-day vulnerability. The backdoor code quality was mediocre, and there was no clever obfuscation technique within those 191 lines. It managed to lie dormant for 243 days not due to technical capability, but because WordPress.org’s plugin marketplace had a complete absence of safeguards at the ownership-change stage.

Parsing the C2 domain via an Ethereum smart contract does add a layer of design worth discussing at the technical architecture level, but it only makes cleanup more difficult—it is not the reason the attack could happen. The attack could happen because the platform allows anyone to buy a plugin, push updates, and not have to explain to anyone what that “compatibility update” in the changelog actually made compatible.

WordPress.org shut down more than 30 plugins in a single day

On April 7, 2026, the WordPress.org plugin team permanently disabled every plugin by the Essential Plugin author: at least 30 plugins, all disabled on the same day. Below are the plugins confirmed by Austin Ginder:

  • Accordion and Accordion Slider — accordion-and-accordion-slider
  • Album and Image Gallery Plus Lightbox — album-and-image-gallery-plus-lightbox
  • Audio Player with Playlist Ultimate — audio-player-with-playlist-ultimate
  • Blog Designer for Post and Widget — blog-designer-for-post-and-widget
  • Countdown Timer Ultimate — countdown-timer-ultimate
  • Featured Post Creative — featured-post-creative
  • Footer Mega Grid Columns — footer-mega-grid-columns
  • Hero Banner Ultimate — hero-banner-ultimate
  • HTML5 VideoGallery Plus Player — html5-videogallery-plus-player
  • Meta Slider and Carousel with Lightbox — meta-slider-and-carousel-with-lightbox
  • Popup Anything on Click — popup-anything-on-click
  • Portfolio and Projects — portfolio-and-projects
  • Post Category Image with Grid and Slider — post-category-image-with-grid-and-slider
  • Post Grid and Filter Ultimate — post-grid-and-filter-ultimate
  • Preloader for Website — preloader-for-website
  • Product Categories Designs for WooCommerce — product-categories-designs-for-woocommerce
  • Responsive WP FAQ with Category — sp-faq
  • SlidersPack – All in One Image Sliders — sliderspack-all-in-one-image-sliders
  • SP News And Widget — sp-news-and-widget
  • Styles for WP PageNavi – Addon — styles-for-wp-pagenavi-addon
  • Ticker Ultimate — ticker-ultimate
  • Timeline and History Slider — timeline-and-history-slider
  • Woo Product Slider and Carousel with Category — woo-product-slider-and-carousel-with-category
  • WP Blog and Widgets — wp-blog-and-widgets
  • WP Featured Content and Slider — wp-featured-content-and-slider
  • WP Logo Showcase Responsive Slider and Carousel — wp-logo-showcase-responsive-slider-slider
  • WP Responsive Recent Post Slider — wp-responsive-recent-post-slider
  • WP Slick Slider and Image Carousel — wp-slick-slider-and-image-carousel
  • WP Team Showcase and Slider — wp-team-showcase-and-slider
  • WP Testimonial with Widget — wp-testimonial-with-widget
  • WP Trending Post Slider and Widget — wp-trending-post-slider-and-widget
