DeadLock ransomware abuses the Polygon blockchain to silently rotate proxy servers

  • Group-IB released a report on January 15 stating that this setup could make the operation harder for defenders to disrupt.
  • The malware only reads on-chain data, so the infected host sends no transaction and pays no gas fee.
  • Researchers said that while Polygon itself is not vulnerable, the technique could spread to other groups.

Ransomware groups typically rely on command-and-control servers to handle communications once they have compromised a system.

But security researchers say a less obvious variant is now using blockchain infrastructure in ways that are difficult to block.

Cybersecurity firm Group-IB said in a report released on January 15 that the ransomware campaign known as DeadLock is abusing Polygon (POL) smart contracts to store and rotate proxy server addresses.

These proxy servers relay communications between the attacker and the victim after a system has been infected.

Because the information is stored on-chain and can be updated at any time, the researchers warned that this approach could make the group's backend more resilient and less susceptible to disruption.

Smart contract used to store proxy information

Group-IB said DeadLock does not rely on the usual setup of fixed command-and-control servers.

Instead, once a machine is compromised and encrypted, the ransomware queries a specific smart contract deployed on the Polygon network.

This contract stores the latest proxy address that DeadLock uses for communication. Proxies act as a middle layer, letting the attackers maintain connectivity without directly exposing their core infrastructure.

Smart contract state is publicly readable, so the malware can obtain the details with a read-only call to any Polygon node, without sending a blockchain transaction.

This also means the infected host does not have to pay gas fees or interact with a wallet: nothing is signed or broadcast, so the read leaves no trace on-chain.

DeadLock only reads information and treats the blockchain as a persistent source of configuration data.

Infrastructure rotation without malware updates

One reason this technique stands out is that it lets the attacker change communication routes quickly.

Group-IB said the operators behind DeadLock can update the proxy addresses stored in the contract at any time.

This allows the infrastructure to be rotated without altering the ransomware itself or shipping new builds.

With conventional ransomware, defenders may be able to block traffic by identifying known command-and-control servers.

With an on-chain proxy list, however, the operators can replace flagged proxies simply by updating the values stored in the contract.

Once contact is established through the updated proxy, the victim receives a ransom demand along with a threat to sell the stolen data if payment is not made.
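
The following script is an added illustration of the two mechanisms described above; it is not code from Group-IB's report and not DeadLock's own code. It shows the read path (a JSON-RPC `eth_call` against a contract, and the ABI decoding of the `string` it returns, which involves no transaction, signature or gas) and the defender-side counterpart: polling the same public value and recording every rotation so that each new proxy can be added to a blocklist as soon as the operator publishes it. The contract address `CONTRACT`, the function selector `SELECTOR`, the `host:port` format of the stored value and the sample responses are all assumptions constructed for the example, so the script runs offline.

```python
"""Added example: read-only contract lookup and a rotation watcher.
Contract address, selector, value format and RPC responses are placeholders."""
import json
import re

# Placeholder values (assumptions, NOT from the report).
CONTRACT = "0x" + "00" * 19 + "01"
SELECTOR = "0xdeadbeef"   # hypothetical 4-byte selector of a no-argument getter
HOSTPORT = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def build_eth_call(contract, selector, block="latest"):
    """JSON-RPC eth_call body. The node evaluates it locally and nothing is
    mined, so there is no transaction, no signature and no gas fee."""
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, block],
    }


def abi_encode_string(s):
    """ABI-encode one dynamic `string` return value: 32-byte offset (0x20),
    32-byte length, then the bytes right-padded to a multiple of 32.
    Used here only to construct offline responses."""
    data = s.encode()
    head = (32).to_bytes(32, "big")
    length = len(data).to_bytes(32, "big")
    padding = b"\x00" * ((32 - len(data) % 32) % 32)
    return "0x" + (head + length + data + padding).hex()


def abi_decode_string(result_hex):
    """Inverse of abi_encode_string: follow the offset, read the length,
    slice the body. Truncated or inconsistent payloads raise ValueError."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("eth_call result too short for a dynamic string")
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    body = raw[offset + 32:offset + 32 + length]
    if len(body) != length:
        raise ValueError("declared length exceeds payload")
    return body.decode()


def parse_proxy(value):
    """Check that the on-chain string is a host:port pair before acting on it."""
    m = HOSTPORT.match(value)
    if not m or not 0 < int(m["port"]) < 65536:
        raise ValueError("unexpected proxy value: %r" % value)
    return m["host"], int(m["port"])


class ProxyWatcher:
    """Defender-side monitor: decode each poll of the contract and keep a
    history of rotations. Every new value is a fresh indicator to block."""

    def __init__(self):
        self.current = None
        self.history = []

    def observe(self, rpc_result_hex):
        """Return True when the stored proxy changed since the last poll."""
        value = abi_decode_string(rpc_result_hex)
        parse_proxy(value)            # reject values that are not host:port
        if value == self.current:
            return False
        self.current = value
        self.history.append(value)
        return True


def run_demo():
    """Three simulated polls; the operator rotates the proxy before the third.
    Responses are constructed locally, not fetched from any node."""
    responses = [
        abi_encode_string("proxy-a.example:443"),
        abi_encode_string("proxy-a.example:443"),   # unchanged
        abi_encode_string("proxy-b.example:8443"),  # rotated on-chain
    ]
    watcher = ProxyWatcher()
    for r in responses:
        watcher.observe(r)
    return watcher.history


if __name__ == "__main__":
    print(json.dumps(build_eth_call(CONTRACT, SELECTOR)))
    print(run_demo())
```

Two practical points follow from the code. First, the malware's read is ordinary HTTPS JSON-RPC traffic to a public Polygon RPC endpoint, so on hosts that have no business reason to talk to blockchain RPC providers, an outbound `eth_call` is itself a detection opportunity. Second, the same public readability cuts both ways: once the contract address is known, defenders can poll it exactly as the watcher does and pick up each rotated proxy as quickly as the victims do.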

Why takedowns are difficult

Group-IB warned that using blockchain data in this way makes disruption significantly harder.

There is no single central server that can be seized, removed, or shut down.

Even if a particular proxy address is blocked, the attacker can switch to a different one without redeploying the malware.

Smart contracts remain reachable through Polygon's distributed nodes around the world, so the configuration data persists even when the attacker's own infrastructure changes.

Researchers said this could give ransomware operators a more resilient command-and-control mechanism than conventional hosting setups.

Small-scale campaign using creative techniques

DeadLock was first observed in July 2025 and has remained relatively unnoticed so far.

Group-IB said the number of confirmed victims of the operation was limited.

The report also notes that DeadLock is not linked to any known ransomware affiliate program and does not appear to operate a public data leak site.

While this may explain why the group has received less attention than the major ransomware brands, researchers say its technical approach is worth monitoring closely.

Group-IB warned that although DeadLock remains small, its technique could be copied by more established cybercrime groups.

No Polygon vulnerabilities involved

The researchers emphasized that DeadLock does not exploit any vulnerability in Polygon itself.

Nor does it attack third-party smart contracts such as decentralized finance protocols, wallets, or bridges.

Instead, the attackers take advantage of the public and immutable nature of blockchain data to host their configuration information. The contract's deployment and update history are immutable; the stored value itself can still be changed by whoever controls the contract, which is precisely what makes the rotation possible.

Group-IB compared the technique to the earlier "EtherHiding" method, in which criminals use blockchain networks to distribute malicious configuration data.

According to the company's analysis, several smart contracts related to the campaign were deployed or updated between August and November 2025.

Researchers said that although activity is currently limited, the concept could be reused in various ways by other threat actors.

While Polygon users and developers face no direct risk from this particular campaign, Group-IB said the incident is yet another reminder that public blockchains can be misused to support off-chain criminal activity in ways that are difficult to detect or dismantle.