- Group-IB released a report on January 15 stating that this technique could make it harder for defenders to disrupt the campaign.
- The malware reads on-chain data, so victims do not have to pay gas fees.
- Researchers said that while Polygon itself is not vulnerable, the technique could spread.
Ransomware groups typically rely on command-and-control servers to manage communications once they have compromised a system.
But security researchers say a less obvious variant is now using blockchain infrastructure in ways that are difficult to block.
Cybersecurity firm Group-IB said in a report released on January 15 that the ransomware campaign known as DeadLock is exploiting Polygon (POL) smart contracts to store and rotate proxy server addresses.
These proxy servers are used to relay communications between the attacker and the victim after the system is infected.
Because the information is stored on-chain and can be updated at any time, the researchers warned that this technique could make the group's backend more resilient and less susceptible to disruption.
Smart contract used to store proxy information
Group-IB said DeadLock does not rely on the usual setup of fixed command-and-control servers.
Instead, once a machine is compromised and encrypted, the ransomware queries a specific smart contract deployed on the Polygon network.
This contract stores the latest proxy address that DeadLock uses for communication. Proxies act as a middle layer, allowing the attackers to maintain connectivity without directly exposing their key infrastructure.
Smart contract data is publicly readable, allowing the malware to obtain the details without sending any blockchain transaction.
This also means that victims do not have to pay gas fees or interact with their wallets.
DeadLock only reads information and treats the blockchain as a persistent source of configuration data.
Infrastructure rotation without requiring malware updates
One reason this technique stands out is that it allows an attacker to quickly change communication routes.
Group-IB said the attackers behind DeadLock can update the proxy addresses stored within the contract at any time.
This allows infrastructure to be rotated without changing the ransomware itself or publishing new versions.
With traditional ransomware, defenders may be able to block traffic by identifying known command-and-control servers.
With an on-chain proxy list, however, flagged proxies can be replaced simply by updating the values stored in the contract.
Once contact is established through the updated proxy, the victim receives a ransom demand along with a threat to sell the stolen information if payment is not made.
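As an added illustration of the read-only lookup described in the two sections above, seen from the defender's side: this Python monitor (written for this page, not Group-IB's tooling) polls a contract getter through `eth_call` and records each rotation of the stored proxy value, so that every newly published proxy can be fed into a blocklist or IoC timeline. The contract address, the function selector, the assumption that the getter returns an ABI-encoded `string`, and the sample proxy values are all placeholders; the RPC transport is a constructed offline stand-in.

```python
from typing import Callable, Iterable

def abi_encode_string(s: str) -> str:
    """Hex that eth_call returns for one `string`: offset word, length word, padded bytes."""
    data = s.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()

def abi_decode_string(result_hex: str) -> str:
    """Inverse of abi_encode_string, with bounds checks on the declared offset and length."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("response too short for a dynamic string")
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    body = raw[offset + 32:offset + 32 + length]
    if len(body) != length:
        raise ValueError("declared length exceeds payload")
    return body.decode()

def eth_call_request(contract: str, selector: str) -> dict:
    # eth_call is a read-only JSON-RPC query: nothing is broadcast and no gas is
    # paid, which is why both the malware and a defender can read the value for free.
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, "latest"]}

class ProxyRotationMonitor:
    """Polls the contract getter and logs every change of the stored proxy value."""
    def __init__(self, contract: str, selector: str, rpc: Callable[[dict], str]):
        self.request = eth_call_request(contract, selector)
        self.rpc = rpc            # transport is injected so the example runs offline
        self.current = None
        self.history = []         # (poll number, previous value, new value)
        self.polls = 0
    def poll(self) -> bool:
        self.polls += 1
        value = abi_decode_string(self.rpc(self.request))
        if value == self.current:
            return False          # nothing rotated since the last poll
        self.history.append((self.polls, self.current, value))
        self.current = value
        return True               # new proxy published: add it to blocklists / timeline

def make_fake_rpc(values: Iterable[str]) -> Callable[[dict], str]:
    """Constructed stand-in for a Polygon RPC node; replays made-up on-chain values."""
    it = iter(values)
    return lambda _req: abi_encode_string(next(it))

def demo():
    # Placeholder contract address and selector; the report does not publish the real ones.
    rpc = make_fake_rpc(["proxy-a.invalid:443", "proxy-a.invalid:443", "proxy-b.invalid:443"])
    mon = ProxyRotationMonitor("0x" + "00" * 20, "0x00000000", rpc)
    return [mon.poll() for _ in range(3)], mon.history
```

Against a live node the lambda would be replaced by a function that POSTs the request dict to the RPC endpoint and returns the `result` field.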
Why takedowns are difficult
Group-IB warned that using blockchain data in this way makes disruption significantly harder.
There is no single central server that can be seized, removed, or shut down.
Even if a particular proxy address is blocked, an attacker can switch to a different one without redeploying the malware.
Smart contracts remain accessible through Polygon's distributed nodes around the world, allowing the configuration data to persist even when the attacker's infrastructure changes.
Researchers said this could give ransomware operators a more resilient command-and-control mechanism compared with traditional hosting setups.
Small-scale campaigns using creative techniques
DeadLock was first observed in July 2025 and has remained relatively unnoticed so far.
Group-IB said the number of confirmed victims of the operation was limited.
The report also notes that DeadLock is not linked to any known ransomware affiliate programs and does not appear to operate a public data leak site.
While this may explain why the group has received less attention than major ransomware brands, researchers say its technical approach is worth monitoring closely.
Group-IB warned that although DeadLock remains small, its technique could be imitated by more established cybercrime groups.
No Polygon vulnerabilities involved
The researchers emphasized that DeadLock does not exploit any vulnerabilities in Polygon itself.
It also does not attack third-party smart contracts such as decentralized finance protocols, wallets, and bridges.
Instead, the attackers exploit the public and immutable nature of blockchain data to hide configuration information.
Group-IB compared the technique to the earlier "EtherHiding" method, in which criminals use blockchain networks to distribute malicious configuration data.
According to the company's analysis, several smart contracts related to the campaign were deployed or updated between August and November 2025.
Researchers said that although activity is currently limited, the concept could be reused in various ways by other threat actors.
While Polygon users and developers face no direct risk from this particular campaign, Group-IB said the incident is yet another reminder that public blockchains can be misused to support off-chain criminal activity in ways that are difficult to detect or dismantle.