- Group-IB revealed its report on Jan. 15 and stated the tactic may make disruption more durable for defenders.
- The malware reads on-chain knowledge, so victims don’t pay fuel charges.
- Researchers stated Polygon will not be weak, however the tactic may unfold.
Ransomware teams often depend on command-and-control servers to handle communications after breaking right into a system.
But safety researchers now say a low-profile pressure is utilizing blockchain infrastructure in a means that may very well be more durable to block.
In a report published on Jan. 15, cybersecurity agency Group-IB stated a ransomware operation often called DeadLock is abusing Polygon (POL) sensible contracts to retailer and rotate proxy server addresses.
These proxy servers are used to relay communication between attackers and victims after methods are contaminated.
Because the knowledge sits on-chain and could be up to date anytime, researchers warned that this strategy may make the group’s backend extra resilient and more durable to disrupt.
Smart contracts used to retailer proxy data
Group-IB stated DeadLock doesn’t depend upon the standard setup of fastened command-and-control servers.
Instead, as soon as a machine is compromised and encrypted, the ransomware queries a particular sensible contract deployed on the Polygon community.
That contract shops the most recent proxy deal with that DeadLock makes use of to talk. The proxy acts as a center layer, serving to attackers preserve contact with out exposing their principal infrastructure straight.
Since the sensible contract knowledge is publicly readable, the malware can retrieve the small print with out sending any blockchain transactions.
This additionally means victims don’t want to pay fuel charges or work together with wallets.
DeadLock solely reads the knowledge, treating the blockchain as a persistent supply of configuration knowledge.
Rotating infrastructure with out malware updates
One motive this methodology stands out is how shortly attackers can change their communication routes.
Group-IB stated the actors behind DeadLock can replace the proxy deal with saved contained in the contract each time mandatory.
That provides them the power to rotate infrastructure with out modifying the ransomware itself or pushing new variations into the wild.
In conventional ransomware instances, defenders can generally block site visitors by figuring out identified command-and-control servers.
But with an on-chain proxy listing, any proxy that will get flagged could be changed just by updating the contract’s saved worth.
Once contact is established by way of the up to date proxy, victims obtain ransom calls for together with threats that stolen data can be offered if fee will not be made.
Why takedowns change into harder
Group-IB warned that utilizing blockchain knowledge this fashion makes disruption considerably more durable.
There is not any single central server that may be seized, eliminated, or shut down.
Even if a particular proxy deal with is blocked, the attackers can swap to one other one with out having to redeploy the malware.
Since the sensible contract stays accessible by way of Polygon’s distributed nodes worldwide, the configuration knowledge can proceed to exist even when the infrastructure on the attackers’ aspect modifications.
Researchers stated this provides ransomware operators a extra resilient command-and-control mechanism in contrast with typical internet hosting setups.
A small marketing campaign with an creative methodology
DeadLock was first noticed in July 2025 and has stayed comparatively low profile thus far.
Group-IB stated the operation has solely a restricted variety of confirmed victims.
The report additionally famous that DeadLock will not be linked to identified ransomware affiliate programmes and doesn’t seem to function a public knowledge leak website.
While which will clarify why the group has acquired much less consideration than main ransomware manufacturers, researchers stated its technical strategy deserves shut monitoring.
Group-IB warned that even when DeadLock stays small, its approach may very well be copied by extra established cybercriminal teams.
No Polygon vulnerability concerned
The researchers harassed that DeadLock will not be exploiting any vulnerability in Polygon itself.
It can also be not attacking third-party sensible contracts akin to decentralised finance protocols, wallets, or bridges.
Instead, the attackers are abusing the general public and immutable nature of blockchain knowledge to cover configuration data.
Group-IB in contrast the approach to earlier “EtherHiding” approaches, the place criminals used blockchain networks to distribute malicious configuration knowledge.
Several sensible contracts related to the marketing campaign have been deployed or up to date between August and Nov. 2025, in accordance to the agency’s evaluation.
Researchers stated the exercise stays restricted for now, however the idea may very well be reused in many various types by different risk actors.
While Polygon customers and builders aren’t dealing with direct threat from this particular marketing campaign, Group-IB stated the case is one other reminder that public blockchains could be misused to help off-chain legal exercise in methods which might be troublesome to detect and dismantle.
