Quick Breakdown
- DeadLock ransomware uses Polygon smart contracts to store and rotate proxy addresses.
- On-chain infrastructure makes the malware extremely difficult to disrupt.
- Researchers warn that blockchain-based attack techniques are becoming more common.
Cybersecurity researchers have uncovered a new ransomware strain, dubbed DeadLock, that quietly abuses Polygon blockchain smart contracts to manage its command-and-control infrastructure, according to a new report from Group-IB.

The malware, first identified in July, has largely flown under the radar, with researchers noting its limited number of known victims and the absence of any links to major ransomware affiliate programs or data leak websites. Despite its low visibility, experts warn that the threat should not be underestimated.
Group-IB says DeadLock introduces an unusual and sophisticated tactic by using blockchain technology to rotate and distribute proxy server addresses, making the ransomware’s infrastructure far harder to dismantle.
How DeadLock Weaponizes the Blockchain
Instead of relying on traditional servers, DeadLock embeds code that interacts directly with a specific Polygon smart contract, which stores and dynamically updates proxy addresses used to communicate with infected systems.
Once a device is compromised and files are encrypted, victims receive a ransom demand threatening data exposure if payment is not made. Because the proxy information is stored on-chain, there is no single server for defenders to shut down, and the data remains permanently accessible across Polygon’s decentralized network.
Group-IB noted that this approach creates a highly resilient setup, adding that attackers could theoretically deploy endless variations of the technique using different contracts or blockchains.
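Because the contract itself cannot be taken down, the point a defender can still observe is the endpoint's read of it. The sketch below is an added example, not code from Group-IB or from the malware: it scans egress-proxy records for read-only JSON-RPC contract lookups sent to Polygon RPC hosts by unapproved processes and reports which contract address each host is polling. The log field names, process names, RPC host watchlist and contract address are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Assumption: sample watchlist of public Polygon JSON-RPC hosts; extend per environment.
POLYGON_RPC_HOSTS = {"polygon-rpc.com"}
# Assumption: hypothetical process names approved to query blockchain RPC endpoints.
APPROVED_PROCESSES = {"approved-wallet.exe"}
READ_METHODS = {"eth_call", "eth_getStorageAt"}  # read-only contract lookups
CONTRACT = "0x" + "ab" * 20  # constructed placeholder, not a real indicator
CALL = [{"to": CONTRACT, "data": "0x"}, "latest"]

def _rec(host, proc, dest, method, params):
    body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})
    return json.dumps({"src_host": host, "process": proc, "dest_host": dest, "body": body})

# Constructed egress-proxy records (JSON lines); the field names are hypothetical.
SAMPLE_LOG = "\n".join([
    _rec("ws-014", "unknown.exe", "polygon-rpc.com", "eth_call", CALL),
    _rec("ws-014", "unknown.exe", "polygon-rpc.com", "eth_call", CALL),
    _rec("ws-020", "approved-wallet.exe", "polygon-rpc.com", "eth_call", CALL),
    _rec("ws-031", "unknown.exe", "polygon-rpc.com", "eth_blockNumber", []),
    _rec("ws-014", "unknown.exe", "example.org", "eth_call", CALL),
])

def contract_reads(body):
    """Return contract addresses targeted by read-only JSON-RPC calls in a body."""
    try:
        msg = json.loads(body)
    except (TypeError, ValueError):
        return []
    found = []
    for call in (msg if isinstance(msg, list) else [msg]):  # batches are allowed
        if not isinstance(call, dict) or call.get("method") not in READ_METHODS:
            continue
        params = call.get("params")
        first = params[0] if isinstance(params, list) and params else None
        # eth_call passes a {to, data} object; eth_getStorageAt passes the address.
        addr = first.get("to") if isinstance(first, dict) else first
        if isinstance(addr, str) and addr.startswith("0x"):
            found.append(addr.lower())
    return found

def find_contract_polling(log_text):
    """Count contract reads per (source host, process, contract address)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec["dest_host"] in POLYGON_RPC_HOSTS and rec["process"] not in APPROVED_PROCESSES:
            for addr in contract_reads(rec.get("body")):
                hits[(rec["src_host"], rec["process"], addr)] += 1
    return dict(hits)
```

The contract address recovered this way is a more durable indicator than any single proxy address it returns, since the proxies rotate while the contract stays fixed.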
Blockchain-Based Malware Tactics Are on the Rise
The use of smart contracts for malicious activity is not entirely new. Group-IB pointed to “EtherHiding,” a technique disclosed by Google in October, which was linked to a North Korean hacking group tracked as UNC5342.
In that campaign, attackers embedded malicious JavaScript payloads directly into public blockchain transactions, effectively turning the blockchain into a durable, decentralized command-and-control server.
Researchers say DeadLock’s approach reinforces concerns that blockchains are increasingly being explored as stealthy infrastructure tools for cybercrime, particularly as defenders struggle to monitor and neutralize on-chain threats.

