Group-IB published its report on Jan. 15 and said the tactic could make disruption harder for defenders.
The malware reads on-chain data, so victims don't pay gas fees.
Researchers said Polygon is not vulnerable, but the tactic could spread.
Ransomware groups usually rely on command-and-control servers to manage communications after breaking into a system.
But security researchers now say a low-profile strain is using blockchain infrastructure in a way that could be harder to block.
In a report published on Jan. 15, cybersecurity firm Group-IB said a ransomware operation known as DeadLock is abusing Polygon (POL) smart contracts to store and rotate proxy server addresses.
These proxy servers are used to relay communication between attackers and victims after systems are infected.
Because the information sits on-chain and can be updated at any time, researchers warned that this approach could make the group's backend more resilient and harder to disrupt.
Smart contracts used to store proxy information
Group-IB said DeadLock does not rely on the usual setup of fixed command-and-control servers.
Instead, once a machine is compromised and encrypted, the ransomware queries a specific smart contract deployed on the Polygon network.
That contract stores the latest proxy address that DeadLock uses to communicate. The proxy acts as a middle layer, helping attackers maintain contact without exposing their main infrastructure directly.
Because the smart contract data is publicly readable, the malware can retrieve the details without sending any blockchain transactions.
This also means victims don't have to pay gas fees or interact with wallets.
DeadLock only reads the information, treating the blockchain as a persistent source of configuration data.
Rotating infrastructure without malware updates
One reason this method stands out is how quickly attackers can change their communication routes.
Group-IB said the actors behind DeadLock can update the proxy address stored inside the contract whenever necessary.
That gives them the ability to rotate infrastructure without modifying the ransomware itself or pushing new versions into the wild.
In traditional ransomware cases, defenders can sometimes block traffic by identifying known command-and-control servers.
But with an on-chain proxy list, any proxy that gets flagged can be replaced simply by updating the contract's stored value.
Once contact is established through the updated proxy, victims receive ransom demands along with threats that stolen information will be sold if payment is not made.
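The two mechanics the previous sections describe, a read-only contract query that costs no gas and a stored value that operators can change at will, are easiest to see in code. The example below is added here and is not code from Group-IB's report or from the DeadLock malware; it takes the defender's side of the same mechanism. It builds the JSON-RPC `eth_call` request an analyst would send to a public node to read a contract's string getter, decodes the ABI-encoded string the node returns, and keeps a history of every change to that value so a proxy blocklist can be refreshed each time the operators rotate. The contract address, the function selector and all RPC responses are constructed placeholders (assumptions for illustration), not values from the campaign.

```python
"""Added example, not code from Group-IB's report or from DeadLock.

From a defender's side it shows: a read-only eth_call (no transaction,
no gas) that returns a string stored by a contract, and a monitor that
records each time the stored value changes so proxy blocklists can be
refreshed. Every address, selector and RPC response here is a constructed
placeholder; nothing is taken from the actual campaign."""
import json
from typing import List, Optional, Tuple

# Placeholder identifiers (assumptions, not values from the report).
CONTRACT_ADDRESS = "0x" + "11" * 20      # hypothetical contract address
GETTER_SELECTOR = "0xdeadbeef"           # hypothetical 4-byte selector of a view getter


def build_eth_call(contract: str, selector: str, block: str = "latest") -> dict:
    """Build a JSON-RPC eth_call request for a no-argument view function.

    eth_call runs the function on a node without creating a transaction,
    which is why reading such a value costs the caller nothing on-chain."""
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, block],
    }


def abi_decode_string(return_data: str) -> str:
    """Decode the ABI encoding of a single `string` return value.

    Layout: a 32-byte offset to the string head, then a 32-byte length,
    then the UTF-8 bytes padded to a 32-byte boundary."""
    hex_body = return_data[2:] if return_data.startswith("0x") else return_data
    raw = bytes.fromhex(hex_body)
    if len(raw) < 64:
        # A bare "0x" is what a node returns when the address has no code or
        # the call reverted; treat it as a failed read, not an empty string.
        raise ValueError("return data too short for an ABI string")
    offset = int.from_bytes(raw[0:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("string offset points outside return data")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("string length exceeds return data")
    return raw[start:start + length].decode("utf-8")


def abi_encode_string(value: str) -> str:
    """Inverse of abi_decode_string; used here only to fabricate sample responses."""
    data = value.encode("utf-8")
    padding = b"\x00" * ((32 - len(data) % 32) % 32)
    head = (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex()
    return "0x" + head + (data + padding).hex()


class ProxyRotationMonitor:
    """Keeps the sequence of distinct values observed in the contract over time."""

    def __init__(self) -> None:
        self.history: List[Tuple[int, str]] = []   # (block_number, value)

    def observe(self, block_number: int, rpc_response: dict) -> bool:
        """Record one poll; return True when the stored value changed."""
        if "error" in rpc_response:
            raise RuntimeError(f"node returned error: {rpc_response['error']}")
        value = abi_decode_string(rpc_response["result"])
        if self.history and self.history[-1][1] == value:
            return False
        self.history.append((block_number, value))
        return True

    def current(self) -> Optional[str]:
        return self.history[-1][1] if self.history else None


# Constructed poll results: three reads of the same contract at increasing
# block heights, with the stored value rotated between the second and third.
SAMPLE_POLLS = [
    (1000, {"jsonrpc": "2.0", "id": 1, "result": abi_encode_string("proxy-a.invalid:443")}),
    (1050, {"jsonrpc": "2.0", "id": 1, "result": abi_encode_string("proxy-a.invalid:443")}),
    (1100, {"jsonrpc": "2.0", "id": 1, "result": abi_encode_string("proxy-b.invalid:8443")}),
]


def run_demo() -> List[Tuple[int, str]]:
    """Feed the constructed polls through the monitor and return its history."""
    monitor = ProxyRotationMonitor()
    for block_number, response in SAMPLE_POLLS:
        if monitor.observe(block_number, response):
            print(f"block {block_number}: stored value is now {monitor.current()!r}")
    return monitor.history


if __name__ == "__main__":
    print(json.dumps(build_eth_call(CONTRACT_ADDRESS, GETTER_SELECTOR)))
    run_demo()
```

Against a live node, `json.dumps(build_eth_call(...))` is the request body to POST to the RPC endpoint, and the `result` field of the reply is what `observe` consumes; passing a block number instead of `"latest"` lets an analyst replay the rotation history, which is the evidence that survives even after any single proxy is taken down.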
Why takedowns become harder
Group-IB warned that using blockchain data this way makes disruption significantly harder.
There is no single central server that can be seized, removed, or shut down.
Even if a specific proxy address is blocked, the attackers can switch to another one without having to redeploy the malware.
Because the smart contract remains accessible through Polygon's distributed nodes worldwide, the configuration data can persist even when the infrastructure on the attackers' side changes.
Researchers said this gives ransomware operators a more resilient command-and-control mechanism compared with conventional hosting setups.
A small campaign with an inventive method
DeadLock was first observed in July 2025 and has stayed relatively low profile so far.
Group-IB said the operation has only a limited number of confirmed victims.
The report also noted that DeadLock is not linked to known ransomware affiliate programmes and does not appear to operate a public data leak site.
While that may explain why the group has received less attention than major ransomware brands, researchers said its technical approach deserves close monitoring.
Group-IB warned that even if DeadLock stays small, its technique could be copied by more established cybercriminal groups.
No Polygon vulnerability involved
The researchers stressed that DeadLock is not exploiting any vulnerability in Polygon itself.
It is also not attacking third-party smart contracts such as decentralised finance protocols, wallets, or bridges.
Instead, the attackers are abusing the public and immutable nature of blockchain data to hide configuration information.
Group-IB compared the technique to earlier "EtherHiding" approaches, where criminals used blockchain networks to distribute malicious configuration data.
Several smart contracts associated with the campaign were deployed or updated between August and Nov. 2025, according to the firm's analysis.
Researchers said the activity remains limited for now, but the concept could be reused in many different forms by other threat actors.
While Polygon users and developers are not facing direct risk from this specific campaign, Group-IB said the case is another reminder that public blockchains can be misused to support off-chain criminal activity in ways that are difficult to detect and dismantle.