Cyberwire Daily
DeadLock Ransomware Uses Polygon Smart Contracts For Proxy Rotation

By Team-CWD, January 14, 2026


A ransomware operation known as DeadLock has been observed abusing Polygon blockchain smart contracts to manage and rotate proxy server addresses.

DeadLock first appeared in July 2025 and has maintained a relatively low profile since then. It is not linked to known ransomware affiliate programs and does not operate a public data leak site.

Despite the limited number of reported victims, Group-IB researchers said its technical approach deserves attention for its novelty and potential reuse by other threat actors.

New DeadLock Infrastructure

The latest DeadLock samples observed by the cybersecurity firm include an HTML file used to communicate with victims through the Session encrypted messaging platform.

Instead of relying on hard-coded servers, the malware retrieves proxy addresses stored inside a Polygon smart contract. 

Group-IB noted that retrieving data from the blockchain relies on read-only calls that do not generate transactions or incur network fees, a design choice that complicates traditional blocking approaches.

The JavaScript code found within the calls queries a specific Polygon smart contract to obtain the current proxy URL. That proxy then relays encrypted messages between the victim and the attacker’s Session ID.

Key aspects of the approach include:

  • Decentralized storage of proxy addresses on the Polygon blockchain
  • Fallback mechanisms using multiple RPC endpoints
  • Use of smart contract functions to update infrastructure on demand
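The behaviour listed above (read-only contract lookups that fall back across several RPC endpoints) leaves a pattern defenders can hunt for in web proxy logs. The sketch below is an added example, not code from Group-IB or from this article; the log format (a TLS-inspecting proxy that records JSON-RPC POST bodies), the host names, the contract address and the thresholds are all assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# JSON-RPC methods that submit a transaction; a read-only lookup never uses them.
WRITE_METHODS = {"eth_sendRawTransaction", "eth_sendTransaction"}

def find_readonly_rpc_fanout(log_text, window=30, min_endpoints=2):
    """Flag hosts that sent eth_call to several RPC hosts within `window` seconds
    and never submitted a transaction (thresholds are assumed starting points)."""
    calls, writers = defaultdict(list), set()
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record
        body = rec.get("body") if isinstance(rec, dict) else None
        if not isinstance(body, dict):
            continue  # no inspected JSON-RPC body on this request
        method, params = body.get("method"), body.get("params")
        if method in WRITE_METHODS:
            writers.add(rec["src"])
        elif method == "eth_call":
            ok = isinstance(params, list) and params and isinstance(params[0], dict)
            target = str(params[0].get("to", "")).lower() if ok else ""
            calls[rec["src"]].append((rec["ts"], rec["dest"], target))
    findings = {}
    for src, events in calls.items():
        if src in writers:
            continue  # heuristic: wallets and dApps also send transactions
        events.sort()
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            endpoints = sorted({e[1] for e in burst})
            if len(endpoints) >= min_endpoints:
                findings[src] = {"endpoints": endpoints,
                                 "contracts": sorted({e[2] for e in burst if e[2]})}
                break
    return findings

# Constructed sample log (JSON lines); hosts, times and the contract address
# are placeholders, not indicators from the report.
CONTRACT = "0x" + "00" * 19 + "aa"
ROWS = [(100, "ws-17", "rpc-a.example", "eth_call"), (101, "ws-17", "rpc-b.example", "eth_call"),
        (103, "ws-17", "rpc-c.example", "eth_call"), (200, "ws-22", "rpc-a.example", "eth_call"),
        (205, "ws-22", "rpc-a.example", "eth_sendRawTransaction"),
        (210, "ws-22", "rpc-b.example", "eth_call"), (300, "ws-30", "rpc-a.example", "eth_call")]
SAMPLE_LOG = "\n".join(json.dumps({"ts": t, "src": s, "dest": d, "body": {
    "jsonrpc": "2.0", "id": 1, "method": m,
    "params": [{"to": CONTRACT, "data": "0x12345678"}, "latest"] if m == "eth_call" else ["0x00"]}})
    for t, s, d, m in ROWS) + '\n{"ts": 400, "src": "ws-30", "dest": "www.example", "body": null}'
```

The contract addresses returned for a flagged host give an analyst a starting point for reviewing on-chain history, such as which wallet deployed the contract and how often its stored value was updated.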


The research also links multiple smart contracts to a single creator wallet, which was funded shortly before deployment. Transaction history shows the same method being used to set new proxy servers over time, suggesting active management of the infrastructure.

Broader Implications For Defenders

Group-IB said DeadLock also uses AnyDesk as a remote management tool and deploys PowerShell scripts to stop services and delete shadow copies, increasing the impact of encryption.

Victims’ files are renamed with a .dlock extension, and later ransom notes threaten to sell stolen data if payment is not made.

The researchers explained that similar blockchain-based techniques have recently been reported in other campaigns, including cases where smart contracts were used to store malicious payloads or command locations.

While DeadLock remains low volume, its use of Polygon smart contracts demonstrates how decentralized platforms can be repurposed for resilient command-and-control (C2).

The findings suggest that abuse of public blockchains for malware operations is likely to grow, challenging defenders to adapt detection strategies without disrupting legitimate use of decentralized technologies.


