Group-IB revealed its report on Jan. 15 and mentioned the tactic might make disruption tougher for defenders.
The malware reads on-chain knowledge, so victims don’t pay gasoline charges.
Researchers mentioned Polygon isn’t weak, however the tactic might unfold.
Ransomware teams normally depend on command-and-control servers to handle communications after breaking right into a system.
However safety researchers now say a low-profile pressure is utilizing blockchain infrastructure in a method that may very well be tougher to dam.
In a report revealed on Jan. 15, cybersecurity agency Group-IB mentioned a ransomware operation often known as DeadLock is abusing Polygon (POL) good contracts to retailer and rotate proxy server addresses.
These proxy servers are used to relay communication between attackers and victims after methods are contaminated.
As a result of the knowledge sits on-chain and might be up to date anytime, researchers warned that this method might make the group’s backend extra resilient and more durable to disrupt.
Good contracts used to retailer proxy data
Group-IB mentioned DeadLock doesn’t rely upon the same old setup of mounted command-and-control servers.
As a substitute, as soon as a machine is compromised and encrypted, the ransomware queries a particular good contract deployed on the Polygon community.
That contract shops the newest proxy deal with that DeadLock makes use of to speak. The proxy acts as a center layer, serving to attackers keep contact with out exposing their primary infrastructure immediately.
For the reason that good contract knowledge is publicly readable, the malware can retrieve the small print with out sending any blockchain transactions.
This additionally means victims don’t have to pay gasoline charges or work together with wallets.
DeadLock solely reads the knowledge, treating the blockchain as a persistent supply of configuration knowledge.
Rotating infrastructure with out malware updates
One motive this methodology stands out is how shortly attackers can change their communication routes.
Group-IB mentioned the actors behind DeadLock can replace the proxy deal with saved contained in the contract each time essential.
That offers them the flexibility to rotate infrastructure with out modifying the ransomware itself or pushing new variations into the wild.
In conventional ransomware instances, defenders can typically block site visitors by figuring out recognized command-and-control servers.
However with an on-chain proxy checklist, any proxy that will get flagged might be changed just by updating the contract’s saved worth.
As soon as contact is established via the up to date proxy, victims obtain ransom calls for together with threats that stolen data will probably be offered if cost isn’t made.
Why takedowns change into tougher
Group-IB warned that utilizing blockchain knowledge this manner makes disruption considerably tougher.
There isn’t any single central server that may be seized, eliminated, or shut down.
Even when a particular proxy deal with is blocked, the attackers can swap to a different one with out having to redeploy the malware.
For the reason that good contract stays accessible via Polygon’s distributed nodes worldwide, the configuration knowledge can live on even when the infrastructure on the attackers’ aspect modifications.
Researchers mentioned this provides ransomware operators a extra resilient command-and-control mechanism in contrast with typical internet hosting setups.
A small marketing campaign with an creative methodology
DeadLock was first noticed in July 2025 and has stayed comparatively low profile to date.
Group-IB mentioned the operation has solely a restricted variety of confirmed victims.
The report additionally famous that DeadLock isn’t linked to recognized ransomware affiliate programmes and doesn’t seem to function a public knowledge leak web site.
Whereas which will clarify why the group has acquired much less consideration than main ransomware manufacturers, researchers mentioned its technical method deserves shut monitoring.
Group-IB warned that even when DeadLock stays small, its approach may very well be copied by extra established cybercriminal teams.
No Polygon vulnerability concerned
The researchers harassed that DeadLock isn’t exploiting any vulnerability in Polygon itself.
Additionally it is not attacking third-party good contracts reminiscent of decentralised finance protocols, wallets, or bridges.
As a substitute, the attackers are abusing the general public and immutable nature of blockchain knowledge to cover configuration data.
Group-IB in contrast the approach to earlier “EtherHiding” approaches, the place criminals used blockchain networks to distribute malicious configuration knowledge.
A number of good contracts linked to the marketing campaign have been deployed or up to date between August and Nov. 2025, in line with the agency’s evaluation.
Researchers mentioned the exercise stays restricted for now, however the idea may very well be reused in many various types by different risk actors.
Whereas Polygon customers and builders are usually not going through direct threat from this particular marketing campaign, Group-IB mentioned the case is one other reminder that public blockchains might be misused to assist off-chain felony exercise in methods which can be tough to detect and dismantle.
