DeadLock, a ransomware group that first emerged in July 2025, has been observed abusing Polygon blockchain smart contracts to manage and rotate proxy server addresses. This innovative technique makes it significantly more difficult for cybersecurity defenders to permanently block the group's infrastructure.
The ransomware operation utilizes blockchain-based smart contracts to store the group's proxy server URL. This allows for frequent rotation, complicating efforts by defenders to identify and disable their command-and-control servers.
Following the encryption of a victim's systems, DeadLock drops an HTML file. This file acts as a wrapper for the decentralized messaging platform, Session.
How DeadLock Ransomware Operates on Polygon
Embedded JavaScript code within the dropped HTML file queries a specific Polygon smart contract. The purpose of this query is to obtain the current proxy URL. This URL then facilitates the relay of encrypted messages between the victim and the attacker's Session ID.
These read-only blockchain calls do not generate any transactions or incur fees, making them a cost-free method for the attackers to maintain their operational infrastructure.
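Because a read-only call leaves nothing on chain and costs the attacker nothing, the defender's handle is the dropped HTML wrapper itself and the RPC gateway it talks to. The triage scanner below is an added example, not code from the report or from Group-IB or Cisco Talos: it scans an HTML file for the combination of a JSON-RPC `eth_call`, a public RPC gateway host and a contract address, and returns the indicators to block or watch. The sample HTML, the `scan_html` function and the gateway-host keyword list are constructed assumptions for illustration.

```python
import re

# Constructed sample of a dropped HTML wrapper (not the real DeadLock file):
# the embedded script issues a read-only JSON-RPC eth_call to a Polygon RPC
# endpoint and uses the decoded result as the proxy URL for the Session relay.
SAMPLE_HTML = """<html><body><script>
const RPC = "https://polygon-rpc.com";
const req = {jsonrpc: "2.0", id: 1, method: "eth_call",
  params: [{to: "0x1111111111111111111111111111111111111111", data: "0x12345678"}, "latest"]};
fetch(RPC, {method: "POST", body: JSON.stringify(req)})
  .then(r => r.json()).then(j => { frame.src = decode(j.result) + "/session/"; });
</script></body></html>"""

# Hosts of public RPC gateways for the chains named in the report (heuristic keyword list, an assumption).
RPC_HOST_RE = re.compile(
    r"https?://([a-z0-9.-]*(?:polygon|matic|ethereum|infura|alchemy|bsc|binance)[a-z0-9.-]*)", re.I)
# JSON-RPC "to" field of an eth_call: the contract address being queried.
CONTRACT_RE = re.compile(r"\bto\s*:\s*[\"'](0x[0-9a-fA-F]{40})[\"']")
READ_ONLY_CALL_RE = re.compile(r"[\"']eth_call[\"']")

def scan_html(html):
    """Triage one HTML file: flag the eth_call + RPC host + contract address
    combination and return the indicators worth blocking or watching."""
    has_read_only_call = bool(READ_ONLY_CALL_RE.search(html))
    rpc_hosts = sorted({m.group(1).lower() for m in RPC_HOST_RE.finditer(html)})
    contracts = sorted({m.group(1).lower() for m in CONTRACT_RE.finditer(html)})
    # Legitimate dApp pages also use eth_call, so require all three signals together
    # and treat a hit as a triage lead, not a verdict.
    suspicious = has_read_only_call and bool(rpc_hosts) and bool(contracts)
    return {"suspicious": suspicious, "rpc_hosts": rpc_hosts, "contracts": contracts}

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```

The contract addresses it extracts can be watched for state changes (each proxy rotation is a contract update, which is what Group-IB tracked), and the RPC hosts can be blocked or alerted on at the egress proxy where no business process needs them.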
Group-IB researchers noted that the exploitation of smart contracts for delivering proxy addresses is a novel method. They suggest that attackers can apply infinite variations of this technique, limited only by their imagination.
While this specific technique is not extensively documented and remains under-reported, security researchers observe its usage gradually gaining traction in the wild.
Investigations by Cisco Talos have revealed that DeadLock gains initial access by exploiting CVE-2024-51324, a vulnerability in Baidu Antivirus. The group employs a technique known as “bringing your own vulnerable driver” to terminate endpoint detection and response processes, thereby bypassing security measures.
DeadLock Employs New Extortion Tactics
DeadLock distinguishes itself from most ransomware operations by deviating from the typical double extortion approach. The group does not maintain a data leak site where it publicizes its attacks.
Instead, DeadLock threatens to sell stolen data on underground markets. Concurrently, they offer victims security reports and assurances of non-retaliation if the ransom is paid.
Group-IB's infrastructure tracking has not identified any connections between DeadLock and known ransomware affiliate programs. The group generally maintains a low profile. However, researchers discovered copies of smart contracts that were initially created and updated in August 2025, with subsequent updates occurring in November 2025.
Group-IB stated that they successfully tracked DeadLock's infrastructure through blockchain transactions, which provided insights into their funding patterns and active servers.
Nation-State Actors Adopt Similar Techniques
Google Threat Intelligence Group has observed North Korean threat actor UNC5342 using a related technique called EtherHiding. This technique has been employed since February 2025 to deliver malware and facilitate cryptocurrency theft.
According to Google, EtherHiding involves embedding malicious code, often in the form of JavaScript payloads, within a smart contract on a public blockchain such as BNB Smart Chain or Ethereum.
Polygon is a layer-2 blockchain that is built on Ethereum's layer-1 infrastructure.
While DeadLock currently operates at a low volume and impact, security researchers caution that its adoption of innovative methods demonstrates a skill set that could become significantly more dangerous if organizations do not take the threat seriously.
In addition to urging businesses to be proactive in detecting malware, Group-IB recommends implementing additional layers of security, such as multifactor authentication and robust credential management solutions.
The cybersecurity firm also advises businesses to maintain data backups, conduct regular employee training, promptly patch vulnerabilities, and crucially, "never pay the ransom." Instead, organizations should contact incident response experts as quickly as possible if they become victims of an attack.