Security researchers have identified a low-profile ransomware group that is leveraging Polygon smart contracts to conceal and rotate its command-and-control infrastructure. This novel technique allows the attackers to evade detection and takedowns by utilizing the decentralized and publicly accessible nature of blockchain data.
DeadLock Ransomware's Innovative Infrastructure
The ransomware strain, known as DeadLock, was first observed in July 2025. Cybersecurity firm Group-IB reported that DeadLock is storing rotating proxy addresses within publicly readable smart contracts on the Polygon network. This method provides a decentralized way to manage the communication channels between the attackers and infected victim systems.
Despite its recent emergence and limited number of confirmed victims, Group-IB has warned that the techniques employed by DeadLock are highly inventive. The firm highlighted that the operation is not currently linked to any known ransomware affiliate programs or public data leak sites, indicating a potentially independent and evolving threat.
The potential for these techniques to be adopted by more established ransomware groups poses a significant risk, even though the current campaign has a relatively low profile.
How the Technique Works
Instead of relying on traditional, centralized command-and-control servers that are susceptible to being blocked or taken offline, DeadLock uses a different approach. After a system is infected and its files are encrypted, the ransomware queries a specific Polygon smart contract. This contract contains the current proxy address that facilitates communication between the attackers and the victim.
A key aspect of this technique is that it requires only read operations on the blockchain. Victims do not need to initiate transactions or incur gas fees. The data stored on-chain is publicly accessible, and the attackers can update the proxy address at any time. This enables rapid rotation of their infrastructure without the need to redeploy malware.
Once communication is established, victims receive ransom demands. These demands often include threats to sell stolen data if payment is not made. Group-IB emphasized that this method makes the ransomware's infrastructure exceptionally resilient.
The absence of a central server to target, combined with the distributed nature of blockchain data, makes dismantling the DeadLock infrastructure significantly more challenging. The contract data remains available across numerous nodes globally, offering a robust layer of obfuscation.
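For defenders, the read-only lookup described above is still visible as outbound traffic. The following added example (not from Group-IB or the original article) hunts constructed egress-proxy records for contract reads issued by unexpected processes; it assumes the lookup uses standard Ethereum JSON-RPC read methods (`eth_call`, `eth_getStorageAt`) over inspectable HTTP, and every hostname, process name and address in it is a placeholder.

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Assumption: the contract lookup uses standard Ethereum JSON-RPC read methods.
READ_METHODS = {"eth_call", "eth_getStorageAt"}
# Assumption: processes with a legitimate reason to query blockchain RPC here.
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}
CONTRACT = "0x" + "ab" * 20            # constructed placeholder, not a real indicator
RPC = "https://rpc.polygon.example/"   # constructed placeholder endpoint

def _body(method, params):
    return {"jsonrpc": "2.0", "id": 1, "method": method, "params": params}

CALL = json.dumps(_body("eth_call", [{"to": CONTRACT, "data": "0x"}, "latest"]))
BATCH = json.dumps([_body("eth_blockNumber", []),
                    _body("eth_getStorageAt", [CONTRACT, "0x0", "latest"])])
# Constructed egress-proxy records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-014", "process": "chrome.exe", "url": RPC, "body": CALL},
    {"host": "FS-002", "process": "svc_update.exe", "url": RPC, "body": CALL},
    {"host": "FS-002", "process": "svc_update.exe", "url": RPC, "body": CALL},
    {"host": "WS-020", "process": "backup.exe", "url": RPC, "body": "not json"},
    {"host": "DB-001", "process": "agent.exe", "url": RPC, "body": BATCH},
]

def rpc_read_targets(body):
    """Yield (method, contract) for each read call in a single or batch JSON-RPC body."""
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        return  # not JSON-RPC, nothing to report
    for call in parsed if isinstance(parsed, list) else [parsed]:
        if not isinstance(call, dict) or call.get("method") not in READ_METHODS:
            continue
        params = call.get("params")
        first = params[0] if isinstance(params, list) and params else None
        # eth_call names the contract in params[0]["to"]; eth_getStorageAt in params[0].
        contract = first.get("to") if isinstance(first, dict) else first
        yield call["method"], str(contract).lower()

def hunt(events):
    """Count contract reads per (host, process, rpc_host, contract) from unexpected processes."""
    hits = Counter()
    for ev in events:
        if ev["process"].lower() in ALLOWED_PROCESSES:
            continue
        for _method, contract in rpc_read_targets(ev["body"]):
            hits[(ev["host"], ev["process"], urlparse(ev["url"]).hostname, contract)] += 1
    return hits

if __name__ == "__main__":
    for key, count in hunt(SAMPLE_EVENTS).most_common():
        print(count, *key)
```

Keying the count on the contract address rather than the RPC hostname keeps the finding stable when the queried endpoint changes, and gives analysts a value to pivot on across hosts.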
No Exploitation of Polygon Vulnerabilities
The researchers have explicitly stated that DeadLock is not exploiting any vulnerabilities within the Polygon network itself or within third-party smart contracts, such as those used in decentralized finance protocols, wallets, or bridges. The ransomware is simply utilizing the inherent public and immutable characteristics of blockchain data to store its configuration information. This method is comparable to earlier techniques like "EtherHiding."
Group-IB's analysis indicated that several smart contracts associated with this campaign were deployed or updated between August and November 2025. While the scale of activity is currently limited, the firm cautioned that this concept could be adapted and reused by other threat actors in various forms.
While Polygon users and developers are not at direct risk from this specific campaign, this case serves as a notable example of how public blockchains can be misused to support criminal activities occurring off-chain. These activities can be difficult to detect and dismantle due to the decentralized and resilient nature of the underlying technology.

