DeadLock Ransomware Abuses Polygon Blockchain to Stealthily Rotate Proxy Servers

  • Group-IB published its report on January 15 and warned the technique can make disruptions harder for defenders.
  • The malware reads on-chain data so victims do not need to pay gas fees.
  • Researchers say Polygon itself is not vulnerable, but the tactic could spread.

Ransomware groups typically rely on command-and-control servers to manage communications after gaining access to a target system.

Security researchers now report a low-profile strain is using blockchain infrastructure in a way that’s harder to block.

In a report published on January 15, cybersecurity firm Group-IB said an operation known as DeadLock abused Polygon (POL) smart contracts to store and rotate proxy server addresses.

Those proxy servers are used to relay communications between attackers and victims after systems are infected.

Because the information is stored on-chain and can be updated at any time, researchers warn this approach can make the group’s backend more resilient and more difficult to disrupt.

Smart contracts used to store proxy details

Group-IB says DeadLock does not depend on a traditional fixed command-and-control server setup.

Instead, after a machine is compromised and encrypted, the ransomware queries a specific smart contract deployed on the Polygon network.

The contract contains the current proxy addresses DeadLock uses for communications. Proxies act as an intermediary layer, allowing attackers to maintain contact without exposing their core infrastructure directly.

Because smart contract data is publicly readable, the malware can retrieve these details without submitting any blockchain transactions.

That also means victims are not required to pay gas fees or interact with wallets.

DeadLock only reads configuration data, treating the blockchain as a persistent configuration source.

Infrastructure rotation without malware updates

One reason this method stands out is how quickly attackers can change their communication routing.

Group-IB reports the actors behind DeadLock can update the proxy addresses stored in the contract whenever needed.

That capability lets them rotate infrastructure without modifying the ransomware itself or pushing a new version into the wild.

In conventional ransomware campaigns, defenders can sometimes block traffic by identifying known command-and-control servers.

But with an on-chain proxy list, any blacklisted proxy can be replaced simply by updating the contract’s stored value.

Once contact is established via the updated proxy, victims receive a ransom demand accompanied by a threat to sell stolen data if payment is not made.
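Because the malware only reads contract state, the observable on the victim side is a read-only JSON-RPC `eth_call` request to some Polygon node, repeated whenever the proxy list is polled. The following added example (not code from Group-IB's report or from the DeadLock sample) shows the defender's counterpart to the rotation described above: rather than block-listing proxies that the operators can replace at will, it looks for hosts that repeatedly query the same contract address. It assumes a constructed log format of `<src_ip> <dst_host> <json_rpc_body>`, and the host name, contract addresses and calldata in the sample are placeholders.

```python
import json
from collections import Counter

# Constructed sample log (not from the report): "<src_ip> <dst_host> <json_rpc_request_body>".
# The RPC host name, contract addresses and calldata are placeholders, not real indicators.
SAMPLE_LOG = """\
10.0.4.17 rpc.polygon-node.example {"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x00000000000000000000000000000000deadbeef","data":"0xaabbccdd"},"latest"]}
10.0.4.17 rpc.polygon-node.example {"jsonrpc":"2.0","id":2,"method":"eth_call","params":[{"to":"0x00000000000000000000000000000000deadbeef","data":"0xaabbccdd"},"latest"]}
10.0.9.3 rpc.polygon-node.example {"jsonrpc":"2.0","id":7,"method":"eth_blockNumber","params":[]}
10.0.4.17 rpc.polygon-node.example [{"jsonrpc":"2.0","id":3,"method":"eth_call","params":[{"to":"0x00000000000000000000000000000000DEADBEEF","data":"0xaabbccdd"},"latest"]}]
10.0.2.8 rpc.polygon-node.example {"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x00000000000000000000000000000000cafe0001","data":"0x11223344"},"latest"]}
"""

def contract_reads(body: str):
    """Yield the lowercased 'to' address of every eth_call in a JSON-RPC body (single or batch)."""
    try:
        payload = json.loads(body)
    except ValueError:
        return  # not JSON-RPC, nothing to inspect
    requests = payload if isinstance(payload, list) else [payload]
    for req in requests:
        if not isinstance(req, dict) or req.get("method") != "eth_call":
            continue
        params = req.get("params") or []
        if params and isinstance(params[0], dict) and isinstance(params[0].get("to"), str):
            yield params[0]["to"].lower()  # normalise checksum/uppercase forms

def find_config_pollers(log_text: str, min_calls: int = 2, allowlist=frozenset()) -> Counter:
    """Count repeated read-only eth_call reads of the same contract per source host.
    Hosts in `allowlist` (known wallet or dapp users) are skipped to reduce noise."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3 or parts[0] in allowlist:
            continue
        src, _host, body = parts
        for contract in contract_reads(body):
            counts[(src, contract)] += 1
    return Counter({key: n for key, n in counts.items() if n >= min_calls})

if __name__ == "__main__":
    for (src, contract), n in find_config_pollers(SAMPLE_LOG).items():
        print(f"{src} read contract {contract} {n} times via eth_call")
```

The same logic applies to any EVM-compatible chain, since `eth_call` is the generic read-only method; tune `min_calls` and the allowlist to the environment's normal blockchain usage.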

Why takedown becomes harder

Group-IB warns that using blockchain data this way significantly complicates disruption efforts.

There is no single central server to seize, remove, or shut down.

Even if a specific proxy address is blocked, attackers can switch to another proxy without redeploying the malware.

Because smart contracts remain accessible through distributed Polygon nodes worldwide, the configuration data can persist even if the attacker-side infrastructure changes.

Researchers say this gives ransomware operators a more resilient command-and-control mechanism compared with conventional hosting arrangements.

A small campaign with inventive tactics

DeadLock was first observed in July 2025 and has so far remained relatively small-scale.

Group-IB says the operation has a limited number of confirmed victims.

The report also notes DeadLock does not appear to be part of a known ransomware affiliate program and does not operate a public data-leak site.

That may explain why the group has attracted less attention than major ransomware brands, but researchers say the technical approach merits close monitoring.

Group-IB warns that even though DeadLock remains small, its technique could be copied by more established cybercriminal groups.

No Polygon vulnerability exploited

Researchers stress DeadLock did not exploit any vulnerability in Polygon itself.

Nor did it target third-party smart contracts such as DeFi protocols, wallets, or bridges.

Instead, attackers abused the public, immutable nature of blockchain data to hide configuration details.

Group-IB compares the technique to a previous “EtherHiding” approach, where criminals used blockchain networks to distribute malicious configuration data.

Several smart contracts linked to the campaign were deployed or updated between August and November 2025, according to the firm’s analysis.

Researchers say activity remains limited for now, but the concept is reusable and could be adopted in different forms by other threat actors.

While Polygon users and developers face no direct vulnerability from this specific campaign, Group-IB says the case is another reminder that public blockchains can be misused to support off-chain criminal activity in ways that are difficult to detect and dismantle.