- On January 15, cybersecurity firm Group-IB published a report saying this method could make disruption harder for defenders.
- The malware reads data on-chain, so victims do not need to pay gas fees.
- Researchers said Polygon is not vulnerable, but the tactic could spread.
Ransomware groups typically rely on command-and-control servers to manage communications after breaching a network.
However, security researchers now say a discreet variant is abusing blockchain infrastructure in a way that may be harder to block.
In a report published on January 15, cybersecurity firm Group-IB detailed an operation known as DeadLock that leverages Polygon smart contracts to store and rotate proxy server addresses.
Those proxy servers relay communications between attackers and victims after systems are compromised.
Because the information is stored on-chain and can be updated at any time, researchers warned this approach could make the group’s backend more resilient and more difficult to disrupt.
Smart contracts used to store proxy information
Group-IB reported that DeadLock does not rely on the usual fixed command-and-control server setup.
Instead, once a machine is compromised and encrypted, the ransomware queries a specific smart contract deployed on the Polygon network.
The contract holds the most recent proxy address DeadLock uses to communicate. The proxy acts as an intermediary layer, allowing attackers to maintain contact without exposing their primary infrastructure directly.
Because smart contract data is publicly readable, the malware can retrieve details without submitting any blockchain transactions.
That also means victims do not need to pay gas fees or interact with wallets.
DeadLock only reads the on-chain data, treating the blockchain as a persistent configuration source.
Rotating infrastructure without malware updates
One reason this method stands out is the speed at which attackers can change their communication routes.
Group-IB said the operators behind DeadLock can update the proxy address stored in the contract whenever necessary.
This allows them to rotate infrastructure without modifying the ransomware itself or deploying new versions in the wild.
In traditional ransomware cases, defenders can sometimes disrupt operations by identifying and blocking known command-and-control servers.
But with an on-chain list of proxies, any reported proxy can be replaced simply by updating the value stored in the contract.
Once a connection is established through the new proxy, victims receive ransom demands and threats that stolen data will be sold if payment is not made.
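As an added example (not code from the Group-IB report or from the DeadLock malware itself), the following Python shows the read-only mechanism described above from the defender's side: the same `eth_call` JSON-RPC request that lets the ransomware fetch the stored value without a transaction, wallet or gas also lets an analyst poll the contract and record every rotation. The contract address, the function selector, and the assumption that the stored value is an ABI-encoded `string` (with an `address` decoder included for the other common layout) are placeholders and assumptions, not details from the report; the sequence of reads is constructed.

```python
"""Added example: defender-side monitor for a contract-stored proxy address.

Assumptions (not from the Group-IB report): the contract exposes a view
function returning the proxy as an ABI-encoded `string` or `address`; the
contract address and 4-byte selector below are placeholders.
"""
from typing import List, Optional, Tuple

PLACEHOLDER_CONTRACT = "0x" + "00" * 20   # placeholder, not the campaign's contract
PLACEHOLDER_SELECTOR = "0x00000000"       # placeholder function selector


def build_eth_call(contract: str, selector: str) -> dict:
    """Build a read-only JSON-RPC request.

    eth_call executes against node state without creating a transaction, so the
    caller needs no wallet, no signature and no gas. That is the property that
    lets the malware (and a defender) read the contract for free."""
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def _strip0x(h: str) -> bytes:
    return bytes.fromhex(h[2:] if h.startswith("0x") else h)


def decode_string(result_hex: str) -> str:
    """Decode an ABI-encoded `string` return: offset word, length word, bytes."""
    raw = _strip0x(result_hex)
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8")


def decode_address(result_hex: str) -> str:
    """Decode an ABI-encoded `address` return: 20 bytes right-aligned in one word."""
    raw = _strip0x(result_hex)
    return "0x" + raw[12:32].hex()


def abi_encode_string(s: str) -> str:
    """Encoder used only to construct sample node responses for this example."""
    data = s.encode()
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return ("0x" + (32).to_bytes(32, "big").hex()
            + len(data).to_bytes(32, "big").hex() + padded.hex())


def track_rotations(observations: List[Tuple[int, str]]) -> List[Tuple[int, str, str]]:
    """Return (block, old_value, new_value) for every change between successive reads."""
    events = []
    last: Optional[str] = None
    for block, value in observations:
        if last is not None and value != last:
            events.append((block, last, value))
        last = value
    return events


# Constructed sequence of (block number, raw eth_call result); the proxy values use
# RFC 5737 documentation addresses and are not indicators from the report.
SAMPLE_READS = [
    (1000, abi_encode_string("198.51.100.10:443")),
    (1001, abi_encode_string("198.51.100.10:443")),
    (1002, abi_encode_string("203.0.113.7:443")),
    (1003, abi_encode_string("203.0.113.7:443")),
    (1004, abi_encode_string("198.51.100.22:8443")),
]


def rotation_report(reads=SAMPLE_READS):
    """Decode each read and list the rotations an analyst would turn into indicators."""
    return track_rotations([(block, decode_string(raw)) for block, raw in reads])


if __name__ == "__main__":
    for block, old, new in rotation_report():
        print(f"block {block}: proxy rotated {old} -> {new}")
```

Because the read needs only an `eth_call` against any node that serves the chain, blocking one RPC provider does not remove the attackers' ability to publish a new proxy; a monitor like this instead turns each rotation into a fresh indicator to feed into blocklists and hunting queries.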
Why disruption becomes harder
Group-IB warned that relying on blockchain data makes disruption notably more difficult.
There is no single central server that can be seized, taken down, or cut off.
Even if a specific proxy address is blocked, the attackers can change it without redeploying the malware.
Since the smart contract remains accessible via Polygon’s distributed nodes worldwide, configuration data can persist even as the attackers’ infrastructure changes.
Researchers said this gives ransomware operators a command-and-control mechanism that can be more resilient than conventional hosting setups.
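Since there is no central server to seize, detection has to look at the behaviour instead: an endpoint that suddenly issues read-only blockchain JSON-RPC calls is a stronger and more durable signal than any single proxy address. The following is an added detection example (not from the report) that scans constructed egress-proxy records for `eth_call` or `eth_getStorageAt` requests from hosts that are not expected to talk to a chain. The host names, RPC endpoint names, and contract address are constructed placeholders, and the allowlist is an assumption a deploying team would replace with its own inventory.

```python
"""Added example: flag read-only blockchain RPC traffic from hosts that have no
business talking to a chain. All records, host names and endpoints below are
constructed placeholders, not indicators from the Group-IB report."""
import json
from collections import Counter

# Placeholders: replace with the public RPC endpoints actually seen in egress data.
KNOWN_RPC_HOSTS = {"rpc.placeholder-polygon.invalid", "rpc.placeholder-eth.invalid"}
# Assumption: hosts expected to query a chain (e.g. a finance team's node).
ALLOWED_CHAIN_CLIENTS = {"fin-node-01"}
# JSON-RPC methods that only read state; they need no wallet, signature or gas.
READ_ONLY_METHODS = {"eth_call", "eth_getStorageAt"}
ZERO_ADDR = "0x" + "00" * 20  # placeholder contract address


def _rpc(method, to=ZERO_ADDR):
    """Construct a sample JSON-RPC body with the parameter shape each method uses."""
    params = ([{"to": to, "data": "0x00000000"}, "latest"] if method == "eth_call"
              else [to, "0x0", "latest"])
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})


# Constructed egress-proxy records, serialised one JSON object per line.
SAMPLE_RECORDS = [
    {"ts": "2025-11-02T10:14:03Z", "src": "ws-0142", "dst": "rpc.placeholder-polygon.invalid",
     "method": "POST", "body": _rpc("eth_call")},
    {"ts": "2025-11-02T10:14:05Z", "src": "fin-node-01", "dst": "rpc.placeholder-polygon.invalid",
     "method": "POST", "body": _rpc("eth_call")},
    {"ts": "2025-11-02T10:15:11Z", "src": "ws-0142", "dst": "updates.placeholder-vendor.invalid",
     "method": "GET", "body": ""},
    {"ts": "2025-11-02T10:16:40Z", "src": "srv-db-03", "dst": "203.0.113.50",
     "method": "POST", "body": _rpc("eth_getStorageAt")},
    {"ts": "2025-11-02T10:17:02Z", "src": "ws-0190", "dst": "api.placeholder-saas.invalid",
     "method": "POST", "body": "{not json"},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def parse_rpc(body):
    """Return (method, contract) if body is a read-only JSON-RPC call, else None."""
    try:
        req = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return None
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0":
        return None
    method = req.get("method")
    if method not in READ_ONLY_METHODS:
        return None
    first = (req.get("params") or [None])[0]
    contract = first.get("to") if isinstance(first, dict) else first
    return method, contract


def detect_chain_reads(log_text):
    """Alert on read-only chain RPC from non-allowlisted hosts.

    Two signals are combined: a known public RPC endpoint as destination, or a
    read-only JSON-RPC body to any destination, since the contract can be read
    through any node that serves the chain, not just well-known providers."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["src"] in ALLOWED_CHAIN_CLIENTS:
            continue
        rpc = parse_rpc(rec.get("body", ""))
        if rpc is None and rec["dst"] not in KNOWN_RPC_HOSTS:
            continue
        alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                       "rpc_method": rpc[0] if rpc else None,
                       "contract": rpc[1] if rpc else None})
    return alerts


def summarize(alerts):
    """Count alerts per source host for triage."""
    return dict(Counter(a["src"] for a in alerts))


if __name__ == "__main__":
    for a in detect_chain_reads(SAMPLE_LOG):
        print(f"{a['ts']} {a['src']} -> {a['dst']} {a['rpc_method']} contract={a['contract']}")
```

The contract address extracted from each alert is what an analyst would then poll for rotations, so the two views (network behaviour and on-chain state) reinforce each other. Note that the article says the query happens after encryption, so this signal supports response and scoping rather than prevention.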
A small campaign with an inventive method
DeadLock was first observed in July 2025 and has remained relatively low-profile.
Group-IB noted the operation has a limited number of confirmed victims.
The report also said DeadLock does not appear to be tied to known ransomware affiliate programs and does not use a public data-leak site.
That may help explain why the group has attracted less attention than major ransomware families, but researchers believe the technical approach warrants close monitoring.
Group-IB warned that even though DeadLock remains small, its technique could be adopted by more established cybercriminal groups.
No Polygon vulnerability involved
Researchers emphasized that DeadLock does not exploit any vulnerability in Polygon itself.
It is not attacking third-party smart contracts such as DeFi protocols, wallets, or bridges.
Rather, attackers are abusing the public and persistent nature of blockchain data to hide configuration information.
Group-IB compared this technique to earlier “EtherHiding” methods, where criminals used blockchain networks to distribute malicious configuration data.
According to the firm’s analysis, several smart contracts tied to the campaign were deployed or updated between August and November 2025.
While activity remains limited for now, researchers said the concept could be reused in many different ways by other malicious actors.
Although Polygon users and developers are not directly at risk from this specific campaign, Group-IB noted the case is a reminder that public blockchains can be repurposed to support off-chain criminal activity in ways that are difficult to detect and dismantle.