DeadLock Ransomware Uses Polygon Blockchain to Quietly Bypass Proxies

  • Group-IB published its report on January 15 and warned that the technique could make disruption of the operation harder for defenders.
  • The malware reads data stored on-chain, so victims do not need to pay gas fees.
  • Researchers said Polygon is not vulnerable, but the tactic could spread.

Ransomware groups typically rely on command-and-control (C2) servers to manage communications after an intrusion.

But security researchers now say a low-profile group is leveraging blockchain infrastructure in a way that could be harder to disrupt.

In a report published on January 15, cybersecurity firm Group-IB explained that an operation known as DeadLock uses Polygon (POL) smart contracts to store and rotate proxy addresses.

These proxies are used to relay communications between attackers and victims after systems are compromised.

Because the information is stored on-chain and can be updated at any time, researchers warned this approach could make the group more resilient and more difficult to take down.

Smart contracts used to store proxy information

Group-IB said DeadLock does not rely on the usual setup of fixed command-and-control servers.

Instead, once a machine is compromised and encrypted, the ransomware queries a specific smart contract deployed on the Polygon network.

The contract stores the most recent proxy server address that DeadLock uses for communication. The proxy acts as an intermediary, helping attackers maintain contact without exposing their primary infrastructure directly.

Because smart contract data is publicly readable, the malware can fetch the information without generating on-chain transactions.

That also means victims do not need to pay gas fees or interact with wallets.

DeadLock only reads the data, using the blockchain as a persistent source of configuration information.

Rotating infrastructure without malware updates

One reason this method stands out is how quickly attackers can change their communication routes.

Group-IB reported that actors behind DeadLock can update the proxy address stored in the contract as needed.

This allows them to rotate infrastructure without modifying the ransomware itself or pushing new versions into the wild.

In traditional ransomware incidents, defenders can sometimes block traffic by identifying known C2 servers.

But with an on-chain proxy list, any listed proxy can be replaced simply by updating the stored value in the contract.

Once a connection is reestablished via the updated proxy, victims receive ransom demands and threats of data sale unless payment is made.

Why takedown becomes harder

Group-IB warned that using blockchain data in this manner significantly complicates disruption efforts.

There is no single centralized server to seize, take down, or remove.

Even if a specific proxy address is blocked, attackers can switch to another without redeploying the malware.

Because the smart contract remains available via Polygon’s distributed nodes worldwide, the configuration data can persist even as attacker infrastructure changes.

Researchers said this gives ransomware operators a more resilient C2 mechanism compared with traditional hosting arrangements.
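The "Smart contracts used to store proxy information" and "Why takedown becomes harder" sections above describe why blocking individual proxy addresses is a losing game: the proxy is just a value in contract storage that the operators can overwrite. A more durable signal for defenders is the read itself, that is, a host that should never talk to a blockchain node issuing a read-only JSON-RPC call to a public RPC gateway. The script below is an added example for this article, not code from Group-IB or from the report. It assumes an egress proxy that logs HTTP POST bodies in a constructed one-line format, uses constructed gateway hostnames and internal IP addresses, and uses an all-zero contract address as a placeholder for whatever indicator a vendor report publishes. `eth_call` and `eth_getStorageAt` are the standard Ethereum JSON-RPC methods for reading contract state without sending a transaction, and Polygon nodes serve the same API; the report does not say which method or endpoint DeadLock uses, so treating these as the relevant methods is an assumption.

```python
"""Flag hosts that read smart-contract state over JSON-RPC from a public
blockchain RPC gateway, based on constructed egress-proxy log lines.
Added example for illustration; not code from the Group-IB report."""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed: RPC gateway hostnames an organisation would expect only its
# blockchain developers to contact. Placeholders, not indicators from the report.
RPC_HOSTS = {"rpc.example-polygon-gateway.invalid", "polygon-rpc.invalid"}
# Constructed: workstations allowed to talk to chain RPC endpoints (e.g. a dev team).
ALLOWED_SOURCES = {"10.0.5.21"}
# PLACEHOLDER: replace with contract addresses published as indicators by a vendor.
WATCHED_CONTRACTS = {"0x" + "00" * 20}
# Standard Ethereum JSON-RPC read methods; no transaction or gas is involved.
READ_ONLY_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}

# Constructed sample log: "timestamp src_ip host VERB path json-body"
SAMPLE_LOG = [
    '2025-11-03T10:12:01Z 10.0.5.21 rpc.example-polygon-gateway.invalid POST / '
    '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0xabcdef0000000000000000000000000000000001","data":"0x06fdde03"},"latest"]}',
    '2025-11-03T10:12:05Z 10.0.7.44 polygon-rpc.invalid POST / '
    '{"jsonrpc":"2.0","id":7,"method":"eth_call","params":[{"to":"0x0000000000000000000000000000000000000000","data":"0x2e64cec1"},"latest"]}',
    '2025-11-03T10:12:09Z 10.0.7.45 polygon-rpc.invalid POST / '
    '{"jsonrpc":"2.0","id":2,"method":"eth_blockNumber","params":[]}',
    '2025-11-03T10:13:00Z 10.0.9.8 polygon-rpc.invalid POST / '
    '{"jsonrpc":"2.0","id":3,"method":"eth_getStorageAt","params":["0x1111111111111111111111111111111111111111","0x0","latest"]}',
    '2025-11-03T10:13:30Z 10.0.9.8 updates.example.invalid GET /manifest.json {}',
]


@dataclass
class Finding:
    src: str
    host: str
    method: str
    to_address: Optional[str]
    reason: str


def parse_line(line: str):
    """Split the constructed log format into (src_ip, host, parsed JSON body)."""
    parts = line.split(" ", 5)
    if len(parts) < 6:
        return None
    _ts, src, host, _verb, _path, body = parts
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return None
    return src, host, payload


def rpc_calls(payload):
    """Yield individual JSON-RPC requests; the protocol allows batched lists."""
    items = payload if isinstance(payload, list) else [payload]
    for item in items:
        if isinstance(item, dict) and "method" in item:
            yield item


def target_of(call: dict) -> Optional[str]:
    """Extract the contract address a read targets, if the method carries one."""
    params = call.get("params") or []
    if params and isinstance(params[0], dict):          # eth_call: {"to": ...}
        return (params[0].get("to") or "").lower() or None
    if params and isinstance(params[0], str) and call.get("method") == "eth_getStorageAt":
        return params[0].lower()                          # eth_getStorageAt: address first
    return None


def scan(lines):
    """Return findings for chain-state reads that are suspicious in this environment."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, host, payload = parsed
        if host not in RPC_HOSTS:
            continue
        for call in rpc_calls(payload):
            method = call.get("method")
            if method not in READ_ONLY_METHODS:
                continue
            to = target_of(call)
            if to in WATCHED_CONTRACTS:
                findings.append(Finding(src, host, method, to, "read of watched contract"))
            elif src not in ALLOWED_SOURCES:
                findings.append(Finding(src, host, method, to,
                                        "chain RPC read from non-allowlisted host"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src} -> {f.host} {f.method} to={f.to_address}: {f.reason}")
```

Two things are worth noting about the design. The allowlist check fires on any read-only method from an unexpected host, because the report's point is that the proxy address in storage will change while the read pattern will not; the watched-contract check is a narrower rule for the case where a vendor has published the contract address. Reads to an RPC gateway from a developer workstation are routine, so the allowlist is what keeps the rule from drowning in noise.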

Small campaign with a clever method

DeadLock was first observed in July 2025 and has remained relatively low-profile so far.

Group-IB said the operation has a limited number of confirmed victims.

The report also noted DeadLock is not tied to known ransomware affiliate programs and does not appear to maintain a public data leak site.

That may explain why the group has received less attention than larger ransomware brands, but researchers said the technical approach warrants close monitoring.

Group-IB warned that even if DeadLock stays small, established cybercriminal groups could adopt its techniques.

Polygon itself not vulnerable

Researchers emphasized that DeadLock does not exploit any vulnerability in Polygon itself.

It also does not attack third-party smart contracts such as DeFi protocols, wallets, or bridges.

Instead, attackers exploit the public and immutable nature of blockchain data to hide configuration details.

Group-IB compared the technique to earlier “EtherHiding” methods, in which criminals used blockchain networks to distribute malicious configuration data.

According to the firm’s analysis, several smart contracts related to the campaign were deployed or updated between August and November 2025.

Researchers said activity remains limited so far, but the concept could be applied in many forms by other threat actors.

While Polygon users and developers are not directly at risk from this campaign, Group-IB noted the case is a reminder that public blockchains can be abused to support off-chain criminal activity in ways that are difficult to detect and dismantle.