- Group-IB published its report on January 15 and warned that the method could make disruption harder for defenders.
- The malware reads on-chain data, so victims do not pay gas fees.
- Researchers said Polygon is not vulnerable, but the tactic could spread.
Ransomware groups typically rely on command-and-control servers to manage communications after breaching a system.
However, security researchers now say a low-profile variant is abusing blockchain infrastructure in a way that could be more difficult to disrupt.
In a report published January 15, cybersecurity firm Group-IB said a ransomware operation known as DeadLock is abusing Polygon smart contracts (POL) to store and rotate the addresses of proxy servers.
Those proxy servers relay communications between attackers and victims after systems are infected.
Because the information is stored on-chain and can be updated at any time, researchers warned this approach could make the group’s backend more resilient and harder to take down.
Smart contracts used to store proxy information
Group-IB said DeadLock does not depend on the usual fixed command-and-control server setup.
Instead, once a machine is compromised and encrypted, the ransomware queries a specific smart contract deployed on the Polygon network.
That contract stores the most recent proxy address DeadLock uses to communicate. The proxy functions as an intermediary, allowing attackers to maintain contact without directly exposing their primary infrastructure.
Because smart contract state is publicly readable, the malware can retrieve it with a read-only call to any Polygon RPC node rather than by submitting a blockchain transaction.
This also means victims do not have to pay gas fees or interact with wallets.
DeadLock only reads the information, treating the blockchain as a persistent source of configuration data.
Rotating infrastructure without malware updates
One reason this method stands out is how quickly attackers can change their communication routes.
Group-IB reported that the actors behind DeadLock can update the proxy address stored in the contract whenever needed.
This lets them rotate infrastructure without modifying the ransomware itself or releasing new versions into the wild.
In traditional ransomware cases, defenders can sometimes block traffic by identifying known command-and-control servers.
But when the proxy address lives on-chain, any reported proxy can be replaced simply by updating the value stored in the contract.
Once contact is established through the updated proxy, victims receive ransom demands along with threats that stolen data will be sold if payment is not made.
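The read-and-rotate pattern described in the two sections above, as an added illustration: this is not Group-IB's code and nothing here was recovered from DeadLock. The contract address, function selector and proxy endpoints are placeholders, and the operator's on-chain update is simulated by re-encoding the string a node would return. The code shows the read-only `eth_call` request that fetches the value, the ABI decoding of a `string` return, and a defender-side check that separates read-only chain lookups from real transactions in captured JSON-RPC traffic.

```python
"""Added example: a read-only smart-contract lookup used as C2
configuration, and how a defender can tell such reads from real
transactions in captured JSON-RPC traffic.

Not DeadLock's code. The contract address, function selector and
proxy endpoints below are placeholders, and the on-chain update is
simulated by re-encoding the value a node would return.
"""
import json

# Placeholders (assumptions for the example, not indicators from the report).
HYPOTHETICAL_CONTRACT = "0x" + "11" * 20      # 20-byte contract address
HYPOTHETICAL_SELECTOR = "0x" + "ab" * 4       # 4-byte getter selector


def abi_encode_string(value: str) -> str:
    """ABI-encode one `string` return value as a node would deliver it:
    a 32-byte offset word, a 32-byte length word, then the UTF-8 bytes
    right-padded to a 32-byte boundary."""
    data = value.encode("utf-8")
    head = (32).to_bytes(32, "big")
    length = len(data).to_bytes(32, "big")
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (head + length + padded).hex()


def abi_decode_string(result_hex: str) -> str:
    """Inverse of abi_encode_string, with bounds checks so a malformed
    or truncated node response raises instead of returning garbage."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("result too short for an ABI-encoded string")
    offset = int.from_bytes(raw[0:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points past the payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds the payload")
    return raw[start:start + length].decode("utf-8")


def build_eth_call(contract: str, selector: str) -> dict:
    """JSON-RPC body for the lookup. eth_call is evaluated by the node
    against current state and is never signed or broadcast, so the
    caller pays no gas and leaves nothing on the chain."""
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def resolve_proxy(rpc_response: dict) -> str:
    """What the implant does with the node's answer: decode the stored
    proxy endpoint from the `result` field."""
    return abi_decode_string(rpc_response["result"])


READ_ONLY_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}
WRITE_METHODS = {"eth_sendRawTransaction", "eth_sendTransaction"}


def classify_rpc_request(body: str) -> str:
    """Defender-side check for a captured HTTP POST body. A host that only
    issues read-only calls to a chain RPC endpoint and never sends a
    transaction matches the read-only config-fetch pattern."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return "other"
    method = req.get("method") if isinstance(req, dict) else None
    if method in READ_ONLY_METHODS:
        return "read"
    if method in WRITE_METHODS:
        return "write"
    return "other"


def simulate_rotation(values):
    """Walk through a rotation: the operator changes the stored string, the
    implant re-issues the identical request and follows the new endpoint.
    Returns the endpoints the implant would use, in order."""
    request = build_eth_call(HYPOTHETICAL_CONTRACT, HYPOTHETICAL_SELECTOR)
    seen = []
    for stored in values:
        # Same request body every time; only the node's answer changes.
        assert classify_rpc_request(json.dumps(request)) == "read"
        response = {"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(stored)}
        seen.append(resolve_proxy(response))
    return seen


if __name__ == "__main__":
    # Constructed sample values using RFC 5737 documentation addresses.
    for endpoint in simulate_rotation(["198.51.100.7:443", "203.0.113.9:8443"]):
        print("implant will contact proxy:", endpoint)
```

The point for a defender is in `classify_rpc_request`: a workstation with no wallet software that emits only `eth_call` requests to chain RPC endpoints, and never a transaction, is behaving exactly as this kind of implant does, and the contract address in the `to` field is a stable artifact to pivot on even while the proxy behind it changes.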
Why takedowns become harder
Group-IB warned that using blockchain data in this way makes disruption significantly more difficult.
There is no single central server that can be seized, removed, or shut down.
Even if a specific proxy address is blocked, attackers can switch to another without having to redistribute the malware. Blocking a proxy therefore buys little on its own; the one element that stays fixed in this design is the contract the malware queries, since the sample has to know which contract to read.
Because the smart contract remains accessible via Polygon’s distributed nodes worldwide, the configuration data can persist even if the attackers’ external infrastructure changes.
Researchers said this gives ransomware operators a more resilient command-and-control mechanism compared with conventional hosting arrangements.
A small campaign with an inventive method
DeadLock was first observed in July 2025 and has kept a low profile so far.
Group-IB said the operation has a limited number of confirmed victims.
The report also noted that DeadLock is not tied to known ransomware affiliate programs and does not appear to run a public data-leak site.
While that may explain why the group has attracted less attention than larger ransomware brands, researchers said its technical approach warrants close monitoring.
Group-IB warned that even if DeadLock stays small, its technique could be copied by more established cybercriminal groups.
No Polygon vulnerability involved
Researchers emphasized that DeadLock is not exploiting any vulnerability in Polygon itself.
It is also not attacking third-party smart contracts such as DeFi protocols, wallets, or bridges.
Instead, attackers are leveraging the public and persistent nature of blockchain data to hide configuration information.
Group-IB compared the technique to earlier “EtherHiding” campaigns, in which criminals stored malicious payloads or configuration in smart contracts so that infected hosts could fetch them with read-only calls and the operators could swap them out at will.
Several smart contracts linked to the campaign were deployed or updated between August and November 2025, according to the firm’s analysis.
Researchers said the activity remains limited for now, but the concept could be repurposed in many ways by other threat actors.
Although Polygon users and developers are not facing direct risk from this specific campaign, Group-IB said the case is a reminder that public blockchains can be abused to support off-chain criminal activity in ways that are hard to detect and dismantle.