DeadLock Ransomware Abuses Polygon Blockchain to Quietly Rotate Proxy Servers

  • Group-IB published its report on January 15 and said the method could make disruption harder for defenders.
  • The malware reads on-chain data, so victims do not need to pay gas fees.
  • Researchers said Polygon is not vulnerable, but the tactic could spread.

Ransomware groups typically rely on command-and-control servers to manage communications after breaching a system.

However, security researchers now say a low-profile strain is using blockchain infrastructure in a way that may be harder to block.

In a report published January 15, cybersecurity firm Group-IB said a ransomware operation called DeadLock is abusing Polygon (POL) smart contracts to store and rotate proxy server addresses.

Those proxy servers are used to relay communications between attackers and victims once systems are infected.

Because the information is stored on-chain and can be updated at any time, the researchers warned that this approach can make the group’s backend more resilient and more difficult to disrupt.

Smart contracts used to store proxy information

Group-IB said DeadLock does not depend on the usual setup of fixed command-and-control servers.

Instead, when a machine is compromised and encrypted, the ransomware queries a specific smart contract deployed on the Polygon network.

The contract stores the latest proxy address DeadLock uses for communication. The proxy acts as an intermediary layer, helping attackers maintain contact without exposing their primary infrastructure directly.

Because smart contract data is publicly readable, the malware can fetch those details without submitting any blockchain transactions.

That also means victims do not need to pay gas fees or use wallets.

DeadLock only reads the information and treats the blockchain as a persistent source of configuration data.

Rotating infrastructure without malware updates

One reason this method stands out is how quickly attackers can change their communication routes.

Group-IB said the operators behind DeadLock can update the proxy address stored in the contract as needed.

That gives them the ability to rotate infrastructure without altering the ransomware itself or releasing new versions.

In traditional ransomware cases, defenders can sometimes block traffic by identifying known command-and-control servers.

But with an on-chain proxy list, any flagged proxy can be replaced simply by updating the contract’s stored value.

Once contact is established through the updated proxy, victims receive ransom demands along with threats that stolen data will be sold if payment is not made.
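The two behaviours described above, the read-only fetch of a stored address and the rotation of that address by updating the contract, both leave traces a defender can look for in egress logs. The script below is an added example, not code from Group-IB or from the report: it parses constructed JSON-RPC exchanges of the kind an egress proxy would record, flags `eth_call` reads against a contract address an analyst has chosen to watch, decodes the ABI-encoded `address` word that such a call returns, and reports every change in the stored value between observations. The contract address, function selector, returned addresses and host names are placeholders invented for the example; the watch list would in practice hold the contract addresses from the report.

```python
"""Spot read-only on-chain configuration fetches in egress logs and track
proxy-address rotation across them. Added example; not Group-IB's code."""

import json
from typing import Optional

# Constructed sample: JSON-RPC exchanges recorded by an egress proxy, one JSON
# object per line. The contract address, selector, returned addresses and the
# raw transaction are placeholders made up for this example, not indicators
# taken from the report.
SAMPLE_LOG = r'''
{"ts":"2025-09-01T10:00:00Z","src":"ws-17","req":{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x1111111111111111111111111111111111111111","data":"0x12345678"},"latest"]},"resp":{"jsonrpc":"2.0","id":1,"result":"0x000000000000000000000000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}}
{"ts":"2025-09-01T10:05:00Z","src":"ws-17","req":{"jsonrpc":"2.0","id":2,"method":"eth_blockNumber","params":[]},"resp":{"jsonrpc":"2.0","id":2,"result":"0x3b9aca0"}}
{"ts":"2025-09-02T08:00:00Z","src":"ws-23","req":{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x1111111111111111111111111111111111111111","data":"0x12345678"},"latest"]},"resp":{"jsonrpc":"2.0","id":1,"result":"0x000000000000000000000000bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}}
{"ts":"2025-09-02T09:00:00Z","src":"dev-box","req":{"jsonrpc":"2.0","id":7,"method":"eth_sendRawTransaction","params":["0xf86c..."]},"resp":{"jsonrpc":"2.0","id":7,"result":"0xdeadbeef"}}
'''

# Contract addresses the analyst has decided to watch (placeholder value).
WATCHED_CONTRACTS = {"0x1111111111111111111111111111111111111111"}


def decode_abi_address(result_hex: str) -> Optional[str]:
    """Decode a single ABI-encoded `address` return value.

    An address comes back as one 32-byte word: 12 zero bytes of left padding
    followed by the 20-byte address. Anything else is not a bare address.
    """
    if not result_hex.startswith("0x") or len(result_hex) != 66:
        return None
    word = result_hex[2:]
    if word[:24] != "0" * 24:
        return None
    return "0x" + word[24:].lower()


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def config_reads(records: list, watched: set) -> list:
    """Return eth_call reads against a watched contract with the decoded address.

    eth_call never creates a transaction, which is the pattern the article
    describes: no wallet and no gas, just a lookup of the stored value.
    """
    hits = []
    for rec in records:
        req = rec["req"]
        if req.get("method") != "eth_call":
            continue
        call = req["params"][0]
        to = call.get("to", "").lower()
        if to not in watched:
            continue
        hits.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "contract": to,
            "selector": call.get("data", "")[:10],
            "proxy": decode_abi_address(rec["resp"].get("result", "")),
        })
    return hits


def detect_rotation(reads: list) -> list:
    """List (contract, old_proxy, new_proxy, ts) each time the stored value changes.

    Reads are examined in timestamp order; a change between consecutive
    observations means the operator updated the contract in between.
    """
    changes = []
    last = {}
    for r in sorted(reads, key=lambda r: r["ts"]):
        prev = last.get(r["contract"])
        if prev is not None and prev != r["proxy"]:
            changes.append((r["contract"], prev, r["proxy"], r["ts"]))
        last[r["contract"]] = r["proxy"]
    return changes


def hosts_to_triage(reads: list) -> list:
    """Sorted, de-duplicated hosts that fetched a watched contract's value."""
    return sorted({r["src"] for r in reads})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    reads = config_reads(recs, WATCHED_CONTRACTS)
    for r in reads:
        print(f'{r["ts"]} {r["src"]} read {r["contract"]} -> proxy {r["proxy"]}')
    for contract, old, new, ts in detect_rotation(reads):
        print(f"rotation at {ts}: {old} -> {new}")
    print("hosts to triage:", hosts_to_triage(reads))
```

Two points of the design matter in practice. First, the filter keys on `eth_call` rather than on the RPC hostname, because the same public RPC endpoints serve legitimate wallets and developer tooling; a workstation with no blockchain software that issues `eth_call` against a known contract is the anomaly. Second, the rotation check works from the defender's own observations, so a new proxy address becomes a blocking candidate the moment any monitored host reads it, rather than after the malware is re-analysed.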

Why takedowns become harder

Group-IB warned that using blockchain data this way makes disruption significantly more difficult.

There is no single central server that can be seized, removed, or turned off.

Even if a specific proxy address is blocked, attackers can switch to another without needing to redeploy the malware.

Because the smart contract remains accessible via Polygon’s distributed nodes around the world, the configuration data can persist even if the attackers’ other infrastructure changes.

Researchers said this gives ransomware operators a more robust command-and-control mechanism compared with conventional hosting setups.

A small campaign with an inventive method

DeadLock was first observed in July 2025 and has remained relatively low-profile so far.

Group-IB reported the operation has a limited number of confirmed victims.

The report also noted that DeadLock is not tied to known ransomware-as-a-service programs and does not appear to operate a public data-leak site.

While that may explain why the group has received less attention than major ransomware brands, the researchers said the technical approach warrants close monitoring.

Group-IB warned that even if DeadLock stays small, the technique could be copied by more established criminal groups.

No Polygon vulnerability involved

Researchers emphasized that DeadLock is not exploiting any vulnerability in Polygon itself.

It is also not attacking third-party smart contracts such as DeFi protocols, wallets, or bridges.

Instead, the attackers are abusing the public and immutable nature of blockchain data to hide configuration information.

Group-IB compared the technique to earlier “EtherHiding” approaches, where criminals used blockchain networks to distribute malicious configuration data.

Several smart contracts linked to the campaign were deployed or updated between August and November 2025, according to the company’s analysis.

The researchers said the activity is currently limited, but the concept could be reused in many forms by other threat actors.

Although Polygon users and developers do not face direct risk from this specific campaign, Group-IB said the case is a reminder that public blockchains can be misused to support criminal activity in ways that are difficult to detect and dismantle.