DeadLock Ransomware Exploits Polygon Blockchain to Stealthily Rotate Proxy Servers

  • Group-IB published its report on January 15, saying the technique could make disruption harder for defenders.
  • The malware reads on-chain data so victims do not have to pay gas fees.
  • Researchers said Polygon is not vulnerable, but the tactic could spread.

Ransomware groups typically rely on command-and-control servers to manage communications after breaching a system.

But security researchers now report that a low-profile strain is abusing blockchain infrastructure in a way that may be harder to block.

In a report published on January 15, cybersecurity firm Group-IB said a ransomware operation known as DeadLock is abusing smart contracts on the Polygon network (POL) to store and rotate proxy server addresses.

Those proxy servers relay communication between attackers and victims after systems are infected.

Because the information is stored on-chain and can be updated at any time, researchers warned this approach could make the group’s backend more resilient and more difficult to disrupt.

Smart contracts used to store proxy information

Group-IB said DeadLock does not rely on the usual fixed command-and-control server setup.

Instead, once a machine is compromised and encrypted, the ransomware queries a specific smart contract deployed on the Polygon network.

That contract contains the most recent proxy address DeadLock uses for communications. The proxy acts as an intermediary layer, allowing attackers to maintain contact without exposing their main infrastructure directly.

Because smart contract data is publicly readable, the malware can retrieve the details without submitting blockchain transactions.

That also means victims do not need to pay gas fees or interact with wallets.

DeadLock only reads the information, treating the blockchain as a persistent source of configuration data.

Rotating infrastructure without malware updates

One reason this method stands out is how quickly attackers can change their communication routes.

Group-IB said the actors behind DeadLock can update the proxy address stored in the contract whenever necessary.

That capability lets them rotate infrastructure without modifying the ransomware itself or releasing new versions into the wild.

In traditional ransomware cases, defenders can sometimes disrupt traffic by blocking known command-and-control servers.

But with an on-chain proxy list, any reported proxy can simply be replaced by updating the value stored in the contract.
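The two points above, that the malware only ever reads the contract (no transaction, no gas) and that blocking a resolved proxy is futile once the on-chain value changes, suggest watching for the lookup itself rather than the proxy. The following is an added, defender-side example that is not from the Group-IB report or the article: a small Python filter over constructed egress-proxy log lines that flags read-only JSON-RPC contract queries (eth_call, eth_getStorageAt) from hosts with no business reason to reach a Polygon RPC node and extracts the queried contract address for hunting. Host names, the RPC destination and the contract address are placeholders; the real contract addresses are not given in the article.

```python
import json
import re

# JSON-RPC methods that read contract state without sending a transaction,
# so the caller never pays gas: the read-only pattern the report describes.
READ_ONLY_METHODS = {"eth_call", "eth_getStorageAt"}
EXPECTED_RPC_CLIENTS = {"dev-build-02"}  # hosts allowed to reach RPC nodes (constructed)
PLACEHOLDER_CONTRACT = "0x" + "0" * 36 + "1111"  # placeholder; real addresses are not in the article
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def rpc_log(host, method, params):
    """Build one constructed egress-proxy log line: an HTTP POST to an RPC node."""
    body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})
    return f"host={host} dst=polygon-rpc.example method=POST body={body}"


# Constructed sample traffic: two workstation lookups, one developer query and
# one transaction submission (not the read-only pattern of interest).
SAMPLE_LOGS = [
    rpc_log("ws-finance-07", "eth_call", [{"to": PLACEHOLDER_CONTRACT, "data": "0x12345678"}, "latest"]),
    rpc_log("dev-build-02", "eth_call", [{"to": PLACEHOLDER_CONTRACT, "data": "0x12345678"}, "latest"]),
    rpc_log("ws-finance-07", "eth_sendRawTransaction", ["0xdead"]),
    rpc_log("ws-hr-03", "eth_getStorageAt", [PLACEHOLDER_CONTRACT, "0x0", "latest"]),
]


def parse_line(line):
    """Split a log line into key=value fields and decode the JSON-RPC body."""
    head, _, body = line.partition(" body=")
    fields = dict(FIELD_RE.findall(head))
    fields["body"] = json.loads(body) if body else None
    return fields


def contract_address(params):
    """Return the contract a read-only call targets (lower-cased), or None."""
    first = params[0] if params else None
    target = first.get("to") if isinstance(first, dict) else first
    return str(target).lower() if target else None


def find_contract_lookups(lines, expected_clients=EXPECTED_RPC_CLIENTS):
    """Flag read-only contract queries from hosts that have no reason to use RPC nodes."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        body = rec.get("body")
        if not isinstance(body, dict) or rec.get("host") in expected_clients:
            continue
        if body.get("method") in READ_ONLY_METHODS:
            findings.append({"host": rec.get("host"), "dst": rec.get("dst"), "method": body["method"],
                             "contract": contract_address(body.get("params", []))})
    return findings
```

Because the contract address stays fixed while the proxy it returns rotates, the extracted address is the more durable pivot for hunting across hosts and for correlating with the lookups Group-IB describes.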

Once contact is reestablished through the updated proxy, victims receive ransom demands along with threats that stolen data will be sold if payment is not made.

Why takedowns become more difficult

Group-IB warned that using blockchain data in this way makes disruption significantly harder.

There is no single central server that can be seized, taken down, or shut off.

Even if a particular proxy address is blocked, attackers can switch to another one without needing to redeploy the malware.

Because the smart contract remains accessible via Polygon’s distributed nodes worldwide, configuration data can persist even as the attackers’ infrastructure changes.

Researchers said this gives ransomware operators a more resilient command-and-control mechanism compared with conventional hosting systems.

A small campaign with an inventive method

DeadLock was first observed in July 2025 and has remained relatively low-profile until recently.

Group-IB reported that the operation has a limited number of confirmed victims.

The report also noted DeadLock is not tied to known ransomware-affiliate programs and does not appear to operate a public data-leak site.

While that may explain why the group has attracted less attention than larger ransomware brands, researchers said its technical approach warrants close monitoring.

Group-IB cautioned that even if DeadLock remains small, its technique could be copied by more established cybercriminal groups.

No Polygon vulnerability was exploited

Researchers emphasized that DeadLock does not exploit any vulnerability in Polygon itself.

It also does not attack third-party smart contracts such as decentralized finance protocols, wallets, or bridges.

Instead, attackers are abusing the public, persistent nature of blockchain data to hide configuration information.

Group-IB compared the technique to earlier “EtherHiding” approaches, where criminals used blockchain networks to distribute malicious configuration data.

According to the firm’s analysis, several smart contracts linked to the campaign were deployed or updated between August and November 2025.

Researchers said activity remains limited so far, but the concept could be reused in many different forms by other threat actors.

Although Polygon users and developers face no direct risk from this specific campaign, Group-IB said the case serves as another reminder that public blockchains can be abused to support off-chain criminal activity in ways that are difficult to detect and dismantle.