- Group-IB published its report on January 15, noting this technique could make defenders’ takedowns more difficult.
- The malware reads on-chain data, so victims do not pay gas fees.
- Researchers said Polygon is not vulnerable, but the tactic could spread.
Ransomware groups typically rely on command-and-control (C2) servers to manage communications after compromising a system.
Security researchers now warn of a less visible approach: abusing blockchain infrastructure in a way that can be harder to disrupt.
In a report published January 15, cybersecurity firm Group-IB said a ransomware operation known as DeadLock is abusing Polygon smart contracts to store and rotate proxy server addresses.
These proxy servers act as intermediaries to relay communication between attackers and victims after systems are infected.
Because the information resides on-chain and can be updated at any time, researchers cautioned that this approach could make the group’s backend more resilient and more difficult to dismantle.
Smart contracts used to store proxy information
Group-IB reported that DeadLock does not depend on the usual fixed C2 server setup.
Instead, once a machine is compromised and encrypted, the ransomware queries a specific smart contract deployed on the Polygon network.
That contract stores the current proxy address DeadLock uses for communication.
The proxy acts as a middle layer that lets attackers keep contact without directly exposing their primary infrastructure.
Because smart contract data is publicly readable, the malware can obtain these details without submitting any blockchain transactions.
That also means victims do not need to pay gas fees or interact with wallets.
DeadLock simply reads the information, treating the blockchain as a persistent source of configuration data.
Rotating infrastructure without malware updates
One reason this method stands out is how quickly attackers can change their communication channels.
Group-IB noted that the actors behind DeadLock can update the proxy address stored in the contract at any time.
This lets them rotate infrastructure without modifying the ransomware itself or pushing new versions into the wild.
In traditional ransomware incidents, defenders can sometimes disrupt operations by blocking known C2 servers.
With an on-chain proxy list, any listed proxy can be replaced simply by updating the stored contract value.
Once contact is established through the updated proxy, victims receive ransom demands along with threats to sell stolen data if payment is not made.
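A defender can read the same public contract value the malware reads (the read-only query described under the previous heading) and watch it for the rotations described above. This is an added example, not Group-IB's analysis code or anything from the campaign; it assumes placeholder values for the contract address and getter selector (the report does not publish them), decodes the ABI-encoded string an eth_call returns, and reports every change of the stored value as a rotation event that can be pushed to a blocklist.

```python
"""Defender-side monitor for the proxy value a smart contract stores on-chain.
The malware reads it with a read-only JSON-RPC eth_call (no transaction, no
gas); a defender can read the same public value and alert when it changes.
Every address, selector and response below is a constructed placeholder.
"""
import json

# Hypothetical values: the real contract address and getter are not in the report.
CONTRACT_ADDRESS = "0x" + "00" * 20   # placeholder, not the campaign's contract
GETTER_SELECTOR = "0x" + "00" * 4     # placeholder 4-byte function selector


def build_eth_call(contract: str, selector: str, request_id: int = 1) -> str:
    """JSON-RPC body for a read-only call: this is what a proxy log would show."""
    return json.dumps({
        "jsonrpc": "2.0", "id": request_id, "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    })


def abi_encode_string(value: str) -> str:
    """Encode a single `string` return value (used only to build sample responses)."""
    raw = value.encode()
    padded = raw + b"\x00" * (-len(raw) % 32)
    head = (32).to_bytes(32, "big") + len(raw).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def abi_decode_string(result_hex: str) -> str:
    """Decode the ABI-encoded `string` that eth_call returns from a getter."""
    data = bytes.fromhex(result_hex.removeprefix("0x"))
    offset = int.from_bytes(data[:32], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        raise ValueError("truncated ABI payload")
    return data[start:start + length].decode()


def detect_rotations(results: list[str]) -> list[tuple[int, str, str]]:
    """Walk successive eth_call results (oldest first) and return
    (index, old, new) for each change of the stored value: a rotation event."""
    events, previous = [], None
    for i, result in enumerate(results):
        current = abi_decode_string(result)
        if previous is not None and current != previous:
            events.append((i, previous, current))
        previous = current
    return events
```

Polling the getter on a schedule and diffing the decoded values gives a record of every proxy the operators have switched to, independent of whether the malware sample itself changes.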
Why takedowns become harder
Group-IB warned that using blockchain data in this way significantly complicates disruption efforts.
There is no central server to seize, remove, or switch off.
Even if a specific proxy address is blocked, attackers can switch to another without redeploying the malware.
Because the smart contract remains accessible via distributed Polygon nodes worldwide, configuration data can persist even if the attackers’ own infrastructure changes.
Researchers said this gives ransomware operators a more resilient C2 mechanism compared with conventional hosting setups.
Small campaign with an inventive approach
DeadLock was first observed in July 2025 and so far remains relatively low-profile.
Group-IB said the operation has a limited number of confirmed victims.
The report also noted that DeadLock is not tied to known ransomware affiliate programs and does not appear to run a public data-leak site.
That likely helps explain why the group has attracted less attention than major ransomware brands, but researchers said the technical approach merits careful monitoring.
Group-IB warned that even if DeadLock remains small, established cybercriminal groups could copy the technique.
No Polygon vulnerability involved
Researchers emphasized that DeadLock does not exploit any vulnerability within Polygon itself.
It also does not attack third-party smart contracts such as DeFi protocols, wallets, or bridges.
Rather, attackers are abusing the public and persistent nature of blockchain data to hide configuration information.
Group-IB compared the technique to earlier “EtherHiding” methods, where criminals used blockchain networks to distribute malicious configuration data.
According to the company’s analysis, several smart contracts related to the campaign were deployed or updated between August and November 2025.
Researchers said the activity remains limited so far, but the concept could be reused in many forms by other threat actors.
Although Polygon users and developers are not directly at risk from this specific campaign, Group-IB said the case is a reminder that public blockchains can be misused to support off-chain criminal activity in ways that are difficult to detect and dismantle.