- Group-IB published its report on January 15 and warned that the method could make disruption harder for defenders.
- The malware only reads on-chain data, so no transaction is sent and no gas is paid by the infected host.
- Researchers said Polygon is not vulnerable, but the tactic could spread.
Ransomware groups usually rely on command-and-control servers to manage communications after breaching a system.
Security researchers now report that a relatively low-profile strain is abusing blockchain infrastructure in a way that could be harder to block.
In a report published on January 15, cybersecurity firm Group-IB said a ransomware operation known as DeadLock is using smart contracts on the Polygon network (whose native token is POL) to store and rotate proxy server addresses.
These proxy servers relay communications between attackers and victims after systems are infected.
Because the information is stored on-chain and can be updated at any time, researchers warned this approach could make the group’s backend more resilient and difficult to disrupt.
Smart contracts used to store proxy information
Group-IB reported that DeadLock does not rely on the usual fixed command-and-control server setup.
Instead, once a machine is compromised and encrypted, the ransomware queries a specific smart contract deployed on the Polygon network.
That contract holds the current proxy address DeadLock uses to communicate. The proxy serves as an intermediary, allowing attackers to maintain contact without directly exposing their primary infrastructure.
Because smart contract data is publicly readable, the malware can fetch the details without sending any blockchain transaction.
This also means victims do not have to incur gas fees or interact with wallets.
DeadLock only reads the data, treating the blockchain as a persistent configuration data store.
Rotating infrastructure without malware updates
One reason this method stands out is how quickly attackers can change their communication routes.
Group-IB said the actors behind DeadLock can update the proxy address stored in the contract whenever necessary.
That gives them the ability to rotate infrastructure without modifying the ransomware itself or releasing new samples into the wild.
In traditional ransomware incidents, defenders can sometimes cut off communication by identifying and blocking known command-and-control servers.
With the proxy address held on-chain, a blocked proxy is replaced simply by updating the value stored in the contract; every infected machine picks up the new address on its next read, and the blocklist is stale again.
Once contact is established through the updated proxy, victims receive ransom demands and threats that stolen data will be sold if payment is not made.
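To make the read path and the rotation described above concrete, here is an added illustration; it is not code from Group-IB's report or from the malware. It builds the JSON-RPC eth_call request an infected host would send to any Polygon node, ABI-decodes a `string` return value of the kind a getter would return, and records when successive reads change, which is exactly what an analyst polling the same public contract would see. The contract address, the 4-byte function selector and the proxy values are placeholders (the report excerpt gives none of them), and the sample responses are constructed.

```python
import json

# Placeholders: the real contract address and getter are not reproduced here.
CONTRACT = "0x" + "11" * 20      # hypothetical contract address
GETTER_SELECTOR = "0xdeadbeef"   # hypothetical 4-byte selector (keccak256(signature)[:4] in reality)


def build_eth_call(contract: str, selector: str, block: str = "latest") -> dict:
    """JSON-RPC body for a read-only eth_call.

    Nothing is signed and no transaction is broadcast, so no wallet, key or
    gas is involved; any full node or public RPC endpoint will answer it.
    """
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, block],
    }


def encode_abi_string(value: str) -> str:
    """ABI-encode a single `string` return value: a 32-byte offset word, a
    32-byte length word, then the bytes right-padded to a 32-byte boundary.
    Used here only to build the constructed sample responses."""
    data = value.encode()
    padding = (32 - len(data) % 32) % 32
    words = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + data + b"\x00" * padding
    return "0x" + words.hex()


def decode_abi_string(result_hex: str) -> str:
    """Decode the `result` field of an eth_call to a function returning `string`."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("result too short for an ABI-encoded string")
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared string length exceeds payload")
    return raw[start:start + length].decode()


def proxy_from_response(response_json: str) -> str:
    """Extract the proxy value from a raw JSON-RPC response body."""
    resp = json.loads(response_json)
    if "error" in resp:
        raise RuntimeError(f"RPC error: {resp['error']}")
    return decode_abi_string(resp["result"])


def rotation_events(readings):
    """Given successive decoded reads, return (poll_index, value) for each change.

    Whoever polls the contract, malware or analyst, observes the rotation
    at the same moment; no new sample is needed for the value to change.
    """
    events, last = [], None
    for i, value in enumerate(readings):
        if value != last:
            events.append((i, value))
            last = value
    return events


if __name__ == "__main__":
    # Constructed sample: three polls; the operator rotates the proxy after the second.
    polls = [encode_abi_string(v) for v in ("203.0.113.10:443", "203.0.113.10:443", "198.51.100.7:8443")]
    responses = [json.dumps({"jsonrpc": "2.0", "id": 1, "result": r}) for r in polls]
    print(json.dumps(build_eth_call(CONTRACT, GETTER_SELECTOR)))
    print(rotation_events([proxy_from_response(r) for r in responses]))
```

The decoder checks the declared offset and length against the payload so that a malformed or truncated RPC result raises instead of returning garbage; an analyst replaying reads against an archive node can feed a block number instead of "latest" to reconstruct the rotation history.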
Why takedowns become more difficult
Group-IB warned that using blockchain data in this way makes disruption significantly more difficult.
The contract is replicated by every Polygon node, so the configuration pointer itself cannot be seized, sinkholed or shut off the way a single command-and-control domain or server can.
The proxies remain ordinary off-chain servers and can still be blocked or taken down individually, but each one is disposable: attackers switch to another without redeploying the malware.
Because the smart contract remains accessible through Polygon's distributed nodes worldwide, the configuration data persists even when the attackers' hosting infrastructure changes.
Researchers said this gives ransomware operators a more resilient command-and-control mechanism than conventional hosting. The flip side for defenders is that the same public data is readable by anyone: analysts who identify the contract can poll it and learn the current proxy as soon as it rotates.
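From the defender's side, the practical counterpart is to watch for the read path rather than for any particular proxy. The following added example (not from the report and not DeadLock-specific) scans constructed web-proxy log records for JSON-RPC read-only calls (eth_call, eth_getStorageAt) leaving hosts that have no business talking to a chain RPC endpoint, and separately flags any read of a contract address an analyst has marked as an indicator. The RPC hostname, the flagged contract address and the source hosts are placeholders.

```python
import json

READ_ONLY_METHODS = {"eth_call", "eth_getStorageAt"}
# Placeholder indicator: the real contract addresses are not reproduced here.
FLAGGED_CONTRACTS = {"0x" + "11" * 20}
# Hosts sanctioned to talk to chain RPC endpoints (e.g. a blockchain dev box); an assumption.
SANCTIONED_SOURCES = {"10.0.5.20"}

# Constructed sample of egress-proxy log records, one JSON object per line.
# "body" holds the already-decoded POST body; hostnames and addresses are placeholders.
SAMPLE_LOGS = """
{"src": "10.0.7.31", "dst": "rpc.polygon-node.example", "method": "POST", "body": {"jsonrpc": "2.0", "id": 1, "method": "eth_call", "params": [{"to": "0x1111111111111111111111111111111111111111", "data": "0xdeadbeef"}, "latest"]}}
{"src": "10.0.5.20", "dst": "rpc.polygon-node.example", "method": "POST", "body": {"jsonrpc": "2.0", "id": 7, "method": "eth_call", "params": [{"to": "0x2222222222222222222222222222222222222222", "data": "0x8da5cb5b"}, "latest"]}}
{"src": "10.0.7.44", "dst": "rpc.polygon-node.example", "method": "POST", "body": {"jsonrpc": "2.0", "id": 3, "method": "eth_getStorageAt", "params": ["0x3333333333333333333333333333333333333333", "0x0", "latest"]}}
{"src": "10.0.7.44", "dst": "rpc.polygon-node.example", "method": "POST", "body": {"jsonrpc": "2.0", "id": 4, "method": "eth_blockNumber", "params": []}}
{"src": "10.0.7.31", "dst": "www.example.org", "method": "GET", "body": null}
"""


def rpc_target(body):
    """Return (method, contract) for a JSON-RPC contract read, else None."""
    if not isinstance(body, dict) or body.get("jsonrpc") != "2.0":
        return None
    method = body.get("method")
    params = body.get("params") or []
    if method == "eth_call" and params and isinstance(params[0], dict):
        return method, (params[0].get("to") or "").lower()
    if method == "eth_getStorageAt" and params and isinstance(params[0], str):
        return method, params[0].lower()
    return None  # eth_blockNumber and other calls do not read a contract


def classify(record):
    """Verdict for one log record: flagged-contract read, unexpected read, or None."""
    target = rpc_target(record.get("body"))
    if target is None:
        return None
    _method, contract = target
    if contract in {c.lower() for c in FLAGGED_CONTRACTS}:
        return "read_of_flagged_contract"   # known indicator, regardless of source
    if record.get("src") not in SANCTIONED_SOURCES:
        return "unexpected_chain_read"      # a host with no reason to query a chain
    return None


def scan(log_text):
    """Return (src, dst, verdict) for every record that merits a look."""
    findings = []
    for line in log_text.strip().splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        verdict = classify(record)
        if verdict:
            findings.append((record["src"], record["dst"], verdict))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

The signal here is the behaviour, a workstation issuing JSON-RPC reads to a chain endpoint, not the proxy address, which is what rotates. This only works where the malware's reads traverse monitored egress; a sample that bundles its own node list or reaches the chain through some other gateway would not appear in these logs, and the article does not say which endpoints DeadLock uses.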
A small campaign with a clever method
DeadLock was first observed in July 2025 and has remained relatively low-profile.
Group-IB said the operation has a limited number of confirmed victims so far.
The report also noted that DeadLock does not appear to be tied to known ransomware affiliate programs and does not operate a public data-leak site.
That may explain why the group has attracted less attention than larger ransomware brands, but researchers said the technical approach warrants close monitoring.
Group-IB cautioned that while DeadLock remains small, its strategy could be copied by more established cybercriminal groups.
No Polygon vulnerability involved
Researchers emphasized that DeadLock is not exploiting a vulnerability in Polygon itself.
It is also not attacking third-party smart contracts such as DeFi protocols, wallets, or bridges.
Rather, the attackers are abusing the public, persistent nature of blockchain data to hide configuration information.
Group-IB compared the technique to the earlier “EtherHiding” approach, in which criminals stored malicious payload and configuration data in smart contracts (originally on BNB Smart Chain) so that compromised websites could fetch it from the chain rather than from a server that could be taken down.
Several smart contracts related to the campaign were deployed or updated between August and November 2025, according to the company’s analysis.
Researchers said activity remains limited for now, but the concept could be reused in many different ways by other threat actors.
Although Polygon users and developers do not face a direct risk from this specific campaign, Group-IB noted the case is a reminder that public blockchains can be misused to support off-chain criminal activities in ways that are difficult to detect and dismantle.