    DeadLock ransomware abuses Polygon blockchain to rotate proxy servers quietly

    By Isabella Taylor, January 18, 2026

    • Group-IB published its report on Jan. 15 and said the method could make disruption harder for defenders.
    • The malware reads on-chain data, so victims do not pay gas fees.
    • Researchers said Polygon is not vulnerable, but the tactic could spread.

    Ransomware groups usually rely on command-and-control servers to manage communications after breaking into a system.

    But security researchers now say a low-profile strain is using blockchain infrastructure in a way that could be harder to block.

    In a report published on Jan. 15, cybersecurity firm Group-IB said a ransomware operation known as DeadLock is abusing Polygon (POL) smart contracts to store and rotate proxy server addresses.

    These proxy servers are used to relay communication between attackers and victims after systems are infected.

    Because the information sits on-chain and can be updated anytime, researchers warned that this approach could make the group’s backend more resilient and tougher to disrupt.

    Smart contracts used to store proxy information

    Group-IB said DeadLock does not depend on the usual setup of fixed command-and-control servers.

    Instead, once a machine is compromised and encrypted, the ransomware queries a specific smart contract deployed on the Polygon network.

    That contract stores the latest proxy address that DeadLock uses to communicate. The proxy acts as a middle layer, helping attackers maintain contact without exposing their main infrastructure directly.

    Since the smart contract data is publicly readable, the malware can retrieve the details without sending any blockchain transactions.

    This also means victims do not need to pay gas fees or interact with wallets.

    DeadLock only reads the information, treating the blockchain as a persistent source of configuration data.
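
A read-only contract query on an EVM chain such as Polygon is typically a JSON-RPC `eth_call` request to a node, with no transaction submitted. The added example below (not from Group-IB's report or this article) shows one way to triage egress-proxy logs for hosts that only read from a contract; the log field names, host names, allowlist and contract address are constructed assumptions, and it presumes the proxy can see request bodies.

```python
import json
from collections import defaultdict

ALLOWED_HOSTS = {"dev-wallet-01"}   # assumption: hosts expected to query chain RPC
READ_METHODS = {"eth_call"}         # read-only contract query: no transaction, no gas
WRITE_METHODS = {"eth_sendTransaction", "eth_sendRawTransaction"}
CONTRACT = "0x" + "ab" * 20         # constructed placeholder, not a real indicator

def _rpc(method, params):
    return {"jsonrpc": "2.0", "id": 1, "method": method, "params": params}

_read = _rpc("eth_call", [{"to": CONTRACT, "data": "0x12345678"}, "latest"])

# Constructed egress-proxy records (decrypted request bodies); field names are assumptions.
SAMPLE_LOG = [
    {"src": "fs-01", "dst": "rpc.example.net", "body": json.dumps(_read)},
    {"src": "fs-01", "dst": "rpc.example.net",
     "body": json.dumps([_rpc("eth_chainId", []), _read])},        # batched request
    {"src": "dev-wallet-01", "dst": "rpc.example.net", "body": json.dumps(_read)},
    {"src": "hr-lt-07", "dst": "rpc.example.net", "body": json.dumps(_read)},
    {"src": "hr-lt-07", "dst": "rpc.example.net",
     "body": json.dumps(_rpc("eth_sendRawTransaction", ["0x02"]))},
    {"src": "fs-02", "dst": "api.example.org", "body": "not json"},
    {"src": "fs-02", "dst": "api.example.org", "body": None},
]

def rpc_calls(body):
    """Yield (method, target contract) for every JSON-RPC request in an HTTP body."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return                       # missing or non-JSON body: nothing to report
    for req in doc if isinstance(doc, list) else [doc]:
        if not isinstance(req, dict) or not isinstance(req.get("method"), str):
            continue
        params = req.get("params")
        first = params[0] if isinstance(params, list) and params else None
        to = first.get("to") if isinstance(first, dict) else None
        yield req["method"], str(to or "").lower()

def find_readonly_lookups(records, allowed=ALLOWED_HOSTS):
    """Return (host, contract, calls) for non-allowlisted hosts that only read."""
    reads, writers = defaultdict(int), set()
    for rec in records:
        for method, to in rpc_calls(rec.get("body")):
            if method in WRITE_METHODS:
                writers.add(rec["src"])      # heuristic: wallet-like host, deprioritised
            elif method in READ_METHODS and to:
                reads[(rec["src"], to)] += 1
    return sorted((h, c, n) for (h, c), n in reads.items()
                  if h not in allowed and h not in writers)
```

A server that has no business talking to a blockchain node, such as `fs-01` in the sample, is the case worth escalating; the contract address it queried can then be pivoted on across the rest of the estate.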

    Rotating infrastructure without malware updates

    One reason this method stands out is how quickly attackers can change their communication routes.

    Group-IB said the actors behind DeadLock can update the proxy address stored inside the contract whenever necessary.

    That gives them the ability to rotate infrastructure without modifying the ransomware itself or pushing new versions into the wild.

    In traditional ransomware cases, defenders can sometimes block traffic by identifying known command-and-control servers.

    But with an on-chain proxy list, any proxy that gets flagged can be replaced simply by updating the contract’s stored value.

    Once contact is established through the updated proxy, victims receive ransom demands along with threats that stolen information will be sold if payment is not made.

    Why takedowns become more difficult

    Group-IB warned that using blockchain data this way makes disruption significantly harder.

    There is no single central server that can be seized, removed, or shut down.

    Even if a specific proxy address is blocked, the attackers can switch to another one without having to redeploy the malware.

    Since the smart contract remains accessible through Polygon’s distributed nodes worldwide, the configuration data can continue to exist even if the infrastructure on the attackers’ side changes.

    Researchers said this gives ransomware operators a more resilient command-and-control mechanism compared with conventional hosting setups.

    A small campaign with an inventive method

    DeadLock was first observed in July 2025 and has stayed relatively low profile so far.

    Group-IB said the operation has only a limited number of confirmed victims.

    The report also noted that DeadLock is not linked to known ransomware affiliate programmes and does not appear to operate a public data leak site.

    While that may explain why the group has received less attention than major ransomware brands, researchers said its technical approach deserves close monitoring.

    Group-IB warned that even if DeadLock remains small, its technique could be copied by more established cybercriminal groups.

    No Polygon vulnerability involved

    The researchers stressed that DeadLock is not exploiting any vulnerability in Polygon itself.

    It is also not attacking third-party smart contracts such as decentralised finance protocols, wallets, or bridges.

    Instead, the attackers are abusing the public and immutable nature of blockchain data to hide configuration information.

    Group-IB compared the technique to earlier “EtherHiding” approaches, where criminals used blockchain networks to distribute malicious configuration data.

    Several smart contracts connected to the campaign were deployed or updated between August and November 2025, according to the firm’s analysis.

    Researchers said the activity remains limited for now, but the concept could be reused in many different forms by other threat actors.

    While Polygon users and developers are not facing direct risk from this specific campaign, Group-IB said the case is another reminder that public blockchains can be misused to support off-chain criminal activity in ways that are difficult to detect and dismantle.

