Group-IB published its report on Jan. 15 and said the method could make disruption harder for defenders.
\nThe malware reads on-chain data, so victims do not pay gas fees.
\nResearchers said Polygon is not vulnerable, but the tactic could spread.<\/p>\n
Ransomware groups usually rely on command-and-control servers to manage communications after breaking into a system.<\/p>\n
But security researchers now say a low-profile strain is using blockchain infrastructure in a way that could be harder to block.<\/p>\n
In a report published on Jan. 15<\/a>, cybersecurity firm Group-IB said a ransomware operation known as DeadLock is abusing Polygon (POL) smart contracts to store and rotate proxy server addresses.<\/p>\n These proxy servers are used to relay communication between attackers and victims after systems are infected.<\/p>\n Because the information sits on-chain and can be updated anytime, researchers warned that this approach could make the group\u2019s backend more resilient and tougher to disrupt.<\/p>\n Group-IB said DeadLock does not depend on the usual setup of fixed command-and-control servers.<\/p>\n Instead, once a machine is compromised and encrypted, the ransomware queries a specific smart contract deployed on the Polygon network.<\/p>\n That contract stores the latest proxy address that DeadLock uses to communicate. The proxy acts as a middle layer, helping attackers maintain contact without exposing their main infrastructure directly.<\/p>\n Since the smart contract data is publicly readable, the malware can retrieve the details without sending any blockchain transactions.<\/p>\n This also means victims do not need to pay gas fees or interact with wallets.<\/p>\n DeadLock only reads the information, treating the blockchain as a persistent source of configuration data.<\/p>\n One reason this method stands out is how quickly attackers can change their communication routes.<\/p>\n Group-IB said the actors behind DeadLock can update the proxy address stored inside the contract whenever necessary.<\/p>\n That gives them the ability to rotate infrastructure without modifying the ransomware itself or pushing new versions into the wild.<\/p>\n In traditional ransomware cases, defenders can sometimes block traffic by identifying known command-and-control servers.<\/p>\n But with an on-chain proxy list, any proxy that gets flagged can be replaced simply by updating the contract\u2019s stored value.<\/p>\n Once contact is established through the updated proxy, victims receive ransom demands along with threats that stolen information will be sold if payment is not made.<\/p>\n Group-IB warned that using blockchain data this way makes disruption significantly harder.<\/p>\n There is no single central server that can be seized, removed, or shut down.<\/p>\n Even if a specific proxy address is blocked, the attackers can switch to another one without having to redeploy the malware.<\/p>\n Since the smart contract remains accessible through Polygon\u2019s distributed nodes worldwide, the configuration data can continue to exist even if the infrastructure on the attackers\u2019 side changes.<\/p>\n Researchers said this gives ransomware operators a more resilient command-and-control mechanism compared with conventional hosting setups.<\/p>\n DeadLock was first observed in July 2025 and has stayed relatively low profile so far.<\/p>\n Group-IB said the operation has only a limited number of confirmed victims.<\/p>\n The report also noted that DeadLock is not linked to known ransomware affiliate programmes and does not appear to operate a public data leak site.<\/p>\n While that may explain why the group has received less attention than major ransomware brands, researchers said its technical approach deserves close monitoring.<\/p>\n Group-IB warned that even if DeadLock remains small, its technique could be copied by more established cybercriminal groups.<\/p>\n The researchers stressed that DeadLock is not exploiting any vulnerability in Polygon itself.<\/p>\n It is also not attacking third-party smart contracts such as decentralised finance protocols, wallets, or bridges.<\/p>\n Instead, the attackers are abusing the public and immutable nature of blockchain data to hide configuration information.<\/p>\n Group-IB compared the technique to earlier \u201cEtherHiding\u201d approaches, where criminals used blockchain networks to distribute malicious configuration data.<\/p>\n Several smart contracts connected to the campaign were deployed or updated between August and Nov. 2025, according to the firm\u2019s analysis.<\/p>\n Researchers said the activity remains limited for now, but the concept could be reused in many different forms by other threat actors.<\/p>\n While Polygon users and developers are not facing direct risk from this specific campaign, Group-IB said the case is another reminder that public blockchains can be misused to support off-chain criminal activity in ways that are difficult to detect and dismantle.<\/p>\n The post DeadLock ransomware abuses Polygon blockchain to rotate proxy servers quietly<\/a> appeared first on CoinJournal<\/a>.<\/p>","protected":false},"excerpt":{"rendered":" Group-IB published its report on Jan. 15 and said the method could make disruption harder for defenders. The malware reads on-chain data, so victims do not pay gas fees. Researchers said Polygon is not vulnerable, but the tactic could spread. Ransomware groups usually rely on command-and-control servers to manage communications after breaking into a system. […]<\/p>\n","protected":false},"author":0,"featured_media":6101,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[101],"tags":[],"class_list":{"0":"post-6100","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-blockchain"},"acf":[],"_links":{"self":[{"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/posts\/6100","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/comments?post=6100"}],"version-history":[{"count":0,"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/posts\/6100\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/media\/6101"}],"wp:attachment":[{"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/media?parent=6100"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/categories?post=6100"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/digkrypton.com\/index.php\/wp-json\/wp\/v2\/tags?post=6100"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Smart contracts used to store proxy information<\/h2>\n
Rotating infrastructure without malware updates<\/h2>\n
Why takedowns become more difficult<\/h2>\n
A small campaign with an inventive method<\/h2>\n
No Polygon vulnerability involved<\/h2>\n