DeadLock ransomware abuses Polygon blockchain to rotate proxy servers quietly

March 23, 2026
Group-IB published its report on Jan. 15 and said the tactic could make disruption harder for defenders.
The malware reads on-chain data, so victims don’t pay gas fees.
Researchers said Polygon is not vulnerable, but the tactic could spread.

Ransomware groups usually rely on command-and-control servers to manage communications after breaking into a system.

But security researchers now say a low-profile strain is using blockchain infrastructure in a way that could be harder to block.

In a report published on Jan. 15, cybersecurity firm Group-IB said a ransomware operation known as DeadLock is abusing Polygon (POL) smart contracts to store and rotate proxy server addresses.

These proxy servers are used to relay communication between attackers and victims after systems are infected.

Because the information sits on-chain and can be updated anytime, researchers warned that this approach could make the group’s backend more resilient and harder to disrupt.

Smart contracts used to store proxy information

Group-IB said DeadLock does not depend on the usual setup of fixed command-and-control servers.

Instead, once a machine is compromised and encrypted, the ransomware queries a specific smart contract deployed on the Polygon network.

That contract stores the latest proxy address that DeadLock uses to communicate. The proxy acts as a middle layer, helping attackers maintain contact without exposing their main infrastructure directly.

Since the smart contract data is publicly readable, the malware can retrieve the details without sending any blockchain transactions.

This also means victims don’t need to pay gas fees or interact with wallets.

DeadLock only reads the information, treating the blockchain as a persistent source of configuration data.

Rotating infrastructure without malware updates

One reason this method stands out is how quickly attackers can change their communication routes.

Group-IB said the actors behind DeadLock can update the proxy address stored inside the contract whenever necessary.

That gives them the ability to rotate infrastructure without modifying the ransomware itself or pushing new versions into the wild.

In traditional ransomware cases, defenders can sometimes block traffic by identifying known command-and-control servers.

But with an on-chain proxy list, any proxy that gets flagged can be replaced simply by updating the contract’s stored value.

Once contact is established through the updated proxy, victims receive ransom demands along with threats that stolen information will be sold if payment is not made.

Why takedowns become harder

Group-IB warned that using blockchain data this way makes disruption significantly harder.

There is no single central server that can be seized, removed, or shut down.

Even if a specific proxy address is blocked, the attackers can switch to another one without having to redeploy the malware.

Since the smart contract remains accessible through Polygon’s distributed nodes worldwide, the configuration data can continue to exist even when the infrastructure on the attackers’ side changes.

Researchers said this gives ransomware operators a more resilient command-and-control mechanism compared with conventional hosting setups.
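
Because a blocked proxy can simply be replaced, the contract lookup itself is the more stable signal for defenders. The sketch below is an added example, not code from Group-IB's report or from this article: it scans constructed TLS-inspecting proxy records for unapproved hosts issuing the read-only JSON-RPC `eth_call` method to a Polygon RPC endpoint, then lists unfamiliar destinations the same host contacts shortly afterwards. The log schema, host lists, allowlist and time window are all assumptions.

```python
import json
from datetime import datetime, timedelta

# Assumptions (not from the article): log schema, host lists and allowlist.
RPC_HOSTS = {"polygon-rpc.com", "rpc.polygon.example"}   # extend with your own list
APPROVED_SRC = {"10.0.5.20"}          # hosts with a business reason to query Polygon
BASELINE_DST = {"updates.vendor.example", "mail.corp.example"}
WINDOW = timedelta(minutes=5)

# Constructed sample of TLS-inspecting proxy records, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2026-01-20T09:00:00","src":"10.0.5.20","host":"polygon-rpc.com","body":{"method":"eth_call"}}
{"ts":"2026-01-20T09:01:10","src":"10.0.8.77","host":"updates.vendor.example","body":null}
{"ts":"2026-01-20T09:02:00","src":"10.0.8.77","host":"polygon-rpc.com","body":{"method":"eth_call"}}
{"ts":"2026-01-20T09:02:30","src":"10.0.8.77","host":"198.51.100.23","body":null}
{"ts":"2026-01-20T09:30:00","src":"10.0.8.77","host":"203.0.113.9","body":null}
"""

def parse(log_text):
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def find_onchain_lookups(log_text):
    """Return alerts for unapproved hosts doing read-only contract calls,
    each with the unfamiliar destinations that host contacted soon after."""
    alerts, pending = [], {}          # pending: src -> latest alert for that host
    for rec in sorted(parse(log_text), key=lambda r: r["ts"]):
        src, host = rec["src"], rec["host"]
        method = (rec.get("body") or {}).get("method")
        if host in RPC_HOSTS:
            if method == "eth_call" and src not in APPROVED_SRC:
                alert = {"src": src, "lookup_ts": rec["ts"], "followups": []}
                alerts.append(alert)
                pending[src] = alert
            continue
        alert = pending.get(src)
        if alert and rec["ts"] - alert["lookup_ts"] <= WINDOW \
                and host not in BASELINE_DST:
            alert["followups"].append(host)
    return alerts

if __name__ == "__main__":
    for a in find_onchain_lookups(SAMPLE_LOG):
        print(a["src"], a["lookup_ts"].isoformat(), a["followups"])
```

Where request bodies are not logged, the same correlation can be keyed on the destination host alone, at the cost of more noise from legitimate wallet and developer traffic.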

A small campaign with an inventive method

DeadLock was first observed in July 2025 and has stayed relatively low profile so far.

Group-IB said the operation has only a limited number of confirmed victims.

The report also noted that DeadLock is not linked to known ransomware affiliate programmes and does not appear to operate a public data leak site.

While that may explain why the group has received less attention than major ransomware brands, researchers said its technical approach deserves close monitoring.

Group-IB warned that even if DeadLock remains small, its technique could be copied by more established cybercriminal groups.

No Polygon vulnerability involved

The researchers stressed that DeadLock is not exploiting any vulnerability in Polygon itself.

It is also not attacking third-party smart contracts such as decentralised finance protocols, wallets, or bridges.

Instead, the attackers are abusing the public and immutable nature of blockchain data to hide configuration information.

Group-IB compared the technique to earlier “EtherHiding” approaches, where criminals used blockchain networks to distribute malicious configuration data.

Several smart contracts associated with the campaign were deployed or updated between August and Nov. 2025, according to the firm’s analysis.

Researchers said the activity remains limited for now, but the concept could be reused in many different forms by other threat actors.

While Polygon users and developers are not facing direct risk from this specific campaign, Group-IB said the case is another reminder that public blockchains can be misused to support off-chain criminal activity in ways that are difficult to detect and dismantle.
