Group-IB researchers have uncovered a novel ransomware strain, named “DeadLock,” that uses Polygon smart contracts as a decentralized medium to store and rotate proxy addresses for its command-and-control (C2) operations. Code placed on victim machines queries a specific smart contract, so the attackers can update proxy endpoints on-chain at any time and avoid the weakness of centralized servers, which can be blocked or seized.
The DeadLock campaign, first identified in July 2025, has maintained a low profile, with no known data leak sites or affiliate programs promoting it. Nevertheless, Group-IB highlights that the use of immutable blockchain transactions for proxy distribution represents an “innovative method” that poses significant challenges for traditional takedown strategies. The smart contract does not require victims to submit transactions or pay gas fees, as the malware performs only read operations.
Once a new proxy address is retrieved, the ransomware establishes encrypted channels with the victim’s environment to transmit ransom demands and threats of data exfiltration. The on-chain proxy rotation enhances resilience, as the smart contract remains accessible across distributed nodes even if individual addresses are blacklisted or removed from off-chain infrastructure.
Group-IB warns that the DeadLock approach could be readily adapted by other threat actors to hide infrastructure, citing prior “EtherHiding” incidents. The blockchain-based evasion tactic underscores the dual-use nature of smart contracts and highlights the need for cybersecurity defenses to evolve alongside emerging on-chain attack vectors. Organizations are advised to monitor public smart contract activity and implement on-chain threat intelligence in their security operations.
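One way to act on the monitoring advice at the network layer, as an added example that is not from Group-IB or the original article: because the malware only reads from the contract, the read shows up as outbound traffic from the host, and repeated reads of one contract from a machine with no business use of blockchain are worth triage. The sketch assumes the read is a standard Ethereum JSON-RPC `eth_call` sent over HTTP and that egress-proxy logs capture the request body; the log field names, hostnames and contract address are constructed.

```python
import json
from collections import Counter

PLACEHOLDER_CONTRACT = "0x" + "ab" * 20  # constructed value, not a real indicator

def _rec(host, dest, body):
    """Build one constructed proxy-log line; field names are assumptions."""
    return json.dumps({"host": host, "dest": dest, "body": json.dumps(body)})

def _call(to, req_id=1):
    """Build a JSON-RPC eth_call request (a read-only contract query)."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
            "params": [{"to": to, "data": "0x00000000"}, "latest"]}

SAMPLE_LOG = [
    _rec("ws-014", "rpc.example.net", _call(PLACEHOLDER_CONTRACT)),
    _rec("ws-014", "rpc2.example.org", [_call(PLACEHOLDER_CONTRACT), _call(PLACEHOLDER_CONTRACT, 2)]),
    _rec("dev-003", "rpc.example.net", _call("0x" + "cd" * 20)),
    _rec("ws-022", "api.example.com", {"query": "status"}),
    '{"host": "ws-030", "dest": "rpc.example.net", "body": "not json"}',
]

def contract_reads(line):
    """Yield (host, contract) for every eth_call in one log line; skip malformed input."""
    try:
        rec = json.loads(line)
        body = json.loads(rec["body"])
    except (ValueError, KeyError, TypeError):
        return
    for req in body if isinstance(body, list) else [body]:  # JSON-RPC batches are lists
        if not isinstance(req, dict) or req.get("method") != "eth_call":
            continue
        params = req.get("params")
        first = params[0] if isinstance(params, list) and params else None
        if isinstance(first, dict) and isinstance(first.get("to"), str):
            yield rec.get("host"), first["to"].lower()

def flag_unexpected_reads(lines, approved_hosts):
    """Count reads per (host, contract) for hosts with no approved blockchain use."""
    hits = Counter()
    for line in lines:
        for host, contract in contract_reads(line):
            if host not in approved_hosts:
                hits[(host, contract)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (host, contract), n in flag_unexpected_reads(SAMPLE_LOG, {"dev-003"}).items():
        print(f"{host} read contract {contract} {n} time(s)")
```

Matching on the request body rather than the destination keeps the check working when the same contract is queried through a different RPC endpoint.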