Hackers hide behind blockchain: new ransomware evades takedowns

DeadLock ransomware relies on Polygon smart contracts to run proxy servers to create a virtually unclosable infrastructure.

The ransomware threat, exposed by cybersecurity firm Group-IB, abuses blockchain technology as infrastructure. DeadLock relies on Polygon smart contracts to control its proxy servers, bypassing conventional security measures.

Group-IB published a post on X stating that the DeadLock ransomware uses Polygon smart contracts to host its proxy addresses. It is a stealthy, under-reported trick that is highly effective at bypassing conventional security controls.

Blockchain becomes criminal infrastructure

DeadLock was released in July 2025 and kept an unusually low profile: no public data leak site, no links to affiliate programs, and a limited number of victims, ensuring minimal exposure.

Group-IB's research revealed new tactics. Once a system is encrypted, the ransomware queries specific Polygon smart contracts that hold the current proxy addresses, allowing attackers and victims to communicate through those proxies.

The blockchain approach has significant strengths for the attackers: they can change proxy addresses in real time without redeploying the malware, leaving defenders with a takedown that is virtually impossible.

Smart contract rotation defies detection

Conventional command-and-control servers have an inherent weakness: they can be blocked by security vendors and seized by law enforcement agencies. DeadLock eliminates that weakness.

The data is stored on-chain. The contract information is held by distributed nodes around the world, so there is no central server to take down and the infrastructure is exceptionally resilient.

Group-IB found JavaScript code in HTML files that queries the smart contracts on the Polygon network, automatically extracts the proxy URLs, and routes messages to the attackers through those addresses.

Evolution from simple encryption to blockchain

Early DeadLock samples first surfaced in June 2025 and carried ransom notes that only mentioned file encryption. Later iterations were considerably more advanced.

Explicit data theft warnings were added in August 2025. The attackers threatened to sell the stolen data, leaving victims with a double problem: encrypted files and a potential data breach.

The newer versions come with "value-added services": a security report that explains how the breach occurred, a promise that the victim will not be targeted again, and complete destruction of the data once payment is received.

Transaction analysis reveals infrastructure patterns: a single wallet created several smart contracts, and the same address funded those operations through the FixedFloat exchange. Contract changes took place between August and November 2025.

Similar techniques are gaining popularity worldwide

North Korean hackers were the first to use similar techniques; Google Threat Intelligence Group documented the EtherHiding technique, which became public in February 2025.

EtherHiding embeds malicious code in blockchain smart contracts. The payloads are stored on public ledgers such as Ethereum and BNB Smart Chain and leave few footprints.

Group-IB researchers note that DeadLock's maturity reflects the evolving capabilities of criminals. Its limited impact so far masks a worrying potential.

Victims are left with encrypted files carrying the .dlock extension, a desktop background replaced with ransom messages, all system icons customized, and constant monitoring through the AnyDesk remote access software.

PowerShell scripts delete shadow copies and stop services to maximize the effect of the encryption, making recovery without the decryption keys very difficult.


Infrastructure tracking reveals patterns

Analysis of the historical proxy servers revealed important information. The early infrastructure ran on compromised WordPress sites, cPanel setups, and Shopware installations, whereas the more recent servers are classified as attacker-controlled infrastructure.

Several of the newest servers share the same SSH fingerprint and similar SSL certificates. All of them run the Vesta control panel, with Apache web servers configured to handle the proxy requests.

Read-only blockchain operations are free: the attackers incur no transaction fees, and the infrastructure requires minimal maintenance.

Group-IB monitored the transactions to the smart contracts. Decoding the transaction input data revealed the historical proxy addresses; the setProxy method is used to update them.
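As an added illustration of the transaction-input decoding described above (not Group-IB's tooling and not the ransomware's code), this Python script rebuilds the proxy rotation timeline from constructed sample transactions. It assumes the contract method is `setProxy(string)` and uses a placeholder 4-byte selector, since the page gives neither the parameter type nor the selector.

```python
# Assumption: the contract exposes setProxy(string). The page names the method but
# not its parameter type or 4-byte selector, so a placeholder selector is used.
SET_PROXY_SELECTOR = bytes.fromhex("deadbeef")  # placeholder, not the real selector


def _word(data: bytes, pos: int) -> int:
    """Read one 32-byte big-endian ABI word at byte offset pos."""
    if pos + 32 > len(data):
        raise ValueError("truncated ABI word")
    return int.from_bytes(data[pos:pos + 32], "big")


def decode_set_proxy(input_hex: str) -> str:
    """Return the string argument of a setProxy(string) call; raise on malformed input."""
    data = bytes.fromhex(input_hex[2:] if input_hex.startswith("0x") else input_hex)
    if data[:4] != SET_PROXY_SELECTOR:
        raise ValueError("not a setProxy call")
    args = data[4:]
    offset = _word(args, 0)        # head word: byte offset of the dynamic string
    length = _word(args, offset)   # tail: length word, then the string bytes
    if offset + 32 + length > len(args):
        raise ValueError("string extends past calldata")
    return args[offset + 32:offset + 32 + length].decode("utf-8")


def encode_set_proxy(url: str) -> str:
    """ABI-encode a setProxy(string) call; used here only to build constructed samples."""
    raw = url.encode("utf-8")
    padded = raw + b"\x00" * (-len(raw) % 32)
    body = (32).to_bytes(32, "big") + len(raw).to_bytes(32, "big") + padded
    return "0x" + (SET_PROXY_SELECTOR + body).hex()


def proxy_history(txs):
    """Rebuild the proxy rotation timeline as (block, url) pairs, oldest first, from
    (block, input_hex) tuples. Calls that are not setProxy or fail to decode are skipped."""
    history = []
    for block, input_hex in sorted(txs):
        try:
            history.append((block, decode_set_proxy(input_hex)))
        except (ValueError, UnicodeDecodeError):
            continue
    return history


# Constructed sample transactions (block number, calldata); not real on-chain data.
SAMPLE_TXS = [
    (63_000_000, encode_set_proxy("https://proxy-new.example/api")),
    (62_500_000, "0x12345678" + "00" * 64),                  # unrelated call, skipped
    (62_000_000, encode_set_proxy("https://proxy-old.example/api")),
]
```

The resulting list of (block, url) pairs is the rotation history a defender would feed into blocklists or retrospective log searches, and the ordering by block shows when each proxy went live.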

No Polygon vulnerability exploited

Researchers emphasize that DeadLock neither found nor exploited any vulnerability in the Polygon platform, its DeFi protocols, or any wallet or bridge.

The method relies on the public nature of the blockchain. Its persistent storage is ideal infrastructure because the contract data is always available, and its geographical distribution makes enforcement difficult.

There is no direct threat to Polygon users and no security risk to developers. The campaign targets Windows systems; the blockchain is used only as infrastructure.

Cisco Talos documented the initial access techniques, including CVE-2024-51324, a vulnerability in Baidu Antivirus that allows process termination, rendering endpoint detection systems ineffective within a short time.