- Group-IB published a report on January 15 and said the method could make disruption more difficult for defenders.
- The malware reads on-chain data, so victims do not pay gas fees.
- Researchers said Polygon is not vulnerable, but the tactic could spread.
Ransomware groups typically use command and control servers to manage communications after infiltrating a system.
But security researchers now say unnoticed variants are using blockchain infrastructure in ways that could be harder to block.
Cybersecurity firm Group-IB said in a report released on January 15 that a ransomware operation known as DeadLock is abusing Polygon (POL) smart contracts to store and rotate proxy server addresses.
These proxy servers are used to relay communications between attackers and victims after the system is infected.
Because the information is on-chain and can be updated at any time, the researchers warned that this approach could make the group’s backend more resilient and harder to disrupt.
Smart contract used to store proxy information
Group-IB said DeadLock does not rely on the typical setup of a fixed command and control server.
Instead, once a system is compromised and encrypted, the ransomware queries specific smart contracts deployed on the Polygon network.
That contract stores the latest proxy address that DeadLock uses for communication. Proxies act as a middle layer, helping attackers maintain contact without directly exposing the underlying infrastructure.
Smart contract data is publicly readable, allowing malware to retrieve details without sending blockchain transactions.
This also means that victims do not need to pay gas fees or interact with their wallets.
DeadLock only reads information and treats the blockchain as a persistent source of configuration data.
Infrastructure rotation without malware updates
One of the reasons this method stands out is how quickly an attacker can change the communication path.
Group-IB said the actor behind DeadLock can update proxy addresses stored within the contract whenever necessary.
This gives them the ability to replace their infrastructure without having to modify the ransomware itself or release new versions.
With traditional ransomware, defenders can sometimes identify known command and control servers and block their traffic.
However, with an on-chain proxy list, any flagged proxy can be replaced simply by updating the stored value of the contract.
Once contact is made through the updated proxy, the victim is presented with a ransom demand and a threat to sell the stolen information if payment is not made.
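The retrieval described above (a read-only contract query with no transaction or gas) and the rotation described in this section can both be monitored from the defender's side. The script below is an added example written for this page, not code from Group-IB or from the DeadLock samples; it assumes an egress proxy that logs outbound JSON-RPC request and response bodies, and it uses placeholder RPC hostnames, a placeholder contract address and constructed proxy values rather than any indicator from the report. It flags `eth_call` reads against watched blockchain RPC hosts, decodes the ABI-encoded string the contract returns, and raises a separate finding whenever the stored value for a contract changes between reads.

```python
"""Detect on-chain configuration reads in egress logs and track value rotation.

Constructed example. Hostnames, the contract address and proxy strings are
placeholders; nothing here is an indicator from the Group-IB report.
"""
import json

# Assumption: public RPC endpoints an ordinary workstation has no reason to query.
WATCHED_RPC_HOSTS = {"polygon-rpc.com", "rpc-mainnet.matic.network"}


def decode_abi_string(hex_data: str) -> str:
    """Decode a single ABI-encoded dynamic `string` return value.

    Layout: 32-byte offset, then at that offset a 32-byte length, then the
    UTF-8 bytes padded to a 32-byte boundary.
    """
    raw = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    if len(raw) < 64:
        raise ValueError("too short for an ABI string")
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds payload")
    return raw[start:start + length].decode("utf-8", errors="replace")


def encode_abi_string(value: str) -> str:
    """Inverse of decode_abi_string; used here only to build constructed sample data."""
    data = value.encode()
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()


def analyze_rpc_logs(records):
    """Return findings for eth_call reads against watched RPC hosts.

    Each matching record yields a 'read' finding with the decoded value. When
    the value returned by a given contract differs from the previous read, an
    additional 'rotation' finding records the old and new values.
    """
    last_seen = {}
    findings = []
    for rec in records:
        if rec["host"] not in WATCHED_RPC_HOSTS:
            continue
        try:
            req = json.loads(rec["request"])
            resp = json.loads(rec["response"])
        except json.JSONDecodeError:
            continue
        if req.get("method") != "eth_call":
            continue  # block-number polls, gas estimates and similar are not config reads
        params = req.get("params") or [{}]
        contract = (params[0].get("to") or "").lower()
        try:
            value = decode_abi_string(resp.get("result", "0x"))
        except ValueError:
            value = None
        findings.append({"kind": "read", "ts": rec["ts"], "src": rec["src"],
                         "contract": contract, "value": value})
        prev = last_seen.get(contract)
        if prev is not None and value != prev:
            findings.append({"kind": "rotation", "ts": rec["ts"], "contract": contract,
                             "old": prev, "new": value})
        last_seen[contract] = value
    return findings


# Constructed sample data: placeholder contract, placeholder selector, placeholder proxies.
CONTRACT = "0x" + "11" * 20


def _call_pair(proxy_value: str):
    request = {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
               "params": [{"to": CONTRACT, "data": "0xabababab"}, "latest"]}
    response = {"jsonrpc": "2.0", "id": 1, "result": encode_abi_string(proxy_value)}
    return json.dumps(request), json.dumps(response)


_r1 = _call_pair("proxy-a.example:8443")
_r2 = _call_pair("proxy-b.example:8443")
SAMPLE_RECORDS = [
    {"ts": "2025-11-01T10:00:00Z", "src": "10.0.0.5", "host": "polygon-rpc.com",
     "request": _r1[0], "response": _r1[1]},
    {"ts": "2025-11-01T10:00:05Z", "src": "10.0.0.5", "host": "api.example.com",
     "request": _r1[0], "response": _r1[1]},  # not a watched host, ignored
    {"ts": "2025-11-01T10:01:00Z", "src": "10.0.0.5", "host": "polygon-rpc.com",
     "request": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []}),
     "response": json.dumps({"jsonrpc": "2.0", "id": 2, "result": "0x1"})},  # not eth_call
    {"ts": "2025-11-02T09:30:00Z", "src": "10.0.0.7", "host": "polygon-rpc.com",
     "request": _r2[0], "response": _r2[1]},  # same contract, new value: rotation
]

if __name__ == "__main__":
    for finding in analyze_rpc_logs(SAMPLE_RECORDS):
        print(finding)
```

In practice the `read` findings are the higher-value signal: a workstation with no blockchain software performing `eth_call` against a public RPC node is unusual on its own, and the decoded values give defenders the current relay to block while the `rotation` findings show how quickly the operator is cycling infrastructure.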
Why takedowns are becoming more difficult
Group-IB warned that using blockchain data in this way makes disruption much more difficult.
There is no single central server that can be taken over, removed, or shut down.
Even if a specific proxy address is blocked, an attacker can switch to another proxy address without redistributing malware.
The contract remains reachable through Polygon’s distributed nodes, so the configuration data stays available even when the attacker’s own infrastructure changes.
Researchers said this gives ransomware operators a more resilient command and control mechanism compared to traditional hosting setups.
Small campaigns with creative methods
DeadLock was first observed in July 2025 and has kept a relatively low profile until now.
Group-IB said the number of confirmed victims in the operation was limited.
The report also notes that DeadLock is not connected to any known ransomware affiliate programs and does not appear to operate any public data exfiltration sites.
While this may explain why the group receives less attention than major ransomware brands, researchers said the group’s technical approach is worth monitoring closely.
Group-IB warned that even though DeadLock is small in scale, its technique could be copied by more established cybercriminal groups.
No Polygon vulnerabilities involved
The researchers emphasized that DeadLock does not exploit vulnerabilities in Polygon itself.
It also does not attack third-party smart contracts, such as decentralized finance protocols, wallets, or bridges.
Instead, attackers are abusing the public and immutable nature of blockchain data to hide configuration information.
Group-IB compared this technique to the earlier “EtherHiding” approach, in which criminals used blockchain networks to distribute malicious configuration data.
According to the company’s analysis, several smart contracts linked to the campaign were deployed or updated between August and November 2025.
The researchers said that although activity is limited for now, the concept could be reused in various forms by other threat actors.
Although Polygon users and developers do not face direct risk from this particular campaign, Group-IB said this case is another reminder that public blockchains can be misused to support off-chain criminal activity in ways that are difficult to detect and dismantle.
