DeadLock, a ransomware group that first emerged in July 2025, has made news again, and this time it is for abusing Polygon blockchain smart contracts to manage and rotate proxy server addresses, according to research published by cybersecurity firm Group-IB.
The ransomware operation uses blockchain-based smart contracts to store the group’s proxy server URL, allowing frequent rotation that makes it difficult for defenders to permanently block infrastructure.
After encrypting a victim’s systems, DeadLock drops an HTML file that acts as a wrapper for the decentralized messaging platform, Session.
How does the DeadLock ransomware work on Polygon?
Embedded JavaScript code within the file queries a specific Polygon smart contract to obtain the current proxy URL, which then relays encrypted messages between the victim and the attacker’s Session ID.
These read-only blockchain calls generate no transactions or fees, making them cost-free for the attackers to maintain.
Group-IB researchers noted that the exploit of smart contracts to deliver proxy addresses is an interesting method where attackers can apply infinite variants of this technique, with imagination being the only limit.
The technique is not well documented and under-reported but its usage is gradually gaining traction in the wild, according to security researchers.
Investigation by Cisco Talos revealed that DeadLock gains initial access by exploiting CVE-2024-51324, a Baidu Antivirus vulnerability, using a technique known as “bringing your own vulnerable driver” to terminate endpoint detection and response processes.
DeadLock comes up with new extortion tactics
DeadLock is different from most ransomware operations because it abandons the usual double extortion approach and does not have a data leak site where it could publicize attacks.
Instead, the group threatens to sell stolen data on underground markets while offering victims security reports and promises not to re-target them if ransom is paid.
Group-IB’s infrastructure tracking has not drawn any threads between DeadLock and any known ransomware affiliate programs. In fact, the group maintains a relatively low profile. However, they found smart contract copies that were first created and updated in August 2025 and later updated in November 2025.
Group-IB stated that it successfully “tracked its infrastructure through blockchain transactions, revealing funding patterns and active servers.”
Nation-state actors adopt similar techniques
Google Threat Intelligence Group observed North Korean threat actor UNC5342 using a related technique called EtherHiding to deliver malware and facilitate cryptocurrency theft since February 2025.
According to Google, “EtherHiding involves embedding malicious code, often in the form of JavaScript payloads, within a smart contract on a public blockchain like BNB Smart Chain or Ethereum.”
Polygon happens to be a layer-2 blockchain that’s built on Ethereum’s layer-1 infrastructure.
While DeadLock remains low volume and low impact, security researchers warn that it applies innovative methods showcasing a skill set that might become dangerous if organizations do not take the threat it poses seriously.
Apart from calling on businesses to be proactive in detecting malware, Group-IB recommended that they should add more layers of security, such as multifactor authentication and credential-based solutions.
The cybersecurity firm also stated that businesses should have a data backup, train their employees, patch up vulnerabilities, and, very importantly, “never pay the ransom” but contact incident response experts as quickly as possible if they ever get attacked.
