Security researchers say a low-profile ransomware group is using Polygon smart contracts to hide and rotate its command-and-control infrastructure.
Summary
- DeadLock ransomware, first observed in July 2025, stores rotating proxy addresses inside Polygon smart contracts to evade takedowns.
- The technique relies solely on reading on-chain data and does not exploit vulnerabilities in Polygon or other smart contracts.
- Researchers warn the tactic is cheap, decentralized, and difficult to block, even though the campaign has limited confirmed victims so far.
Cybersecurity researchers are warning that a recently identified ransomware strain is using Polygon smart contracts in an unusual way that could make its infrastructure harder to disrupt.
In a report published on Jan. 15, researchers at cybersecurity firm Group-IB said the ransomware, known as DeadLock, is abusing publicly readable smart contracts on the Polygon (POL) network to store and rotate proxy server addresses used to communicate with infected victims.
DeadLock was first observed in July 2025 and has remained relatively low profile since then. Group-IB said the operation has a limited number of confirmed victims and is not linked to any known ransomware affiliate programs or public data leak sites.
Despite its low visibility, the firm warned that the techniques being used are highly inventive and could pose serious risks if copied by more established groups.
How the technique works
Instead of relying on traditional command-and-control servers, which can typically be blocked or taken offline, DeadLock embeds code that queries a specific Polygon smart contract after a system has been infected and encrypted. That contract stores the current proxy address used to relay communication between the attackers and the victim.
Because the data is stored on-chain, attackers can update the proxy address at any time, allowing them to rotate infrastructure quickly without redeploying malware. Victims do not need to send transactions or pay gas fees, because the ransomware only performs read operations on the blockchain.
Once contact is established, victims receive ransom demands along with threats that stolen data will be sold if payment is not made. Group-IB noted that this approach makes the ransomware's infrastructure far more resilient.
There is no central server to shut down, and the contract data remains available across distributed nodes worldwide, making takedowns significantly harder.
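As an added illustration from the defender's side (not code from the Group-IB report or from DeadLock), the Python below shows the two things a monitoring team needs for this pattern: decoding the ABI-encoded string that a read-only eth_call against a contract returns, so the currently stored proxy address can be tracked and blocklisted as it rotates, and flagging non-developer hosts that issue such reads in constructed proxy logs. The contract payload, proxy hostname, workstation names, the polygon-rpc.com endpoint and the developer allowlist are all assumptions.

```python
import json
from typing import Optional
# Constructed placeholders, not indicators from the Group-IB report.
PLACEHOLDER_PROXY = "proxy.example.invalid:8443"

def abi_encode_string(s: str) -> str:
    """ABI-encode a single `string` return value: offset word, length word, padded data."""
    data = s.encode()
    padded = data + b"\0" * (-len(data) % 32)
    return "0x" + ((32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + padded).hex()

def abi_decode_string(result_hex: str) -> Optional[str]:
    """Decode the ABI `string` an eth_call returns; None if the layout is malformed."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        return None
    offset = int.from_bytes(raw[:32], "big")  # position of the length word
    if offset + 32 > len(raw):
        return None
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        return None
    return raw[start:start + length].decode("utf-8", errors="replace")

def extract_proxy_from_rpc_response(response_json: str) -> Optional[str]:
    """Pull the currently stored proxy address out of a JSON-RPC eth_call reply."""
    result = json.loads(response_json).get("result")
    return abi_decode_string(result) if isinstance(result, str) else None

# Constructed web-proxy log lines: client host, verb, destination, JSON-RPC method.
SAMPLE_LOGS = [
    "ws-0142 POST polygon-rpc.com/ method=eth_call",
    "dev-build-03 POST polygon-rpc.com/ method=eth_blockNumber",
    "ws-0777 POST updates.example.invalid/ method=-",
    "ws-0142 POST polygon-rpc.com/ method=eth_call",
]
# Assumptions: a public Polygon RPC host to watch, and hosts allowed to query it.
POLYGON_RPC_HOSTS = {"polygon-rpc.com"}
DEVELOPER_HOSTS = {"dev-build-03"}

def hosts_reading_polygon(log_lines) -> set:
    """Non-developer hosts issuing read-only eth_call requests to Polygon RPC."""
    hits = set()
    for line in log_lines:
        host, _verb, dest, method = line.split()
        if (dest.split("/")[0] in POLYGON_RPC_HOSTS and method == "method=eth_call"
                and host not in DEVELOPER_HOSTS):
            hits.add(host)
    return hits
# What a monitoring job would receive when it reads the known contract (constructed).
SAMPLE_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(PLACEHOLDER_PROXY)})
```

Because the lookup is a plain read, a scheduled job can poll the contract the same way and alert when the decoded value changes, which is the rotation event worth catching.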
No Polygon vulnerability involved
The researchers stressed that DeadLock is not exploiting flaws in Polygon itself or in third-party smart contracts such as decentralized finance protocols, wallets, or bridges. The ransomware is simply abusing the public and immutable nature of blockchain data to hide configuration information, a method similar to earlier “EtherHiding” techniques.
Several smart contracts linked to the campaign were deployed or updated between August and November 2025, according to Group-IB's analysis. While the activity remains limited for now, the firm warned that the concept could be reused in various forms by other threat actors.
While Polygon users and developers are not facing direct risk from the campaign, researchers say the case highlights how public blockchains can be misused to support off-chain criminal activity in ways that are difficult to detect and dismantle.