Ransomware Group Exploits Polygon Smart Contracts for Command-and-Control Operations

A new ransomware strain uses Polygon smart contracts to obscure its infrastructure, complicating takedowns.

Cybersecurity experts have identified a low-profile ransomware group employing innovative tactics to evade detection and takedown efforts. The group, known as DeadLock, has been utilizing Polygon smart contracts to obscure and rotate its command-and-control infrastructure, complicating efforts to dismantle its operations.

A report from cybersecurity firm Group-IB, published on January 15, reveals that DeadLock has been active since July 2025, although it has maintained a relatively inconspicuous profile. The firm noted that confirmed victims are limited, and the group does not seem to be affiliated with any known ransomware programs or public data leak sites. However, the inventive techniques employed by DeadLock could present serious risks if adopted by more prominent ransomware factions.

The method behind DeadLock's operation is particularly striking. Instead of relying on conventional command-and-control servers, which are often vulnerable to being blocked or taken offline, the ransomware embeds code that queries a specific Polygon smart contract after a target system is compromised and its files are encrypted. This smart contract stores the current proxy address that attackers use to communicate with their victims.

By leveraging the immutable and publicly accessible nature of blockchain data, DeadLock can update this proxy address at will, allowing for rapid infrastructure rotation without needing to redeploy the malware itself. Victims do not need to engage in any financial transactions or pay gas fees, as the ransomware only performs read operations on the blockchain. Once the connection is established, victims are faced with ransom demands and threats regarding the potential sale of stolen data should they fail to comply.
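A read-only contract lookup of this kind can be hunted for in egress logs. The Python sketch below is an added example, not code from Group-IB or this article: it assumes the lookup is a standard JSON-RPC `eth_call` sent through a proxy that logs request bodies, and the log schema, the RPC host list, the process allowlist and the contract address are all assumptions or placeholders.

```python
import json
from collections import defaultdict

# Assumptions, not from the article: log schema, RPC host list, process allowlist.
RPC_HOSTS = {"polygon-rpc.com"}                    # example entry; add providers seen in your egress
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe"}  # software expected to query a chain

def contract_reads(body):
    """Yield the target contract of every eth_call in a JSON-RPC body (single or batch)."""
    try:
        msg = json.loads(body)
    except (TypeError, ValueError):
        return  # missing or malformed body
    for call in msg if isinstance(msg, list) else [msg]:
        if isinstance(call, dict) and call.get("method") == "eth_call":
            params = call.get("params")
            if isinstance(params, list) and params and isinstance(params[0], dict):
                yield str(params[0].get("to", "")).lower()

def hunt(log_lines):
    """Group read-only contract queries from non-allowlisted processes by (host, process)."""
    hits = defaultdict(set)
    for line in log_lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip truncated or non-JSON records
        if rec.get("dest") not in RPC_HOSTS:
            continue
        if str(rec.get("process", "")).lower() in ALLOWED_PROCESSES:
            continue
        for contract in contract_reads(rec.get("body")):
            hits[(rec.get("host"), rec.get("process"))].add(contract)
    return dict(hits)

def _rec(host, process, dest, rpc):
    return json.dumps({"host": host, "process": process, "dest": dest, "body": json.dumps(rpc)})

# Constructed sample records; the contract address is a placeholder, not an indicator.
PLACEHOLDER = "0x" + "ab" * 20
CALL = {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
        "params": [{"to": PLACEHOLDER, "data": "0x00000000"}, "latest"]}
SAMPLE = [
    _rec("FS01", "svc_update.exe", "polygon-rpc.com", CALL),            # unexpected reader
    _rec("WS22", "chrome.exe", "polygon-rpc.com", CALL),                # allowlisted process
    _rec("FS01", "svc_update.exe", "polygon-rpc.com", [CALL, {"method": "eth_chainId"}]),
    _rec("WS07", "backup.exe", "updates.example.com", CALL),            # other destination
    '{"host": "WS09", "dest": "polygon-rpc.com", "body": "not json"',   # truncated record
]

if __name__ == "__main__":
    for (host, proc), contracts in hunt(SAMPLE).items():
        print(host, proc, sorted(contracts))
```

Each contract address surfaced this way is a pivot point: the same address queried from several hosts, or from a server-side process, is worth triage even when the RPC provider itself is legitimate.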

Group-IB emphasizes that DeadLock does not exploit vulnerabilities within the Polygon network or third-party smart contracts, such as those used for decentralized finance (DeFi) protocols, wallets, or bridges. Instead, the ransomware exploits the public nature of blockchain data to conceal configuration information, reminiscent of earlier techniques like “EtherHiding.”

Several smart contracts associated with this campaign were either deployed or updated between August and November 2025, according to the analysis by Group-IB. While the current activity level remains limited, researchers caution that the underlying concept could be adapted by various threat actors, further complicating the landscape of cybersecurity.

While users and developers on the Polygon network are not directly at risk from this campaign, the case serves as a critical reminder of how public blockchains can be misused to facilitate off-chain criminal activities, making detection and disruption significantly more challenging.

Copyright © 2024 COINNEWSBYTE.COM. All rights reserved.