TL;DR

Researchers at Group-IB say the DeadLock ransomware operation is using Polygon smart contracts to conceal and rotate its proxy server addresses, complicating defenders' efforts to block its infrastructure. The group, first seen in July 2025, does not run a public data-leak site and instead threatens to sell stolen data on underground markets.

What happened

Group-IB researchers reported that the DeadLock ransomware gang has begun storing its proxy server URL inside Polygon blockchain smart contracts. After encrypting a victim's systems, the ransomware drops an HTML file that serves as a wrapper for the decentralized messenger Session and directs victims to use that channel to communicate. Because the proxy address lives in a smart contract rather than on conventional hosting, the group can frequently change where victims connect, which makes it harder for defenders to take down or block the infrastructure for any length of time. DeadLock was first identified in July 2025 and appears to favor an encryption-only model rather than operating a public data-leak site; researchers say it threatens to sell stolen data on underground markets if victims refuse to pay. Group-IB also noted that similar smart-contract techniques have been observed in other attacker activity, and some earlier reporting linked DeadLock to tactics such as bring-your-own-vulnerable-driver (BYOVD) and attempts to disable endpoint detection products.
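The on-chain lookup described above leaves a trace defenders can hunt for: the infected host has to ask a Polygon JSON-RPC gateway to read the contract, and the answer comes back as an ABI-encoded string. The following Python is an added example, not code from Group-IB, The Register or the DeadLock report; it scans constructed egress-proxy records for `eth_call` responses from public RPC gateways whose return value decodes to a URL. The gateway hostname set, the log schema, the contract address and the URL are assumptions and placeholders, not indicators from the report.

```python
import json
import re
from typing import List, Optional

# Assumption: hostnames of public Polygon JSON-RPC gateways. An ordinary
# workstation rarely needs to talk to these; extend the set from your own
# egress inventory.
PUBLIC_RPC_HOSTS = {"polygon-rpc.com"}

# URL-like strings: http(s) URLs or .onion hostnames.
URL_RE = re.compile(r"https?://[^\s\"'<>]+|\b[a-z0-9]{16,56}\.onion\b", re.I)


def encode_abi_string(text: str) -> str:
    """ABI-encode a single Solidity `string` return value.
    Used here only to build the constructed sample log below."""
    data = text.encode("utf-8")
    pad = (32 - len(data) % 32) % 32
    head = (32).to_bytes(32, "big")          # offset of the dynamic part
    length = len(data).to_bytes(32, "big")   # byte length of the string
    return "0x" + (head + length + data + b"\x00" * pad).hex()


def decode_abi_string(hex_data: str) -> Optional[str]:
    """Decode an ABI-encoded `string` from an eth_call result, or return None
    when the payload is not shaped like one (e.g. a bare uint256)."""
    try:
        raw = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    except ValueError:
        return None
    if len(raw) < 64:
        return None
    offset = int.from_bytes(raw[0:32], "big")
    if offset + 32 > len(raw):
        return None
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        return None
    try:
        return raw[start:start + length].decode("utf-8")
    except UnicodeDecodeError:
        return None


def find_onchain_urls(log_lines: List[str]) -> List[dict]:
    """Flag eth_call responses from public RPC gateways whose returned string
    decodes to a URL. Each log line is one JSON record from the egress proxy
    (assumed schema: src_host, dst_host, rpc_method, contract, response_data)."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("dst_host") not in PUBLIC_RPC_HOSTS:
            continue
        if rec.get("rpc_method") != "eth_call":
            continue
        decoded = decode_abi_string(rec.get("response_data", ""))
        if decoded is None:
            continue
        match = URL_RE.search(decoded)
        if match:
            findings.append({
                "src_host": rec.get("src_host"),
                "contract": rec.get("contract"),
                "url": match.group(0),
            })
    return findings


# Constructed sample egress-proxy records (hostnames, contract addresses and
# the URL are placeholders, not indicators from the report).
SAMPLE_LOG = [
    json.dumps({"src_host": "dev-box-01", "dst_host": "polygon-rpc.com",
                "rpc_method": "eth_blockNumber", "response_data": "0x0"}),
    json.dumps({"src_host": "ws-finance-07", "dst_host": "polygon-rpc.com",
                "rpc_method": "eth_call", "contract": "0x" + "ab" * 20,
                "response_data": encode_abi_string("https://contact-proxy.example/inbox")}),
    json.dumps({"src_host": "ws-finance-07", "dst_host": "polygon-rpc.com",
                "rpc_method": "eth_call", "contract": "0x" + "cd" * 20,
                "response_data": "0x" + "00" * 31 + "05"}),
]

if __name__ == "__main__":
    for hit in find_onchain_urls(SAMPLE_LOG):
        print(f"{hit['src_host']} read {hit['url']} from contract {hit['contract']}")
```

Only the second record is flagged: the first is an ordinary block-number query and the third is a 32-byte integer that does not decode as a string. In practice the useful signal is the combination of a workstation that has no blockchain-development role, a read-only `eth_call`, and a URL in the decoded result; the decoded URL itself is then a candidate for blocking, while the contract address is the more stable thing to alert on if the group rotates the proxy.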

Why it matters

  • Storing C2-related data in smart contracts creates resilient infrastructure that conventional takedown efforts cannot easily remove.
  • Frequent rotation of proxy addresses via blockchain makes persistent blocking by defenders more difficult.
  • Use of decentralized messengers and blockchain tooling signals a shift in ransomware tradecraft away from central hosting and public leak pressure.
  • Techniques are already being observed across different threat actors, suggesting this could become a wider problem for incident responders.

Key facts

  • DeadLock was first observed in July 2025, according to Group-IB.
  • The group does not use a public data leak site (DLS); it threatens to sell data on underground markets if victims refuse to pay.
  • After encryption, DeadLock drops an HTML file that acts as a wrapper for the Session messenger and instructs victims to use it to contact operators.
  • Researchers say DeadLock stores its proxy server URL inside Polygon smart contracts to hide and rotate its C2 endpoint.
  • Storing proxy data on-chain allows frequent changes to the contact address, complicating permanent blocking of infrastructure.
  • Group-IB highlighted that similar smart-contract hiding methods have been seen in other operations, including activity tracked by Google Threat Intelligence Group.
  • Earlier reporting from Cisco Talos linked DeadLock to techniques such as BYOVD and exploiting vulnerabilities to disable endpoint detection, but Group-IB says typical initial access methods remain unclear.
  • Group-IB declined to provide further technical details in the write-up shared with The Register.

What to watch next

  • Whether more ransomware groups adopt smart-contract-based methods to store or rotate C2 addresses, increasing resilience of criminal infrastructure.
  • Not confirmed in the source: how law enforcement and blockchain platforms will respond to on-chain storage of criminal infrastructure data.
  • Not confirmed in the source: whether DeadLock will move to public data-leak sites or change extortion methods beyond threatening to sell data.

Quick glossary

  • Smart contract: Self-executing code deployed on a blockchain that runs when predefined conditions are met; used for automating interactions and storing data on-chain.
  • Polygon: A blockchain platform compatible with Ethereum tooling often used for deploying smart contracts and decentralized applications.
  • Command-and-control (C2): Infrastructure or channels attackers use to send commands to compromised systems and receive data from them.
  • Session (messenger): A decentralized messaging application designed to provide private communications without a central server; used here as an operator–victim contact channel.
  • Double extortion: A ransomware tactic where attackers both encrypt systems and threaten to leak stolen data publicly to pressure victims into paying.

Reader FAQ

How does DeadLock hide its control server addresses?
According to Group-IB, DeadLock stores its proxy server URL inside Polygon smart contracts and rotates those addresses frequently.

Does DeadLock publish stolen data on a leak site?
Group-IB reports the group does not operate a public data-leak site; it claims to threaten to sell data on underground markets instead.

How does DeadLock initially breach victims' networks?
Group-IB says the typical initial access methods are not yet known; earlier Cisco Talos reporting linked the group to BYOVD and exploiting vulnerabilities to disable EDRs.

Can defenders still block DeadLock’s infrastructure?
Group-IB notes that using on-chain storage and frequent rotation of proxy addresses makes permanent blocking of the group’s infrastructure more difficult.

Sources

  • The Register, Research: "'Imagination the limit': DeadLock ransomware gang using smart contracts to hide their work" (subheading: "New crooks on the block get crafty with blockchain to evade defenses"), by Connor Jones, Wed 14 Jan 2026.
