DeadLock Ransomware Weaponizes Polygon Smart Contracts for “Unstoppable” C2
New findings from Group-IB reveal ransomware operators are using Polygon smart contracts to rotate command-and-control servers, making takedowns nearly impossible.
Ransomware operators have found a new bulletproof vest for their infrastructure: the Polygon blockchain. Cybersecurity firm Group-IB reported on Jan. 15 that the DeadLock ransomware family is now using Polygon smart contracts to store and rotate proxy server addresses, effectively rendering traditional IP-blocking defenses futile.
This shift marks a sophisticated evolution in cybercrime logistics. Instead of hard-coding command-and-control (C2) servers, which authorities can seize, DeadLock malware queries a specific smart contract on the Polygon network to fetch the current active proxy IP. If a server is blacklisted, the attackers simply send a transaction to update the contract state with a new IP. The malware, already deployed on victim machines, automatically redirects to the new destination without needing an update.
The “EtherHiding” Blueprint
The technique mirrors a tactic known as "EtherHiding," previously employed by North Korean threat actors on Ethereum. However, DeadLock’s migration to Polygon (POL) appears driven by cost efficiency. While Ethereum mainnet gas fees can make frequent contract updates expensive, Polygon’s fees are negligible. With POL trading at roughly $0.15, attackers can rotate their infrastructure continuously for pennies, maintaining high availability for their extortion operations.
"This exploit of smart contracts to deliver proxy addresses is an interesting method where attackers can literally apply infinite variants of this technique; imagination is the limit," Group-IB researchers noted.
Infrastructure of Impunity
The technical implementation relies on read-only calls to the blockchain. Since reading data from a smart contract does not require a transaction or gas fees, the malware creates no on-chain noise when it checks in for instructions. This makes the activity nearly invisible until the moment of encryption.
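Reading the contract costs no gas, but the lookup still travels as an ordinary JSON-RPC `eth_call` request to a public RPC node, which gives network defenders something to look for. The Python below is an added example, not code from Group-IB or its report: it scans constructed proxy-log records for `eth_call` requests to an assumed watchlist of Polygon RPC hostnames and decodes the returned value, assuming the contract's lookup function returns a Solidity `string`; the contract address, function selector and proxy value are constructed placeholders.

```python
import json
import re

# Assumed watchlist of public Polygon JSON-RPC hostnames; substitute your own telemetry.
WATCHED_RPC_HOSTS = {"polygon-rpc.com"}
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def encode_abi_string(s: str) -> str:
    """ABI-encode one Solidity `string` (offset, length, padded data); builds the sample only."""
    data = s.encode()
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()

def decode_abi_string(hexdata: str) -> str:
    """Decode the ABI-encoded `string` that an eth_call on such a contract returns."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8")

def inspect_record(record: dict):
    """Return a finding for an eth_call to a watched RPC host, else None."""
    if record.get("host") not in WATCHED_RPC_HOSTS:
        return None
    try:
        req = json.loads(record["request_body"])
        resp = json.loads(record["response_body"])
    except (KeyError, ValueError):
        return None
    if req.get("method") != "eth_call" or "result" not in resp:
        return None
    call = req["params"][0]
    value = decode_abi_string(resp["result"])
    return {"src": record["src"], "contract": call.get("to"),
            "selector": call.get("data", "")[:10], "value": value,
            "looks_like_ip": bool(IPV4_RE.match(value.split(":")[0]))}

def scan(records):
    """Run inspect_record over a captured log and keep only the hits."""
    return [f for f in (inspect_record(r) for r in records) if f]

# Constructed sample log: one ordinary web request and one contract read.
SAMPLE_LOG = [
    {"src": "10.0.0.12", "host": "example.com", "request_body": "{}", "response_body": "{}"},
    {"src": "10.0.0.37", "host": "polygon-rpc.com",
     "request_body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                                 "params": [{"to": "0x" + "ab" * 20, "data": "0x12345678"}, "latest"]}),
     "response_body": json.dumps({"jsonrpc": "2.0", "id": 1, "result": encode_abi_string("203.0.113.7:8080")})},
]
```

A hit whose decoded value parses as an IP or host:port, from an endpoint with no business reason to query a chain, is worth correlating with the rotation pattern described above.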
DeadLock, first identified in July 2025, has avoided major scrutiny by eschewing public affiliate programs and data-leak sites. Instead, it directs victims to the encrypted messaging app Session for negotiation, further reducing its digital footprint. The group funds its on-chain operations through FixedFloat, an automated crypto exchange that allows for rapid, anonymous swapping.
For defenders, the challenge is structural. You cannot "take down" a smart contract on a decentralized network. As long as the Polygon blockchain produces blocks, DeadLock’s directory remains online.