TL;DR
- DeadLock ransomware uses Polygon smart contracts to hide proxy server addresses.
- The technique mimics previous Ethereum-based attacks used by North Korean hackers.
- The malware changes IP addresses regularly to avoid detection by security systems.
A cybersecurity firm identified a new ransomware method using blockchain technology. Group-IB reported the finding on Thursday. The malware, called DeadLock, uses Polygon smart contracts to distribute proxy server addresses. This technique helps the ransomware evade detection by security systems.
DeadLock first appeared in July 2025. It remained under the radar due to a low number of victims. The malware lacks a public program for affiliates and does not operate a public data leak site. Group-IB stated the ransomware applies innovative methods that show an evolving skillset.
🚨 DeadLock Ransomware: When Blockchain Meets Cybercrime
Group-IB has uncovered a sophisticated new threat rewriting the ransomware playbook. DeadLock leverages Polygon smart contracts to rotate proxy addresses, a stealthy, under-reported technique that bypasses traditional… pic.twitter.com/rlPu9gZd5F
— Group-IB Global (@GroupIB) January 15, 2026
The method mirrors a previous campaign disclosed by Google
That technique, called EtherHiding, used Ethereum smart contracts to hide malware. North Korean hackers employed EtherHiding last year. Both methods repurpose public blockchains as covert channels that are difficult to block or dismantle.
DeadLock uses smart contracts to deliver a list of proxy addresses. These proxies are intermediary servers, and their addresses are rotated regularly so that the IP address defenders observe keeps changing. Group-IB researchers found JavaScript code within an HTML file that interacts with a smart contract on the Polygon network.
The ransomware retrieves an RPC list from the contract
This list contains endpoints for interacting with the Polygon blockchain. These endpoints act as gateways connecting applications to the network’s nodes. The use of smart contracts allows for infinite variations of the technique.
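The pattern described above, a dropped HTML/JS file that reads server addresses out of a Polygon smart contract over JSON-RPC, can be triaged statically. The following scanner is an added example written for this article; it is not Group-IB's or DeadLock's code, the indicator regexes and the sample HTML are constructed assumptions, and the contract address in the sample is a placeholder.

```javascript
// Added example: static triage of an HTML/JS file for the "server list from a
// Polygon contract" pattern. The indicators are assumptions, not DeadLock IoCs.
const INDICATORS = {
  // Standard Ethereum JSON-RPC methods used to read contract state.
  rpcMethods: /["']eth_call["']|["']eth_getStorageAt["']/,
  // Polygon PoS mainnet chain id is 137 (0x89 in hex).
  polygonChainId: /\bchainId\b\s*[:=]\s*["']?(137|0x89)\b/,
  // A public Polygon RPC gateway (polygon-rpc.com is a real public endpoint);
  // extend this list with the gateways your environment actually sees.
  polygonRpcHost: /https?:\/\/(polygon-rpc\.com)/i,
  // A 20-byte hex address in the "to" field of an eth_call request.
  contractAddress: /["']?to["']?\s*:\s*["'](0x[0-9a-fA-F]{40})["']/,
};

// Returns { suspicious, hits }: suspicious only when the file both reads a
// contract AND is pinned to Polygon, which is the combination described above.
function scanForContractBeacon(text) {
  const hits = {};
  for (const [name, re] of Object.entries(INDICATORS)) {
    const m = text.match(re);
    if (m) hits[name] = m[1] || m[0];
  }
  const suspicious = Boolean(hits.rpcMethods && hits.contractAddress &&
                             (hits.polygonChainId || hits.polygonRpcHost));
  return { suspicious, hits };
}

// Constructed sample of what such a dropper file might contain (placeholder
// contract address and calldata; this is not the real malware's code).
const SAMPLE_HTML = `<html><script>
const rpc = "https://polygon-rpc.com";
const body = {jsonrpc:"2.0", id:1, method:"eth_call",
  params:[{to:"0x1111111111111111111111111111111111111111", data:"0x00000000"}, "latest"]};
fetch(rpc, {method:"POST", body: JSON.stringify(body)}).then(r => r.json());
</script></html>`;

// Constructed benign file for comparison.
const BENIGN_HTML = `<html><p>Quarterly report</p><script>console.log("hi")</script></html>`;

console.log(scanForContractBeacon(SAMPLE_HTML));   // suspicious: true
console.log(scanForContractBeacon(BENIGN_HTML));   // suspicious: false
```

A hit is a triage signal, not a verdict: legitimate dApp front-ends match the same regexes, so route hits to a reviewer rather than blocking on them.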
DeadLock renames encrypted files with a .dlock extension. It also replaces the desktop background with a ransom note. Newer versions warn victims that sensitive data was stolen. The malware threatens to sell or leak the data if the ransom is unpaid. Researchers have identified at least three variants of DeadLock so far.
Earlier versions relied on potentially compromised servers. Researchers now believe the group operates its own infrastructure. The key change involves how DeadLock retrieves and manages its server addresses through the blockchain.
The most recent version embeds direct communication channels. It drops an HTML file that acts as a wrapper around the encrypted messaging app Session. This file's main purpose is to facilitate direct talks between the attacker and the victim. The ransomware's initial access vectors and other attack stages currently remain unknown.
Group-IB advised organizations to take the threat seriously. The firm noted that while the impact is currently low, the evolving methods could become more dangerous. The use of blockchain technology presents a persistent challenge for traditional cybersecurity defenses.
