Stealth Attack: ’DeadLock’ Ransomware Now Hides in Polygon Smart Contracts—Here’s What You Need to Know
Polygon's blockchain just became a digital hideout for ransomware. A new strain called 'DeadLock' is weaponizing smart contracts to execute attacks while staying virtually invisible to traditional security scanners.
How the Invisibility Cloak Works
The malware doesn't just encrypt files—it deploys its payload through a Polygon smart contract. The contract acts as a command-and-control center, issuing instructions and receiving payments in MATIC. Because the malicious code lives on-chain, it bypasses endpoint detection that scans local systems. The ransom note appears only after encryption, delivered via the contract itself.
Security researchers tracking the strain confirm it's already hit dozens of targets. The attack leaves almost no footprint on infected machines—just a call to a contract address. Tracing it means following the blockchain breadcrumbs, a process slower than most security teams can afford.
The New Defense Playbook
This isn't your grandfather's ransomware. Defending against it requires monitoring outbound calls to blockchain networks, not just inbound traffic. Some firms are now deploying blockchain analytics tools alongside traditional security—watching for suspicious smart contract interactions in real-time.
Polygon's core team has been notified, but decentralisation means there's no 'off switch.' The contract's code is immutable once deployed. The only fix is awareness and new defensive layers.
One cynical take? Wall Street spends millions on blockchain for settlement efficiency, while cybercriminals use it for operational efficiency—finally, a real-world use case everyone can understand. The lesson is clear: in the race between security and innovation, the bad guys are reading the same whitepapers as the good guys.
DeadLock Ransomware: When Blockchain Meets CybercrimeGroup-IB has uncovered a sophisticated new threat rewriting the ransomware playbook. DeadLock leverages Polygon smart contracts to rotate proxy addresses, a stealthy, under-reported technique that bypasses traditional… pic.twitter.com/rlPu9gZd5F — Group-IB Global (@GroupIB) January 15, 2026
That profile, however, covers a more technologically sophisticated strategy that researchers believe is showing a more global change in the way cybercriminals are using public blockchains for criminal ends.
How DeadLock Hides Ransomware Infrastructure Inside Polygon Smart Contracts
Group-IB’s analysis shows that DeadLock uses smart contracts deployed on the Polygon network to store and rotate proxy server addresses.
These proxies act as intermediaries between infected systems and the ransomware operators, allowing command-and-control traffic to shift endpoints without relying on centralized infrastructure that can be seized or blocked.
By querying the smart contract, the malware retrieves the current proxy address through a simple read operation that leaves no obvious transactional footprint and incurs no network cost.
Researchers said this technique mirrors earlier campaigns, such as EtherHiding, disclosed last year, in which North Korean threat actors used the ethereum blockchain to conceal and distribute malware payloads.
In both cases, public and decentralized ledgers were turned into resilient communication channels that are difficult for defenders to disrupt. DeadLock’s use of Polygon extends that concept by embedding proxy management directly into a smart contract, allowing attackers to update infrastructure on demand.
Once deployed, DeadLock encrypts files and appends a “.dlock” extension, alters system icons, and replaces the victim’s wallpaper with ransom instructions.
Over time, the group’s ransom notes have evolved, with early samples referencing only file encryption, while later versions explicitly stated that sensitive data had been stolen and threatened its sale if payment was not made.
The most recent ransom notes also promise “added services,” including a breakdown of how the network was breached and assurances that the victim will not be targeted again.
This Ransomware Doesn’t Just Lock Files — It Opens a Chat With Hackers
Group-IB identified at least three distinct DeadLock samples from mid-2025, each showing incremental changes in tactics.
Analysis of associated PowerShell scripts suggests the malware aggressively disables non-essential services, deletes volume shadow copies to prevent recovery, and whitelists a limited set of processes, notably including AnyDesk
Investigators believe AnyDesk is used as the primary remote access tool during attacks, a finding consistent with separate digital forensics investigations.
A key element of DeadLock’s operation is an HTML file dropped on infected systems that embeds an encrypted session messenger interface. Victims can communicate directly with attackers through this file without installing additional software.
The embedded JavaScript retrieves proxy addresses from the Polygon smart contract, then routes encrypted messages through those servers to a session ID controlled by the ransomware operators.
Transaction analysis shows that the same wallet created multiple identical smart contracts and repeatedly updated proxy addresses by calling a function labeled “setProxy.”
The wallet was funded through an exchange-linked address shortly before the contracts were deployed, indicating deliberate preparation.
Historical tracking of these transactions allows defenders to reconstruct past proxy infrastructure, although the decentralized design complicates rapid takedown efforts.
The finding is part of an overall increase in crypto-related cybercrime, as over $3.4 billion was stolen by hacks and exploits as of early December 2025, with state-linked North Korean groups accounting for over $2 billion of that total.
