DeadLock Ransomware Group Exploits Polygon Smart Contracts for Stealth Attacks

Polygon's smart contracts have been pressed into service by a ransomware crew, and not in the way the crypto world expected.
The DeadLock ransomware group has adopted a new piece of tradecraft: rather than hard-coding command-and-control addresses that defenders can block or sinkhole, its malware reads the current relay address out of a smart contract on Polygon. The operators rotate infrastructure by updating the contract's state; every infected host picks up the change on its next lookup, and the lookups themselves are free, read-only calls that leave no transaction behind.
How the Attack Bypasses Traditional Defenses
Controls built around blocklists of attacker domains and IP addresses struggle with this. DeadLock's loader does not carry a fixed callback address. It queries a Polygon contract for the current proxy URL, then uses that proxy to relay encrypted messages between the victim and the attacker's Session ID. Taking down a hosting account or a domain does nothing; the operators simply write a new address into the contract. A contract on a public chain cannot be seized the way a server can, and the queries blend in with ordinary wallet and dApp traffic.
It's a stark reminder: In crypto, the most elegant code can serve the darkest purposes. The industry's obsession with 'trustless' systems forgot to account for trustless criminals.
This is not a wallet-draining contract, and it does not need a victim to sign anything. The contract serves purely as a dead drop for configuration; initial access still comes from malware that has to reach the endpoint by conventional means. What the blockchain buys the attackers is resilience: infrastructure that is cheap to maintain, trivial to rotate, and hard to take down.
A Cynical Nod to Finance
Wall Street bankers used to worry about insider trading; now, one of crypto's stranger threats is attacker coding. The 'greater fool theory' just got a tech upgrade: you're not only betting on the next fool to buy the token, but hoping the next contract that shows up in your traffic isn't serving as someone's command-and-control.
This isn't a bug. It's a feature of a system where value and abuse are written in the same language. The Polygon abuse isn't an anomaly; it's a blueprint, and every blockchain touting its smart contract capabilities just got a new item on its risk assessment. There is nothing for Polygon to patch: the contract is the attacker's own, and the chain is doing exactly what it was designed to do. The fixes have to happen on the endpoint and at the network edge, and in the decentralized world they are never as fast as the breaks.
How does the DeadLock ransomware work on Polygon?
JavaScript embedded in the malicious file queries a specific Polygon smart contract to obtain the current proxy URL. That proxy then relays encrypted messages between the victim and the attacker's Session ID.
These are read-only blockchain calls: the node evaluates the contract locally and returns the result, so no transaction is created and no fees are paid, which makes the infrastructure cost-free for the attackers to maintain and leaves nothing on-chain for investigators to find.
Group-IB researchers noted that using smart contracts to deliver proxy addresses is an interesting method, one that attackers can vary without limit; imagination is the only constraint.
The technique is not well documented and is under-reported, but its use is gradually gaining traction in the wild, according to security researchers.
Investigation by Cisco Talos revealed that DeadLock gains initial access by exploiting CVE-2024-51324, a Baidu Antivirus vulnerability, in a "bring your own vulnerable driver" (BYOVD) attack that abuses the signed driver to terminate endpoint detection and response processes.
DeadLock comes up with new extortion tactics
DeadLock is different from most ransomware operations because it abandons the usual double extortion approach and does not have a data leak site where it could publicize attacks.
Instead, the group threatens to sell stolen data on underground markets while offering victims security reports and promises not to re-target them if ransom is paid.
Group-IB's infrastructure tracking has found no links between DeadLock and any known ransomware affiliate programs; the group keeps a relatively low profile. It did, however, find copies of the smart contract that were first deployed and updated in August 2025 and updated again in November 2025.
Group-IB stated that it successfully “tracked its infrastructure through blockchain transactions, revealing funding patterns and active servers.”
Nation-state actors adopt similar techniques
Google Threat Intelligence Group observed North Korean threat actor UNC5342 using a related technique called EtherHiding to deliver malware and facilitate cryptocurrency theft since February 2025.
According to Google, "EtherHiding involves embedding malicious code, often in the form of JavaScript payloads, within a smart contract on a public blockchain like BNB Smart Chain or Ethereum."
Polygon is an Ethereum-compatible chain, commonly described as a layer-2 built on Ethereum's layer-1 infrastructure, so the same contract tooling and the same read-only call interface are available to an attacker there.
While DeadLock remains low in volume and impact, security researchers warn that its methods show a skill set that could become dangerous if organizations do not take the threat seriously.
Apart from calling on businesses to be proactive in detecting malware, Group-IB recommended adding further layers of security, such as multifactor authentication and credential-protection controls.
The firm also advised maintaining data backups, training employees, patching vulnerabilities promptly and, above all, to "never pay the ransom" but to contact incident response experts as quickly as possible after an attack.