DeadLock ransomware abuses Polygon blockchain to rotate proxy servers quietly
The post DeadLock ransomware abuses Polygon blockchain to rotate proxy servers quietly appeared on BitcoinEthereumNews.com.
Group-IB published its report on Jan. 15 and said the method could make disruption harder for defenders.
The malware reads on-chain data, so victims do not pay gas fees.
Researchers said Polygon is not vulnerable, but the tactic could spread.

Ransomware groups usually rely on command-and-control servers to manage communications after breaking into a system. But security researchers now say a low-profile strain is using blockchain infrastructure in a way that could be harder to block.

In a report published on Jan. 15, cybersecurity firm Group-IB said a ransomware operation known as DeadLock is abusing Polygon (POL) smart contracts to store and rotate proxy server addresses. These proxy servers are used to relay communication between attackers and victims after systems are infected. Because the information sits on-chain and can be updated anytime, researchers warned that this approach could make the group’s backend more resilient and tougher to disrupt.

Smart contracts used to store proxy information

Group-IB said DeadLock does not depend on the usual setup of fixed command-and-control servers. Instead, once a machine is compromised and encrypted, the ransomware queries a specific smart contract deployed on the Polygon network. That contract stores the latest proxy address that DeadLock uses to communicate. The proxy acts as a middle layer, helping attackers maintain contact without exposing their main infrastructure directly.

Since the smart contract data is publicly readable, the malware can retrieve the details without sending any blockchain transactions. This also means victims do not need to pay gas fees or interact with wallets. DeadLock only reads the information, treating the blockchain as a persistent source of configuration data.

Rotating infrastructure without malware updates

One reason this method stands out is how quickly attackers can change their communication routes. Group-IB said the actors behind DeadLock can update the proxy address stored inside…
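Because the contract read described above leaves no transaction on-chain, the place a defender can see it is outbound traffic. The following is an added example, not code from Group-IB or from the original article: it scans egress-proxy records for read-only JSON-RPC contract queries from hosts with no reason to talk to a blockchain node. It assumes the read is a standard Ethereum-style JSON-RPC call (`eth_call` or `eth_getStorageAt`, which Polygon nodes accept) and that the proxy logs inspected request bodies; the addresses, allowlist and records are constructed.

```python
import json
from collections import Counter

# Assumption: sources with a business reason to query a blockchain node.
ALLOWED_SOURCES = {"10.0.5.20"}
# Standard Ethereum JSON-RPC read methods; reads need no wallet, gas or transaction.
READ_METHODS = {"eth_call", "eth_getStorageAt"}

def rpc(method, params):  # builds a JSON-RPC 2.0 body for the constructed samples
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})

def contract_reads(body):
    """Yield the contract address of every read request in one HTTP body."""
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        return  # not JSON, so not a JSON-RPC request
    for req in parsed if isinstance(parsed, list) else [parsed]:  # batches are arrays
        if not isinstance(req, dict) or req.get("method") not in READ_METHODS:
            continue
        params = req.get("params") or [None]
        first = params[0] if isinstance(params, list) else None
        # eth_call names the target in params[0]["to"]; eth_getStorageAt in params[0]
        target = first.get("to") if isinstance(first, dict) else first
        if isinstance(target, str):
            yield target.lower()

def find_unexpected_reads(records):
    """Count contract reads per (source, contract), skipping allowlisted sources."""
    hits = Counter()
    for rec in records:
        if rec["src"] in ALLOWED_SOURCES:
            continue
        for contract in contract_reads(rec.get("body")):
            hits[(rec["src"], contract)] += 1
    return dict(hits)

CONTRACT = "0x" + "ab" * 20  # constructed placeholder, not a real DeadLock contract
SAMPLE_RECORDS = [  # constructed egress-proxy records
    {"src": "10.0.8.44", "body": rpc("eth_call", [{"to": CONTRACT, "data": "0x12345678"}, "latest"])},
    {"src": "10.0.8.44", "body": rpc("eth_call", [{"to": "0x" + "AB" * 20, "data": "0x12345678"}, "latest"])},
    {"src": "10.0.5.20", "body": rpc("eth_call", [{"to": CONTRACT}, "latest"])},  # allowlisted
    {"src": "10.0.9.7", "body": rpc("eth_sendRawTransaction", ["0xf86c"])},  # a write, not a read
    {"src": "10.0.9.9", "body": "GET /index.html"},  # not JSON
    {"src": "10.0.8.61", "body": "[%s,%s]" % (rpc("eth_blockNumber", []), rpc("eth_getStorageAt", [CONTRACT, "0x0", "latest"]))},
]

if __name__ == "__main__":
    print(find_unexpected_reads(SAMPLE_RECORDS))
```

Repeated reads of one contract address from a workstation or server outside the allowlist are the signal worth triaging; matching on the request shape rather than a hostname list keeps the check working when the RPC provider changes.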
Filed under: News - @ January 16, 2026 8:26 am