DeadLock Ransomware Using Polygon Smart Contracts to Evade Detection

The ransomware family’s abuse of Polygon smart contracts echoes techniques recently seen in Ethereum-based attacks.

A newly discovered strain of ransomware is using Polygon smart contracts for proxy server address rotation and distribution to infiltrate devices. The malware, dubbed DeadLock, was first identified in July 2025 and has so far attracted little attention because it lacks a public affiliate program and a data‑leak site and has infected only a limited number of victims, according to the company.

“Although it’s low profile and yet low impact, it applies innovative methods that showcases an evolving skillset which might become dangerous if organizations do not take this emerging threat seriously,” Group-IB said in a blog.

DeadLock's use of smart contracts to deliver proxy addresses is “an interesting method where attackers can literally apply infinite variants of this technique; imagination is the limit,” the firm noted. Group-IB pointed to a recent report by the Google Threat Intelligence Group highlighting the use of a similar technique called “EtherHiding” employed by North Korean hackers.

What is EtherHiding?

EtherHiding is a campaign disclosed last year in which DPRK hackers used the Ethereum blockchain to conceal and deliver malicious software. Victims are typically lured through compromised websites—often WordPress pages—that load a small snippet of JavaScript. That code then pulls the hidden payload from the blockchain, allowing attackers to distribute malware in a way that is highly resilient to takedowns.

Both EtherHiding and DeadLock repurpose public, decentralized ledgers as covert channels that are difficult for defenders to block or dismantle. DeadLock takes advantage of rotating proxies, which are servers that regularly change the IP of a user, making it harder to track or block. While Group‑IB admitted that “initial access vectors and other important stages of the attacks remain unknown at this point,” it said DeadLock infections rename encrypted files with a “.dlock” extension and replace desktop backgrounds with ransom notes.

Newer versions also warn victims that sensitive data has been stolen and could be sold or leaked if a ransom is not paid. At least three variants of the malware have been identified so far. Earlier versions relied on allegedly compromised servers, but researchers now believe the group operates its own infrastructure. The key innovation, however, lies in how DeadLock retrieves and manages server addresses.

Disclaimer: This article was prepared by an external contributor. The material is for informational purposes only and should not be considered financial or investment advice. Always do your own research before making any decisions.

Stella Monaghan

Decentralized governance and digital asset researcher·

Holds a degree in public policy from a U.S. university. Decentralized governance researcher with 5+ years of experience. Certified in DAO frameworks and digital asset regulation. Published in independent media such as CoinBureau.com. Participated in DAOcamp and spoke at Midwest Web3 Policy Roundtable 2024.

Important Note: Official commercial inquiries should be submitted through this form. We do not initiate unsolicited commercial offers. Please be cautious of fraudulent emails or messages from individuals claiming to represent this website. Any questions or verification requests should be directed through this form.

DeadLock Ransomware Using Polygon Smart Contracts to Evade Detection