Deadlock Ransomware Uses Polygon Smart Contracts For Proxy Rot...
A ransomware operation known as DeadLock has been observed abusing Polygon blockchain smart contracts to manage and rotate proxy server addresses.
DeadLock first appeared in July 2025 and has maintained a relatively low profile since then. It is not linked to known ransomware affiliate programs and does not operate a public data leak site.
Despite the limited number of reported victims, Group-IB researchers said its technical approach deserves attention for its novelty and potential reuse by other threat actors.
The latest DeadLock samples observed by the cybersecurity firm include an HTML file used to communicate with victims through the Session encrypted messaging platform.
Instead of relying on hard-coded servers, the malware retrieves proxy addresses stored inside a Polygon smart contract.
Group-IB noted that retrieving data from the blockchain relies on read-only calls that do not generate transactions or incur network fees, a design choice that complicates traditional blocking approaches.
The JavaScript code found within the calls queries a specific Polygon smart contract to obtain the current proxy URL. That proxy then relays encrypted messages between the victim and the attacker’s Session ID.
Decentralized storage of proxy addresses on the Polygon blockchain
Use of smart contract functions to update infrastructure on demand
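For defenders, the read-only lookup described above surfaces in web-proxy or TLS-inspection logs as a JSON-RPC `eth_call` request to a blockchain RPC endpoint. The Python below is an added example, not code from Group-IB or from the DeadLock sample: it flags such reads against a watched contract and decodes the returned value so the current proxy address can be blocklisted. The log field names, the contract address placeholder, the hosts and the assumption that the contract function returns a single `string` are all assumptions.

```python
import json

# Placeholder: the page gives no contract address; use the one recovered from sample analysis.
WATCHED_CONTRACT = "0x" + "ab" * 20

def decode_abi_string(result_hex):
    """Decode an eth_call result holding one ABI-encoded `string` (assumed return type)."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(raw[:32], "big")              # position of the length word
    length = int.from_bytes(raw[offset:offset + 32], "big")
    data = raw[offset + 32:offset + 32 + length]
    if len(raw) < 64 or offset + 32 > len(raw) or len(data) != length:
        raise ValueError("truncated or malformed ABI string")
    return data.decode("utf-8", errors="replace")

def find_contract_reads(records, contract=WATCHED_CONTRACT):
    """Return (client, rpc_host, decoded_string) for each eth_call aimed at `contract`."""
    hits = []
    for rec in records:
        try:
            req, resp = json.loads(rec["request_body"]), json.loads(rec["response_body"])
        except (KeyError, TypeError, ValueError):
            continue                                      # body is not JSON
        if not (isinstance(req, dict) and isinstance(resp, dict)):
            continue                                      # batched calls are not handled here
        params = req.get("params") or [None]
        call = params[0] if isinstance(params, list) and isinstance(params[0], dict) else {}
        if req.get("method") != "eth_call" or str(call.get("to", "")).lower() != contract.lower():
            continue
        try:
            value = decode_abi_string(str(resp.get("result") or ""))
        except ValueError:
            value = None                                  # read seen, reply was not a string
        hits.append((rec.get("client"), rec.get("host"), value))
    return hits

def encode_abi_string(text):                              # only used to build the sample reply
    b = text.encode()
    return "0x" + ((32).to_bytes(32, "big") + len(b).to_bytes(32, "big") + b + bytes(-len(b) % 32)).hex()

# Constructed sample records: hosts, client IPs, URL and the 0x00000000 selector are made up.
CALL = {"jsonrpc": "2.0", "id": 1, "method": "eth_call", "params": [{"to": WATCHED_CONTRACT, "data": "0x00000000"}, "latest"]}
REPLY = {"jsonrpc": "2.0", "id": 1, "result": encode_abi_string("https://proxy.example.invalid/relay")}
SAMPLE = [
    {"client": "10.0.0.23", "host": "rpc.example.invalid",
     "request_body": json.dumps(CALL), "response_body": json.dumps(REPLY)},
    {"client": "10.0.0.40", "host": "www.example.invalid", "request_body": "q=news", "response_body": "<html>"},
]
```

Because the read generates no on-chain transaction, the client-side request log is the only place this lookup is visible; the decoded value is what would feed a proxy blocklist.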
Source: InfoSecurity Magazine