Ransomware Evasion Using Blockchain

How exactly do cybercriminals stay one step ahead of security teams? Simple. They get creative. A newly discovered ransomware family called DeadLock is doing just that by leveraging Polygon blockchain smart contracts to hide their tracks.

First spotted in July 2025 by Group-IB, DeadLock isn’t your average ransomware operation. No flashy data leak site. No affiliate program. Just a quiet threat actor causing outsized problems for victims across Italy, Spain, and India.

Here’s where it gets interesting. DeadLock stores its command and control infrastructure on the blockchain. Yeah, that’s right. Good luck blocking that domain or IP address. The ransomware queries Polygon smart contracts to retrieve proxy server addresses, making traditional blocking methods about as effective as a screen door on a submarine.

The attackers rotate their proxy addresses frequently, and they’ve built in fallbacks with multiple RPC endpoints. Smart. Annoying, but smart.

When DeadLock infects a system, it drops an HTML file that serves as a wrapper for the Session messenger. The JavaScript code queries the Polygon contract for the current proxy URL, which then relays encrypted messages to the attacker’s Session ID. They even offer helpful instructions to download Session and AnyDesk for “remote management.” How thoughtful.

Files get encrypted with the .dlock extension. Wallpaper? Changed. Shadow copies? Gone. Services? Stopped by PowerShell scripts. And of course, there’s the ransom note threatening to sell your data if you don’t pay up.

This approach mirrors the EtherHiding technique used by UNC5342 and shows how criminals are increasingly exploiting blockchain technology for malicious purposes. This news has already impacted the market, with MATIC price down by 9.52% as investors react to the malicious use of the platform.

The scariest part? DeadLock’s infrastructure is virtually immune to takedowns. Block one server, and they switch to another via their smart contracts. No transactions needed, just read-only calls that don’t even cost fees.
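Because the C2 lookup described above is a read-only JSON-RPC `eth_call` rather than a transaction, the place to catch it is on the network egress path: which processes on which hosts are talking to blockchain RPC endpoints, and whether they hop between several of them. The following is an added example written for this article, not code from the original post or from Group-IB; the log format, hostnames, process names, RPC endpoints and contract address are all constructed placeholders. It parses a constructed web-proxy log, keeps only `eth_call` requests to a watch-list of RPC hosts, and rates each client host by whether the caller is a non-browser process and whether it spreads calls across multiple endpoints (the fallback behaviour the article describes).

```python
import json
from collections import defaultdict

# Constructed sample web-proxy log: one JSON record per line. Hosts, process
# names, endpoints, calldata and the contract address are all made up here.
SAMPLE_LOG = r'''
{"host": "ws-101", "process": "chrome.exe", "dst": "rpc-a.polygon.example", "body": "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"eth_call\",\"params\":[{\"to\":\"0x1111111111111111111111111111111111111111\",\"data\":\"0xdeadbeef\"},\"latest\"]}"}
{"host": "ws-102", "process": "svchost_update.exe", "dst": "rpc-a.polygon.example", "body": "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"eth_call\",\"params\":[{\"to\":\"0x1111111111111111111111111111111111111111\",\"data\":\"0xdeadbeef\"},\"latest\"]}"}
{"host": "ws-102", "process": "svchost_update.exe", "dst": "rpc-b.polygon.example", "body": "{\"jsonrpc\":\"2.0\",\"id\":2,\"method\":\"eth_call\",\"params\":[{\"to\":\"0x1111111111111111111111111111111111111111\",\"data\":\"0xdeadbeef\"},\"latest\"]}"}
{"host": "ws-103", "process": "chrome.exe", "dst": "rpc-a.polygon.example", "body": "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"eth_blockNumber\",\"params\":[]}"}
{"host": "ws-104", "process": "curl.exe", "dst": "news.example", "body": ""}
'''

# Watch-list of blockchain JSON-RPC endpoints (constructed placeholders; in a
# real deployment populate this from the RPC hosts seen in your own egress logs).
BLOCKCHAIN_RPC_HOSTS = {
    "rpc-a.polygon.example",
    "rpc-b.polygon.example",
    "rpc-c.polygon.example",
}

# Processes for which an eth_call may be ordinary dapp traffic rather than malware.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}


def parse_log(text):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_eth_call(event):
    """True when the request body is a JSON-RPC eth_call (a fee-less, read-only contract query)."""
    try:
        body = json.loads(event.get("body") or "")
    except json.JSONDecodeError:
        return False
    return isinstance(body, dict) and body.get("method") == "eth_call"


def contract_address(event):
    """Return the 'to' address of an eth_call, i.e. the contract being read."""
    params = json.loads(event["body"]).get("params") or []
    if params and isinstance(params[0], dict):
        return params[0].get("to")
    return None


def analyse(events):
    """Group eth_call traffic to watch-listed RPC hosts by client host and score it."""
    by_host = defaultdict(list)
    for event in events:
        if event.get("dst") in BLOCKCHAIN_RPC_HOSTS and is_eth_call(event):
            by_host[event["host"]].append(event)

    findings = []
    for host, calls in sorted(by_host.items()):
        endpoints = sorted({c["dst"] for c in calls})
        non_browser = sorted({c["process"] for c in calls
                              if c["process"].lower() not in BROWSER_PROCESSES})
        contracts = sorted({a for a in (contract_address(c) for c in calls) if a})
        reasons = []
        if non_browser:
            reasons.append("eth_call issued by non-browser process: " + ", ".join(non_browser))
        if len(endpoints) > 1:
            reasons.append(f"eth_call spread across {len(endpoints)} RPC endpoints (fallback behaviour)")
        findings.append({
            "host": host,
            "severity": "high" if reasons else "low",
            "endpoints": endpoints,
            "contracts": contracts,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

On the constructed log this flags `ws-102` as high severity (a non-browser process reading the same contract through two different endpoints) and `ws-101` as low (a browser doing a single `eth_call`). Keep in mind that the dropped HTML wrapper means the victim-side messaging stage also runs `eth_call` from a browser, so in an environment with no legitimate blockchain use even the low-severity finding is worth a look; the contract addresses collected per host are the natural pivot for correlating affected machines.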

Security teams, take note. The game just got harder. The ransomware also exhibits extreme stealth with low detection rates that make it especially dangerous for unprepared organizations.
