Ransomware Evasion Using Blockchain

How exactly do cybercriminals stay one step ahead of security teams? Simple. They get creative. A newly discovered ransomware family called DeadLock is doing just that by leveraging Polygon blockchain smart contracts to hide their tracks.

First spotted in July 2025 by Group-IB, DeadLock isn’t your average ransomware operation. No flashy data leak site. No affiliate program. Just a quiet threat actor causing outsized problems for victims across Italy, Spain, and India.

Here’s where it gets interesting. DeadLock stores its command and control infrastructure on the blockchain. Yeah, that’s right. Good luck blocking that domain or IP address. The ransomware queries Polygon smart contracts to retrieve proxy server addresses, making traditional blocking methods about as effective as a screen door on a submarine.

The attackers rotate their proxy addresses frequently, and they’ve built in fallbacks with multiple RPC endpoints. Smart. Annoying, but smart.

When DeadLock infects a system, it drops an HTML file that serves as a wrapper for the Session messenger. The JavaScript code queries the Polygon contract for the current proxy URL, which then relays encrypted messages to the attacker’s Session ID. They even offer helpful instructions to download Session and AnyDesk for “remote management.” How thoughtful.

Files get encrypted with the .dlock extension. Wallpaper? Changed. Shadow copies? Gone. Services? Stopped by PowerShell scripts. And of course, there’s the ransom note threatening to sell your data if you don’t pay up.

This approach mirrors the EtherHiding technique used by UNC5342 and shows how criminals are increasingly exploiting blockchain technology for malicious purposes. The news has already affected the market, with the MATIC price down by 9.52% as investors react to the malicious use of the platform.

The scariest part? DeadLock’s infrastructure is virtually immune to takedowns. Block one proxy server, and the malware switches to another by reading a fresh address from the smart contract. No on-chain transactions are needed: the lookups are read-only calls, which cost no fees and leave no transaction trail.

Security teams, take note. The game just got harder. The ransomware is also stealthy, with low detection rates that make it especially dangerous for unprepared organizations.
