Ransomware Evasion Using Blockchain

How exactly do cybercriminals stay one step ahead of security teams? Simple. They get creative. A newly discovered ransomware family called DeadLock is doing just that by leveraging Polygon blockchain smart contracts to hide its command-and-control infrastructure.

First spotted in July 2025 by Group-IB, DeadLock isn’t your average ransomware operation. No flashy data leak site. No affiliate program. Just a quiet threat actor causing outsized problems for victims across Italy, Spain, and India.

Here’s where it gets interesting. DeadLock stores a pointer to its command-and-control infrastructure on the blockchain. Yeah, that’s right. There is no attacker-owned domain or IP address to sinkhole: the ransomware issues read-only calls to a Polygon smart contract, through ordinary public Polygon JSON-RPC endpoints, to retrieve the current proxy server address. What defenders see on the wire is traffic to legitimate RPC providers, not to attacker infrastructure, which makes traditional domain and IP blocklists about as effective as a screen door on a submarine.

The attackers rotate the proxy address stored in the contract frequently, and they’ve built in fallbacks: the client is configured with multiple RPC endpoints, so if one is unreachable or blocked it simply tries the next. Smart. Annoying, but smart.

When DeadLock infects a system, it drops an HTML ransom note that serves as a wrapper for the Session messenger. JavaScript in the page queries the Polygon contract for the current proxy URL, and that proxy relays the victim’s encrypted messages to the attacker’s Session ID. The note even offers helpful instructions to download Session and AnyDesk for “remote management.” How thoughtful.

Files get encrypted with the .dlock extension. Wallpaper? Changed. Shadow copies? Gone. Services? Stopped by PowerShell scripts. And of course, there’s the ransom note threatening to sell your data if you don’t pay up.

This approach mirrors the EtherHiding technique (parking malicious payloads or pointers in smart contracts so that takedowns of conventional hosting don’t affect them) used by UNC5342, and shows how criminals are increasingly abusing public blockchains as bulletproof storage. This news has already impacted the market, with the MATIC price down by 9.52% as investors react to the malicious use of the platform.

The scariest part? The on-chain pointer is virtually immune to takedowns. Block one proxy server, and the attackers write a new address into the contract and every infected host picks it up on its next query. Victims never send a transaction: reading contract state is a free, read-only eth_call, so only the attacker ever pays a gas fee, and only when they update the address. The caveats worth knowing: the contract address itself is a durable indicator of compromise, the proxies and the Session relay are still reachable infrastructure that can be reported and blocked, and outbound JSON-RPC traffic to public Polygon endpoints from workstations that have no business talking to a blockchain is a signal worth alerting on.
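To make the mechanics and the detection angle concrete, here is an added example (written for this page, not code from DeadLock, Group-IB or Polygon). It builds the read-only eth_call request a client would send, decodes the ABI-encoded string a contract returns for the proxy URL, and scans constructed forward-proxy log records for hosts issuing eth_call reads to public Polygon RPC endpoints, flagging a host that falls back across several endpoints. The contract address, function selector, RPC hostnames, proxy URL and log records are all assumptions constructed for the example, not DeadLock’s real indicators.

```python
import json

# Constructed watchlist of public Polygon JSON-RPC hosts (assumption for this
# example; not the endpoint list used by DeadLock).
POLYGON_RPC_HOSTS = {"polygon-rpc.com", "rpc.ankr.com", "polygon-bor-rpc.publicnode.com"}


def build_eth_call(contract: str, selector: str) -> dict:
    """JSON-RPC body for a read-only contract call. No transaction is
    signed and no gas is paid; selector is the 4-byte function id."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, "latest"]}


def encode_abi_string(s: str) -> str:
    """ABI-encode a single string return value (used here only to
    construct a sample eth_call result): offset word, length word,
    then the bytes padded to a 32-byte boundary."""
    data = s.encode()
    head = (32).to_bytes(32, "big")
    length = len(data).to_bytes(32, "big")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return "0x" + (head + length + padded).hex()


def decode_abi_string(result_hex: str) -> str:
    """Recover the string from an eth_call result, i.e. the proxy URL
    the client would contact next. Useful when pulling the value out of
    a captured RPC response during forensics."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode()


def flag_rpc_reads(log_lines, allowlist=frozenset()) -> dict:
    """Scan JSON proxy log records (fields: src, dst, method, body) and
    return {src_host: [rpc hosts hit]} for hosts not on the allowlist
    that POST eth_call to a watchlisted RPC endpoint. A host that hits
    more than one endpoint matches the fallback/rotation behaviour."""
    hits = {}
    for line in log_lines:
        rec = json.loads(line)
        if rec["src"] in allowlist or rec["dst"] not in POLYGON_RPC_HOSTS:
            continue
        try:
            body = json.loads(rec.get("body") or "{}")
        except json.JSONDecodeError:
            continue
        if rec.get("method") == "POST" and body.get("method") == "eth_call":
            hits.setdefault(rec["src"], set()).add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


# Hypothetical contract address and selector (assumptions, not real IOCs).
CONTRACT = "0x" + "ab" * 20
SELECTOR = "0x12345678"
CALL_BODY = json.dumps(build_eth_call(CONTRACT, SELECTOR))

# Constructed proxy log: ws-042 queries one RPC host, then falls back to a
# second; ws-017 is ordinary web traffic; treasury-node is an allowlisted
# system that legitimately talks to Polygon.
SAMPLE_PROXY_LOG = [
    json.dumps({"src": "ws-042", "dst": "polygon-rpc.com", "method": "POST", "body": CALL_BODY}),
    json.dumps({"src": "ws-042", "dst": "rpc.ankr.com", "method": "POST", "body": CALL_BODY}),
    json.dumps({"src": "ws-017", "dst": "example.com", "method": "GET", "body": ""}),
    json.dumps({"src": "treasury-node", "dst": "polygon-rpc.com", "method": "POST", "body": CALL_BODY}),
]

if __name__ == "__main__":
    # Constructed eth_call result carrying a hypothetical proxy URL.
    sample_result = encode_abi_string("https://proxy.example/relay")
    print("proxy URL in response:", decode_abi_string(sample_result))
    print("suspicious RPC readers:", flag_rpc_reads(SAMPLE_PROXY_LOG, allowlist={"treasury-node"}))
```

The allowlist matters: blockchain nodes, wallets and finance tooling legitimately issue eth_call, so the signal is a workstation with no such role reading contract state, especially one that walks through several RPC providers in quick succession. Pairing the alert with the decoded proxy URL gives incident responders the next hop to block.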

Security teams, take note. The game just got harder. The ransomware is also stealthy, with low detection rates from security products, which makes it especially dangerous for organizations that aren’t watching for this kind of traffic.
