TL;DR
- DeadLock ransomware uses Polygon smart contracts to hide its proxy server addresses.
- The technique mimics earlier Ethereum-based attacks (EtherHiding) used by North Korean hackers.
- The malware rotates proxy IP addresses frequently to avoid detection by security systems.
A cybersecurity firm has identified a new ransomware technique that relies on blockchain technology. Group-IB reported the finding on Thursday. The malware, called DeadLock, uses Polygon smart contracts to distribute proxy server addresses. The technique helps the ransomware evade detection by security systems.
DeadLock first appeared in July 2025. It remained under the radar because of a low number of victims. The malware lacks a public affiliate program and does not operate a public data leak site. Group-IB said the ransomware applies innovative techniques that point to an evolving skillset.
🚨 DeadLock Ransomware: When Blockchain Meets Cybercrime
Group-IB has uncovered a sophisticated new threat rewriting the ransomware playbook. DeadLock leverages Polygon smart contracts to rotate proxy addresses, a stealthy, under-reported technique that bypasses traditional… pic.twitter.com/rlPu9gZd5F
— Group-IB Global (@GroupIB) January 15, 2026
The tactic mirrors a previous campaign disclosed by Google
That technique, called EtherHiding, used Ethereum smart contracts to hide malware. North Korean hackers employed EtherHiding last year. Both techniques repurpose public blockchains as covert channels that are difficult to block or take down: the data lives in contract state that any node serves and that no single hosting provider can remove.
DeadLock uses smart contracts to deliver a list of proxy addresses. These proxies are servers that change the IP address the victim's machine talks to, and the list can be rotated by the operator without touching the malware. Group-IB researchers found JavaScript code inside an HTML file that interacts with a smart contract on the Polygon network.
The ransomware retrieves an RPC list from the contract
This list contains RPC endpoints for interacting with the Polygon blockchain. These endpoints are the public JSON-RPC gateways that connect applications to the network's nodes, so the client is not dependent on any single gateway. Because the contract contents can be updated at will, the use of smart contracts allows for endless variations of the technique.
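To make the mechanism concrete, the following is an added example written for this article; it is not code from Group-IB, from the DeadLock sample, or from any real contract. It shows the three pieces a defender would want to recognise: the `eth_call` JSON-RPC request a client POSTs to a public gateway, the ABI decoding of a `string` return value into a proxy list, and the fall-through across several gateways that makes blocking one endpoint ineffective. The contract address, the function selector, the gateway URLs and the proxy hostnames are all made-up placeholders, and the network call is replaced by an injected function so the code runs offline.

```javascript
// Added example, not code from Group-IB or from the DeadLock sample: shows how a
// client reads a string stored in a contract through a public JSON-RPC gateway,
// decodes the ABI-encoded reply into a proxy list, and falls through dead gateways.
// CONTRACT, SELECTOR, the gateway URLs and the hostnames are made-up placeholders.

const CONTRACT = "0x0000000000000000000000000000000000000001"; // placeholder contract address
const SELECTOR = "0xdeadbeef"; // placeholder selector; a real one is keccak256(signature)[0..4]

// JSON-RPC body for eth_call: this is what a network sensor sees in the POST to
// an RPC gateway. "data" is the 4-byte selector followed by any ABI-encoded args.
function buildEthCall(contract, selector, id = 1) {
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_call",
    params: [{ to: contract, data: selector }, "latest"],
  };
}

// ABI layout of a `string` return value: word 0 = offset to the length word (0x20),
// word 1 = byte length, then UTF-8 bytes right-padded with zeros to 32-byte words.
function abiEncodeString(str) {
  const bytes = new TextEncoder().encode(str);
  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  const pad = "0".repeat((64 - (hex.length % 64)) % 64);
  const word = (n) => n.toString(16).padStart(64, "0");
  return "0x" + word(32) + word(bytes.length) + hex + pad;
}

// Inverse of the above: follow the offset, read the length, slice exactly that
// many bytes (ignoring the zero padding), decode as UTF-8.
function abiDecodeString(data) {
  const hex = data.startsWith("0x") ? data.slice(2) : data;
  const wordAt = (hexPos) => parseInt(hex.slice(hexPos, hexPos + 64), 16);
  const lenPos = wordAt(0) * 2; // byte offset -> position in the hex string
  const len = wordAt(lenPos);
  const body = hex.slice(lenPos + 64, lenPos + 64 + len * 2);
  const bytes = Uint8Array.from(body.match(/../g) || [], (h) => parseInt(h, 16));
  return new TextDecoder().decode(bytes);
}

// The stored string is treated as a comma- or newline-separated list of proxies.
function parseProxyList(str) {
  return str.split(/[,\n]/).map((s) => s.trim()).filter(Boolean);
}

// Walk a list of RPC gateways in order and return the first decoded proxy list.
// `post(url, body)` is injected so the example runs offline; a real client would
// use fetch(). It is synchronous here only to keep the illustration short.
function fetchProxyList(rpcEndpoints, post) {
  const req = buildEthCall(CONTRACT, SELECTOR);
  for (const url of rpcEndpoints) {
    try {
      const reply = post(url, req);
      if (reply && typeof reply.result === "string") {
        return { gateway: url, proxies: parseProxyList(abiDecodeString(reply.result)) };
      }
    } catch (_) {
      // dead or blocked gateway: the public chain has many more, so just move on
    }
  }
  throw new Error("no RPC gateway answered");
}

// Constructed sample data (not captured from any real contract or victim).
const SAMPLE_PROXIES = "proxy-a.example.test:443,proxy-b.example.test:443";
const SAMPLE_RESULT = abiEncodeString(SAMPLE_PROXIES);
const SAMPLE_GATEWAYS = ["https://rpc-dead.example.test", "https://rpc-live.example.test"];

// Simulated gateways: the first is unreachable, the second answers the eth_call.
function fakePost(url, body) {
  if (url === SAMPLE_GATEWAYS[0]) throw new Error("connection refused");
  if (body.method !== "eth_call") return { jsonrpc: "2.0", id: body.id, error: { code: -32601 } };
  return { jsonrpc: "2.0", id: body.id, result: SAMPLE_RESULT };
}

function demo() {
  return fetchProxyList(SAMPLE_GATEWAYS, fakePost);
}
```

Two points follow from the code. First, nothing in the request identifies it as malicious: it is an ordinary read-only `eth_call` to a public gateway, indistinguishable on the wire from a wallet or dApp, which is why the article calls the channel hard to block. Second, the operator changes the proxy list by writing new contract state, so sinkholing the addresses recovered from one sample does not help; the durable indicators are the contract address and selector in the `data` field and the pattern of a non-browser process issuing JSON-RPC POSTs to chain gateways.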
DeadLock renames encrypted files with a .dlock extension. It also replaces the desktop background with a ransom note. Newer versions warn victims that sensitive data was stolen. The malware threatens to sell or leak the data if the ransom is not paid. Researchers have identified at least three variants of DeadLock so far.

Earlier versions relied on potentially compromised servers. Researchers now believe the group operates its own infrastructure. The key change is how DeadLock retrieves and manages its server addresses through the blockchain.
The most recent version embeds direct communication channels. It drops an HTML file that acts as a wrapper around the encrypted messaging app Session. This file's main purpose is to enable direct negotiation between the attacker and the victim. The ransomware's initial access vectors and the other stages of the attack remain unknown at present.
Group-IB advised organizations to take the threat seriously. The firm noted that while the impact is currently low, the evolving techniques could become more dangerous. The use of blockchain technology presents a persistent challenge for traditional cybersecurity defenses.