DeadLock Ransomware Exploits Polygon Smart Contracts to Evade Detection

Markets 2026-01-16 00:11

A newly discovered ransomware strain is weaponizing blockchain technology to build resilient command-and-control infrastructure that security teams struggle to dismantle.

Group-IB cybersecurity researchers disclosed Thursday that DeadLock ransomware, first identified in July 2025, stores proxy server addresses inside Polygon smart contracts.

The technique allows operators to continuously rotate connection points between victims and attackers, making traditional blocking methods ineffective.

DeadLock has maintained an unusually low profile despite its technical sophistication, operating without an affiliate program or public data leak site.

What Makes DeadLock Different

Unlike typical ransomware gangs that publicly shame victims, DeadLock threatens to sell stolen data through underground markets.

The malware embeds JavaScript code within HTML files that communicate with smart contracts on the Polygon network.

These contracts function as decentralized repositories for proxy addresses, which the malware retrieves through read-only blockchain calls that generate no transaction fees.
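Because a read-only call creates no on-chain transaction, the lookup described above shows up only on the network, as a JSON-RPC `eth_call` request to a blockchain node. The detection logic below is an added example, not code from Group-IB's report or from the malware; the log record fields, host names, allowlist and contract address are constructed assumptions for a TLS-inspecting proxy that records request bodies.

```python
import json
from collections import defaultdict

# Hosts with a known business need to query blockchain RPC nodes (assumption).
ALLOWED_SOURCES = {"dev-007"}

def rpc(method, params, id_=1):
    """Build a JSON-RPC 2.0 request object (used only for the sample data)."""
    return {"jsonrpc": "2.0", "id": id_, "method": method, "params": params}

# Constructed sample data: placeholder contract address and function selector.
CALL = {"to": "0x" + "00" * 19 + "AA", "data": "0x12345678" + "00" * 32}
SAMPLE_RECORDS = [
    {"src": "ws-114", "dest": "rpc.example.invalid",
     "body": json.dumps(rpc("eth_call", [CALL, "latest"]))},
    {"src": "dev-007", "dest": "rpc.example.invalid",
     "body": json.dumps(rpc("eth_call", [CALL, "latest"]))},
    {"src": "ws-201", "dest": "api.example.invalid", "body": '{"query": "status"}'},
    {"src": "ws-114", "dest": "rpc.example.invalid",   # JSON-RPC batch request
     "body": json.dumps([rpc("eth_chainId", []), rpc("eth_call", [CALL, "latest"], 2)])},
    {"src": "ws-330", "dest": "cdn.example.invalid", "body": "not json"},
]

def find_contract_reads(records, allowed=ALLOWED_SOURCES):
    """Return one hit per eth_call issued by a host outside the allowlist."""
    hits = []
    for rec in records:
        try:
            payload = json.loads(rec["body"])
        except (ValueError, TypeError):
            continue  # body is not JSON, so it cannot be JSON-RPC
        for call in payload if isinstance(payload, list) else [payload]:
            if not isinstance(call, dict) or call.get("method") != "eth_call":
                continue
            if rec["src"] in allowed:
                continue
            params = call.get("params")
            tx = params[0] if isinstance(params, list) and params and isinstance(params[0], dict) else {}
            data = str(tx.get("data") or tx.get("input") or "")
            hits.append({"src": rec["src"], "dest": rec["dest"],
                         "contract": str(tx.get("to", "")).lower(),
                         "selector": data[:10]})  # "0x" + 4-byte function selector
    return hits

def hosts_by_contract(hits):
    """Group hits so each queried contract lists the hosts that read from it."""
    grouped = defaultdict(set)
    for hit in hits:
        grouped[hit["contract"]].add(hit["src"])
    return dict(grouped)
```

The extracted contract address and selector give responders a pivot: the same contract can be watched on-chain for updates to the stored proxy addresses, and every host that queried it can be scoped for triage.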

Researchers identified at least three DeadLock variants, with newer versions incorporating Session encrypted messaging for direct victim communication.

Why Blockchain-Based Attacks Matter

The approach mirrors "EtherHiding," a technique Google's Threat Intelligence Group documented in October 2025 after observing North Korean state actors using similar methods.

"This exploit of smart contracts to deliver proxy addresses is an interesting method where attackers can literally apply infinite variants of this technique," Group-IB analyst Xabier Eizaguirre noted.

Blockchain-stored infrastructure proves difficult to eliminate because decentralized ledgers cannot be seized or taken offline like traditional servers.

DeadLock infections rename files with a ".dlock" extension and deploy PowerShell scripts to disable Windows services and delete shadow copies.

Earlier attacks reportedly exploited vulnerabilities in Baidu Antivirus and used bring-your-own-vulnerable-driver techniques to terminate endpoint detection processes.

Group-IB acknowledges gaps remain in understanding DeadLock's initial access methods and full attack chain, though researchers confirmed the group recently reactivated operations with new proxy infrastructure.

The technique's adoption by both nation-state actors and financially motivated cybercriminals signals a concerning evolution in how adversaries leverage blockchain's resilience for malicious purposes.
