New Method Makes Blocking Attacks and Tracking Attackers More Difficult

DeadLock: How Cybercriminals Use Polygon in Cyberattacks

16.01.2026 - 11:05

Key points:

  • DeadLock is ransomware that uses Polygon smart contracts to secretly control its infrastructure.
  • This approach makes it difficult to detect and block attacks, as the blockchain cannot be shut down centrally.

Group-IB has reported a new type of ransomware that uses the Polygon blockchain to manage its infrastructure. This malware is called DeadLock.

DeadLock was first detected in July 2025. For a long time it went virtually unnoticed: the project has no affiliate program and no website for publishing stolen data, and the number of victims is still small. Nevertheless, experts consider the threat a telling one.

Smart Contracts as an Attack Tool

According to Group-IB, the attackers use Polygon smart contracts to distribute and regularly rotate proxy server addresses. This complicates the detection and blocking of malicious activity: entry points can change constantly, effectively bypassing traditional security measures.

Analysts compare DeadLock to EtherHiding, a campaign previously reported by the Google Threat Intelligence Group. In that case, North Korean hackers used the Ethereum blockchain to covertly deliver malicious code through compromised websites, most often WordPress. Both schemes use public blockchains as a hidden communication channel. Disabling or "closing" such a channel is extremely difficult, as decentralized ledgers have no single point of control.

How the ransomware works

After infection, DeadLock encrypts files, appending the .dlock extension, and changes the desktop wallpaper to a ransom note. Newer versions additionally threaten victims with leaking confidential data. To date, experts have identified at least three variants of this malware.
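The two observables described above, a lookup against the Polygon blockchain and files renamed with the .dlock extension, can be correlated in endpoint telemetry. The following is an added detection example, not code from Group-IB's report or from this article's authors; the event format, the RPC hostname list and the approved process name are assumptions, and the log lines are constructed.

```python
import json
from datetime import datetime, timedelta

# Assumptions (not from the article): hostnames and process names are placeholders
# to be replaced with your own egress inventory and approved blockchain clients.
POLYGON_RPC_HOSTS = {"polygon-rpc.com"}
APPROVED_PROCESSES = {"wallet-service.exe"}   # hypothetical business application
RANK = {"medium": 1, "high": 2, "critical": 3}

# Constructed sample telemetry (JSON lines), not real incident data.
SAMPLE_EVENTS = """
{"ts": "2026-01-10T09:00:00", "host": "ws-014", "type": "net", "process": "svc_update.exe", "dest": "polygon-rpc.com"}
{"ts": "2026-01-10T09:03:10", "host": "ws-014", "type": "file", "process": "svc_update.exe", "path": "C:/Users/a/report.docx.dlock"}
{"ts": "2026-01-10T09:05:00", "host": "ws-022", "type": "net", "process": "wallet-service.exe", "dest": "polygon-rpc.com"}
{"ts": "2026-01-10T09:06:00", "host": "ws-031", "type": "net", "process": "helper.exe", "dest": "polygon-rpc.com"}
{"ts": "2026-01-10T09:07:00", "host": "fs-002", "type": "file", "process": "explorer.exe", "path": "D:/share/q4.xlsx.dlock"}
{"ts": "2026-01-10T09:08:00", "host": "ws-040", "type": "net", "process": "chrome.exe", "dest": "example.org"}
"""

def hunt(lines, window=timedelta(minutes=30)):
    """Return {host: severity}, keeping the highest severity seen per host."""
    events = sorted((json.loads(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    rpc_seen, result = {}, {}

    def raise_to(host, sev):
        if RANK[sev] > RANK.get(result.get(host), 0):
            result[host] = sev

    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "net":
            # Blockchain RPC lookup from a process with no approved reason to make one.
            if e["dest"].lower() in POLYGON_RPC_HOSTS and e["process"].lower() not in APPROVED_PROCESSES:
                rpc_seen.setdefault(e["host"], []).append(ts)
                raise_to(e["host"], "medium")
        elif e["type"] == "file" and e["path"].lower().endswith(".dlock"):
            # .dlock is the extension the article says DeadLock appends.
            prior = any(timedelta(0) <= ts - t <= window for t in rpc_seen.get(e["host"], []))
            raise_to(e["host"], "critical" if prior else "high")
    return result

if __name__ == "__main__":
    for host, sev in sorted(hunt(SAMPLE_EVENTS.splitlines()).items()):
        print(f"{host}: {sev}")
```

Because the proxy addresses rotate, the stable signals are the blockchain lookup itself and the file extension, not any single destination IP.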

Initially, DeadLock used hacked servers, but researchers now believe the group has switched to its own infrastructure. The key innovation remains the mechanism for obtaining server addresses via a smart contract.

Furthermore, the latest version includes a built-in communication channel. An HTML file is created on the victim's device that serves as a wrapper for the encrypted messenger Session. This allows the attackers to communicate directly with victims without relying on third-party services. Experts emphasize that while DeadLock has not yet become a widespread threat, the techniques it uses could be widely adopted if companies do not take such attacks seriously.