A ransomware operation named DeadLock is storing command-and-control infrastructure on Polygon’s public blockchain, allowing attackers to update their server addresses without redeploying malware—a technique that cybersecurity researchers warn could make ransomware campaigns far harder to shut down if adopted by larger criminal groups.
The method, detailed January 15 by cybersecurity firm Group-IB, exploits blockchain immutability rather than any Polygon vulnerability: once attackers publish data to a smart contract, it’s replicated across thousands of nodes worldwide, effectively creating an indestructible communication channel that law enforcement cannot seize or disable through traditional takedown methods.
How ransomware leverages Polygon smart contracts
Unlike traditional ransomware operations that depend on fixed command-and-control servers, DeadLock takes advantage of the publicly readable nature of Polygon smart contracts. After infecting a system, the malware queries a specific smart contract on the Polygon network to retrieve the current proxy address used for communication with attackers.
Group-IB researchers explained that this setup allows attackers to update infrastructure rapidly.
“DeadLock embeds code that queries a specific Polygon smart contract after a system has been infected and encrypted,” — Group-IB researchers, Cybersecurity Report.
Because the ransomware only reads on-chain data, nothing on the victim's side has to send a transaction or pay gas fees, which lowers friction for the attackers.
The use of Polygon smart contracts means there is no single server to seize or shut down. Once deployed, the contract’s data is replicated across thousands of nodes worldwide, giving the attackers a resilient communication channel that is difficult for defenders to disrupt.
No Polygon vulnerability, but growing concern
Researchers emphasized that the campaign does not rely on flaws in the Polygon protocol itself.
“The technique relies only on reading on-chain data and does not exploit vulnerabilities in Polygon or other smart contracts,” — Group-IB researchers, Cybersecurity Report.
In other words, Polygon smart contracts are being abused for their transparency and immutability, not because of a security weakness.
DeadLock was first observed in July 2025 and remains relatively low profile. Group-IB said it has no confirmed ties to major ransomware affiliate programs or public data leak sites. Several of the smart contracts linked to the campaign were deployed or updated between August and November 2025, suggesting ongoing experimentation rather than a large-scale rollout.
Despite the limited scope, researchers warned that the approach echoes earlier techniques such as “EtherHiding,” where attackers stored malicious configuration data on public blockchains. The difference now, analysts say, is the growing maturity and accessibility of Polygon smart contracts, which make the method cheaper and easier to replicate.
Why Polygon smart contracts complicate takedowns
From a defensive standpoint, the DeadLock case underscores how Polygon smart contracts complicate traditional takedown strategies. Law enforcement agencies and security firms often disrupt ransomware by seizing servers or domains. With on-chain storage, those options are largely unavailable.
“There is no central server to shut down, and the contract data remains available across distributed nodes worldwide,” — Group-IB researchers, Cybersecurity Report.
This decentralization forces defenders to shift focus from infrastructure takedowns to endpoint protection and early detection.
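One way to approach that early detection is sketched below as an added example; it is not code from Group-IB or from the DeadLock samples. It hunts egress logs for smart-contract reads made by processes that have no business talking to a blockchain RPC endpoint, and groups hits by contract address, which stays fixed in the malware while the proxy address behind it rotates. Assumptions: reads go out as standard Ethereum JSON-RPC calls over HTTP, the log schema (host, process, body) and the allowlist are hypothetical, and every sample record and address is constructed.

```python
import json
from collections import Counter

# Assumptions: state-reading JSON-RPC methods, and processes expected to use blockchain RPC.
READ_METHODS = {"eth_call", "eth_getStorageAt"}
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe"}

def rpc_reads(body):
    """Yield (method, contract) for every state-reading call in a JSON-RPC body."""
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        return  # missing or non-JSON body
    for call in payload if isinstance(payload, list) else [payload]:  # batch or single
        if not isinstance(call, dict) or call.get("method") not in READ_METHODS:
            continue
        params = call.get("params")
        first = params[0] if isinstance(params, list) and params else None
        # eth_call carries the contract in params[0]["to"]; eth_getStorageAt in params[0].
        target = first.get("to") if isinstance(first, dict) else first
        if isinstance(target, str):
            yield call["method"], target.lower()

def detect(lines, allowed=ALLOWED_PROCESSES):
    """Count contract reads per (host, process, contract) for non-allowlisted processes."""
    hits = Counter()
    for line in lines:
        try:
            rec = json.loads(line)
            proc = str(rec.get("process", "")).lower()
        except (ValueError, AttributeError):
            continue  # malformed or non-object log line
        if proc not in allowed:
            for _method, contract in rpc_reads(rec.get("body")):
                hits[(rec.get("host"), proc, contract)] += 1
    return hits

def _rec(host, process, rpc):  # builds one constructed log line; schema is hypothetical
    return json.dumps({"host": host, "process": process, "body": json.dumps(rpc)})

CONTRACT = "0x" + "AB" * 20  # constructed address, not a real indicator
CALL = {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
        "params": [{"to": CONTRACT, "data": "0x"}, "latest"]}
SAMPLE_LOG = [
    _rec("ws-014", "chrome.exe", CALL),                                   # allowlisted
    _rec("ws-022", "svc_update.exe", CALL),                               # unexpected process
    _rec("ws-022", "svc_update.exe", [CALL, {"method": "eth_chainId"}]),  # batched request
    "truncated {",                                                        # malformed line
]
print(dict(detect(SAMPLE_LOG)))
```

Repeated reads of one contract from the same non-wallet process are the signal worth triaging; the allowlist needs tuning for estates where wallets or Web3 tooling are in legitimate use.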
The researchers stressed that Polygon users and developers are not directly at risk from the campaign. However, the misuse of Polygon smart contracts illustrates how neutral technologies can be repurposed for illicit activity. As public blockchains continue to expand, security teams may need new tools and legal frameworks to address crimes that straddle on-chain and off-chain systems.
For now, DeadLock remains a relatively small operation. But experts caution that the real danger lies in imitation. If larger ransomware groups adopt similar methods using Polygon smart contracts, takedowns could become slower, more complex, and more costly.