GasCope: Checking the Gas, Inhaling the Cope
Industry News · 18h ago

DeadLock Ransomware Gets a Polygon Upgrade: Because Why Just Lock Files When You Can Lock Them on the Blockchain?

$MATIC

A new ransomware strain named DeadLock has cybersecurity researchers buzzing, and not just because it encrypts files. First spotted in July 2025, the threat has largely flown under the radar thanks to a particularly sneaky trick: it uses Polygon smart contracts to manage its command-and-control infrastructure.

According to a report from threat intelligence firm Group-IB, DeadLock doesn't rely on a fixed, centralized server for its command-and-control operations. Instead, it stores and rotates proxy addresses directly on the Polygon blockchain. The malware simply queries a smart contract to retrieve the latest proxy address: a read-only call that public RPC nodes answer without charge and that writes nothing to the chain, so the victim side leaves no transactional footprint. Only the operators' updates cost gas. The result is a communication channel that defenders cannot take down the way they would a domain or a hosting account. What they can do is block the proxies it points to, and watch for hosts that suddenly start talking to public Polygon JSON-RPC endpoints with no business reason to.

The technique mirrors earlier campaigns, like the EtherHiding operation that abused the Ethereum blockchain. Moving to Polygon does not make the infrastructure any more decentralized; its practical effect is that the operators' own on-chain updates cost far less in gas than they would on Ethereum mainnet. Once it infects a system, DeadLock encrypts files and appends a ".dlock" extension, changes system icons, and replaces the wallpaper with ransom instructions. Over time, the ransom notes have evolved from simple encryption threats to explicitly stating that data has been stolen and will be sold if payment isn't made. The latest notes even promise "added services", such as a breakdown of how the breach occurred and assurances of future immunity.

DeadLock's operation is methodical. Group-IB identified at least three distinct samples from mid-2025, each with incremental improvements. The malware aggressively stops non-essential services, deletes volume shadow copies to block recovery, and spares only a short allowlist of processes, among them AnyDesk, which investigators believe the operators use for remote access during attacks. Shadow-copy deletion is a near-universal pre-encryption step in ransomware and remains one of the most reliable endpoint detection signals for it.

Perhaps most notably, DeadLock drops an HTML file on infected systems that embeds an encrypted messenger interface, so victims can talk to the attackers directly from that file without installing anything. Its embedded JavaScript reads the current proxy address from the Polygon smart contract and relays encrypted messages through that proxy to a session ID controlled by the ransomware operators. Because the page is self-contained, a copy recovered from a victim should also be the quickest place to find the contract address and the RPC endpoints the malware queries.

Transaction analysis shows that the same wallet created multiple identical smart contracts and repeatedly updated proxy addresses by calling a function named setProxy. The wallet was funded through an exchange-linked address shortly before the contracts were deployed, which points to deliberate preparation. Every one of those updates is a signed, gas-paying transaction, so the full proxy history is public and permanent: defenders can enumerate the contract's setProxy calls to reconstruct past proxy infrastructure and watch the deploying wallet for new ones. What the chain does not show is the victims' reads, so it offers no infection telemetry. And because neither the contract nor the chain can be taken down, the decentralized design complicates rapid takedown efforts.
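As an added example (not DeadLock's code and not taken from Group-IB's report), the following Node.js script shows the two halves of what the article describes: the signature-free, gas-free eth_call a client such as the embedded messenger page would issue to read a string from a contract, and the decoding of archived setProxy(string) calldata that a defender would do to rebuild the proxy timeline. The contract and wallet addresses, the proxy URLs, the transaction list and the 4-byte selectors are all constructed placeholders; the report names setProxy but not the getter, so both selectors are stand-ins.

```javascript
// Added example: not DeadLock's code and not Group-IB's. Selectors, addresses,
// proxy URLs and the transaction list are constructed placeholders.
// A real selector is the first 4 bytes of keccak256(signature), e.g.
// `cast sig "setProxy(string)"`; the getter's real name is not public here.
const SET_PROXY_SELECTOR = "0xaaaaaaaa"; // placeholder for setProxy(string)
const GET_PROXY_SELECTOR = "0xbbbbbbbb"; // placeholder for a no-arg string getter
const CONTRACT = "0x1111111111111111111111111111111111111111"; // placeholder
const OPERATOR = "0x2222222222222222222222222222222222222222"; // placeholder wallet

const pad32 = (hex) => hex.padStart(64, "0");
const padRight32 = (hex) => hex.padEnd(Math.ceil(hex.length / 64) * 64, "0");

// ABI-encode a lone dynamic `string`: [offset = 0x20][byte length][utf8, right-padded].
function encodeAbiString(s) {
  const bytes = Buffer.from(s, "utf8").toString("hex");
  return pad32("20") + pad32((bytes.length / 2).toString(16)) + padRight32(bytes);
}

// Inverse of the above; used both for eth_call results and for calldata arguments.
function decodeAbiString(hexData) {
  const h = hexData.startsWith("0x") ? hexData.slice(2) : hexData;
  if (h.length < 128) throw new Error("too short to be an ABI-encoded string");
  const offset = parseInt(h.slice(0, 64), 16) * 2;            // bytes -> hex chars
  const len = parseInt(h.slice(offset, offset + 64), 16) * 2;
  const start = offset + 64;
  if (h.length < start + len) throw new Error("truncated string payload");
  return Buffer.from(h.slice(start, start + len), "hex").toString("utf8");
}

// The victim-side read. eth_call needs no key, no gas and no transaction: any
// RPC node answers it, and nothing about the caller is written on chain.
function buildEthCall(contract, selector, block = "latest") {
  return {
    jsonrpc: "2.0",
    id: 1,
    method: "eth_call",
    params: [{ to: contract, data: selector }, block],
  };
}

// The defender-side decode: setProxy(string) calldata is selector + ABI string.
// Returns null for calls to other functions on the same contract.
function decodeSetProxyCall(input) {
  if (!input.toLowerCase().startsWith(SET_PROXY_SELECTOR)) return null;
  return decodeAbiString(input.slice(SET_PROXY_SELECTOR.length));
}

// Rebuild the proxy timeline from every successful transaction to the contract
// (fields as an explorer export or eth_getTransactionByHash plus its receipt
// would give them). Filtering on receipt status rather than on one sender
// catches a second operator wallet; keeping `from` shows who made each change.
function reconstructProxyHistory(txs, contract = CONTRACT) {
  return txs
    .filter((tx) => tx.to.toLowerCase() === contract.toLowerCase() && tx.status === 1)
    .map((tx) => ({ block: tx.blockNumber, from: tx.from, proxy: decodeSetProxyCall(tx.input) }))
    .filter((e) => e.proxy !== null)
    .sort((a, b) => a.block - b.block);
}

// Constructed sample data standing in for an explorer export / RPC responses.
const SAMPLE_TXS = [
  { blockNumber: 72000500, from: OPERATOR, to: CONTRACT, status: 1,
    input: SET_PROXY_SELECTOR + encodeAbiString("https://proxy-two.example/m") },
  { blockNumber: 72000010, from: OPERATOR, to: CONTRACT, status: 1,
    input: SET_PROXY_SELECTOR + encodeAbiString("https://proxy-one.example/m") },
  { blockNumber: 72000700, from: OPERATOR, to: CONTRACT, status: 1,
    input: "0xcccccccc" }, // some other function on the contract, ignored
  { blockNumber: 72000800, from: "0x3333333333333333333333333333333333333333",
    to: CONTRACT, status: 0, // reverted: a non-owner trying to call setProxy
    input: SET_PROXY_SELECTOR + encodeAbiString("https://noise.example") },
];
const SAMPLE_CALL_RESULT = "0x" + encodeAbiString("https://proxy-two.example/m");

console.log(JSON.stringify(buildEthCall(CONTRACT, GET_PROXY_SELECTOR)));
console.log("current proxy:", decodeAbiString(SAMPLE_CALL_RESULT));
console.log("history:", reconstructProxyHistory(SAMPLE_TXS));
```

The eth_call object is the whole of the victim-side footprint: it carries no sender, no signature and no gas, which is why the chain records nothing about infections. The history function is the defender's mirror image of setProxy; pointing it at the real contract's transaction list gives every proxy ever set, in order, with the wallet that set it, and the same decode can be run on each new transaction to that contract as it lands.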

This development is part of a broader trend of increasing crypto-related cybercrime. As of early December 2025, over $3.4 billion has been stolen through hacks and exploits, with state-linked North Korean groups accounting for over $2 billion of that total. DeadLock's use of blockchain technology to hide its infrastructure rotation in plain sight marks a significant evolution in ransomware tactics, turning the very technology built for trustless systems into a takedown-resistant C2 directory.