Polygon's Dark Side: When Smart Contracts Go Rogue and Hold Data for Ransom

DeadLock ransomware is hiding in plain sight, and it's using Polygon's smart contracts as its secret hideout.

Cybersecurity firm Group-IB discovered this new ransomware strain in July, and it's taking a creative approach to staying online. Instead of relying on traditional servers that can be taken down, DeadLock stores its proxy addresses directly on the Polygon blockchain. This lets the malware rotate its command-and-control infrastructure dynamically, making it nearly impossible to disrupt.

The ransomware hasn't caused widespread chaos yet—it's kept a low profile with limited victims and no ties to known leak sites. But Group-IB warns that its methods are "innovative" and could be dangerous if organizations underestimate it. This marks one of the first widely reported cases of Polygon being abused for malicious purposes.

Once infected, victims get a ransom note threatening to sell their stolen data if they don't pay. The malware's code interacts with a specific smart contract address, pulling down fresh proxy server addresses as needed. Since blockchain data lives forever across a distributed network, there's no central server to shut down.

Group-IB notes that this technique offers "infinite variants," limited only by the attackers' imagination. It's not entirely new, though—similar tactics have been seen before. In October, Google reported "EtherHiding," where North Korean hackers embedded malicious code in Ethereum smart contracts to create a decentralized command-and-control server.
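For defenders, the contract lookups described above (DeadLock on Polygon, EtherHiding on Ethereum) both travel over the same EVM JSON-RPC interface, so they can be hunted in egress logs by request body rather than by destination. The following is an added example, not code from Group-IB or this article: the log schema, host names, allowlist and contract address are constructed, and it assumes a proxy that records request bodies.

```python
import json
from collections import defaultdict

# Read-only JSON-RPC methods a client uses to pull data out of a contract.
CONTRACT_READ_METHODS = {"eth_call", "eth_getStorageAt"}
# Assumption: hosts with a legitimate reason to query blockchain nodes.
ALLOWED_HOSTS = {"fin-wallet-01"}
# Constructed placeholder, not a real indicator from any report.
PLACEHOLDER_CONTRACT = "0x" + "ab" * 20

def rpc(method, params):
    """Build a JSON-RPC request body for the constructed sample data."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})

# Constructed proxy records (hypothetical schema: src_host, dst_host, body).
READ = rpc("eth_call", [{"to": PLACEHOLDER_CONTRACT, "data": "0x12345678"}, "latest"])
SAMPLE_RECORDS = [
    {"src_host": "fin-wallet-01", "dst_host": "rpc.example.net", "body": READ},
    {"src_host": "hr-laptop-17", "dst_host": "rpc.example.net", "body": READ},
    {"src_host": "hr-laptop-17", "dst_host": "rpc.example.org", "body": "[" + READ + "]"},
    {"src_host": "build-04", "dst_host": "api.example.com", "body": '{"query": "status"}'},
    {"src_host": "build-04", "dst_host": "cdn.example.com", "body": "not json"},
]

def extract_contract_reads(body):
    """Return (method, contract) pairs for contract reads in a request body."""
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        return []  # not JSON at all, so not JSON-RPC
    calls = parsed if isinstance(parsed, list) else [parsed]  # batch requests
    hits = []
    for call in calls:
        if not isinstance(call, dict) or call.get("method") not in CONTRACT_READ_METHODS:
            continue
        params = call.get("params")
        first = params[0] if isinstance(params, list) and params else None
        # eth_call passes an object with "to"; eth_getStorageAt a bare address.
        target = first.get("to") if isinstance(first, dict) else first
        hits.append((call["method"], str(target).lower() if target else None))
    return hits

def find_unexpected_readers(records, allowed=ALLOWED_HOSTS):
    """Map each non-allowlisted host to the contracts it read and the RPC hosts used."""
    findings = defaultdict(lambda: defaultdict(set))
    for rec in records:
        if rec["src_host"] in allowed:
            continue
        for _method, contract in extract_contract_reads(rec.get("body")):
            findings[rec["src_host"]][contract].add(rec["dst_host"])
    return {h: {c: sorted(d) for c, d in cs.items()} for h, cs in findings.items()}
```

Grouping by contract address rather than by destination keeps the finding stable when the same contract is read through different RPC providers.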

DeadLock adds an HTML file with an embedded Session private messenger for victims to contact the threat actors. It's a reminder that blockchain's immutability cuts both ways—while it secures transactions, it can also provide a permanent home for malware infrastructure.