Ransomware group uses Polygon smart contracts to evade takedowns

Security researchers say a low-profile ransomware group is using Polygon smart contracts to hide and rotate its command-and-control infrastructure.

Cybersecurity researchers are warning that a recently identified ransomware strain is using Polygon smart contracts in an unusual way that could make its infrastructure harder to disrupt.

In a report published on Jan. 15, researchers at cybersecurity firm Group-IB said the ransomware, known as DeadLock, is abusing publicly readable smart contracts on the Polygon (POL) network to store and rotate proxy server addresses used to communicate with infected victims.

DeadLock was first observed in July 2025 and has remained relatively low profile since then. Group-IB said the operation has a limited number of confirmed victims and is not linked to any known ransomware affiliate programs or public data leak sites.

Despite its low visibility, the firm warned that the techniques being used are highly inventive and could pose serious risks if copied by more established groups.

How the technique works

Instead of relying on traditional command-and-control servers, which can often be blocked or taken offline, DeadLock embeds code that queries a specific Polygon smart contract after a system has been infected and encrypted. That contract stores the current proxy address used to relay communication between the attackers and the victim.

Because the data is stored on-chain, attackers can update the proxy address at any time, allowing them to rotate infrastructure quickly without redeploying malware. Victims do not need to send transactions or pay gas fees, as the ransomware only performs read operations on the blockchain.

Once contact is established, victims receive ransom demands along with threats that stolen data will be sold if payment is not made. Group-IB noted that this approach makes the ransomware’s infrastructure far more resilient.

There is no central server to shut down, and the contract data remains available across distributed nodes worldwide, making takedowns significantly more difficult.

No Polygon vulnerability involved

The researchers stressed that DeadLock is not exploiting flaws in Polygon itself or in third-party smart contracts such as decentralized finance protocols, wallets, or bridges. The ransomware is simply abusing the public and immutable nature of blockchain data to hide configuration information, a method similar to earlier “EtherHiding” techniques.

Several smart contracts linked to the campaign were deployed or updated between August and Nov. 2025, according to Group-IB’s analysis. While the activity remains limited for now, the firm warned that the concept could be reused in countless variations by other threat actors.

While Polygon users and developers are not facing direct risk from the campaign, researchers say the case highlights how public blockchains can be misused to support off-chain criminal activity in ways that are difficult to detect and dismantle.