DeadLock ransomware relies on Polygon smart contracts to publish its proxy server addresses, producing infrastructure that is nearly impossible to shut down.
The ransomware, exposed by cybersecurity firm Group-IB, uses blockchain technology as part of its attack infrastructure. DeadLock relies on Polygon smart contracts to manage its proxy servers, circumventing conventional security defenses.
Group-IB has published a post on X stating that the ransomware uses Polygon smart contracts to distribute proxy addresses. It is a low-profile, underreported trick that is very effective at circumventing conventional security controls.
DeadLock was released in July 2025 and maintained an unusually low profile: no public data-leak site, no affiliate program links, and a limited number of victims, which kept exposure minimal.
The investigation by Group-IB revealed new tactics. Once a system has been encrypted, the ransomware queries dedicated Polygon smart contracts containing the current proxy addresses, allowing attackers and victims to communicate through these proxies.
The blockchain approach has significant strengths for the attackers: they can change proxy addresses in real time without re-deploying malware, leaving defenders with no practical way to take the infrastructure down.
Conventional command-and-control servers can be blocked by security vendors and seized by law enforcement. DeadLock sidesteps these weaknesses.
Data is stored on-chain. The contract data is held by distributed nodes across the globe, so there is no central server that can be shut down, and the infrastructure is exceptionally resilient.
Group-IB found JavaScript code in HTML files. The code queries the Polygon smart contracts, automatically extracts the proxy URLs, and routes messages to the attackers through those addresses.
Early DeadLock samples first appeared in June 2025 and contained ransom notes that mentioned only file encryption. Later iterations were much more advanced.
In August 2025, explicit warnings of data theft were added. The attackers threatened to sell the stolen data, which put victims under double pressure: encrypted files and the prospect of a data breach.
The newer versions come with so-called value-added services: a security report explaining how the breach occurred, a promise not to target the victim again, and an assurance that the data is entirely destroyed once payment is received.
Transaction analysis reveals the infrastructure pattern: a single wallet created several smart contracts, and the same address funded those operations through the FixedFloat exchange. Contract updates took place between August and November 2025.
North Korean hackers were the first to use similar techniques; Google Threat Intelligence Group documented the EtherHiding technique, which became known in February 2025.
EtherHiding plants malicious code in blockchain smart contracts. The payloads are stored on public ledgers such as Ethereum and BNB Smart Chain and leave few traces.
Group-IB investigators note DeadLock's maturity as evidence of criminals' evolving capabilities. Its limited impact so far masks a threatening future.
Victims are left with encrypted files carrying a .dlock extension, a Windows wallpaper replaced with ransom messages, all system icons modified, and persistent remote control through the AnyDesk remote access software.
PowerShell scripts that delete shadow copies and stop services maximize the effect of encryption, making recovery without the decryption keys highly challenging.
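The recovery-inhibition behaviour described above (shadow copy deletion plus bulk service stopping) is a common pre-encryption signal worth alerting on. The following is an added detection example and is not code from the article, from Group-IB, or from the ransomware; the sample process-creation events are constructed, and the field names (`host`, `image`, `command_line`) are assumptions standing in for a Sysmon or EDR feed.

```python
"""Flag process-creation events consistent with recovery inhibition.

Added example for detection engineering. The recognisers cover the two
behaviours the article describes: shadow copy removal and service stopping.
Patterns are case-insensitive because cmd and PowerShell tooling is not
case-sensitive.
"""
import re
from dataclasses import dataclass

SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bWin32_ShadowCopy\b.*(Remove-CimInstance|Remove-WmiObject|\.Delete\(\))", re.I),
]
SERVICE_STOP = re.compile(r"\b(Stop-Service|net(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b", re.I)


@dataclass
class ProcessEvent:
    """Assumed shape of one process-creation record (constructed fields)."""
    host: str
    image: str
    command_line: str


def classify(event: ProcessEvent) -> list[str]:
    """Return the behaviour labels matched by a single event."""
    labels = []
    if any(p.search(event.command_line) for p in SHADOW_COPY_DELETION):
        labels.append("shadow_copy_deletion")
    if SERVICE_STOP.search(event.command_line):
        labels.append("service_stop")
    return labels


def triage(events: list[ProcessEvent], service_stop_threshold: int = 3) -> dict[str, list[str]]:
    """Per host: report shadow copy deletion immediately, but report service
    stops only once they reach a burst threshold, because a single Stop-Service
    is routine administration while many in quick succession suggest
    pre-encryption preparation."""
    per_host: dict[str, dict[str, int]] = {}
    for ev in events:
        counts = per_host.setdefault(ev.host, {"shadow_copy_deletion": 0, "service_stop": 0})
        for label in classify(ev):
            counts[label] += 1
    findings: dict[str, list[str]] = {}
    for host, counts in per_host.items():
        hits = []
        if counts["shadow_copy_deletion"]:
            hits.append("shadow_copy_deletion")
        if counts["service_stop"] >= service_stop_threshold:
            hits.append("service_stop_burst")
        if hits:
            findings[host] = hits
    return findings


# Constructed sample feed: ws-01 shows both behaviours, ws-02 a single
# routine service stop, ws-03 a harmless read-only vssadmin invocation.
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", "powershell.exe",
                 'powershell -nop -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'),
    ProcessEvent("ws-01", "powershell.exe", "Stop-Service -Name SQLWriter -Force"),
    ProcessEvent("ws-01", "powershell.exe", "Stop-Service -Name MSSQLSERVER -Force"),
    ProcessEvent("ws-01", "powershell.exe", "Stop-Service -Name VSS -Force"),
    ProcessEvent("ws-02", "cmd.exe", "net stop Spooler"),
    ProcessEvent("ws-03", "vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, ", ".join(hits))
```

Running the sample yields a finding only for `ws-01`; the threshold keeps isolated administrative service stops out of the alert queue, while shadow copy deletion is reported on its own because legitimate bulk deletion is rare enough to review every time.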
Analysis of historical proxy servers revealed important details. Early infrastructure ran on compromised WordPress sites, cPanel installations, and Shopware shops; recent servers, by contrast, appear to be attacker-controlled infrastructure.
A pair of the latest servers shares the same SSH fingerprint and similar SSL certificates. Both run Vesta control panels, and their Apache web servers accept proxy requests.
Blockchain read-only operations are free. Attackers incur no transaction fees for them, and the infrastructure requires minimal maintenance.
Group-IB monitored transactions to the smart contracts. Decoding the transaction input data yielded the historical proxy addresses; the setProxy method is used to update them.
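Decoding contract input data, as described above, is how a defender reconstructs the proxy timeline that the embedded JavaScript reads at runtime. The following is an added forensic example and is not Group-IB's or DeadLock's code. It assumes the method signature is `setProxy(string)` and that each update is a transaction whose calldata is a four-byte selector followed by one ABI-encoded dynamic string; `SET_PROXY_SELECTOR` is a constructed placeholder, not the real selector (the real one would be the first four bytes of keccak256 of the signature), and the sample transactions are constructed.

```python
"""Recover the proxy-address history from setProxy(string) calls.

Added example for defender-side forensic triage. Bounds are checked
explicitly because calldata comes from an untrusted on-chain source and a
malformed offset or length must not crash the analysis.
"""
from dataclasses import dataclass

# Constructed placeholder selector for the assumed setProxy(string) signature.
SET_PROXY_SELECTOR = bytes.fromhex("a1b2c3d4")


@dataclass
class Tx:
    """Minimal view of a transaction as exported from a chain explorer."""
    block: int
    input_hex: str  # 0x-prefixed calldata


def abi_encode_string(s: str) -> bytes:
    """ABI-encode one dynamic string argument: head offset, length, padded bytes."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    return (32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + padded


def decode_set_proxy(calldata: bytes) -> str:
    """Decode the proxy URL from calldata of the assumed setProxy(string) call."""
    if calldata[:4] != SET_PROXY_SELECTOR:
        raise ValueError("not a setProxy(string) call")
    args = calldata[4:]
    if len(args) < 32:
        raise ValueError("missing head word")
    offset = int.from_bytes(args[:32], "big")
    if offset + 32 > len(args):
        raise ValueError("string offset points outside calldata")
    length = int.from_bytes(args[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(args):
        raise ValueError("string length exceeds calldata")
    return args[start:start + length].decode("utf-8", errors="replace")


def proxy_history(txs: list[Tx]) -> list[tuple[int, str]]:
    """Return (block, proxy_url) pairs in chain order, ignoring other calls."""
    history = []
    for tx in sorted(txs, key=lambda t: t.block):
        data = bytes.fromhex(tx.input_hex.removeprefix("0x"))
        if data[:4] != SET_PROXY_SELECTOR:
            continue  # unrelated method call (deployment, ownership, funding)
        try:
            history.append((tx.block, decode_set_proxy(data)))
        except ValueError:
            continue  # malformed update; a real pipeline would log it
    return history


# Constructed sample transactions standing in for an explorer export.
SAMPLE_TXS = [
    Tx(1200, "0x" + (SET_PROXY_SELECTOR + abi_encode_string("http://proxy-b.example/")).hex()),
    Tx(1000, "0x" + (SET_PROXY_SELECTOR + abi_encode_string("http://proxy-a.example/")).hex()),
    Tx(1100, "0x" + "11223344" + "00" * 64),  # some other method call
    Tx(1300, "0x" + (SET_PROXY_SELECTOR + (2**200).to_bytes(32, "big")).hex()),  # malformed offset
]

if __name__ == "__main__":
    for block, url in proxy_history(SAMPLE_TXS):
        print(block, url)
```

The ordered history is what feeds blocklists and retrospective hunting: each recovered URL marks the proxy that was live between that block and the next update, which lets an incident responder match proxy traffic in network logs to the period in which it was in use.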
Researchers stress that DeadLock exploits no vulnerability in the Polygon platform, no flaw in any DeFi protocol, and no wallet or bridge breach.
The method abuses the public nature of the blockchain: permanent data storage makes ideal infrastructure, contract data is always available, and geographic distribution further complicates enforcement.
There is no direct threat to Polygon users and no security threat to developers. The campaign targets Windows systems; the blockchain is used only as infrastructure.
Cisco Talos identified the initial access techniques. CVE-2024-51324 is used to gain entry: the vulnerability in Baidu Antivirus permits the termination of processes, quickly rendering endpoint detection systems ineffective.
The post Hackers Hide Behind Blockchain: New Ransomware Evades Takedowns appeared first on Live Bitcoin News.