DeadLock ransomware uses Polygon smart contracts to evade tracking.
TL;DR
DeadLock ransomware uses Polygon smart contracts to hide proxy servers, evading detection by interacting with the network via embedded JavaScript. It rotates addresses to create covert channels, similar to EtherHiding, and includes variants with encrypted communication tools.
According to Mars Finance, Group-IB monitoring indicates that the DeadLock ransomware family is abusing Polygon smart contracts to distribute and rotate proxy server addresses in order to evade security detection. The malware, first discovered in July 2025, uses JavaScript embedded in HTML files to interact with the Polygon network, using a list of RPC endpoints as gateways to obtain attacker-controlled server addresses. The technique, similar to the previously discovered EtherHiding, aims to use decentralized ledgers to build covert communication channels that are difficult to detect. DeadLock currently has at least three variants, and the latest version embeds the encrypted communication application Session for direct communication with victims.
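For defenders triaging HTML files found on hosts or in mail, the pattern described above (inline script, a list of RPC gateways, a read-only contract call) can be scored statically. This is an added example, not code from the article or from Group-IB; the function name, regexes, score threshold and both sample documents are assumptions constructed for illustration.

```python
import re

# Heuristic indicators (assumptions of this example, not vendor signatures).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
RPC_HINT_RE = re.compile(r"rpc|polygon|matic", re.I)
JSONRPC_METHOD_RE = re.compile(r"\beth_(?:call|getStorageAt|getLogs)\b")
CONTRACT_ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")  # 20-byte address only


def score_html(html: str) -> dict:
    """Score inline scripts for the 'read server address from a contract' pattern."""
    scripts = "\n".join(SCRIPT_RE.findall(html))
    rpc_urls = sorted({u for u in URL_RE.findall(scripts) if RPC_HINT_RE.search(u)})
    findings = {
        "rpc_urls": rpc_urls,
        "jsonrpc_methods": sorted(set(JSONRPC_METHOD_RE.findall(scripts))),
        "contract_addrs": sorted(set(CONTRACT_ADDR_RE.findall(scripts))),
    }
    # A list of fallback RPC gateways weighs more than a single endpoint.
    score = 2 if len(rpc_urls) >= 2 else len(rpc_urls)
    score += 1 if findings["jsonrpc_methods"] else 0
    score += 1 if findings["contract_addrs"] else 0
    findings["score"] = score
    findings["suspicious"] = score >= 3
    return findings


# Constructed sample: inline script with two RPC gateways and a contract read.
SAMPLE_FLAGGED = """<html><body><script>
const rpcs = ["https://rpc-a.example/polygon", "https://rpc-b.example/polygon"];
const body = {jsonrpc: "2.0", id: 1, method: "eth_call",
  params: [{to: "0x%s", data: "0x00000000"}, "latest"]};
</script></body></html>""" % ("ab" * 20)

# Constructed sample: ordinary page script with no blockchain indicators.
SAMPLE_BENIGN = """<html><body><script>
fetch("https://api.example/v1/status").then(r => r.json());
</script></body></html>"""

if __name__ == "__main__":
    for name, doc in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        result = score_html(doc)
        print(name, result["score"], result["suspicious"], result["rpc_urls"])
```

Legitimate dApp front ends match the same indicators, so the score is a triage signal for HTML files in unexpected locations, to be paired with egress monitoring for JSON-RPC traffic from hosts that have no business reason to query a blockchain.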