Security researchers are warning about a quiet but clever ransomware group that’s using blockchain technology in a new way to hide its tracks.
The ransomware, called DeadLock, was first spotted in July 2025. It hasn’t made big headlines yet and has only a small number of confirmed victims. But experts say the method it’s using could become a serious problem if bigger ransomware groups copy it.
According to a report released on January 15 by cybersecurity firm Group-IB, DeadLock is using smart contracts on the Polygon network to hide and rotate the servers it uses to talk to infected computers.
Normally, ransomware relies on command-and-control servers. These servers can often be tracked down and shut off by law enforcement or security teams. DeadLock does something different.
After a system is infected and locked, the malware checks a specific smart contract on Polygon. Inside that contract is a proxy address that acts as a middleman between the attackers and the victim. If the attackers want to change that address, they just update the smart contract.
Because this information is stored on the blockchain, it’s always available and spread across thousands of computers around the world. There’s no single server to shut down.
Even more concerning, the ransomware only reads data from the blockchain. Victims don’t send transactions or pay gas fees. That makes the setup cheap, simple, and hard to block.
Once communication starts, victims receive ransom demands along with threats that stolen data will be sold if they don’t pay. Group-IB says this setup makes DeadLock’s infrastructure far more durable than traditional ransomware systems.
The researchers were careful to point out one important thing: Polygon itself is not being hacked. There’s no bug or weakness being exploited. The attackers are simply taking advantage of the fact that blockchain data is public, permanent, and easy to access.
Several smart contracts linked to DeadLock were created or updated between August and November 2025. While the campaign is still small, researchers say the idea behind it could be reused in many different ways by other criminal groups.
For now, Polygon users and developers aren’t directly at risk. But the case shows how public blockchains can be misused to support criminal activity outside the chain, in ways that are very hard to spot and even harder to shut down.
In short, DeadLock may be flying under the radar today—but the technique it’s using could change how ransomware operates in the future if it spreads.
