DeadLock ransomware uses Polygon smart contracts to evade tracking

Jan 15, 2026 23:39:54

According to monitoring by Group-IB, the ransomware family DeadLock is using Polygon smart contracts to distribute and rotate proxy server addresses to evade security detection.

The malware was first discovered in July 2025. It embeds JS code in HTML files that interacts with the Polygon network, using an RPC list as a gateway to obtain server addresses controlled by the attacker. The technique is similar to the previously discovered EtherHiding: it leverages decentralized ledgers to build covert communication channels that are difficult to block. DeadLock currently has at least three variants, and the latest version also embeds the encrypted communication application Session to communicate directly with victims.
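For defenders triaging HTML files, the pattern described above (inline script, a list of RPC gateways, a read against a contract) can be checked with a simple heuristic. This is an added example, not code from Group-IB or from the malware; the JSON-RPC method names used as indicators, the two-endpoint threshold, and the sample HTML with its placeholder hosts and contract address are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed indicators (not from the article): standard Ethereum JSON-RPC read
# methods that a script would use to query contract state on Polygon.
RPC_READ_METHODS = ("eth_call", "eth_getStorageAt")
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\"'`<>]*)?")
ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")  # 20-byte contract address

class _ScriptText(HTMLParser):
    """Collects the text of inline <script> elements only."""
    def __init__(self):
        super().__init__()
        self.in_script, self.chunks = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)

def triage_html(html, min_endpoints=2):
    """Flag HTML whose inline JS combines an on-chain read method, a contract
    address and a list of at least `min_endpoints` distinct gateway hosts."""
    parser = _ScriptText()
    parser.feed(html)
    js = "\n".join(parser.chunks)
    methods = sorted(m for m in RPC_READ_METHODS if m in js)
    hosts = sorted({u.split("/")[2].lower() for u in URL_RE.findall(js)})
    contracts = sorted({a.lower() for a in ADDR_RE.findall(js)})
    suspicious = bool(methods) and bool(contracts) and len(hosts) >= min_endpoints
    return {"suspicious": suspicious, "methods": methods,
            "rpc_hosts": hosts, "contracts": contracts}

# Constructed samples: placeholder hosts and a placeholder contract address.
PLACEHOLDER_CONTRACT = "0x" + "ab" * 20
SAMPLE_FLAGGED = ('<html><body><script>\n'
    'const rpcs = ["https://rpc-one.example/", "https://rpc-two.example/v1"];\n'
    'const req = {jsonrpc: "2.0", id: 1, method: "eth_call",\n'
    '  params: [{to: "' + PLACEHOLDER_CONTRACT + '", data: "0x12345678"}, "latest"]};\n'
    '</script></body></html>')
SAMPLE_BENIGN = ('<html><body><script>fetch("https://cdn.example/app.js");</script>'
    '<p>eth_call mentioned in page text only</p></body></html>')

if __name__ == "__main__":
    for name, doc in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        print(name, triage_html(doc))
```

A hit is a triage signal, not a verdict: legitimate web3 pages also carry RPC lists and contract reads, so the surrounding context (an HTML file delivered outside a known dApp) decides what to do with it.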
