{"id":5691,"date":"2026-01-16T08:40:41","date_gmt":"2026-01-16T08:40:41","guid":{"rendered":"https:\/\/cryptonews.uk.com\/?p=5691"},"modified":"2026-01-16T08:40:41","modified_gmt":"2026-01-16T08:40:41","slug":"deadlock-ransomware-abuses-polygon-blockchain-to-rotate-proxy-servers-quietly","status":"publish","type":"post","link":"https:\/\/cryptonews.uk.com\/?p=5691","title":{"rendered":"DeadLock ransomware abuses Polygon blockchain to rotate proxy servers quietly"},"content":{"rendered":"

<\/p>\n

\n
\n
\n\"DeadLock\n<\/picture> <\/div>\n<\/p><\/div>\n
    \n
  • Group-IB published its report on Jan. 15 and said the method could make disruption harder for defenders.<\/li>\n
  • The malware reads on-chain data, so victims do not pay gas fees.<\/li>\n
  • Researchers said Polygon is not vulnerable, but the tactic could spread.<\/li>\n<\/ul>\n

    Ransomware groups usually rely on command-and-control servers to manage communications after breaking into a system.<\/p>\n

    But security researchers now say a low-profile strain is using blockchain infrastructure in a way that could be harder to block.<\/p>\n

    In a report published on Jan. 15, cybersecurity firm Group-IB said a ransomware operation known as DeadLock is abusing Polygon (POL) smart contracts to store and rotate proxy server addresses.<\/p>\n

    These proxy servers are used to relay communication between attackers and victims after systems are infected.<\/p>\n

    Because the information sits on-chain and can be updated anytime, researchers warned that this approach could make the group\u2019s backend more resilient and tougher to disrupt.<\/p>\n

    Smart contracts used to store proxy information<\/h2>\n

    Group-IB said DeadLock does not depend on the usual setup of fixed command-and-control servers.<\/p>\n

    Instead, once a machine is compromised and encrypted, the ransomware queries a specific smart contract deployed on the Polygon network.<\/p>\n

    That contract stores the latest proxy address that DeadLock uses to communicate. The proxy acts as a middle layer, helping attackers maintain contact without exposing their main infrastructure directly.<\/p>\n

    Since the smart contract data is publicly readable, the malware can retrieve the details without sending any blockchain transactions.<\/p>\n

    This also means victims do not need to pay gas fees or interact with wallets.<\/p>\n

    DeadLock only reads the information, treating the blockchain as a persistent source of configuration data.<\/p>\n

    Rotating infrastructure without malware updates<\/h2>\n

    One reason this method stands out is how quickly attackers can change their communication routes.<\/p>\n

    Group-IB said the actors behind DeadLock can update the proxy address stored inside the contract whenever necessary.<\/p>\n

    That gives them the ability to rotate infrastructure without modifying the ransomware itself or pushing new versions into the wild.<\/p>\n

    In traditional ransomware cases, defenders can sometimes block traffic by identifying known command-and-control servers.<\/p>\n

    But with an on-chain proxy list, any proxy that gets flagged can be replaced simply by updating the contract\u2019s stored value.<\/p>\n

    Once contact is established through the updated proxy, victims receive ransom demands along with threats that stolen information will be sold if payment is not made.<\/p>\n

    Why takedowns become more difficult<\/h2>\n

    Group-IB warned that using blockchain data this way makes disruption significantly harder.<\/p>\n

    There is no single central server that can be seized, removed, or shut down.<\/p>\n

    Even if a specific proxy address is blocked, the attackers can switch to another one without having to redeploy the malware.<\/p>\n

    Since the smart contract remains accessible through Polygon\u2019s distributed nodes worldwide, the configuration data can continue to exist even if the infrastructure on the attackers\u2019 side changes.<\/p>\n

    Researchers said this gives ransomware operators a more resilient command-and-control mechanism compared with conventional hosting setups.<\/p>\n

    A small campaign with an inventive method<\/h2>\n

    DeadLock was first observed in July 2025 and has stayed relatively low profile so far.<\/p>\n

    Group-IB said the operation has only a limited number of confirmed victims.<\/p>\n

    The report also noted that DeadLock is not linked to known ransomware affiliate programmes and does not appear to operate a public data leak site.<\/p>\n

    While that may explain why the group has received less attention than major ransomware brands, researchers said its technical approach deserves close monitoring.<\/p>\n

    Group-IB warned that even if DeadLock remains small, its technique could be copied by more established cybercriminal groups.<\/p>\n

    No Polygon vulnerability involved<\/h2>\n

    The researchers stressed that DeadLock is not exploiting any vulnerability in Polygon itself.<\/p>\n

    It is also not attacking third-party smart contracts such as decentralised finance protocols, wallets, or bridges.<\/p>\n

    Instead, the attackers are abusing the public and immutable nature of blockchain data to hide configuration information.<\/p>\n

    Group-IB compared the technique to earlier \u201cEtherHiding\u201d approaches, where criminals used blockchain networks to distribute malicious configuration data.<\/p>\n

    Several smart contracts connected to the campaign were deployed or updated between August and Nov. 2025, according to the firm\u2019s analysis.<\/p>\n

    Researchers said the activity remains limited for now, but the concept could be reused in many different forms by other threat actors.<\/p>\n

    While Polygon users and developers are not facing direct risk from this specific campaign, Group-IB said the case is another reminder that public blockchains can be misused to support off-chain criminal activity in ways that are difficult to detect and dismantle.<\/p>\n

    \n
    \n
    Share this article<\/h6>\n
    \n
    Categories<\/h6>\n
    \n
    Tags<\/h6>\n<\/p><\/div>\n<\/p><\/div>\n

    Crime,Blockchain News,Polygon#DeadLock #ransomware #abuses #Polygon #blockchain #rotate #proxy #servers #quietly1768552841<\/p>\n","protected":false},"excerpt":{"rendered":"

    Group-IB published its report on Jan. 15 and said the method could make disruption harder for defenders. The malware reads on-chain data, so victims do not pay gas fees. Researchers said Polygon is not vulnerable, but the tactic could spread. Ransomware groups usually rely on command-and-control servers to manage communications after breaking into a system.<\/p>\n","protected":false},"author":1,"featured_media":5692,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":{"0":"post-5691","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-eurozone"},"yoast_head":"\nDeadLock ransomware abuses Polygon blockchain to rotate proxy servers quietly - Crypto News: Latest Cryptocurrency News and Analysis<\/title>\n<meta name=\"description\" content=\"DeadLock ransomware uses Polygon smart contracts to rotate proxy servers, making disruption harder, researchers say.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cryptonews.uk.com\/?p=5691\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"DeadLock ransomware abuses Polygon blockchain to rotate proxy servers quietly\" \/>\n<meta property=\"og:description\" content=\"DeadLock ransomware uses Polygon smart contracts to rotate proxy servers, making disruption harder, researchers say.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cryptonews.uk.com\/?p=5691\" \/>\n<meta property=\"og:site_name\" content=\"Crypto News: Latest Cryptocurrency News and Analysis\" \/>\n<meta property=\"article:published_time\" content=\"2026-01-16T08:40:41+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cryptonews.uk.com\/wp-content\/uploads\/2026\/01\/20260116_1234_Image-Generation_simple_compose_01kf2sx0kfe8rbaznmd32940ph-1-1024x683.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"683\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"\u884c\u653f\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"\u884c\u653f\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/cryptonews.uk.com\/?p=5691\",\"url\":\"https:\/\/cryptonews.uk.com\/?p=5691\",\"name\":\"DeadLock ransomware abuses Polygon blockchain to rotate proxy servers quietly - Crypto News: Latest Cryptocurrency News and Analysis\",\"isPartOf\":{\"@id\":\"https:\/\/cryptonews.uk.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/cryptonews.uk.com\/?p=5691#primaryimage\"},\"image\":{\"@id\":\"https:\/\/cryptonews.uk.com\/?p=5691#primaryimage\"},\"thumbnailUrl\":\"https:\/\/cryptonews.uk.com\/wp-content\/uploads\/2026\/01\/20260116_1234_Image-Generation_simple_compose_01kf2sx0kfe8rbaznmd32940ph-1.png\",\"datePublished\":\"2026-01-16T08:40:41+00:00\",\"author\":{\"@id\":\"https:\/\/cryptonews.uk.com\/#\/schema\/person\/822778c5844e0d16d43dce6630f4f1bf\"},\"description\":\"DeadLock ransomware uses Polygon smart contracts to rotate proxy servers, making disruption harder, researchers say.\",\"breadcrumb\":{\"@id\":\"https:\/\/cryptonews.uk.com\/?p=5691#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/cryptonews.uk.com\/?p=5691\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/cryptonews.uk.com\/?p=5691#primaryimage\",\"url\":\"https:\/\/cryptonews.uk.com\/wp-content\/uploads\/2026\/01\/20260116_1234_Image-Generation_simple_compose_01kf2sx0kfe8rbaznmd32940ph-1.png\",\"contentUrl\":\"https:\/\/cryptonews.uk.com\/wp-content\/uploads\/2026\/01\/20260116_1234_Image-Generation_simple_compose_01kf2sx0kfe8rbaznmd32940ph-1.png\",\"width\":1536,\"height\":1024},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/cryptonews.uk.com\/?p=5691#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/cryptonews.uk.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"DeadLock ransomware abuses Polygon blockchain to rotate proxy servers quietly\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/cryptonews.uk.com\/#website\",\"url\":\"https:\/\/cryptonews.uk.com\/\",\"name\":\"Crypto News: Latest Cryptocurrency News and Analysis\",\"description\":\"Latest Crypto & Bitcoin News\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/cryptonews.uk.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/cryptonews.uk.com\/#\/schema\/person\/822778c5844e0d16d43dce6630f4f1bf\",\"name\":\"\u884c\u653f\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/cryptonews.uk.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e4c2d23409b09e004cef3facbe677e95c5401f9e29680f3a311e0130c5748089?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e4c2d23409b09e004cef3facbe677e95c5401f9e29680f3a311e0130c5748089?s=96&d=mm&r=g\",\"caption\":\"\u884c\u653f\"},\"sameAs\":[\"http:\/\/demo3.aiwalls.com\/coinbase\"],\"url\":\"https:\/\/cryptonews.uk.com\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"DeadLock ransomware abuses Polygon blockchain to rotate proxy servers quietly - Crypto News: Latest Cryptocurrency News and Analysis","description":"DeadLock ransomware uses Polygon smart contracts to rotate proxy servers, making disruption harder, researchers say.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cryptonews.uk.com\/?p=5691","og_locale":"en_US","og_type":"article","og_title":"DeadLock ransomware abuses Polygon blockchain to rotate proxy servers quietly","og_description":"DeadLock ransomware uses Polygon smart contracts to rotate proxy servers, making disruption harder, researchers say.","og_url":"https:\/\/cryptonews.uk.com\/?p=5691","og_site_name":"Crypto News: Latest Cryptocurrency News and Analysis","article_published_time":"2026-01-16T08:40:41+00:00","og_image":[{"width":1024,"height":683,"url":"https:\/\/cryptonews.uk.com\/wp-content\/uploads\/2026\/01\/20260116_1234_Image-Generation_simple_compose_01kf2sx0kfe8rbaznmd32940ph-1-1024x683.png","type":"image\/png"}],"author":"\u884c\u653f","twitter_card":"summary_large_image","twitter_misc":{"Written by":"\u884c\u653f","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/cryptonews.uk.com\/?p=5691","url":"https:\/\/cryptonews.uk.com\/?p=5691","name":"DeadLock ransomware abuses Polygon blockchain to rotate proxy servers quietly - Crypto News: Latest Cryptocurrency News and Analysis","isPartOf":{"@id":"https:\/\/cryptonews.uk.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cryptonews.uk.com\/?p=5691#primaryimage"},"image":{"@id":"https:\/\/cryptonews.uk.com\/?p=5691#primaryimage"},"thumbnailUrl":"https:\/\/cryptonews.uk.com\/wp-content\/uploads\/2026\/01\/20260116_1234_Image-Generation_simple_compose_01kf2sx0kfe8rbaznmd32940ph-1.png","datePublished":"2026-01-16T08:40:41+00:00","author":{"@id":"https:\/\/cryptonews.uk.com\/#\/schema\/person\/822778c5844e0d16d43dce6630f4f1bf"},"description":"DeadLock ransomware uses Polygon smart contracts to rotate proxy servers, making disruption harder, researchers say.","breadcrumb":{"@id":"https:\/\/cryptonews.uk.com\/?p=5691#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cryptonews.uk.com\/?p=5691"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cryptonews.uk.com\/?p=5691#primaryimage","url":"https:\/\/cryptonews.uk.com\/wp-content\/uploads\/2026\/01\/20260116_1234_Image-Generation_simple_compose_01kf2sx0kfe8rbaznmd32940ph-1.png","contentUrl":"https:\/\/cryptonews.uk.com\/wp-content\/uploads\/2026\/01\/20260116_1234_Image-Generation_simple_compose_01kf2sx0kfe8rbaznmd32940ph-1.png","width":1536,"height":1024},{"@type":"BreadcrumbList","@id":"https:\/\/cryptonews.uk.com\/?p=5691#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/cryptonews.uk.com\/"},{"@type":"ListItem","position":2,"name":"DeadLock ransomware abuses Polygon blockchain to rotate proxy servers quietly"}]},{"@type":"WebSite","@id":"https:\/\/cryptonews.uk.com\/#website","url":"https:\/\/cryptonews.uk.com\/","name":"Crypto News: Latest Cryptocurrency News and Analysis","description":"Latest Crypto & Bitcoin News","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cryptonews.uk.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/cryptonews.uk.com\/#\/schema\/person\/822778c5844e0d16d43dce6630f4f1bf","name":"\u884c\u653f","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cryptonews.uk.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/e4c2d23409b09e004cef3facbe677e95c5401f9e29680f3a311e0130c5748089?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e4c2d23409b09e004cef3facbe677e95c5401f9e29680f3a311e0130c5748089?s=96&d=mm&r=g","caption":"\u884c\u653f"},"sameAs":["http:\/\/demo3.aiwalls.com\/coinbase"],"url":"https:\/\/cryptonews.uk.com\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=\/wp\/v2\/posts\/5691","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5691"}],"version-history":[{"count":0,"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=\/wp\/v2\/posts\/5691\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=\/wp\/v2\/media\/5692"}],"wp:attachment":[{"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5691"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5691"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cryptonews.uk.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5691"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}