DeadLock Ransomware Uses Polygon Smart Contracts to Evade Tracking
According to Group-IB monitoring, the DeadLock ransomware family uses Polygon smart contracts to distribute and rotate proxy server addresses in order to evade detection. The malware was first discovered in July 2025. It embeds JavaScript code in HTML files that interacts with the Polygon network, using lists of RPC endpoints as gateways to obtain the addresses of attacker-controlled servers. The technique is similar to the previously discovered EtherHiding: both leverage decentralized ledgers to build covert communication channels that are difficult to block. DeadLock has so far spawned at least three variants, and the latest version also embeds the encrypted communication application Session to communicate directly with victims.
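A static triage heuristic for the pattern described above (an HTML file whose inline JavaScript queries a blockchain through a list of RPC gateways), as an added example that is not from Group-IB or the original page. The JSON-RPC method names, the gateway threshold, and the sample HTML are assumptions constructed for illustration; the page does not state which RPC calls DeadLock makes.

```python
import re
from html.parser import HTMLParser

# Assumption: standard Ethereum-compatible JSON-RPC read methods worth flagging.
RPC_METHODS = ("eth_call", "eth_getStorageAt", "eth_getLogs")
ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")   # 20-byte contract/account address
URL_RE = re.compile(r"https?://[^\s\"'<>\\)]+")

class _InlineScripts(HTMLParser):
    """Collects the text of inline <script> elements only."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.chunks = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)

def triage_html(html, min_gateways=2):
    """Flag HTML whose inline JS combines an RPC read method, a contract-style
    address, and several candidate gateway hosts (threshold is an assumption)."""
    parser = _InlineScripts()
    parser.feed(html)
    parser.close()
    js = "\n".join(parser.chunks)
    methods = sorted(m for m in RPC_METHODS if m in js)
    hosts = sorted({u.split("/")[2].lower() for u in URL_RE.findall(js)})
    addresses = sorted(set(ADDR_RE.findall(js)))
    suspicious = bool(methods) and bool(addresses) and len(hosts) >= min_gateways
    return {"suspicious": suspicious, "methods": methods,
            "hosts": hosts, "addresses": addresses}

# Constructed samples: placeholder hosts and an all-zero placeholder address.
SAMPLE_HTML = """<html><body><script>
const gateways = ["https://rpc-a.example.invalid", "https://rpc-b.example.invalid"];
const body = {jsonrpc: "2.0", id: 1, method: "eth_call",
  params: [{to: "0x0000000000000000000000000000000000000000", data: "0x00000000"}, "latest"]};
</script></body></html>"""
BENIGN_HTML = """<html><body><script src="https://cdn.example.invalid/app.js"></script>
<script>console.log("hello");</script></body></html>"""

if __name__ == "__main__":
    print(triage_html(SAMPLE_HTML))
    print(triage_html(BENIGN_HTML))
```

A hit is a lead for review rather than a verdict, since legitimate web3 pages also embed RPC calls; the extracted hosts and addresses are the values to pivot on in proxy and DNS logs.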
