Group-IB research reveals how attackers use blockchain "read-only" calls to maintain bulletproof infrastructure at almost no cost.
DeadLock, a ransomware group that emerged in July 2025, is abusing Polygon blockchain smart contracts to store and rotate the addresses of its proxy servers. Because the malware reads the current proxy from on-chain contract state instead of carrying a hard-coded address, the group can change its infrastructure whenever it likes: blocking any one proxy or domain only works until the next update, and the contract itself cannot be seized or taken down.
1. Infection: Exploits CVE-2024-51324 (Baidu Antivirus) to terminate security processes.
2. Blockchain Query: Embedded JS code calls a Polygon smart contract to fetch the latest proxy URL.
3. Communication: Victims negotiate with the group over Session, a decentralized end-to-end encrypted messenger, identified only by a Session ID rather than a domain or IP address.
Result: The implant's lookups are read-only calls (eth_call), which are served by any public RPC node without a transaction and therefore without gas. The malware can poll for the current proxy indefinitely for free; only the operator's occasional update to the stored address is an on-chain transaction that pays a fee.
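The lookup in step 2, shown as an added illustration; this is not code from the article, from Group-IB, or from the DeadLock malware. The contract address, the stored URL and the node's response are constructed here, and the method selector 0x06fdde03 is the standard ERC-20 name() selector, used only because the article does not name the contract's real getter function. The same JSON-RPC body is what a defender sees in captured POST traffic, so the block also includes the matching check.

```javascript
// Added example: resolving a proxy URL from a smart contract with a gas-free
// eth_call, and spotting that call on the wire. All values are constructed.

// Assumed: the contract exposes a view function that returns a string.
// 0x06fdde03 is the ERC-20 name() selector, standing in for the real getter.
const SELECTOR = "0x06fdde03";
const CONTRACT = "0x" + "11".repeat(20);        // constructed contract address
const POLYGON_RPC = "https://polygon-rpc.com";  // public endpoint; not contacted here

// JSON-RPC body for a read-only call: no signature, no nonce, no gas.
function buildEthCall(to, selector, id = 1) {
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_call",
    params: [{ to, data: selector }, "latest"],
  };
}

// ABI-encode a single dynamic `string` return value: head offset, length, data.
// Used here only to construct a realistic node response for the round trip.
function encodeAbiString(s) {
  const bytes = Buffer.from(s, "utf8");
  const word = (n) => n.toString(16).padStart(64, "0");
  const padded = bytes.toString("hex").padEnd(Math.ceil(bytes.length / 32) * 64, "0");
  return "0x" + word(32) + word(bytes.length) + padded;
}

// Decode an ABI-encoded `string` from an eth_call result. Returns null for
// empty or truncated data (no contract at the address, reverted call, or a
// hostile node) instead of throwing.
function decodeAbiString(hex) {
  if (typeof hex !== "string" || !hex.startsWith("0x")) return null;
  const buf = Buffer.from(hex.slice(2), "hex");
  if (buf.length < 64) return null;
  const offset = Number(buf.readBigUInt64BE(24));        // low 8 bytes of word 0
  if (offset + 32 > buf.length) return null;
  const length = Number(buf.readBigUInt64BE(offset + 24)); // low 8 bytes of length word
  if (offset + 32 + length > buf.length) return null;
  return buf.subarray(offset + 32, offset + 32 + length).toString("utf8");
}

// Implant side: turn an RPC response into a proxy URL, accepting only http(s).
function extractProxyUrl(rpcResponse) {
  if (!rpcResponse || rpcResponse.error) return null;
  const s = decodeAbiString(rpcResponse.result);
  if (!s) return null;
  try {
    const u = new URL(s);
    return u.protocol === "http:" || u.protocol === "https:" ? s : null;
  } catch {
    return null;
  }
}

// Defender side: flag a captured JSON-RPC body that is an eth_call read
// against a known-bad contract address.
function isCallToContract(body, badAddress) {
  return Boolean(body) && body.method === "eth_call" &&
    Array.isArray(body.params) && Boolean(body.params[0]) &&
    typeof body.params[0].to === "string" &&
    body.params[0].to.toLowerCase() === badAddress.toLowerCase();
}

// Constructed round trip: the response a node would return if the contract
// currently stored this (documentation-range) proxy address.
const SAMPLE_RESPONSE = {
  jsonrpc: "2.0",
  id: 1,
  result: encodeAbiString("http://203.0.113.10:8080"),
};

const request = buildEthCall(CONTRACT, SELECTOR);
console.log("POST", POLYGON_RPC, JSON.stringify(request));
console.log("proxy:", extractProxyUrl(SAMPLE_RESPONSE));
console.log("flagged:", isCallToContract(request, CONTRACT));
```

Two points for the SOC follow from the request body: the traffic is an ordinary HTTPS POST to a public RPC endpoint, so a domain block on one node is trivially bypassed by switching to another, and the only stable indicator is the contract address inside the JSON body (the `to` field), which needs TLS inspection or EDR-side capture of the request to match.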
DeadLock does not run the data leak site that double-extortion groups typically use. Instead, it threatens to sell stolen data directly on underground markets, and offers victims who pay a "security report" along with a promise of no future attacks.
Keywords: News|Polygon