DeadLock ransomware uses Polygon smart contracts to evade tracking
Mars Finance reports that, according to Group-IB monitoring, the DeadLock ransomware family is using Polygon smart contracts to distribute and rotate proxy server addresses in order to evade security detection. The malware was first discovered in July 2025. It embeds JavaScript code in HTML files that interacts with the Polygon network, using a list of RPC endpoints as gateways to obtain attacker-controlled server addresses. The technique is similar to the previously discovered EtherHiding: both leverage decentralized ledgers to build covert communication channels that are difficult to block. DeadLock currently has at least three variants, and the latest also embeds the encrypted messaging app Session to communicate directly with victims.