Friday, January 16, 2026

DeadLock Ransomware Hides Command-And-Control Addresses Inside Polygon Smart Contracts

Neon illustration of a Polygon-style contract panel with rotating proxy addresses and a central cyber node.

DeadLock ransomware operators used Polygon smart contracts to store and rotate proxy server addresses, a technique first detected in July 2025 and later documented in mid-January 2026. The method let attackers retrieve C2 endpoints via on-device JavaScript without creating on-chain transactions, which materially complicates conventional detection and takedown workflows.

This approach shifts ransomware operational security by exploiting the persistence and public availability of blockchain state, rather than relying on infrastructure that can be seized or sinkholed. Security firms tied the behavior to scripted, read-only contract storage lookups that leave minimal network and ledger-level exhaust, reducing the visibility defenders typically depend on.

How the on-chain configuration worked

Analysts concluded the group embedded proxy addresses directly inside deployed Polygon contracts and queried them using client-side JavaScript. Because the interaction was limited to read calls, the malware did not generate gas costs or visible on-chain transactions, and instead depended on RPC gateways to resolve contract state into usable proxy endpoints.

That design delivered two clear advantages for the operators: defenders could not follow transaction trails to map infrastructure, and the attackers could rotate endpoints quickly when needed. In the reporting, Group-IB described the pattern as “storing and dynamically rotating proxy server addresses directly within smart contracts,” positioning it as a resilient command-and-control architecture that is harder to disrupt than traditional proxy chains.

Why defenders need to adjust playbooks

Reports also indicated DeadLock has produced multiple variants since the technique was first identified in July 2025, suggesting an iterative development cadence rather than a one-off experiment. The newest variants were described as adding an encrypted communications client for victim interaction after compromise, a change analysts said tightens operational security and reduces forensic visibility.

Using public smart contracts as a covert configuration store forces a rethink of defensive priorities, because proxy lists can be rotated in on-chain storage and retrieved through reads that do not surface as ledger activity. Traditional IP blocklists and transaction monitoring offer limited signal for read-only contract queries, and removing a single server does not break the chain if clients can be repointed through contract updates. As a result, incident response and compliance functions may need to expand playbooks to include smart-contract monitoring and RPC behavior telemetry, and product stakeholders may need tighter controls around RPC providers and contract-read sources.
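As an added illustration (not code from the report or from any vendor named above), here is one way the RPC behavior telemetry just described could be turned into detection logic: it parses JSON-RPC request bodies from egress-proxy logs, keeps only the state-reading methods that produce no on-chain transaction (eth_call, eth_getStorageAt), and flags unexpected client processes and repeated polling of a single contract, the pattern the read-only lookups in the "How the on-chain configuration worked" section would leave. The log format, process names, gateway host and contract address are constructed placeholders, not indicators from the report.

```python
import json
from collections import defaultdict

READ_ONLY_STATE_METHODS = {"eth_call", "eth_getStorageAt"}  # read state, create no transaction
EXPECTED_RPC_CLIENTS = {"chrome.exe", "firefox.exe"}  # assumed allowlist of legitimate clients
CONTRACT = "0x000000000000000000000000000000000000dEaD"  # placeholder address, not an indicator


def _rec(proc, host, rpc):  # one constructed egress-proxy log line (JSON per line)
    return json.dumps({"src_proc": proc, "host": host, "body": json.dumps(rpc)})


SAMPLE_LOG = "\n".join([  # constructed sample; the gateway host name is a placeholder
    _rec("chrome.exe", "rpc.example.invalid",
         {"jsonrpc": "2.0", "method": "eth_blockNumber", "params": [], "id": 1}),
    _rec("updater.exe", "rpc.example.invalid", {"jsonrpc": "2.0", "method": "eth_call",
         "params": [{"to": CONTRACT, "data": "0x12345678"}, "latest"], "id": 2}),
    _rec("updater.exe", "rpc.example.invalid", {"jsonrpc": "2.0", "method": "eth_call",
         "params": [{"to": CONTRACT, "data": "0x12345678"}, "latest"], "id": 3}),
    _rec("chrome.exe", "rpc.example.invalid", {"jsonrpc": "2.0",
         "method": "eth_getStorageAt", "params": [CONTRACT, "0x0", "latest"], "id": 4}),
])


def contract_reads(log_text):
    """Yield (process, gateway, contract, method) for each read-only state lookup."""
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            rpc = json.loads(rec["body"])
        except (ValueError, KeyError, TypeError):
            continue  # not a JSON-RPC request body
        method = rpc.get("method")
        if method not in READ_ONLY_STATE_METHODS:
            continue
        target = (rpc.get("params") or [None])[0]
        if method == "eth_call" and isinstance(target, dict):
            target = target.get("to")  # the contract whose state is being read
        if isinstance(target, str):
            yield rec.get("src_proc", "?"), rec.get("host", "?"), target.lower(), method


def flag_covert_config_reads(log_text, min_repeats=2):
    """Flag reads by unexpected clients, and any process repeatedly polling one contract."""
    findings, polls = [], defaultdict(int)
    for proc, host, contract, method in contract_reads(log_text):
        polls[(proc, contract)] += 1
        if proc not in EXPECTED_RPC_CLIENTS:
            findings.append(("unexpected_client", proc, host, contract, method))
    for (proc, contract), n in polls.items():
        if n >= min_repeats:  # polling pattern consistent with fetching rotated endpoints
            findings.append(("repeated_polling", proc, contract, n))
    return findings
```

The allowlist and the repeat threshold are the tuning points: a wallet or dApp in a browser also issues eth_call, so the signal is the combination of an unusual client process and steady polling of one contract, not the RPC method alone.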

One report characterized the technique as a reuse of a known pattern that creates “hard to block covert communication channels,” emphasizing strategic reuse of public-ledger properties rather than an exploit of Polygon itself. In practical terms, this is a stress test for operational hygiene across security, compliance, and infrastructure teams, and near-term responses by exchanges, node operators, and regulators will help determine whether the pattern stays niche or becomes a more durable ransomware playbook.
