Hackers Hide Behind Blockchain: DeadLock Ransomware Parks Its Proxy Infrastructure in Polygon Smart Contracts

DeadLock ransomware stores the addresses of its proxy servers in Polygon smart contracts, giving it a communication channel that is very hard to take down.

The scheme, detailed by researchers at Group-IB, abuses public blockchain infrastructure. Instead of hard-coding the addresses of its proxy servers, DeadLock reads them from Polygon smart contracts, which sidesteps the takedown and blocklisting measures that work against conventional command-and-control (C2) infrastructure.

Group-IB disclosed the technique in a post on X, describing it as a low-profile tactic that has so far escaped conventional security controls.

Blockchain: A New Home for Criminal Infrastructure

DeadLock appeared in July 2025 and attracted little attention: no data-leak site, no affiliate program, and a very short victim list.

After encrypting a system, DeadLock directs the victim to a proxy server whose address it reads from a Polygon smart contract, and the attackers deliver their demands and negotiate with the victim through that proxy.

The design has real advantages for the attackers: they can change the proxy address at any time with a single contract transaction, without redeploying the malware. Taking down one proxy does not break the channel, so defenders are left chasing a moving target.

No Central Server to Seize

Traditional C2 servers can be seized or sinkholed by law enforcement and security vendors. DeadLock has no such single point of failure: the proxy address lives in contract storage that is replicated across the Polygon network's globally distributed nodes, where no single party can delete or alter it.

Group-IB found the mechanism in a small JavaScript snippet embedded in HTML files. The script queries the Polygon network's smart contracts, retrieves the current proxy URL, and the page then uses that URL to reach the attackers.

Evolution: From Simple Encryption to Double Extortion

DeadLock's earliest samples, from June 2025, did nothing beyond encrypting files. By August the operation had escalated to data theft: victims now face the double-extortion threat of losing access to their files and seeing the stolen data published.

Newer versions add a "security report" for the victim and a promise that the stolen data will be destroyed and the victim left alone once payment is made. As with every ransomware operation, nothing lets the victim verify that the data was actually deleted.

Transaction analysis showed that the smart contracts were deployed from a single wallet, which was itself funded through a series of exchange transactions between August and November 2025.

A Technique With a Precedent

DeadLock is not the first to do this. Google researchers had earlier documented North Korean threat actors using a technique known as "EtherHiding", which stores malicious payloads in smart contracts on the Ethereum blockchain, where they are hard to spot and effectively impossible to remove.

Group-IB describes DeadLock as a low-profile but growing threat. On an infected machine, encrypted files receive the .dlock extension, the desktop wallpaper is replaced with the ransom message, file icons are changed, and the AnyDesk remote-access tool is installed to give the attackers continued access.

PowerShell scripts delete volume shadow copies and stop services before the files are encrypted, which removes the easy local recovery options. The encryption keys are held by the attackers, so recovery without them is not possible.

Tracking the Operators Through Their Infrastructure

The historical proxy addresses recovered from the contracts tell the story of the infrastructure. Early proxies ran on compromised third-party hosts: WordPress sites, cPanel installations and Shopware shops. More recent proxies are servers the attackers provisioned themselves, and Group-IB found several of them sharing the same SSH host-key fingerprint and near-identical SSL certificates, a strong indicator of common management.

The servers consistently run the Vesta control panel with Apache configured as a reverse proxy. Updating a single field in the contract costs only a negligible transaction fee, so the operators keep the infrastructure current with minimal effort and expense.

Group-IB also followed the on-chain trail. Decoding the input data of past transactions to the contracts revealed the earlier proxy addresses and showed that the attackers use the contract's setProxy method to swap them out.
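To make both mechanisms concrete, the proxy lookup performed by the embedded JavaScript and the decoding of historical setProxy transaction inputs that Group-IB used to recover past proxies, here is an added example in Node.js. It is not Group-IB's code and not code from the DeadLock sample. The contract interface (a getProxy() view returning a string and setProxy(string)), the function selectors, the RPC endpoint, the contract address and the sample transactions are all assumed or constructed for illustration; real selectors would be the first four bytes of keccak256 over the function signature.

```javascript
// Added example, not from the article or the DeadLock sample.
// Shows (1) how a dropped HTML page could resolve its proxy URL from a
// contract through a public JSON-RPC endpoint and (2) how an analyst can
// recover every URL ever installed by decoding the calldata of historical
// setProxy(string) transactions sent to that contract.
//
// Assumptions (hypothetical, not from the report): the contract exposes
// getProxy() -> string and setProxy(string); the selectors, address and RPC
// endpoint below are placeholders, not real DeadLock indicators.
const RPC_URL = "https://polygon-rpc.example";  // placeholder endpoint, never contacted here
const CONTRACT = "0x" + "11".repeat(20);         // placeholder contract address
const GET_PROXY_SELECTOR = "0xaaaaaaaa";         // placeholder for keccak256("getProxy()")[0:4]
const SET_PROXY_SELECTOR = "0xbbbbbbbb";         // placeholder for keccak256("setProxy(string)")[0:4]

// Parse a 0x-prefixed hex string into a Buffer, rejecting malformed input.
function hexBytes(hex) {
  const h = hex.startsWith("0x") ? hex.slice(2) : hex;
  if (h.length % 2 !== 0 || /[^0-9a-fA-F]/.test(h)) throw new Error("bad hex");
  return Buffer.from(h, "hex");
}

function word(buf, at) {
  if (at + 32 > buf.length) throw new Error("truncated ABI data");
  return Number(BigInt("0x" + buf.subarray(at, at + 32).toString("hex")));
}

// Decode one ABI-encoded dynamic `string` whose head word sits at `base`.
// Layout: [32-byte offset] ... at offset: [32-byte length][data padded to 32].
function decodeAbiString(buf, base = 0) {
  const start = base + word(buf, base);
  const length = word(buf, start);
  const data = buf.subarray(start + 32, start + 32 + length);
  if (data.length !== length) throw new Error("truncated ABI string");
  return data.toString("utf8");
}

// Encode a single `string` argument (used here only to build sample data).
function encodeAbiString(s) {
  const data = Buffer.from(s, "utf8");
  const padded = Math.ceil(data.length / 32) * 32;
  const head = Buffer.alloc(32); head[31] = 0x20;           // offset = 32
  const len = Buffer.alloc(32); len.writeUInt32BE(data.length, 28);
  return Buffer.concat([head, len, data, Buffer.alloc(padded - data.length)]);
}

// Client side: the eth_call request a dropped page would POST to RPC_URL.
function buildGetProxyRequest() {
  return { jsonrpc: "2.0", id: 1, method: "eth_call",
           params: [{ to: CONTRACT, data: GET_PROXY_SELECTOR }, "latest"] };
}

// Client side: turn the `result` field of the eth_call response into the URL.
function parseGetProxyResult(resultHex) {
  return decodeAbiString(hexBytes(resultHex));
}

// Analyst side: from the `input` field of historical transactions to the
// contract, keep only setProxy calls and decode the URL each one installed.
// The blockchain never forgets, so every past proxy is recoverable this way.
function extractProxyHistory(txs) {
  const history = [];
  for (const tx of txs) {
    if (!tx.input.toLowerCase().startsWith(SET_PROXY_SELECTOR)) continue;
    try {
      const proxy = decodeAbiString(hexBytes("0x" + tx.input.slice(10)));
      new URL(proxy);  // reject calldata that does not decode to a URL
      history.push({ hash: tx.hash, block: tx.blockNumber, proxy });
    } catch (e) {
      history.push({ hash: tx.hash, block: tx.blockNumber, proxy: null, error: e.message });
    }
  }
  return history;
}

// Constructed sample transactions (not real on-chain data).
const SAMPLE_TXS = [
  { hash: "0x01", blockNumber: 100,
    input: SET_PROXY_SELECTOR + encodeAbiString("https://wp-site.example/x/").toString("hex") },
  { hash: "0x02", blockNumber: 150, input: "0xdeadbeef" + "00".repeat(32) },  // unrelated call
  { hash: "0x03", blockNumber: 200,
    input: SET_PROXY_SELECTOR + encodeAbiString("https://proxy2.example/").toString("hex") },
];

console.log(JSON.stringify(extractProxyHistory(SAMPLE_TXS), null, 2));
```

The two halves share one decoder because a view function's return value and a setter's argument are both plain ABI-encoded strings. For a real investigation the transaction list would come from a block explorer API or an archive node filtered on the contract address, and the placeholder selectors would be replaced with the hashes of the contract's actual function signatures.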

No Exploit of Polygon Itself

Researchers found no vulnerability in the Polygon platform being exploited. DeadLock does not touch DeFi oracles or bridges; it relies only on two ordinary properties of a public blockchain, that contract data is readable by anyone and that it persists indefinitely.

Polygon's own users and developers are not harmed. The victims are Windows systems, and the blockchain serves only as takedown-resistant infrastructure for the operators.

Separately, Cisco Talos disclosed vulnerabilities in Baidu Antivirus that could be abused to terminate processes and leave endpoint detection tools unable to respond.


2026-01-17 03:19