Warning: cybercriminals are using blockchain smart contracts to evade takedowns


Researchers have uncovered a sophisticated new threat in the blockchain world, one that could become another blueprint for decentralized cybercrime infrastructure and the latest ransomware playbook.

Researchers at cybersecurity company Group-IB found that DeadLock, a ransomware family discovered in July 2025, is now using smart contracts, or self-executing programs, on the popular Polygon (POL) blockchain to rotate and distribute proxy server addresses.

This is similar to what Cybernews reported in October 2025, when security researchers at Google uncovered that a North Korean threat actor uses transactions on public blockchains like Ethereum (ETH) and BNB Chain (BNB) to store and retrieve malicious payloads.


Another recent campaign used Ethereum smart contracts to host URLs containing malicious commands that download second-stage malware. Group-IB highlighted this, noting that all these examples show that the abuse of smart contracts for malicious purposes could become an emerging trend.


Meanwhile, in DeadLock’s case, the researchers found JavaScript code within an HTML file that interacts with a smart contract on Polygon.

“This RPC [Remote Procedure Call] list contains the available endpoints for interacting with the Polygon network or blockchain, acting as gateways that connect applications to the blockchain’s existing nodes,” they added, noting that DeadLock appears to have reactivated its operations by setting up a new proxy server.
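A static triage heuristic for the pattern described above, as an added example that is not from Group-IB or the original article: it flags HTML files whose inline scripts combine a fallback list of RPC endpoints, a contract address and a read-only JSON-RPC method. The hostnames, the address and both sample pages are constructed, and the choice of indicators is an assumption about what such a file contains.

```python
import re

# Standard Ethereum JSON-RPC read methods: they pull data out of a contract
# without sending a transaction, so no wallet or gas is needed.
RPC_METHODS = re.compile(r"\b(eth_call|eth_getStorageAt|eth_getLogs)\b")
# 20-byte account/contract address written as 0x + 40 hex digits.
ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
# A JavaScript array literal holding two or more quoted http(s) URLs,
# i.e. a fallback list of gateways.
URL = r"""["']https?://[^"'\s]+["']"""
ENDPOINT_LIST = re.compile(r"\[\s*(?:%s\s*,\s*)+%s\s*,?\s*\]" % (URL, URL))
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def triage_html(html: str) -> dict:
    """Report blockchain-lookup indicators found in inline <script> blocks."""
    js = "\n".join(SCRIPT.findall(html))
    findings = {
        "rpc_methods": sorted(set(RPC_METHODS.findall(js))),
        "addresses": sorted(set(ADDRESS.findall(js))),
        "endpoint_lists": len(ENDPOINT_LIST.findall(js)),
    }
    # Each indicator alone is common in legitimate dApps; the combination in a
    # standalone HTML file found on an endpoint is what merits analyst review.
    findings["suspicious"] = bool(
        findings["rpc_methods"] and findings["addresses"] and findings["endpoint_lists"]
    )
    return findings


# Constructed samples (placeholder hosts and address, not real indicators).
CONSTRUCTED_ADDR = "0x" + "ab" * 20
SAMPLE_HTML = """<html><body><script>
const rpcs = ["https://rpc-a.example.invalid", "https://rpc-b.example.invalid"];
const contract = "%s";
async function lookup(i) {
  const body = {jsonrpc: "2.0", id: 1, method: "eth_call",
                params: [{to: contract, data: "0x00000000"}, "latest"]};
  return fetch(rpcs[i], {method: "POST", body: JSON.stringify(body)});
}
</script></body></html>""" % CONSTRUCTED_ADDR
BENIGN_HTML = "<html><script>var l=['https://a.example','https://b.example'];</script></html>"

if __name__ == "__main__":
    print(triage_html(SAMPLE_HTML))
    print(triage_html(BENIGN_HTML))
```

Addresses the heuristic extracts can be pivoted on in proxy or DNS logs, since the same contract has to be queried by every copy of the file.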

According to the researchers, this exploitation of smart contracts to deliver proxy addresses is “an interesting method” where criminals can apply infinite variants of the technique – “imagination is the limit.”


As protection measures, they recommend adding more layers of security, such as multi-factor authentication and credential-based access solutions, maintaining a data backup strategy, controlling and patching vulnerabilities early, training employees, using threat detection software, and never paying a ransom.

“Even if one attacker returns your data, another will find out about your willingness to pay, which will lead to an increase in the number of attempted attacks on your company,” they concluded.
