The Blockchain Ghost: DeadLock Ransomware Uses Smart Contracts to Defy Bans
DeadLock, a ransomware group that emerged in the summer of 2025, remains one of the most secretive and technically sophisticated actors in the threat landscape. Analysts at Group-IB have documented a highly unconventional operating model: the group avoids the traditional double-extortion approach, neither publishing victim data nor maintaining a dedicated leak site. Instead, its coercion is limited to the threat of auctioning exfiltrated data on underground forums.
However, the focus of the investigation lies elsewhere. DeadLock uses smart contracts on the Polygon blockchain to hide its command-and-control infrastructure. This approach lets the group dynamically rotate the proxy server addresses used for negotiations, making traditional blocking virtually futile. Technically, it is driven by an HTML file dropped on the compromised host, which prompts the victim to install the decentralized messaging platform Session, the primary channel for communication between the victim and the attackers.
According to a representative of Group-IB’s analysis team, the use of smart contracts for this purpose is hard to counter, because the scheme allows an effectively unlimited number of concealed address variants to be generated. The technique has already attracted interest from other threat actors; for instance, in late 2025, Google Threat Intelligence reported that North Korean state-sponsored operators had used a similar technique, dubbed EtherHiding, since early that year. In those cases, malicious code was embedded directly in smart contracts, providing an almost unassailable operational foundation.
While Group-IB has not yet determined DeadLock’s initial access vector, preliminary observations from Cisco Talos suggest the possible use of BYOVD (Bring Your Own Vulnerable Driver) tactics, in which vulnerable drivers are deployed to kill antivirus processes and bypass defenses.
At present, the use of smart contracts remains the most closely studied aspect of DeadLock’s operations. It underscores the growing role of blockchain technologies in the cybercriminal arsenal and requires defenders to adapt to increasingly resilient forms of detection evasion.
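A triage heuristic for the HTML file described above, as an added example that is not from Group-IB's report or the original article: it flags inline scripts that pair a read-only EVM JSON-RPC method with a contract address. It assumes the file queries the chain over JSON-RPC, which the article does not detail; the sample address and endpoint are constructed placeholders.

```python
import re

# Heuristics for an HTML file that reads data from an EVM chain (Polygon is EVM-compatible).
# Assumption: the file's inline script speaks JSON-RPC to a node; the article does not say how.
ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")   # 20-byte contract address
RPC_READ_RE = re.compile(r"\beth_(?:call|getStorageAt|getLogs)\b")  # read-only RPC methods
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def triage_html(html: str) -> dict:
    """Return chain-lookup indicators found in inline <script> blocks."""
    scripts = "\n".join(SCRIPT_RE.findall(html))
    finding = {
        "rpc_methods": sorted(set(RPC_READ_RE.findall(scripts))),
        "addresses": sorted({a.lower() for a in ADDR_RE.findall(scripts)}),
        "urls": sorted(set(URL_RE.findall(scripts))),
    }
    # Either indicator alone is common in benign pages; flag only when they co-occur.
    finding["suspicious"] = bool(finding["rpc_methods"] and finding["addresses"])
    return finding


# Constructed samples: placeholder address and endpoint, not real indicators.
ADDR = "0x" + "ab" * 20
SAMPLE_NOTE = (
    "<html><body><p>Install Session to continue.</p><script>\n"
    "fetch('https://rpc.example.invalid', {method: 'POST', body: JSON.stringify({\n"
    "  jsonrpc: '2.0', id: 1, method: 'eth_call',\n"
    "  params: [{to: '" + ADDR + "', data: '0x00000000'}, 'latest']})});\n"
    "</script></body></html>"
)
SAMPLE_BENIGN = "<html><body><script>console.log('0x1f');</script></body></html>"

if __name__ == "__main__":
    for name, doc in (("note", SAMPLE_NOTE), ("benign", SAMPLE_BENIGN)):
        print(name, triage_html(doc))
```

Extracted addresses and URLs are leads for follow-up (what the contract currently returns, which hosts contacted the endpoint), since the proxy addresses themselves rotate.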