Beware: New ‘DeadLock’ Ransomware Weaponizes Polygon Smart Contracts to Stay Invisible
Cybersecurity researchers have drawn attention to a newly discovered ransomware strain called DeadLock that abuses Polygon smart contracts to quietly maintain its infrastructure and bypass conventional detection tools, according to a recent report by threat intelligence firm Group-IB.
DeadLock, first observed in July 2025, has so far remained largely under the radar because it has no public-facing affiliate program, no data leak site, and comparatively few confirmed victims.
That low profile, however, masks a more technologically sophisticated approach that researchers believe reflects a broader shift in the way cybercriminals are using public blockchains for criminal ends.
How DeadLock Hides Ransomware Infrastructure Inside Polygon Smart Contracts
Group-IB’s analysis shows that DeadLock uses smart contracts deployed on the Polygon network to store and rotate proxy server addresses.
These proxies act as intermediaries between infected systems and the ransomware operators, allowing command-and-control traffic to shift endpoints without relying on centralized infrastructure that can be seized or blocked.
By querying the smart contract, the malware retrieves the current proxy address through a simple read operation that leaves no obvious transactional footprint and incurs no network fee.
Researchers said this technique mirrors earlier campaigns, such as EtherHiding, disclosed last year, in which North Korean threat actors used the Ethereum blockchain to conceal and distribute malware payloads.
In both cases, public and decentralized ledgers have been turned into resilient communication channels that are difficult for defenders to disrupt. DeadLock’s use of Polygon extends that concept by embedding proxy management directly into a smart contract, allowing attackers to update infrastructure on demand.

Once deployed, DeadLock encrypts files and appends a “.dlock” extension, alters system icons, and replaces the victim’s wallpaper with ransom instructions.
Over time, the group’s ransom notes have evolved: early samples referenced only file encryption, while later versions explicitly stated that sensitive data had been stolen and threatened its sale if payment was not made.
The most recent ransom notes also promise “added services,” including a breakdown of how the network was breached and assurances that the victim will not be targeted again.
This Ransomware Doesn’t Just Lock Files — It Opens a Chat With Hackers
Group-IB identified at least three distinct DeadLock samples from mid-2025, each showing incremental changes in tactics.
Analysis of associated PowerShell scripts suggests the malware aggressively disables non-essential services, deletes volume shadow copies to prevent recovery, and whitelists a limited set of processes, notably including AnyDesk.
Investigators believe AnyDesk is used as the primary remote access tool during attacks, a finding consistent with separate digital forensics investigations.
A key element of DeadLock’s operation is an HTML file dropped on infected systems that embeds an encrypted session messenger interface. Victims can communicate directly with attackers through this file without installing additional software.

The embedded JavaScript retrieves proxy addresses from the Polygon smart contract, then routes encrypted messages through these servers to a session ID controlled by the ransomware operators.
Transaction analysis shows that the same wallet created multiple identical smart contracts and repeatedly updated proxy addresses by calling a function labeled “setProxy.”
The wallet was funded through an exchange-linked address shortly before the contracts were deployed, indicating deliberate preparation.
Historical tracking of these transactions allows defenders to reconstruct past proxy infrastructure, although the decentralized design complicates rapid takedown efforts.
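The historical reconstruction described above, as an added example (not code from Group-IB's report or from the malware): it decodes the ABI-encoded calldata of past contract calls and builds a timeline of proxy addresses. It assumes `setProxy` takes a single `string` argument, which the article does not state; the selector `0xaabbccdd`, the transaction record layout and all sample values are constructed placeholders.

```python
from datetime import datetime, timezone

SEL = bytes.fromhex("aabbccdd")  # placeholder selector; the real one is not on the page

def encode_string_call(selector: bytes, text: str) -> str:
    """Build constructed sample calldata: selector + one ABI-encoded string."""
    raw = text.encode()
    padded = raw + b"\x00" * (-len(raw) % 32)
    head = (32).to_bytes(32, "big") + len(raw).to_bytes(32, "big")
    return "0x" + (selector + head + padded).hex()

def decode_string_arg(calldata_hex: str) -> tuple[str, str]:
    """Return (selector, string) from calldata that carries a single string."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4 + 64:
        raise ValueError("calldata too short for a string argument")
    selector, args = data[:4], data[4:]
    offset = int.from_bytes(args[:32], "big")       # where the string starts
    if offset + 32 > len(args):
        raise ValueError("string offset points outside calldata")
    length = int.from_bytes(args[offset:offset + 32], "big")
    body = args[offset + 32:offset + 32 + length]
    if len(body) != length:
        raise ValueError("declared length exceeds calldata")
    return "0x" + selector.hex(), body.decode("utf-8", errors="replace")

def proxy_timeline(txs, selector):
    """Ordered (UTC time, proxy) history; consecutive repeats are collapsed."""
    history = []
    for tx in sorted(txs, key=lambda t: t["timestamp"]):
        try:
            sel, value = decode_string_arg(tx["input"])
        except ValueError:
            continue                                # not a well-formed string call
        if sel != selector or (history and history[-1][1] == value):
            continue
        when = datetime.fromtimestamp(tx["timestamp"], tz=timezone.utc)
        history.append((when.isoformat(), value))
    return history

# Constructed sample records (documentation-range IPs), shaped like an explorer export.
SAMPLE_TXS = [
    {"timestamp": 1754100000, "input": encode_string_call(SEL, "http://198.51.100.7:8080")},
    {"timestamp": 1754000000, "input": encode_string_call(SEL, "http://192.0.2.10:8080")},
    {"timestamp": 1754050000, "input": "0xdeadbeef"},  # unrelated short call, skipped
    {"timestamp": 1754200000, "input": encode_string_call(SEL, "http://198.51.100.7:8080")},
]

if __name__ == "__main__":
    for when, proxy in proxy_timeline(SAMPLE_TXS, "0x" + SEL.hex()):
        print(when, proxy)
```

Each recovered address, with the time it was set, can then be matched against proxy, DNS and firewall logs for the same period.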
The finding is part of an overall increase in crypto-related cybercrime, as over $3.4 billion was stolen through hacks and exploits as of early December 2025, with state-linked North Korean groups accounting for over $2 billion of that total.
The post Beware: New ‘DeadLock’ Ransomware Weaponizes Polygon Smart Contracts to Stay Invisible appeared first on Cryptonews.
