
'Imagination the limit': DeadLock ransomware gang using smart contracts to hide their work

Researchers at Group-IB say the DeadLock ransomware operation is using blockchain-based anti-detection methods to evade defenders' attempts to analyze their tradecraft.

First spotted in July 2025, the DeadLock group has attacked a wide range of organizations while almost managing to stay under the radar.

It abandons the usual double extortion approach in which cybercrooks steal data, encrypt systems, and threaten to post the stolen data online for all to see if the victim refuses to pay a ransom.

For starters, it does not have a data leak site (DLS) where it could publicize attacks. In cases where victims refuse to pay, it cannot lean on reputational damage to push for a fee. Instead, researchers say the group threatens to sell the data on the underground market, a tactic experts have previously said could just be hot air.

But for the researchers at Group-IB, the old-school encryption-only model is not the most notable aspect of the DeadLock operation. Its use of Polygon smart contracts to obscure its command-and-control (C2) infrastructure is an unusual move that's slowly gaining popularity.

Once a victim's systems are encrypted, DeadLock drops an HTML file that acts as a wrapper for the decentralized messenger Session. This file takes the place of a plain instruction telling the victim to download Session in order to communicate with DeadLock.

Storing the group's proxy server URL - the address victims connect to before communicating with the criminals - in blockchain-based smart contracts allows DeadLock to rotate this address frequently, making it difficult for defenders to permanently block its infrastructure.
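For a defender tracking such rotating infrastructure, the practical step is to read the contract's current string value the same way the victim-side wrapper would and compare it against the last known value. The example below is added here and is not Group-IB's or DeadLock's code; it builds an `eth_call` JSON-RPC request and decodes the ABI-encoded string a view function returns, with the contract address and function selector as labelled placeholders and a constructed sample rather than a live node query.

```python
"""Read a string stored by an EVM smart contract (EtherHiding-style proxy URL).

Added example for monitoring, not code from the article or the ransomware group.
Assumes the contract exposes a view function returning a single `string`; the
contract address and 4-byte selector below are placeholders, not real values.
"""

# Constructed placeholders: replace with values from your own investigation.
CONTRACT = "0x" + "00" * 20          # hypothetical contract address
SELECTOR = "0x20965255"              # hypothetical selector for getValue()


def build_eth_call(contract: str, selector: str, block: str = "latest") -> dict:
    """JSON-RPC body asking a Polygon/EVM node to run the view function read-only."""
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, block],
    }


def decode_abi_string(result_hex: str) -> str:
    """Decode an ABI-encoded dynamic string: offset word, length word, padded bytes."""
    raw = bytes.fromhex(result_hex.removeprefix("0x"))
    if len(raw) < 64:
        raise ValueError("result too short for an ABI string")
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds returned data")
    return raw[start:start + length].decode("utf-8", errors="replace")


def abi_encode_string(text: str) -> str:
    """Inverse of decode_abi_string; used only to build constructed samples."""
    data = text.encode()
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def proxy_changed(previous: str, current: str) -> bool:
    """Rotation check: a changed value means blocks built on the old URL are stale."""
    return previous.strip() != current.strip()


if __name__ == "__main__":
    sample = abi_encode_string("https://proxy.example.invalid/")  # constructed
    print(build_eth_call(CONTRACT, SELECTOR))
    print(decode_abi_string(sample))
```

Feed the decoded value into your blocklist refresh on a schedule; the contract's transaction history on a public explorer also shows when the value was last rotated.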

"This exploit of smart contracts to deliver proxy addresses is an interesting method where attackers can literally apply infinite variants of this technique; imagination is the limit," said Xabier Eizaguirre, threat intelligence analyst at Group-IB, in a write-up shared with The Register.

Eizaguirre also noted that analysts recently observed North Korean state-sponsored attackers using similar techniques.

In October, Google Threat Intelligence Group (GTIG) reported North Korean attackers had been using methods it dubbed "EtherHiding" since February 2025.

Attacks involved hiding malware inside smart contracts – an evolution in tradecraft that GTIG threat hunters said represented a new kind of bulletproof hosting.

DeadLock's use of smart contracts to conceal its infrastructure is what researchers know most about the group at present.

Details such as how it typically gains access to victim networks are not yet known, Group-IB said, although earlier reports from Cisco Talos linked the group to using bring your own vulnerable driver (BYOVD) techniques and exploiting vulnerabilities to kill EDR processes.

The Register asked Group-IB for more information, including about why researchers don't know much more about how it carries out attacks. ®

Source: The Register
