DeadLock Ransomware Group Utilizes Polygon Smart Contracts

Stealthy Group Taps Blockchain 'EtherHiding' to Facilitate Victim Communications Mathew J. Schwartz (euroinfosec) • January 14, 2026

A newly emerged digital extortion group is using blockchain smart contracts to store proxy server addresses for facilitating ransomware negotiations with victim organizations.

See Also: On-Demand | NYDFS MFA Compliance: Real-World Solutions for Financial Institutions

The DeadLock ransomware group - it dates to July 2025 - has been using smart contracts on Polygon, a cryptocurrency blockchain platform designed to run alongside the ethereum blockchain.

Known as "EtherHiding," the technique embeds malicious instructions in blockchain smart contracts. In many cases, such activities leave no trace. Devotees have included a North Korean nation-state group targeting developers and cryptocurrency firms and a financially motivated cybercrime group (see: Hackers Use Blockchain to Hide Malware in Plain Sight).

Researchers at ReversingLabs last fall detailed a campaign that used smart contracts to relay a URL to an infected endpoint, used by ...