'Imagination the limit': DeadLock ransomware gang using smart contracts to hide their work

Researchers at Group-IB say the DeadLock ransomware operation is using blockchain-based anti-detection methods to evade defenders' attempts to analyze their tradecraft.

First spotted in July 2025, the DeadLock group has attacked a wide range of organizations while almost managing to stay under the radar.

It abandons the usual double extortion approach in which cybercrooks steal data, encrypt systems, and threaten to post it online for all to see if the victim refuses to pay a ransom.

For starters, it does not have a data leak site (DLS) where it could publicize attacks. In cases where victims refuse to pay, it cannot lean on reputational damage to push for a fee. Instead, researchers say the group threatens to sell the data on the underground market, a tactic experts have previously said could just be hot air.

But for the researchers at Group-IB, the old-school encryption-only model is not the most notable ...