New Ransomware Exploits Polygon Smart Contracts to Evade Detection

Cybersecurity researchers have uncovered a novel ransomware operation, dubbed “DeadLock,” that clandestinely exploits Polygon smart contracts to manage its command-and-control infrastructure. Despite its limited apparent impact thus far, the technique’s sophistication poses significant risks for organizations unprepared for blockchain-based threats.

Key Takeaways

DeadLock leverages Polygon smart contracts to store and rotate proxy addresses, making its infrastructure resilient and hard to disrupt.
The malware interacts with specific smart contracts to dynamically update communication channels, complicating detection and mitigation efforts.
Its low profile has kept it under the radar, but the innovative approach signals a dangerous evolution in blockchain-enabled cyberattacks.
Similar tactics, such as North Korean hacking groups employing “EtherHiding,” demonstrate the growing trend of covert malware deployment on public blockchains.

Tickers mentioned: None

Sentiment: Alert

Price impact: Neutral, as the threat pertains primarily to cybersecurity concerns rather than immediate market movements.

Trading idea (Not Financial Advice): Hold, as the broader market remains unaffected by this specific threat but should remain vigilant about blockchain-based vulnerabilities.

Market context: Rising cyber threats exploiting blockchain technology emphasize the need for enhanced security protocols within the crypto ecosystem.

Unveiling DeadLock’s Covert Operations

Cybersecurity firm Group-IB has reported the discovery of DeadLock, a ransomware strain first identified in July that uses a highly stealthy approach involving Polygon smart contracts. The malware exploits on-chain code to store and rotate proxy server addresses, facilitating communication with infected victims. As outlined by Group-IB, the malware interacts with a targeted smart contract, employing functions that permit the dynamic updating of command-and-control infrastructure—eschewing traditional centralized servers.

After infection and encryption, victims are typically met with ransom demands and threats to sell stolen data. The on-chain storage of proxy addresses ensures the infrastructure remains resilient against takedown attempts, as blockchain data is replicated across distributed nodes globally forever, making disruption exceedingly difficult.

HTML file with an embedded private messenger used to contact the threat actor. Source: Group-IB

Group-IB highlighted that this method allows for virtually unlimited variations, owing to the programmable nature of smart contracts. This adaptability means malicious actors can continually refine their techniques, potentially facilitating a wide range of blockchain-enabled cyberattacks.

Broader Threat Landscape: “EtherHiding” and State-Sponsored Actors

The use of smart contracts for malicious purposes is not new. Google previously reported a tactic called “EtherHiding,” employed by North Korean threat actors such as UNC5342, which embeds malicious payloads within blockchain transactions to serve as decentralized command-and-control servers. These methods leverage the resilience and permanence of blockchain technology to hide malware and evade traditional detection mechanisms.

This approach essentially turns the blockchain into a decentralized and highly resilient command-and-control (C2) server.

As the use of blockchain for malicious purposes evolves, cybersecurity professionals emphasize the importance of vigilant monitoring and robust security measures to counteract these emerging threats, which continue to blur the line between legitimate blockchain activity and covert cyberattacks.