DeadLock Ransomware: Smart Contracts for Malicious Purposes


DeadLock is a ransomware family discovered in July 2025. It is notable for not being associated with any known affiliate programs and for lacking a Data Leak Site (DLS). This, combined with the limited number of reported victims, has resulted in low exposure for the group. However, Group-IB specialists have discovered an interesting use of Polygon smart contracts for proxy server address rotation or distribution.

This finding warrants public attention, especially since the abuse of this specific blockchain for malicious purposes has not been widely reported. In addition, the recent discovery of similar techniques show that the abuse of smart contracts for malicious purposes could become an emerging trend.

Read more…
Source: Group IB


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • React2Shell RCE flaw exploited by Chinese hackers hours after disclosure

    December 8, 2025

    Just as the experts predicted, cybercriminals are now actively exploiting the critical severity vulnerability in React Server Components (RSC) that was discovered late last week. To make matters worse, the crooks observed abusing the bug seem to be working for the Chinese government. Late last week, the React team published a security advisory detailing a pre-authentication ...

  • AI-Automated Threat Hunting Brings GhostPenguin Out of the Shadows

    December 8, 2025

    Hunting high-impact, advanced malware is a difficult task. It becomes even harder and more time-consuming when defenders focus on low-detection or zero-detection samples. Every day, a huge number of files are sent to platforms like VirusTotal, and the relevant ones often get lost in all that noise. Identifying malware with low or no detections is ...

  • How phishers hide banking scams behind free Cloudflare Pages

    December 8, 2025

    During a recent investigation, we uncovered a phishing operation that combines free hosting on developer platforms with compromised legitimate websites to build convincing banking and insurance login portals. These fake pages don’t just grab a username and password–they also ask for answers to secret questions and other “backup” data that attackers can use to bypass multi-factor ...

  • Petco’s security lapse affected customers’ SSNs, drivers’ licenses and more

    December 8, 2025

    Last week, pet products and services giant Petco confirmed that it experienced a data breach involving customers’ personal information, without specifying what type of data was affected. On Friday, in a legally required filing with Texas’ attorney general’s office, Petco reported that the affected data included: names, Social Security numbers, driver’s license numbers, financial information such ...

  • Poland detains three Ukrainians over possession of hacking equipment

    December 8, 2025

    A Polish court has ordered three Ukrainian nationals held on charges of computer fraud and possessing hardware and software designed to commit crimes, including a suspected attempt to damage IT data deemed crucial to national defence. The three men, aged 43, 42 and 39, were detained after a roadside check in Warsaw, Polish state news agency ...

  • New Prompt Injection Attack Vectors Through MCP Sampling

    December 5, 2025

    This article examines the security implications of the Model Context Protocol (MCP) sampling feature in the context of a widely used coding copilot application. MCP is a standard for connecting large language model (LLM) applications to external data sources and tools. We show that, without proper safeguards, malicious MCP servers can exploit the sampling feature for ...