GasCope: Checking the Gas, Inhaling the Cope
Technology · 1d ago

DeadLock Ransomware Hides in Polygon Smart Contracts, Because Why Not?


A fresh strain of ransomware called DeadLock is using Polygon smart contracts for proxy server address rotation and distribution, cybersecurity firm Group‑IB warned. First identified in July 2025, DeadLock has attracted little attention due to its lack of a public affiliate program and data-leak site, with only a limited number of victims so far. Group‑IB noted that although it's low profile and low impact, it applies innovative methods showcasing an evolving skillset that could become dangerous if not taken seriously—think of it as the quiet kid in class who’s suddenly acing advanced calculus.

DeadLock's use of smart contracts to deliver proxy addresses is described as an interesting method where attackers can apply infinite variants of this technique. The firm pointed to a similar technique called "EtherHiding" used by North Korean hackers, as highlighted in a recent report by the Google Threat Intelligence Group. EtherHiding, which hides in blockchain smart contracts to enable cryptocurrency theft, has been used by financially motivated threat actors since at least September 2023. It involves luring victims through compromised websites that load JavaScript, which pulls hidden payloads from the blockchain for malware distribution resilient to takedowns—because nothing says "innovation" like hiding your loot in plain sight on a public ledger.

Both EtherHiding and DeadLock repurpose public, decentralized ledgers as covert channels that are difficult for defenders to block. DeadLock takes advantage of rotating proxies to change IP addresses, making tracking or blocking harder.

Meanwhile, research from Kaspersky shows hackers inserting infostealer malware into pirated mods for Roblox and other games, with a new variety called Stealka distributed on platforms like GitHub, SourceForge, Softpedia, and sites.google.com. Disguised as unofficial mods, cheats, and cracks for Windows-based games and apps, Stealka exfiltrates sensitive login and browser data—because if you’re going to steal data, might as well do it while pretending to be a free cheat code for Minecraft.

Group‑IB admitted that initial access vectors and other important stages of the attacks remain unknown, but DeadLock infections rename encrypted files with a ".dlock" extension and replace desktop backgrounds with ransom notes. Newer versions warn victims that sensitive data has been stolen and could be sold or leaked if a ransom is not paid. At least three variants have been identified; earlier versions relied on allegedly compromised servers, but researchers now believe the group operates its own infrastructure. The key innovation lies in how DeadLock retrieves and manages server addresses: Group‑IB researchers uncovered JS code in an HTML file that interacts with a smart contract over the Polygon network, containing a list of available endpoints acting as gateways to the blockchain's nodes—because why use a simple server when you can turn the blockchain into your personal address book?
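Seen from the defender's side, the lookup described above shows up as JSON-RPC `eth_call` requests from an internal host to blockchain gateway endpoints. The sketch below is an added example, not code from Group‑IB or from this article: it assumes a TLS-inspecting egress proxy that logs request bodies as JSON lines, uses placeholder hostnames and addresses, and applies an assumed heuristic (one host asking several gateways about the same contract, outside a hypothetical allowlist of approved Web3 users).

```python
import json
from collections import defaultdict

# Constructed proxy records (TLS-inspecting egress proxy assumed). Hosts, IPs and
# contract addresses are placeholders, not indicators from the Group-IB report.
C1, C2 = "0x" + "aa" * 20, "0x" + "bb" * 20

def _rec(src, host, method, to):
    call = {"jsonrpc": "2.0", "id": 1, "method": method,
            "params": [{"to": to, "data": "0x00"}, "latest"]}
    return json.dumps({"src": src, "host": host, "body": call})

SAMPLE_LOG = "\n".join([
    _rec("10.0.4.17", "rpc-a.polygon.example", "eth_call", C1),
    _rec("10.0.4.17", "rpc-b.polygon.example", "eth_call", C1.upper().replace("0X", "0x")),
    "not json at all",
    _rec("10.0.4.17", "rpc-a.polygon.example", "eth_blockNumber", ""),
    _rec("10.0.5.30", "rpc-a.polygon.example", "eth_call", C2),
    _rec("10.0.9.2", "rpc-a.polygon.example", "eth_call", C2),
    _rec("10.0.9.2", "rpc-c.polygon.example", "eth_call", C2),
    json.dumps({"src": "10.0.4.17", "host": "rpc-c.polygon.example", "body": [  # batch
        {"jsonrpc": "2.0", "id": 2, "method": "eth_call", "params": [{"to": C1}, "latest"]}]}),
])

def rpc_calls(body):
    """Yield (method, lower-cased target contract) per JSON-RPC request; batches are lists."""
    for req in body if isinstance(body, list) else [body]:
        if not isinstance(req, dict) or req.get("jsonrpc") != "2.0":
            continue
        params = req.get("params")
        first = params[0] if isinstance(params, list) and params else {}
        to = first.get("to") if isinstance(first, dict) else None
        yield req.get("method"), str(to or "").lower()

def find_contract_lookups(log_text, approved_sources=frozenset(), min_endpoints=2):
    """Flag (src, contract) pairs read via eth_call through >= min_endpoints gateways."""
    seen = defaultdict(set)  # (src, contract) -> set of RPC hosts used
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed log lines
        if not isinstance(rec, dict) or rec.get("src") in approved_sources:
            continue
        for method, contract in rpc_calls(rec.get("body")):
            if method == "eth_call" and contract:
                seen[(rec.get("src"), contract)].add(rec.get("host"))
    return sorted((s, c, sorted(h)) for (s, c), h in seen.items() if len(h) >= min_endpoints)
```

Calling `find_contract_lookups(SAMPLE_LOG, approved_sources={"10.0.9.2"})` reports only the host that read one contract through three gateways; the threshold and allowlist need tuning against an environment's legitimate wallet and developer traffic.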

The most recent version also embeds communication channels between victim and attacker via an HTML file wrapper around the encrypted messaging app Session, facilitating direct communication.

Separately, Elon Musk’s X is taking action against projects that financialize users’ attention using digital assets, with Head of Product Nikita Bier declaring that apps rewarding users for posting on X will no longer be allowed, citing AI slop and reply spam. X has revoked API access for so-called InfoFi projects to improve user experience.

The Sui blockchain recovered from a nearly six-hour outage where no new blocks were produced, with the Sui Core team implementing a fix after a "network stall."

Finally, Ethereum co-founder Vitalik Buterin is pushing the network to adopt quantum-resistant cryptography now, before quantum computing becomes a threat, arguing that Ethereum’s base layer must pass the "walkaway test" to avoid a losing race for security—because in crypto, the only thing scarier than hackers is quantum computers with a grudge.
