In January 2026, cybersecurity experts (including Group-IB and Cisco Talos) raised the alarm: a new group of extortionists, DeadLock, invented a revolutionary way to hide their infrastructure by using the Polygon network.

The main feature of DeadLock is the EtherHiding technique. Instead of hardcoding the addresses of their command-and-control (C2) servers directly into the malware code (where they can be easily blocked by antivirus software), the attackers place them in Polygon smart contracts. The malware queries the blockchain, reads the current address of the proxy server, and only then establishes a connection with the attackers.

Why is this dangerous?

* Impossibility of blocking: The blockchain is decentralized. You cannot just 'turn off' a smart contract or block access to the Polygon network without affecting thousands of legitimate services.

* Dynamic rotation: Hackers instantly change the IP addresses of their servers by simply updating the data in the contract.

* Anonymity: To communicate with victims, DeadLock uses the Session messenger, which operates through HTML gateways managed by the same blockchain contract.
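
Since the network itself cannot be blocked, one monitoring angle is to flag processes that read contract state over JSON-RPC when nothing about them should need a blockchain. The sketch below is an added example, not code from the original post or from the vendors' research; the event format (proxy records with decrypted request bodies joined to endpoint process names), the host list, the process allowlist and all sample events are assumptions constructed for illustration.

```python
import json

# Assumptions: RPC hosts to watch and the processes expected to use them (tune both).
POLYGON_RPC_HOSTS = {"polygon-rpc.com"}
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}
READ_METHODS = {"eth_call", "eth_getStorageAt"}  # state reads, no transaction sent

def _body(method, params):
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})

# Constructed sample events (not real telemetry); contract addresses are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws-017", "process": "chrome.exe", "dest_host": "polygon-rpc.com",
     "body": _body("eth_call", [{"to": "0x" + "0" * 38 + "AA", "data": "0x"}, "latest"])},
    {"host": "ws-042", "process": "svc_update.exe", "dest_host": "polygon-rpc.com",
     "body": _body("eth_call", [{"to": "0x" + "0" * 38 + "BB", "data": "0x"}, "latest"])},
    {"host": "ws-042", "process": "svc_update.exe", "dest_host": "example.org", "body": "GET /"},
    {"host": "ws-051", "process": "backup.exe", "dest_host": "polygon-rpc.com",
     "body": _body("eth_blockNumber", [])},
]

def contract_reads(body):
    """Return contract addresses read by a JSON-RPC body (single call or batch)."""
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        return []
    targets = []
    for call in payload if isinstance(payload, list) else [payload]:
        if isinstance(call, dict) and call.get("method") in READ_METHODS:
            params = call.get("params")
            first = params[0] if isinstance(params, list) and params else None
            # eth_call passes {"to": addr, ...}; eth_getStorageAt passes addr directly.
            addr = first.get("to") if isinstance(first, dict) else first
            if isinstance(addr, str):
                targets.append(addr.lower())
    return targets

def find_suspicious(events):
    """Flag contract reads sent to Polygon RPC hosts by unexpected processes."""
    findings = []
    for ev in events:
        to_rpc = ev.get("dest_host", "").lower() in POLYGON_RPC_HOSTS
        expected = ev.get("process", "").lower() in EXPECTED_PROCESSES
        if to_rpc and not expected:
            findings += [(ev["host"], ev["process"], a) for a in contract_reads(ev.get("body"))]
    return findings

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_EVENTS))
```

Each finding names the workstation, the process and the contract address it read, which gives responders a contract to watch for later updates rather than a single IP address that will rotate.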

In addition to 'blockchain-masking', DeadLock uses the BYOVD (bring your own vulnerable driver) technique, exploiting vulnerable drivers to disable antivirus software and delete the system's shadow copies. This makes their attacks some of the hardest to repel in 2026.
