First aid guide: Don’t panic if your BTC is stolen, leave a message on the chain first

Summary

  • On-chain messages are a communication channel unique to blockchains and have recently been used in security incidents such as fund recovery; for example, SlowMist recovered $8.44 million for KiloEx through on-chain dialogue with the attacker.
  • Bitcoin's OP_RETURN instruction lets users embed up to 80 bytes of custom data in a transaction, creating a tamper-proof on-chain message in an output that is never added to the UTXO set.
  • Steps to send a Bitcoin on-chain message:
    • Encode the text as HEX (at most 80 bytes).
    • Construct a transaction with an OP_RETURN output using a wallet such as Bitcoin Core or imToken.
    • Broadcast the transaction with a mining fee and wait for block confirmation.
    • View the message in a block explorer (e.g., mempool.space).
  • Applications:
    • Negotiation in security incidents (attackers and project teams leaving messages for each other).
    • Address "marking," as in the 2022 case disclosed by Chainalysis where a user flagged Russian-linked addresses and burned about $300k in BTC in the process.
  • Caution: On-chain messages can also be exploited for scams (e.g., malicious links). Always verify sources and consult security experts during an incident.
  • Key takeaway: OP_RETURN offers anonymous, immutable communication but requires vigilance. Strengthening security practices is critical for users and projects.

Author:Lisa

Editor: Sherry

Background

On-chain messages, a communication method peculiar to the blockchain world, have been used frequently in security incidents in recent years. For example, SlowMist recently assisted KiloEx in conducting multiple rounds of communication with the attacker through on-chain messages, which ultimately led to the return of all US$8.44 million in stolen funds. In an anonymous environment, on-chain messages are an effective tool for establishing an initial dialogue and laying the foundation for subsequent fund recovery.

In our previous article "On-chain messages in the first aid guide for stolen funds", we described in detail how to leave messages on Ethereum. The Bitcoin network also supports on-chain messages, but the mechanism is slightly different. The core tool for Bitcoin on-chain messages is the OP_RETURN instruction, which lets users embed up to 80 bytes of arbitrary data in a transaction (the 80-byte limit is the default relay policy of Bitcoin Core nodes, not a consensus rule). An OP_RETURN output is provably unspendable: nodes do not add it to the UTXO set and the data plays no part in transaction validation. It exists purely to record information, and once confirmed it is stored in full in the blockchain.

How to use OP_RETURN to leave messages on the chain

Step 1: Encode the message content

First, convert the text you want to send into hexadecimal (HEX) format. Wallets and bitcoin-cli expect the OP_RETURN payload as a HEX string.

For example, if you want to leave a message:

This is a test.

The converted HEX is:

54686973206973206120746573742e

This can be done using an online format conversion tool or via a Python script:

    text = "This is a test."
    hex_text = text.encode("utf-8").hex()   # hex of the UTF-8 bytes of the message
    print(hex_text)                         # 54686973206973206120746573742e

The message must be at most 80 bytes, i.e. at most 160 hexadecimal characters. Count bytes, not characters: a character outside ASCII (Chinese, for example) takes several bytes in UTF-8. If the message exceeds the limit, shorten it or split it across several transactions.


Step 2: Construct a transaction with OP_RETURN

Next, you need to use a Bitcoin wallet or tool that supports custom transactions to create a transaction with an OP_RETURN output.

Taking Bitcoin Core as an example, use createrawtransaction to add the OP_RETURN output manually (the "data" output carries the payload; your_input_txid and your_change_address are placeholders):

    bitcoin-cli createrawtransaction \
      '[{"txid":"your_input_txid","vout":0}]' \
      '[{"data":"54686973206973206120746573742e"},{"your_change_address":0.00095}]'

The data output itself carries no value, so the transaction transfers nothing except the change back to yourself. Note that everything in the input that is not returned as change becomes the miner's fee: if you omit the change output, the entire input is spent as fee. Sign the result with signrawtransactionwithwallet before broadcasting.

Take the imToken wallet as another example. Open the BTC wallet transfer screen and turn on "Advanced Mode", enter the hexadecimal payload in the "OP_RETURN" box, click "Next" to confirm the transaction details, then enter the transaction password to send the transaction with the OP_RETURN data. Make sure that "Input amount = Output amount + Miner's fee" holds, so that no value is lost unintentionally.


Step 3: Broadcast the transaction

Broadcast the signed transaction to the Bitcoin network (in Bitcoin Core, sendrawtransaction). Like any other transaction, it competes for block space on its fee, which is the difference between the value of its inputs and its outputs, so include a reasonable fee and wait for a miner to include it in a block. Once the transaction is confirmed, the message is permanently stored in the Bitcoin blockchain.

Step 4: View the message content

After broadcasting, you get a TXID that can be looked up in a block explorer. Explorers usually decode the OP_RETURN payload from hexadecimal back to text automatically, for example:


 (https://mempool.space/tx/f4ac7abcb689df30ec5e8d829733622f389ca91367c47b319bc582e653cd8cab)
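The four steps above, carried out offline as an added example (this is not code from the SlowMist article; the function names, the input txid, the amounts and the change script are constructed placeholders). The script encodes the message and enforces the 80-byte limit in bytes rather than characters, builds the OP_RETURN scriptPubKey the way Bitcoin Core does (a direct push for up to 75 bytes, OP_PUSHDATA1 for 76 to 80), decodes it the way an explorer does in step 4, and serializes an unsigned transaction with a zero-value data output plus a change output so that the implied fee is visible before anything is signed. Signing and broadcasting still go through your wallet or bitcoin-cli.

```python
"""Added example: build and inspect a Bitcoin OP_RETURN message transaction offline.
Not code from the SlowMist article; names, txid and values are constructed placeholders."""
import struct

# Bitcoin Core's default relay policy (-datacarriersize) accepts up to 80 bytes
# of OP_RETURN payload; this is a policy limit, not a consensus rule.
MAX_DATA_BYTES = 80
OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C


def encode_message(text: str) -> bytes:
    """Step 1: UTF-8 encode the message and enforce the limit in bytes, not characters."""
    data = text.encode("utf-8")
    if len(data) > MAX_DATA_BYTES:
        raise ValueError(f"message is {len(data)} bytes; the limit is {MAX_DATA_BYTES}")
    return data


def push_data(data: bytes) -> bytes:
    """Minimal push encoding: direct push for 1-75 bytes, OP_PUSHDATA1 for 76-255."""
    n = len(data)
    if n <= 75:
        return bytes([n]) + data
    if n <= 255:
        return bytes([OP_PUSHDATA1, n]) + data
    raise ValueError("payload too large for this helper")


def op_return_script(data: bytes) -> bytes:
    """Step 2: scriptPubKey of the data output: OP_RETURN <push payload>."""
    return bytes([OP_RETURN]) + push_data(data)


def decode_op_return(script: bytes) -> str:
    """Step 4: what a block explorer does when it shows the payload as text."""
    if len(script) < 2 or script[0] != OP_RETURN:
        raise ValueError("not an OP_RETURN script")
    op = script[1]
    if op <= 75:
        n, start = op, 2
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        n, start = script[2], 3
    else:
        raise ValueError("unsupported push opcode")
    payload = script[start:start + n]
    if len(payload) != n:
        raise ValueError("truncated push")
    return payload.decode("utf-8")


def varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def build_unsigned_tx(txid_hex: str, vout: int, input_sats: int,
                      change_script: bytes, change_sats: int, data: bytes):
    """Serialize an unsigned transaction (legacy layout, empty scriptSig) with a
    zero-value OP_RETURN output and an optional change output.
    Returns (raw_tx_bytes, fee_sats). Everything not returned as change is fee:
    with change_sats == 0 the whole input goes to the miner."""
    if not 0 <= change_sats <= input_sats:
        raise ValueError("change must be between 0 and the input value")
    fee = input_sats - change_sats
    tx = bytearray()
    tx += struct.pack("<i", 2)                      # version 2
    tx += varint(1)                                 # one input
    tx += bytes.fromhex(txid_hex)[::-1]             # txid in internal byte order
    tx += struct.pack("<I", vout)
    tx += varint(0)                                 # empty scriptSig (unsigned)
    tx += struct.pack("<I", 0xFFFFFFFF)             # sequence
    outputs = [(0, op_return_script(data))]         # the data output carries no value
    if change_sats > 0:
        outputs.append((change_sats, change_script))
    tx += varint(len(outputs))
    for value, script in outputs:
        tx += struct.pack("<q", value)
        tx += varint(len(script)) + script
    tx += struct.pack("<I", 0)                      # locktime
    return bytes(tx), fee


if __name__ == "__main__":
    msg = encode_message("This is a test.")
    script = op_return_script(msg)
    print("payload hex:", msg.hex())
    print("scriptPubKey:", script.hex())
    print("decoded:", decode_op_return(script))
    # Constructed placeholders: fake input txid, 100,000 sats in, a P2WPKH change script.
    raw, fee = build_unsigned_tx("aa" * 32, 0, 100_000,
                                 bytes.fromhex("0014" + "11" * 20), 95_000, msg)
    print(f"unsigned tx ({len(raw)} bytes), fee {fee} sats:", raw.hex())
```

The serialized bytes are what a wallet signs; they contain no witness data, so a tool such as signrawtransactionwithwallet fills in the scriptSig or witness for the input. The useful check is the returned fee: if it equals the full input value, the change output is missing and broadcasting would hand the entire UTXO to the miner.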

OP_RETURN Application

In security incidents, some attackers use OP_RETURN to leave messages on the chain, for instance to signal that they are willing to return funds to the project team, and project teams or white hat teams use the same method to call out to attackers and try to establish contact. Beyond negotiation, OP_RETURN is also used for "marking" addresses. For example, Chainalysis disclosed that on the eve of the Russo-Ukrainian war in 2022, an unidentified Bitcoin user used OP_RETURN messages to mark nearly 1,000 addresses suspected of being associated with Russian security services. The messages were written in Russian and state directly that the addresses may be involved in cyber attacks or espionage; translated, they read:

  • "GRU to SVR. Used for hacking!"
  • "GRU to GRU. Used for hacking!"
  • "GRU to FSB. Used for hacking!"
  • "Help Ukraine with money from the GRU Khakir"


 (https://mempool.space/address/1CMugHhsSf8Bzrp142BpvUynWBR1RiqMCk)

This user did not just leave messages: in posting these warnings, they also burned a large amount of Bitcoin. Because an OP_RETURN output is provably unspendable, any value assigned to it is destroyed and can never be spent. According to Chainalysis, the user burned more than $300,000 worth of Bitcoin over this series of transactions.

Conclusion

On-chain messages, and OP_RETURN on the Bitcoin network in particular, provide an anonymous, public and tamper-proof communication channel that is widely used for initial contact and information exchange during fund recovery. Bear in mind, however, that attackers can use on-chain messages too, for example to lure victims into visiting malicious links or performing risky operations (such as entering a private key to "decrypt" something). Stay vigilant, and do not view or act on suspicious messages on untrusted devices. When a security incident occurs, contact a professional security team as early as possible to assist with analysis and improve the chances of recovering the funds. Users and project teams should also keep strengthening their security awareness so as not to become targets in the first place.


Author: 慢雾科技

This article represents the views of PANews columnist and does not represent PANews' position or legal liability.

The article and opinions do not constitute investment advice

Image source: 慢雾科技. Please contact the author for removal if there is infringement.
