Author:Lisa
Editor: Sherry
background
On-chain messages, as a special communication method in the blockchain world, have been frequently used in various security incidents in recent years. For example, SlowMist recently assisted KiloEx in conducting multiple rounds of communication with the attacker through on-chain messages, and finally successfully facilitated the return of all stolen funds of US$8.44 million. In an anonymous environment, on-chain messages can be used as an effective tool to establish initial dialogues and lay the foundation for subsequent fund recovery.
In our previous article "On-chain messages in the first aid guide for stolen funds", we introduced in detail the message method on Ethereum. The Bitcoin network also supports on-chain messages, but the implementation methods of the two are slightly different. The core tool for Bitcoin on-chain messages is the OP_RETURN instruction. It allows users to embed 80 bytes of custom data in transactions. This part of data will not be used by nodes for transaction verification, nor will it affect the status of UTXO. It is purely used to record information and will be fully recorded in the blockchain.
How to use OP_RETURN to leave messages on the chain
Step 1: Encode the message content
First, convert the text information to be sent into hexadecimal (HEX) format. The OP_RETURN instruction on the Bitcoin chain only accepts HEX format data.
For example, if you want to leave a message:
This is a test.
The converted HEX is:
54686973206973206120746573742e
This can be done using an online format conversion tool or via a Python script:
text = "Hello, this is a test."hex_text = text.encode("utf-8").hex()print(hex_text)
The message content must be less than 160 hexadecimal characters, or 80 bytes. If the length exceeds this limit, it is recommended to simplify the message or send it in multiple messages.
Step 2: Construct a transaction with OP_RETURN
Next, you need to use a Bitcoin wallet or tool that supports custom transactions to create a transaction with an OP_RETURN output.
Taking Bitcoin Core as an example, use createrawtransaction to manually add OP_RETURN output:
bitcoin-cli createrawtransaction '[{"txid":"your_input_txid","vout":0}]' '[{"data":"54686973206973206120746573742e"}]'
The transaction constructed in this way will not actually transfer the money, but will only write the message on the chain.
Take the imToken wallet as an example. Enter the BTC wallet transfer interface and turn on "Advanced Mode". Enter the hexadecimal information in the "OP_RETURN" input box. Click "Next" to complete the transaction information confirmation. Enter the transaction password to successfully send the transaction with OP_RETURN information. Please make sure that "Input amount = Output amount + Miner's fee".
Step 3: Broadcast the transaction
The signed transaction is broadcasted through the Bitcoin network. Since OP_RETURN transactions do not actually transfer funds, they must include mining fees to be processed and wait for miners to pack them into blocks. Once the transaction is confirmed, the message will be permanently stored in the Bitcoin blockchain.
Step 4: View the message content
After completing the transaction, you will get a TXID, which can be viewed through the block browser. The browser will usually automatically decode the OP_RETURN hexadecimal data back to ASCII, for example:
(https://mempool.space/tx/f4ac7abcb689df30ec5e8d829733622f389ca91367c47b319bc582e653cd8cab)
OP_RETURN Application
In security incidents, some attackers will use OP_RETURN to leave messages on the chain, actively expressing their intention to return funds to the project party, or the project party and the white hat team will also use this method to shout to the attackers and try to establish contact. In addition to being used in negotiation scenarios, OP_RETURN is also used for "marking" operations. For example, Chainalysis once disclosed that on the eve of the outbreak of the Russo-Ukrainian war in 2022, an unidentified Bitcoin user used OP_RETURN to leave messages on the chain and marked nearly 1,000 addresses suspected of being associated with Russian security departments. These messages are written in Russian and directly point out that these addresses may be involved in cyber attacks or espionage:
- "GRU to SVR. Used for hacking!"
- "GRU to GRU. Used for hacking!"
- "GRU to FSB. Used for hacking!"
- "Help Ukraine with money from the GRU Khakir"
(https://mempool.space/address/1CMugHhsSf8Bzrp142BpvUynWBR1RiqMCk)
When this user posted these warnings, he did not just leave a message, but also burned a large amount of Bitcoin. Due to the characteristics of OP_RETURN output, any Bitcoin sent to such transactions will be burned and cannot be used. According to statistics, this user burned more than $300,000 worth of Bitcoin in this series of operations.
Summarize
On-chain messages, especially OP_RETURN in the Bitcoin network, provide an anonymous, public and tamper-proof communication method, which is widely used in the initial contact and information transmission of fund recovery. However, it should be noted that on-chain messages may also be used by attackers to guide victims to visit malicious links or perform risky operations (such as entering private key decryption, etc.), so be sure to remain vigilant and avoid viewing and processing suspicious information on untrusted devices. When encountering a security incident, it is recommended to contact a professional security team as soon as possible to assist in analysis and improve the success rate of fund recovery. At the same time, users and project parties should continue to strengthen their security awareness to avoid becoming targets of attack.
