SlowMist: Emergency Response Guide for Stolen Funds — On-Chain Messaging (BTC Edition)

SlowMist
5 min read · Apr 23, 2025

Author: Lisa
Editor: Sherry

Background

On-chain messaging, as a unique communication method in the blockchain world, has been frequently used in various security incidents in recent years. For instance, SlowMist recently assisted KiloEx in initiating multiple rounds of dialogue with an attacker via on-chain messages, ultimately facilitating the full return of $8.44 million in stolen funds. In an anonymous environment, on-chain messaging serves as an effective tool for establishing initial communication, laying the groundwork for fund recovery efforts.

In our previously published article Establishing On-Chain Communication After an Incident, we introduced how on-chain messaging works on Ethereum. The Bitcoin network also supports on-chain messaging, but the implementation differs slightly. The core primitive for on-chain messaging on Bitcoin is the OP_RETURN opcode. An output whose script starts with OP_RETURN is provably unspendable: the bytes it carries play no role in transaction validation, the output is never added to the UTXO set, and the data is simply recorded permanently in the blockchain. By default, Bitcoin Core nodes relay OP_RETURN outputs with at most 80 bytes of payload (the datacarriersize policy). This is a relay-policy default rather than a consensus rule, but a transaction that exceeds it will not propagate through most of the network, so 80 bytes is the practical limit for a message.

How to Use OP_RETURN for On-Chain Messaging

Step 1: Encode the Message Content

First, convert the message text into hexadecimal (HEX) format. The OP_RETURN output itself holds raw bytes, but the wallet and node tools used to build the transaction (such as the data field of bitcoin-cli createrawtransaction) expect that payload as a HEX string.

For example, if you want to leave the message:

This is a test.

The converted HEX would be:

54686973206973206120746573742e

You can use an online conversion tool or a Python script to complete this process:

# Encode the message as UTF-8 bytes and print them as a hex string
text = "This is a test."
hex_text = text.encode("utf-8").hex()
print(hex_text)  # prints 54686973206973206120746573742e

The encoded message must be at most 80 bytes, i.e., 160 hexadecimal characters. The limit applies to the bytes after encoding: ASCII characters take one byte each, while non-ASCII characters (accented letters, CJK text, emoji) take several bytes each in UTF-8. If the message exceeds this length, consider simplifying it or sending it across multiple transactions.

Step 2: Construct a Transaction with OP_RETURN

Next, use a Bitcoin wallet or tool that supports custom transactions to create a transaction containing an OP_RETURN output.

For example, using Bitcoin Core, you can manually add an OP_RETURN output with the createrawtransaction command. Include a change output back to an address you control, set to the input value minus the fee you intend to pay (the 0.00099 below is a placeholder for that amount):

bitcoin-cli createrawtransaction '[{"txid":"your_input_txid","vout":0}]' '[{"data":"54686973206973206120746573742e"},{"your_change_address":0.00099}]'

The command returns an unsigned transaction in HEX. Sign it with signrawtransactionwithwallet and broadcast the signed HEX with sendrawtransaction (alternatively, fundrawtransaction can select inputs and add the change output for you).

This transaction transfers no funds to anyone else: the OP_RETURN output carries zero value and only writes the message to the blockchain. Be careful, though: any input value that is not assigned to an output is paid to miners as the fee, so a transaction whose only output is the OP_RETURN data would burn the entire input. Always check that the change output is present and correct before signing.

Alternatively, in the imToken wallet, go to the BTC wallet’s transfer screen and enable “Advanced Mode.” Enter the hexadecimal message in the “OP_RETURN” input box. Click “Next” to confirm the transaction details, and after entering your transaction password, the transaction will be sent with the OP_RETURN data. The same rule applies here: input amount = output amount + miner fee, so verify the amounts on the confirmation screen before sending.

Step 3: Broadcast the Transaction

Broadcast the signed transaction through the Bitcoin network. Although an OP_RETURN transaction doesn’t transfer any funds, it still needs a miner fee to be relayed and mined. Once the transaction is confirmed by miners and added to a block, the message will be permanently stored on the Bitcoin blockchain.

Step 4: View the Message Content

Once the transaction is broadcast, you can look up its TXID in a block explorer to view it. Block explorers typically decode the OP_RETURN hexadecimal data back into readable text automatically. For example:

https://mempool.space/tx/f4ac7abcb689df30ec5e8d829733622f389ca91367c47b319bc582e653cd8cab
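The four steps above, worked through as an added example that is not code from the SlowMist article: it builds the actual OP_RETURN scriptPubKey (the 0x6a opcode followed by a push of the message bytes, using OP_PUSHDATA1 once the payload is longer than 75 bytes), decodes such a script back to text the way a block explorer does, splits an over-long message into pieces that each fit one OP_RETURN without cutting a UTF-8 character in half, and lays out the outputs for createrawtransaction so that the change is not burned as fee. The txid, amounts and change address in the usage section are placeholders, not real values.

```python
# Added example (not code from the SlowMist article): build and decode an
# OP_RETURN scriptPubKey, split long messages, and plan the transaction outputs.
import json
from typing import List, Optional

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
MAX_DATA_BYTES = 80            # Bitcoin Core default -datacarriersize (relay policy, not consensus)
SATS_PER_BTC = 100_000_000


def push_data(data: bytes) -> bytes:
    """Minimal push encoding for payloads up to 255 bytes."""
    if len(data) <= 75:                       # direct push: one length byte, then the data
        return bytes([len(data)]) + data
    if len(data) <= 255:                      # OP_PUSHDATA1 <len> <data>
        return bytes([OP_PUSHDATA1, len(data)]) + data
    raise ValueError("payload too long for this helper")


def build_op_return_script(message: str) -> bytes:
    """scriptPubKey = OP_RETURN <push message-bytes>; refuses over-limit payloads."""
    data = message.encode("utf-8")
    if len(data) > MAX_DATA_BYTES:
        raise ValueError(f"{len(data)} bytes exceeds the {MAX_DATA_BYTES}-byte relay limit")
    return bytes([OP_RETURN]) + push_data(data)


def decode_op_return_script(script: bytes) -> Optional[str]:
    """Extract the pushed bytes from an OP_RETURN scriptPubKey, as an explorer does.
    Returns None if the script is not an OP_RETURN output of the form built above."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    n, i = script[1], 2                       # direct push: length byte at offset 1
    if n == OP_PUSHDATA1:
        if len(script) < 3:
            return None
        n, i = script[2], 3                   # OP_PUSHDATA1: length byte at offset 2
    elif n > 75:
        return None                           # other push forms are not produced here
    payload = script[i:i + n]
    if len(payload) != n or len(script) != i + n:
        return None                           # truncated or trailing garbage
    return payload.decode("utf-8", errors="replace")


def chunk_message(message: str, limit: int = MAX_DATA_BYTES) -> List[str]:
    """Split a long message into pieces of at most `limit` UTF-8 bytes, never
    cutting a multi-byte character in half; each piece fits one OP_RETURN output."""
    data = message.encode("utf-8")
    chunks, start = [], 0
    while start < len(data):
        end = min(start + limit, len(data))
        while end < len(data) and (data[end] & 0xC0) == 0x80:   # 10xxxxxx = continuation byte
            end -= 1
        if end == start:
            raise ValueError("limit is smaller than a single character")
        chunks.append(data[start:end].decode("utf-8"))
        start = end
    return chunks


def plan_outputs(input_sats: int, fee_sats: int, change_address: str, message: str) -> list:
    """Outputs list for `bitcoin-cli createrawtransaction`: the data output plus a
    change output. Anything not assigned to an output is paid to miners as fee,
    so omitting the change output would burn the whole input."""
    change_sats = input_sats - fee_sats
    if change_sats <= 0:
        raise ValueError("fee must be smaller than the input value")
    return [
        {"data": message.encode("utf-8").hex()},
        {change_address: round(change_sats / SATS_PER_BTC, 8)},   # amount in BTC
    ]


if __name__ == "__main__":
    msg = "This is a test."
    print(build_op_return_script(msg).hex())        # 6a0f54686973206973206120746573742e
    # Placeholder txid, amounts and change address (assumed values, not real ones)
    inputs = [{"txid": "your_input_txid", "vout": 0}]
    outputs = plan_outputs(input_sats=100_000, fee_sats=1_000,
                           change_address="your_change_address", message=msg)
    print(f"bitcoin-cli createrawtransaction '{json.dumps(inputs)}' '{json.dumps(outputs)}'")
    for i, part in enumerate(chunk_message("x" * 200)):
        print(f"part {i}: {len(part.encode())} bytes")
```

The printed createrawtransaction line is what you would then sign with signrawtransactionwithwallet and broadcast with sendrawtransaction. The decoder deliberately rejects anything that is not exactly OP_RETURN followed by a single push, which is also a cheap sanity check when you inspect an address's outputs for messages before deciding whether to reply.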

Applications of OP_RETURN

In security incidents, some attackers use OP_RETURN to leave messages on-chain to express willingness to return funds to the project team. Similarly, project teams and white hat groups also use this method to reach out to attackers in hopes of establishing communication. In addition to negotiation scenarios, OP_RETURN is also used for tagging operations. For example, Chainalysis revealed that shortly before the outbreak of the Russia-Ukraine war in 2022, an unidentified Bitcoin user used OP_RETURN messages to tag nearly 1,000 addresses suspected to be linked to Russian intelligence agencies. These messages, written in Russian, directly alleged that the addresses were involved in cyberattacks or espionage activities:

  • “GRU to SVR. Used for hacking!”
  • “GRU to GRU. Used for hacking!”
  • “GRU to FSB. Used for hacking!”
  • “Help Ukraine with money from the GRU Khakir”
https://mempool.space/address/1CMugHhsSf8Bzrp142BpvUynWBR1RiqMCk

The user didn’t just post warnings — they also burned a large amount of Bitcoin in the process. Because an OP_RETURN output is provably unspendable, any value assigned to it is destroyed, and any input value not covered by the other outputs goes to miners as fee. It is estimated that the user destroyed over $300,000 worth of Bitcoin during this series of operations.

Conclusion

On-chain messaging — especially using OP_RETURN on the Bitcoin network — provides a pseudonymous, public, and tamper-proof communication channel. It is widely used in the early stages of fund recovery for initiating contact and sharing information. However, it’s important to remain vigilant: anyone can write to the chain, so a message is only as trustworthy as the address that sent it, and attackers may use on-chain messages to lure victims into clicking malicious links or performing risky actions (such as entering private keys for decryption). Before replying, confirm that the counterparty address is actually the one that received the stolen funds, and never open or handle suspicious messages on untrusted devices. In the event of a security incident, contact a professional security team immediately to analyze the situation and improve the chances of successful fund recovery. At the same time, users and project teams should continuously strengthen their security awareness to avoid becoming targets of attacks.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
