SlowMist: First Aid Guide for Stolen Funds: On-Chain Messages

Background

According to the data from the “Summary of Blockchain Security and Anti-Money Laundering in the First Half of 2023” released by SlowMist, in the first half of 2023, there were 10 incidents in which all or part of the lost funds could be recovered after being attacked. The 10 incidents totaled approximately $232 million in stolen funds, of which $219 million was returned, accounting for 94 percent of the stolen funds. In 3 of these 10 incidents, funds were returned in full.


Returning funds after a theft may become a new trend. Whether the aim is to offer a bounty or to get the stolen funds back through reasonable negotiation, there are two main ways to pass messages: one is to speak out on the project party’s media platforms, and the other is for the attacker to communicate with the project party through on-chain messages.

For example, on March 13, 2023, the DeFi lending protocol Euler Finance was attacked, and the attacker made a profit of about 197 million US dollars. On March 20, the attacker sent Euler an on-chain message [2] saying they now hoped to “reach an agreement” with Euler. “We want to make it easy for everyone affected, we don’t intend to keep something that doesn’t belong to us. Establish secure communication and let’s make an agreement,” the attacker wrote.


A few hours later, Euler replied on-chain [3]: “Message received, let’s discuss privately on Blockscan with one of your EOAs at the Euler Deployer address, email contact@euler.foundation or any other channel of your choice. Please reply which way you would prefer.”


Interestingly, on March 15, a user with an address beginning 0x2af sent an on-chain message [4] to the hacker, asking for the return of 78 wstETH, his life savings. The user said, “Please consider returning 90% / 80%. I am just a user, and my life savings are only 78 wstETH deposited in Euler. I am not a giant whale or a millionaire. You can’t imagine how bad I am right now. Totally ruined. I’m pretty sure $20 million is enough to change your life, and you’ll bring happiness back to a lot of people affected.” Subsequently, the hacker sent 100 ETH to that address. Immediately afterwards, many addresses imitated the user’s behavior and sent messages to the hacker.


Of course, there are also cases of phishing through on-chain messages. On March 22, 2023, after the attack was completed, the Euler hacker transferred 100 ETH to the Ronin hacker, who had stolen more than 625 million US dollars, in order to confuse the public and evade investigation. The Ronin hacker played along, returned 2 ETH, and sent an on-chain message to the Euler hacker asking him to decrypt an encrypted message. But experts say the message was a phishing scam attempting to steal the private key to the Euler attacker’s wallet. Is it true? SlowMist once wrote an analysis of this matter, which you can check out if you are interested. Minutes after the Ronin hacker’s wallet sent its message to the Euler hacker’s wallet, developers at Euler Finance attempted to intervene with their own messages, warning the Euler hacker about the purported decryption software and saying “the easiest way is to return the funds.” Euler’s developers added in another transaction [7]: “Do not under any circumstances attempt to view this message. Do not enter your private key anywhere. As a reminder, your machine may also be compromised.”


What is a message on the chain?

As we all know, both the Bitcoin and Ethereum mainnets are essentially globally distributed ledger systems. Take Ethereum as an example. At present, tens of thousands of Ethereum nodes copy all the data on the Ethereum mainnet, which means that any message, transaction or other information on the Ethereum mainnet is copied tens of thousands of times, which also ensures that information on the blockchain cannot be tampered with. Compared to the Bitcoin network, the fees on the Ethereum mainnet are cheaper, so most people use the Ethereum mainnet as their first choice for leaving a message. As just said, the essence of the blockchain is a distributed ledger. When we make a transfer transaction, we can leave a message along with it. These messages are recorded on the ledgers of all nodes; they cannot be modified and remain on the blockchain permanently.

Satoshi Nakamoto was the first to leave a message on the blockchain. On January 4, 2009, Satoshi Nakamoto left a headline from The Times in the genesis block, “The Times 03/Jan/2009 Chancellor on brink of second bailout for banks”, and to this day the message can still be found on the chain.


How to leave a message on the chain?

Basics: Unencrypted Messages

Leave a message by transfer

Connect the wallet, fill in the receiving address and the transfer amount (which can be 0 ETH), enter the content of your message after 0x in the Data field, then click Next, and finally Confirm.


Note: The message must be hexadecimal data, so convert it in advance with a conversion tool or website.


Send message via mobile wallet

You need an Ethereum wallet (such as MetaMask or the imToken wallet) holding some ETH to complete the transaction and pay the Gas fee. For example, open the imToken wallet, enter the recipient address for the transfer, click Advanced Mode, and enter the message in hexadecimal format. Remember to include “0x” at the beginning.


Leave a message via Etherscan IDM tool


With this tool, you don’t need to enter pre-converted hexadecimal data in Input Data. You can type the message content directly and the tool converts it to hexadecimal data for you automatically. The result is shown as follows:
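The hex conversion these methods rely on, together with the reverse step of reading a message back out of a transaction's input data, as an added example that is not part of the original article. The function names are hypothetical and the sample message is constructed.

```python
import re

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def encode_message(text: str) -> str:
    """Return the 0x-prefixed hex string to paste into the Data / Input Data field."""
    return "0x" + text.encode("utf-8").hex()


def decode_input_data(data: str) -> dict:
    """Decode a transaction's input data as a text message for review.

    Returns the text with control characters replaced, plus flags a reader
    should weigh before trusting it (not valid UTF-8, contains links).
    """
    hex_part = data[2:] if data.lower().startswith("0x") else data
    try:
        raw = bytes.fromhex(hex_part)
    except ValueError:
        # Odd length or non-hex characters: not usable input data.
        return {"text": None, "is_text": False, "urls": []}
    try:
        text = raw.decode("utf-8")
        is_text = True
    except UnicodeDecodeError:
        # Contract calls and binary payloads land here; decode them lossily.
        text = raw.decode("utf-8", errors="replace")
        is_text = False
    # Replace control characters so a message cannot drive the terminal or hide content.
    safe = "".join(ch if ch.isprintable() or ch == "\n" else "\ufffd" for ch in text)
    return {"text": safe, "is_text": is_text, "urls": URL_RE.findall(safe)}


if __name__ == "__main__":
    # Constructed sample message, not taken from any real transaction.
    data = encode_message("Message received, please reply on-chain.")
    print(data)
    print(decode_input_data(data))
```

Any entry in `urls` deserves the same caution the article applies to the decryption request sent to the Euler hacker: review the link, do not follow it from the wallet machine.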


Advanced: Encrypted message

Unencrypted messages were introduced above; messages can also be encrypted. Let’s look at an example first:


Address 0x313 sent an on-chain message to the address labeled TransitFinance Funds Receiver: “Please use your address’ private key to decrypt this message”, and attached a large block of data that can only be read after decryption.

How is an encrypted on-chain message implemented?

Encryption

First, look up the transaction on Etherscan by clicking its transaction hash:


Next, get the raw transaction hex data for the transaction hash:


Then, get the public key based on the raw transaction hex data:

Next, set secretMessage and publicKey and run the following code:

```python
# Install the library first: pip install eciespy
import binascii
from ecies import encrypt

secretMessage = b"My name is Satoshi"
publicKey = "publicKey"  # recipient's public key (hex) obtained in the previous step
encrypted = encrypt(publicKey, secretMessage)
encrypted = binascii.hexlify(encrypted)  # hex-encode for the transaction's input data
print("Encrypted:", encrypted)
```


Finally, send using the tools above.

Decryption

Set PrivateKey and encrypted and run the following code:

```python
# Install the library first: pip install eciespy
import binascii
from ecies import decrypt

encrypted = b"encrypted"   # hex string produced by the encryption step
PrivateKey = "PrivateKey"  # recipient's private key (hex); run this locally only
# The ciphertext was hex-encoded when encrypted, so convert it back to raw bytes
decrypted = decrypt(PrivateKey, binascii.unhexlify(encrypted))
print("Decrypted:", decrypted)
```

Example of SlowMist assisting with on-chain messaging

As a blockchain threat intelligence security company, SlowMist often receives requests for assistance from project parties and individual users. Here is an example. On October 2, 2022, the cross-chain trading platform aggregator Transit Swap was hacked, and the stolen assets exceeded 28.9 million US dollars. At the request of the project party, we assisted the project party in negotiating with the attacker.

Here is part of the negotiation process:


According to an official statement on October 12, 2022, “White Hats have returned funds worth $24 million.”

Summary

This article mainly introduces what on-chain messages are and how to use them. On-chain messages are one method of anonymous communication. On the one hand, because information on the chain is immutable and transparent, the exchange is in effect subject to public scrutiny, which may keep either party from going back on its word afterwards; on the other hand, it provides a channel for communication between the victim and the attacker, which increases privacy and gives the victim an opportunity to reduce financial losses. But beware of phishing information attached to messages.

In addition to leaving messages on the chain, users and project parties can still increase the possibility of recovering funds through the following methods:

Immediately notify relevant agencies: Report and complain to local law enforcement agencies, financial regulators, and relevant blockchain project teams. Provide detailed information and evidence, and cooperate with the investigation of relevant agencies;

Contact the trading platform: If the theft occurred on a trading platform, contact the platform immediately and provide details about the incident. The trading platform may take steps to investigate and assist in solving the problem;

Collaborate with the community: Make the incident public and collaborate with relevant community members to share information and experiences. Other users may provide useful information about attackers or attack techniques;

Seek professional help: Consult a professional blockchain security company or lawyer for legal and technical help. They can provide advice and guidance on recovering funds where possible or taking other appropriate legal steps. You can also contact the SlowMist AML team by submitting the form.

Of course, the most important thing is to take preventive measures to reduce the risk of funds being stolen, including using safe and reliable wallets and trading platforms; protecting private keys and access credentials; avoiding suspicious links and software from unknown sources; and staying security-conscious and keeping your knowledge up to date.
