The anonymous vigilante reportedly discovered 986 unique Bitcoin addresses between March and April 2022, which they claim were used by Russian security agencies.

According to research by Chainalysis, a vigilante hacker destroyed approximately $300,000 worth of Bitcoin from nearly a thousand addresses allegedly linked to Russian intelligence agencies in 2022 through the OP_RETURN function.

The anonymous vigilante reportedly discovered 986 unique Bitcoin addresses between March and April 2022, which they claim were used by Russian security agencies.

They leaked the address using the text storage feature of the OP_RETURN function, which is used to mark BTC transactions as invalid, and destroyed most of the BTC contained in the address.

The vigilantes also sent some BTC to an address used to collect donations for Ukraine, with the following message:

“Helping Ukraine with GRU Khakir’s money.”

They use three other messages to mark the address:

"GRU to SVR, for hacking!"

"GRU vs. GRU, for hacking!"

“GRU to FSB, for hacking!”

GRU is Russia's Foreign Military Intelligence Service; SVR is the Foreign Intelligence Service; FSB is the Federal Security Service, all three are intelligence agencies.

Russian Links

While the Civil Police did not provide specific evidence to support their allegations of links to Russian intelligence via OP_RETURN messages, Chainalysis research found that two of the addresses were mentioned in a now-deleted blog post by Russian cybersecurity firm HYAS.

According to the blog post, SVR used these three addresses: 1DLA46sXYps3PdS3HpGfdt9MbQpo6FytPm and 1L5QKvh2Fc86j947rZt12rX1EFrCGb2uPf to "purchase infrastructure used in the infamous Solarwinds hack."

Additionally, a third address was also confirmed to be linked to Russia and was reportedly used by the GRU in a disinformation campaign targeting American politicians.

Chainalysis said:

“The fact that the OP_RETURN messages appear to be accurate for three of the addresses also lends credibility to the claims against the others.”

'Pure intentions'

According to Chainalysis, the OP_RETURN hacker burned hundreds of thousands of dollars in an apparent attempt to “leak” addresses to the public.

“Our hypothesis is that the OP_RETURN sender did this to increase the likelihood that the transaction and the allegations associated with it would be discovered.”

The research firm added that the fact that the hackers were willing to give up the money further supports their claim that the addresses were used by Russian security agencies.

Furthermore, after destroying hundreds of BTC, the hackers began donating the remaining BTC to Ukraine to clarify their “pure intentions” and “support for Ukrainian causes.”