Background
According to the data of "Blockchain Security and Anti-Money Laundering Summary in the First Half of 2023" released by SlowMist, there were 10 incidents in the first half of 2023 where all or part of the lost funds were recovered after the attack. The total amount of stolen funds in these 10 incidents was about 232 million US dollars, of which 219 million US dollars were returned, accounting for 94% of the stolen funds. In these 10 incidents, the funds were fully returned in 3 incidents.
The return of stolen funds may become a new trend. Whether it is offering a bounty or recovering the stolen funds through reasonable negotiation, there are two main channels for conveying the message: one is a statement on the project's own media platforms, and the other is the attacker communicating with the project through on-chain messages.
For example, on March 13, 2023, the DeFi lending protocol Euler Finance was attacked, and the attacker made a profit of approximately US$197 million. On March 20, the attacker claimed in an on-chain message to Euler [2] that they now wanted to "reach an agreement" with Euler. The attacker wrote: "We want to make it easier for everyone affected and do not intend to keep anything that does not belong to us. Establish secure communication and let's reach an agreement."
A few hours later, Euler responded on-chain [3]: “Message received, let’s discuss privately on Blockscan via the Euler Deployer address and one of your EOAs, via email contact@euler.foundation or any other channel of your choice. Please reply which method you would like to choose.”
Interestingly, on March 15, the user 0x2af sent an on-chain message to the hacker [4], requesting the return of his life savings of 78 wstETH. The user said, "Please consider returning 90% / 80%. I am just a user. My life savings are only 78 wstETH deposited in Euler. I am not a whale or a millionaire. You can't imagine how bad my situation is now. It's all ruined. I'm sure $20 million is enough for you to change your life, and you can make many affected people happy again." Subsequently, the hacker sent him 100 ETH. Soon after, many addresses imitated the user's behavior and sent messages to the hacker.
Of course, there are also cases of phishing messages on the chain. On March 22, 2023, after the attack was complete, the Euler hacker transferred 100 ETH to the Ronin hacker, who had stolen more than 625 million US dollars, in order to confuse the public and evade investigation. The Ronin hacker took advantage of the situation, immediately returned 2 ETH and sent an on-chain message to the Euler hacker asking him to decrypt an encrypted message. Experts say the message was a phishing attempt to steal the private key of the Euler attacker's wallet. Is this true? SlowMist has written an analysis of this matter, which you can check out if you are interested. A few minutes after the Ronin hacker's wallet sent a message to the Euler hacker's wallet, the developers of Euler Finance tried to intervene with their own message. They warned the Euler hacker to be wary of the so-called decryption software, saying that "the easiest way is to return the funds." Euler's developers went on to say in another transaction [7]: "Do not under any circumstances attempt to view this message. Do not enter your private key anywhere. Be warned, your machine may also be compromised."
What is a message on the chain?
As we all know, both the Bitcoin and Ethereum mainnets are essentially globally distributed ledgers. Take Ethereum as an example. Currently, there are more than 10,000 Ethereum nodes replicating all the data on the Ethereum mainnet, which means that every message, transaction and other piece of information on the Ethereum mainnet is replicated tens of thousands of times; this is also what makes blockchain information tamper-resistant. Compared with the Bitcoin network, fees on the Ethereum mainnet are cheaper, so most people choose the Ethereum mainnet as their first choice for leaving messages. As just mentioned, the essence of a blockchain is a distributed ledger. When we make a transfer transaction, we can attach a message. The message is recorded in the ledgers of all nodes, cannot be modified, and leaves a permanent trace on the blockchain.
The first person to leave a message on a blockchain was Satoshi Nakamoto. On January 4, 2009, Satoshi Nakamoto embedded the headline of The Times in the Genesis Block: "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks". To this day, we can still find this message on the chain.
How to leave a message on the chain?
Basics: Unencrypted messages
Transfer message via https://app.mycrypto.com/send
Connect your wallet, fill in the receiving address and transfer amount (it can be 0 ETH), enter the hex-encoded message after the 0x prefix in the Data field, then click Next, and finally Confirm.
Note: The message information needs to be hexadecimal data, so you can convert it in advance through some conversion tools or websites. For example:
Transfer message via mobile wallet
You need to use an Ethereum wallet with some ETH (such as MetaMask, imToken wallet) to complete the transaction and pay the Gas fee. For example, open the imToken wallet, enter a transfer address for the transfer transaction, click Advanced Mode, enter the message in hexadecimal format, and remember to start with "0x".
Leave a message via Etherscan IDM tool
When using this tool, you do not need to enter pre-processed hexadecimal data in Input Data. You can enter the message text directly, and the tool converts it into hexadecimal data for you. The result is shown below:
Advanced: Encrypted Messages
The above introduces unencrypted messages, and there are also encrypted messages. Let's take a look at an example:
(https://bscscan.com/tx/0xfa1fa7cdfa3c5fe2cfaf61e14caf4b5174302d3801b09bb650d3f90ec706c3e9)
Address 0x313 sent an on-chain message to an address marked as TransitFinance Funds Receiver: "Please use the private key of your address to decrypt this message", and attached a long message that needs to be decrypted to be seen.
How is encrypted on-chain messaging implemented?
Encryption
First, search for the transaction hash via Etherscan:
Next, get the raw transaction hexadecimal data of the transaction hash:
Then, recover the sender's public key from the raw transaction hex data (it can be derived from the transaction's signature):
Next, enter the SecretMessage and publicKey and run the following code:
# pip install eciespy
from ecies import encrypt
import binascii

secretMessage = b'My name is Satoshi'
publicKey = "publicKey"  # placeholder: the hex public key recovered from the raw transaction above
encrypted = encrypt(publicKey, secretMessage)  # ECIES (secp256k1) encryption to the recipient's key
encrypted = binascii.hexlify(encrypted)        # hex string for the Data field (add the 0x prefix when sending)
print("Encrypted:", encrypted)
Finally, send it using the tools above.
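As an added example (not code from the original post or from SlowMist), the helper below produces the 0x-prefixed hex that the Data field requires in the unencrypted procedure above, and reads a transaction's input data back without any key material, flagging payloads with the layout eciespy produces. The layout (65-byte uncompressed ephemeral public key, 16-byte nonce, 16-byte tag, then ciphertext) and the function names are my assumptions; it uses only the Python standard library.

```python
# Added example, not from the original post: build the hex "Data" field the
# wallets above require, and read a transaction's input data back without any
# key material.  Standard library only; the ECIES layout is an assumption
# about eciespy's default output (ephemeral pubkey || nonce || tag || ciphertext).
ECIES_PUBKEY_LEN = 65  # uncompressed secp256k1 point, first byte 0x04
ECIES_NONCE_LEN = 16   # AES-256-GCM nonce
ECIES_TAG_LEN = 16     # AES-256-GCM tag
ECIES_MIN_LEN = ECIES_PUBKEY_LEN + ECIES_NONCE_LEN + ECIES_TAG_LEN


def message_to_calldata(text: str) -> str:
    """UTF-8 encode a plaintext message as the 0x-prefixed hex the Data field
    needs (this is the conversion Etherscan's IDM tool performs for you)."""
    return "0x" + text.encode("utf-8").hex()


def calldata_to_bytes(calldata: str) -> bytes:
    """Parse input data copied from a wallet or explorer, with or without 0x."""
    hex_part = calldata[2:] if calldata[:2].lower() == "0x" else calldata
    if len(hex_part) % 2:
        raise ValueError("hex data must have an even number of digits")
    return bytes.fromhex(hex_part)


def classify_calldata(calldata: str) -> tuple:
    """Return (kind, detail): 'empty', 'text', 'ecies-like' or 'binary'.

    This lets a recipient tell an encrypted blob from a readable message
    without entering a private key anywhere.
    """
    raw = calldata_to_bytes(calldata)
    if not raw:
        return ("empty", "")
    if raw[0] == 0x04 and len(raw) >= ECIES_MIN_LEN:
        ct_len = len(raw) - ECIES_MIN_LEN
        return ("ecies-like",
                f"ephemeral pubkey + nonce + tag + {ct_len}-byte ciphertext; "
                "decrypting it requires the recipient's private key")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return ("binary", raw.hex())
    if all(c.isprintable() or c.isspace() for c in text):
        return ("text", text)
    return ("binary", raw.hex())


if __name__ == "__main__":
    # constructed sample message, in the spirit of the Euler plea quoted above
    data = message_to_calldata("Please consider returning 90% of my 78 wstETH.")
    print(data)
    print(classify_calldata(data))
```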
Decryption
Enter PrivateKey and encrypted and run the following code:
# pip install eciespy
from ecies import decrypt
import binascii

encrypted = binascii.unhexlify(b'encrypted')  # placeholder: the hex payload copied from the on-chain message, without the 0x prefix
PrivateKey = "PrivateKey"                     # placeholder: the recipient's private key, used offline only
decrypted = decrypt(PrivateKey, encrypted)    # decrypt expects the raw ciphertext bytes, not the hex text
print("Decrypted:", decrypted)

Example of a SlowMist-assisted on-chain message
As a blockchain threat intelligence security company, SlowMist often receives requests for assistance from project owners or individual users. Here is an example. On October 2, 2022, the cross-chain trading platform aggregator Transit Swap was hacked, and more than 28.9 million US dollars were stolen. At the request of the project owner, we assisted the project owner in negotiating with the attacker.
The following is part of the negotiation process:
(https://bscscan.com/tx/0x7491671cfab5066d5a36299cf295e721611bae6ff61a847a32b11d1cf716c274) (https://bscscan.com/tx/0xfa1fa7cdfa3c5fe2cfaf61e14caf4b5174302d3801b09bb650d3f90ec706c3e9)
According to an official statement on October 12, 2022, "White Hat has returned $24 million worth of funds."
Summary
This article mainly introduces what on-chain messages are and how to use them. On-chain messages are one way of communicating anonymously. On the one hand, because on-chain information is immutable and transparent, both sides passively accept the "scrutiny" of the public, which to some extent discourages either party from backing out later; on the other hand, it provides a communication channel between victims and attackers, increases privacy, and gives victims an opportunity to reduce their financial losses. You should still be careful about whether a message contains phishing content.
In addition to leaving messages on the chain, users and project owners can still increase the possibility of recovering funds in the following ways:
Immediately notify relevant agencies: Report the case and file a complaint with local law enforcement agencies, financial regulators, and relevant blockchain project teams. Provide detailed information and evidence, and cooperate with the investigation of relevant agencies;
Contact the exchange: If the theft of funds occurred on a certain exchange, contact them immediately and provide detailed information about the incident. The exchange may take steps to investigate and assist in resolving the issue;
Collaborate with the community: Make the incident public and collaborate with relevant community members to share information and experiences. Other users may provide useful information about the attacker or attack technique;
Seek professional help: Consult a professional blockchain security company or lawyer to seek professional help in legal and technical matters. They can provide relevant advice and guidance to help recover funds as much as possible or take other appropriate legal measures. You can also contact the SlowMist AML team by submitting a form.
Of course, the most important thing is to take preventive measures to reduce the risk of funds being stolen, including using safe and reliable wallets and trading platforms; protecting private keys and access credentials; avoiding clicking on suspicious links and downloading software from unknown sources; and maintaining security awareness and knowledge updates.
