SlowMist: An On-Chain Messaging Guide for Emergency Response After Being Hacked

Background

According to the “Summary of Blockchain Security and Anti-Money Laundering in the First Half of 2023” [1] released by SlowMist, there were 10 incidents in the first half of 2023 in which stolen funds were fully or partially recovered after an attack. The total amount stolen in these 10 incidents was approximately $232 million, of which $219 million was returned, or 94% of the stolen funds. In 3 of the 10 incidents the funds were returned in full.

The return of stolen funds may be becoming a new trend. Whether the funds are recovered by offering a bounty or by negotiating with the attacker, there are two main ways to communicate: one is to post a statement on the project’s own media channels, and the other is for the attacker and the project to communicate through on-chain messages.

For example, on March 13, 2023, the DeFi lending protocol Euler Finance was attacked, and the attacker made a profit of approximately $197 million. On March 20th, the attacker claimed in an on-chain message [2] to Euler that they now want to “reach an agreement” with Euler. The attacker wrote: “We want to make it easier for everyone affected and do not intend to keep anything that does not belong to us. Let’s establish secure communication and reach an agreement.”

A few hours later, Euler replied on-chain [3]: “The message has been received, let’s privately discuss through the Euler Deployer address and one of your EOA on Blockscan, via email contact@euler.foundation or any other channel of your choice. Please reply with your preferred method.”

Interestingly, on March 15th, user 0x2af sent an on-chain message [4] to the hacker, requesting the return of their life savings of 78 wstETH. The user said, “Please consider returning 90% / 80%. I am just a user, and my life savings are only the 78 wstETH deposited in Euler. I am not a whale or a millionaire. You cannot imagine how bad my situation is right now, it’s all destroyed. I am sure $20 million is enough for you to change your life, and you can bring happiness to many affected people.” Subsequently, the hacker sent 100 ETH to the user. Following this, many addresses imitated the actions of this user and sent messages to the hacker.

Of course, there are also cases of phishing through on-chain messages. On March 22, 2023, after the attack was completed, the Euler hacker transferred 100 ETH to the Ronin hacker who stole over $625 million. The Ronin hacker took advantage of the situation and reciprocated with 2 ETH and sent an on-chain message [5] to the Euler hacker, asking for the decryption of an encrypted message. However, experts claimed that this message was a phishing scam attempting to steal the private key of the Euler attacker’s wallet. Is this really the case? SlowMist has written an analysis on this matter, which you can refer to if you are interested. A few minutes after the Ronin hacker wallet sent a message to the Euler hacker wallet, Euler Finance developers attempted to intervene with their own message [6], warning the Euler hacker to be cautious of the so-called decryption software and stating, “The simplest way is to return the funds.” Euler’s developers continued in another transaction [7], “Under no circumstances should you attempt to view this message. Do not enter your private key anywhere. Reminder, your machine may also be compromised.”

What is On-Chain Messaging?

Both the Bitcoin and Ethereum mainnets are essentially globally distributed ledgers. Taking Ethereum as an example, tens of thousands of Ethereum nodes currently replicate all of the data on the Ethereum mainnet. This means that any message, transaction, or other information on the Ethereum mainnet is replicated tens of thousands of times, which is what makes the blockchain’s record immutable. Compared to the Bitcoin network, fees on the Ethereum mainnet are “cheaper,” so most people choose the Ethereum mainnet as their first choice for leaving messages. As mentioned above, a blockchain is at heart a distributed ledger, and we can attach a message to a transfer transaction. The message is recorded in the ledger of every node, cannot be modified, and leaves a permanent trace on the blockchain.

The first person to leave a message on a blockchain was Satoshi Nakamoto. On January 4, 2009, Satoshi Nakamoto embedded that day’s headline from The Times in the genesis block: “The Times 03/Jan/2009 Chancellor on brink of second bailout for banks.” The message can still be found on the blockchain today.

How to Leave On-Chain Messages?

Basics: Unencrypted Messages

(1) Leave messages through https://app.mycrypto.com/send.

Connect your wallet, fill in the recipient address and transfer amount (can be 0 ETH), enter the content you want to leave as a message after “0x” in the Data field, then click Next, and finally Confirm.

Note: The message must be in hexadecimal format, so convert it in advance with a conversion tool or website.

(2) Leave messages through mobile wallets.

You need an Ethereum wallet holding some ETH (such as MetaMask or imToken) to send the transaction and pay the gas fee. For example, in the imToken wallet, enter the recipient address for the transfer, tap Advanced Mode, enter the message in hexadecimal format, and remember to start it with “0x”.

(3) Leave messages using the Etherscan IDM tool [8].

With this tool you do not need to enter pre-processed hexadecimal data in the Input Data field; you can type the message content directly, and the tool converts it to hexadecimal data for you.

Advanced: Encrypted Messages

The above introduced unencrypted messages, and correspondingly, there are also encrypted messages. Let’s look at an example first:

(https://bscscan.com/tx/0xfa1fa7cdfa3c5fe2cfaf61e14caf4b5174302d3801b09bb650d3f90ec706c3e9)

Address 0x313 sent an on-chain message to the address labeled TransitFinance Funds Receiver: “Please decrypt this message using the private key of your address”, followed by a large block of data that can only be read after decryption.

How is the encrypted on-chain message implemented?

(1) Encryption

First, look up the transaction on Etherscan by its transaction hash.

Then, retrieve the raw hexadecimal data of the transaction for that hash.

Next, derive the recipient’s public key from the raw signed transaction data.

Then, enter SecretMessage and publicKey into the encryption code and run it.

Finally, send the encrypted output using the tools described above.

(2) Decryption

Enter PrivateKey and the encrypted data into the decryption code and run it.
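As an added illustration of steps (1) and (2), not the article’s own code nor the ECIES example it links in [11], here is a minimal encrypt/decrypt round trip in pure Python. It assumes the recipient’s public key has already been recovered from their signed transaction (that step is not implemented here), implements secp256k1 arithmetic by hand, and substitutes an HMAC-SHA256 keystream for the AES layer a production ECIES library would use; all function names are hypothetical.

```python
import hashlib, hmac, os
# secp256k1 domain parameters (the curve behind Ethereum/BSC keys)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):  # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt=G):  # double-and-add scalar multiplication k*pt
    r = None
    while k:
        if k & 1: r = _add(r, pt)
        pt, k = _add(pt, pt), k >> 1
    return r

def _kdf(shared):  # derive encryption key and MAC key from the ECDH x-coordinate
    d = hashlib.sha512(shared[0].to_bytes(32, "big")).digest()
    return d[:32], d[32:]

def _stream(key, n):  # HMAC-SHA256 counter keystream (stdlib stand-in for AES-CTR)
    blocks = (hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(pubkey, msg, eph=None):  # sender side; returns R || ciphertext || tag
    eph = eph or int.from_bytes(os.urandom(32), "big") % (N - 1) + 1  # fresh ephemeral scalar
    R = mul(eph)                                  # ephemeral public point, sent in the clear
    ek, mk = _kdf(mul(eph, pubkey))               # ECDH with the recipient's public key
    ct = bytes(m ^ s for m, s in zip(msg, _stream(ek, len(msg))))
    body = R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big") + ct
    return body + hmac.new(mk, body, hashlib.sha256).digest()

def decrypt(privkey, blob):  # recipient side; needs the private key of the addressed account
    body, tag = blob[:-32], blob[-32:]
    R = (int.from_bytes(body[:32], "big"), int.from_bytes(body[32:64], "big"))
    if (R[1] * R[1] - R[0] ** 3 - 7) % P:         # reject an off-curve R (invalid-curve attack)
        raise ValueError("ephemeral point is not on secp256k1")
    ek, mk = _kdf(mul(privkey, R))                # same shared secret the sender computed
    if not hmac.compare_digest(tag, hmac.new(mk, body, hashlib.sha256).digest()):
        raise ValueError("MAC mismatch: tampered ciphertext or wrong key")
    return bytes(c ^ s for c, s in zip(body[64:], _stream(ek, len(body) - 64)))
```

The sender would place "0x" + blob.hex() in the transaction Data field, and the recipient decrypts offline with the key of the addressed account; the MAC check rejects any tampering and the on-curve check refuses a malformed ephemeral point.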

Example: SlowMist Assisting with On-Chain Messaging

As a blockchain threat intelligence and security company, SlowMist often receives requests for assistance from project teams and individual users. Here is one example. On October 2, 2022, the cross-chain transaction aggregator Transit Swap was hacked, with stolen assets exceeding $28.9 million. At the request of the project team, we assisted in negotiating with the attacker.

Here are some excerpts from the negotiation process:

(https://bscscan.com/tx/0x7491671cfab5066d5a36299cf295e721611bae6ff61a847a32b11d1cf716c274)

(https://bscscan.com/tx/0xfa1fa7cdfa3c5fe2cfaf61e14caf4b5174302d3801b09bb650d3f90ec706c3e9)

According to the official statement on October 12, 2022, “the white hat has returned $24 million in funds”.

Summary

This article has introduced on-chain messaging and how to use it. As a form of anonymous communication, on-chain messaging has two sides. On the one hand, because on-chain information is immutable and transparent, the exchange is open to public “scrutiny”, which may to some extent keep either party from later going back on their word. On the other hand, it gives victims and attackers a channel to communicate with some privacy and gives victims an opportunity to reduce their financial losses, though they must also be wary of phishing in such messages.

In addition to leaving messages on the blockchain, users and project teams can improve their chances of recovering funds through the following methods:

  • Notify relevant institutions immediately: Report and appeal to local law enforcement agencies, financial regulatory agencies, and relevant blockchain project teams. Provide detailed information and evidence, and cooperate with the investigation of relevant institutions;

  • Contact the trading platform: If the funds are stolen on a certain trading platform, contact them immediately and provide detailed information about the incident. The trading platform may take measures to investigate and assist in resolving the issue;

  • Collaborate with the community: Make the incident public and collaborate with other community members to share information and experiences. Other users may provide useful information about the attacker or attack techniques;

  • Seek professional help: Consult professional blockchain security companies or lawyers for legal and technical assistance. They can provide relevant advice and guidance to help recover funds as much as possible or take other appropriate legal measures. You can also contact the SlowMist AML team by submitting a form [9].

Of course, the most important thing is to take preventive measures that reduce the risk of theft: use secure and reliable wallets and trading platforms; protect private keys and access credentials; avoid clicking suspicious links and downloading software from unknown sources; and keep security awareness and knowledge up to date. Finally, we highly recommend reading the “Blockchain Dark Forest Self-help Handbook” produced by SlowMist [10].

Reference links:

[1] https://www.slowmist.com/report/first-half-of-the-2023-report(CN).pdf

[2] https://etherscan.io/tx/0xcc73d182db1f36dbadf14205de7d543cfd1343396b50d34c768529aaab46a1c0

[3] https://etherscan.io/tx/0x9c25b6ca65c5bd0597a13ceae6f0d6edcef4b10279f338114550926ad0387ce4

[4] https://etherscan.io/tx/0xbe21a9719a4f89f7dc98419f60b247d69780b569cd8869c0031aae000f98cf17

[5] https://etherscan.io/tx/0xcf0b3487dc443f1ef92b4fe27ff7f89e07588cdc0e2b37d50adb8158c697cea6

[6] https://etherscan.io/tx/0x054409f252ac293a0ed34108b25e5906476817c5489bd3e98a5d3e1ee0825020

[7] https://etherscan.io/tx/0x1fd6d2e67a2ac4cf7c1718cc3058d5625171b95d66744801c97a4de54a41197b

[8] https://etherscan.io/idm

[9] https://aml.slowmist.com/recovery-funds.html

[10] https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md

[11] https://cryptobook.nakov.com/asymmetric-key-ciphers/ecies-example
