According to the “2023 H1 Blockchain Security and Anti-Money Laundering Report”  published by SlowMist, there were 10 instances in the first half of 2023 where losses from attacks were either fully or partially recovered. The total stolen amounted was approximately $232 million from these 10 cases, of which $219 million was recovered, accounting for 94% of the stolen funds. In three of these cases, the stolen funds were completely returned.
Hopefully, this can be the new trend where funds are returned after being stolen. Whether the funds are recovered through a bounty or via negotiation, there are primarily two ways of commutating with the party responsible: one is through social media platforms such as twitter, and the other is through on-chain messages between the attacker and the project party.
For instance, on March 13, 2023, the DeFi lending protocol Euler Finance was attacked and the attacker profited about $197 million. On March 20, the attacker claimed in an on-chain message  to Euler that they now wished to “reach an agreement.” The attacker wrote, “We want to make it easier for all those affected, and we don’t intend to keep what doesn’t belong to us. Let’s set up secure communication and reach an agreement.”
A few hours later, Euler responded on-chain  saying, “Message received, let’s discuss this privately through Euler Deployer address and one of your EOAs on Blockscan, via the email firstname.lastname@example.org or any other channel of your choice. Please reply with your preferred method.”
Interestingly, on March 15, a user named 0x2af sent an on-chain message  to the hacker, requesting the return of their life savings, 78 wstETH, stating, “Please consider returning 90% / 80%. I am just a user, and my life savings consist only of the 78 wstETH I deposited in Euler. I am not a whale or a millionaire. You can’t imagine how bad my situation is, it’s ruined. I’m sure $20 million is enough for you to change your life, and you can bring joy back to many affected people.” The hacker then sent them 100 ETH. Immediately afterwards, many addresses imitated the user’s behavior and sent messages to hackers.
Of course, there are also cases of phishing attempts through on-chain messages. On March 22, 2023, after completing the attack, the Euler hacker transferred 100 ETH to the Ronin hacker, who had stolen over $625 million, in an attempt to create confusion and evade pursuit. The Ronin hacker seized the opportunity, returned the favor with 2 ETH, and sent an on-chain message  to the Euler hacker asking them to decrypt an encrypted message. However, experts claimed that the message was a phishing scam attempting to steal the private key of the Euler attacker’s wallet. We once wrote an analysis of this incident, which can be referred to if interested. Minutes after the Ronin hacker’s wallet sent a message to the Euler hacker’s wallet, Euler Finance’s developers attempted to intervene with their own message , warning the Euler hacker to be wary of any so-called decryption software and stating, “The easiest method is to return the funds.” The developers of Euler continued in another transaction , “Under no circumstances should you attempt to read the message. Do not input your private key anywhere. Be aware, your machine could also be compromised.”
What is on-chain message?
As we know, Bitcoin and Ethereum mainnet are essentially globally distributed ledger systems. Take Ethereum as an example; currently, more than ten thousand Ethereum nodes are copying all data on the Ethereum mainnet. This means that any message, transaction, or information on the Ethereum mainnet will be replicated thousands of times, ensuring the immutability of blockchain information. The Ethereum mainnet is generally more “affordable” compared to the Bitcoin network, hence most people prefer Ethereum for their first choice for on-chain messaging. As mentioned earlier, the essence of the blockchain is a distributed ledger, so when we conduct a transactions, we’re able to leave a message. These messages are recorded on all nodes’ ledgers, cannot be modified, and stored on the blockchain.
The first to start leaving messages on the blockchain was Satoshi Nakamoto. On January 4, 2009, Satoshi left the headline news of the day from The Times on the genesis block, “The Times 03/Jan/2009 Chancellor on brink of second bailout for banks,” which we can still find on the chain today.
How to Leave Messages on the Chain?
Basic: Unencrypted Messages
(1) Leave a message via https://app.mycrypto.com/send
Connect your wallet, fill in the recipient’s address and transfer amount (which can be 0 ETH). In the Data field, type in the message you want to leave after ‘0x’. Then, click ‘Next’, and finally ‘Confirm’.
Note: The message needs to be in hexadecimal format, so you can convert it in advance using some conversion tools or websites.
(2) Leave a message via a mobile wallet transfer
You need to use an Ethereum wallet with some ETH (such as MetaMask or imToken wallet) to complete the transaction and pay the Gas fee. For example, open the imToken wallet, input a transfer address to make a transfer transaction, click ‘Advanced Mode’, enter the hexadecimal format message (remember to start with “0x”).
(3) Leave a message using the Etherscan IDM tool 
With this tool, you don’t need to input processed hexadecimal data in ‘Input Data’. You can directly type in the message you want to leave, and it will automatically process it into hexadecimal data for you. The results are shown as follows:
Advanced: Encrypted Messages
We’ve discussed unencrypted messages, and there are also encrypted messages. Let’s start with an example:
Address ‘0x313’ sent an on-chain message to the address marked as ‘TransitFinance Funds Receiver’: “Please use the private key of your address to decrypt this message”, and attached a large piece of information that needs to be decrypted to be seen.
So, how are encrypted on-chain messages realized?
Firstly, search for the transaction hash via Etherscan:
Then, obtain the original transaction hexadecimal data of the transaction hash:
Next, retrieve the public key based on the original transaction hexadecimal data:
Finally, enter ‘SecretMessage’ and ‘publicKey’, and run the following code:
Finally, use the above tool to send.
Input PrivateKey and encrypted and run the following code:
Example of SlowMist Assisting in On-Chain Messaging
As a blockchain threat intelligence security company, SlowMist often receives assistance requests from project parties or individual users. Here’s an example. On October 2, 2022, the cross-chain trading platform aggregator Transit Swap was hacked, with stolen assets exceeding $28.9 million. At the request of the project party, we assisted them in negotiating with the attacker.
Here are some parts of the negotiation process:
According to the official statement on October 12, 2022, “the white hat has returned $24 million in funds”.
This article mainly introduces the relevant knowledge and usage of on-chain messages. On-chain messages, as a form of anonymous communication, on the one hand, due to the immutability and transparency of on-chain information, this is equivalent to passively accepting the “scrutiny” of the public, which may avoid to some extent one party reneging afterwards; on the other hand, it provides a platform for communication between the victim and the attacker, increasing privacy, providing an opportunity to reduce financial losses for the victim, but also beware of phishing information in the messages.
In addition to on-chain messages, users and project parties can still increase the possibility of retrieving funds in the following ways:
Immediately notify relevant agencies: report and complain to local law enforcement agencies, financial regulatory agencies and relevant blockchain project teams. Provide detailed information and evidence, and cooperate with the investigation of relevant institutions;
Contact the trading platform: if the funds were stolen on a certain trading platform, contact them immediately and provide detailed information about the incident. The trading platform may take measures to investigate and assist in resolving the issue;
Cooperate with the community: publicize the incident and cooperate with relevant community members to share information and experience. Other users may provide useful information about the attacker or attack techniques;
Seek professional help: consult a professional blockchain security company or lawyer for professional legal and technical assistance. They can provide relevant advice and guidance, help to retrieve funds as much as possible or take other appropriate legal measures. You can also contact the SlowMist AML team by submitting the form .
Of course, the most important thing is to take preventive measures to reduce the risk of funds being stolen, including using safe and reliable wallets and trading platforms; protecting private keys and access credentials; avoiding clicking on suspicious links and downloading software from unknown sources; and maintaining security awareness and knowledge update. Finally, it is highly recommended to read the “Blockchain Dark Forest Survival Manual” produced by SlowMist.