An unnamed Bitcoin user reportedly hacked hundreds of wallets purportedly controlled by Russian security services, stealing coins and sending them to addresses belonging to Ukrainian volunteers engaged in the war.
According to a now-deleted report by on-chain data analysis firm Chainalysis, between Feb. 12, 2022, and March 14, 2022, a mysterious user reportedly accessed close to 1,000 bitcoin (BTC) addresses that he claimed belonged to Russia’s security services.
According to Chainalysis, the hacker used a feature on the Bitcoin network called OP_RETURN. It is a function that not only flags on-chain transactions as incorrect but can also be used to hold text, allowing users to broadcast messages and have them permanently and immutably recorded.
The OP_RETURN function designates a transaction as invalid and burns any BTC it contains. Chainalysis reports that the unidentified user took advantage of the OP_RETURN function to destroy BTC worth around $300,000 by invalidating previously executed transactions.
Initially, the hacker only intended to burn coins stolen from Russia’s security services. However, after Russia invaded Ukraine, he apparently changed tactics and began channeling funds to pro-Ukrainian groups engaged in the war.
Three hacked wallets linked to Russia
It is also alleged that the user sent messages in Russian to coin owners, reportedly accusing them of using the same addresses to pay hackers.
Security specialists are strongly convinced that Russian intelligence services regularly use hackers to carry out a variety of missions. However, these rumors have not been confirmed.
Chainalysis also pointed out that at least three of the wallets already had established connections to Russia. One reportedly paid for servers used in Russia’s disinformation operation during the 2016 United States presidential elections. Meanwhile, the other two have been linked to the SolarWinds attack.
The data analysis firm claimed that the attacker did not necessarily take control of the wallets by hacking them. Instead, the “attack” might have been an inside job. Accordingly, the person who took over the coins may have been a former or current employee of the Russian intelligence services.
Furthermore, the likelihood that the hacker obtained private keys belonging to Russian-controlled addresses raises concerns about the soundness of the country’s crypto operations.
Chainalysis suggested that not only did the hacker’s action prevent Russia’s intelligence services from accessing those coins, but it also made it more difficult for them to reuse the same addresses in future operations.