Sophisticated scam emerges on the Bitcoin blockchain
Bitcoin's ecosystem faces an emerging challenge after the detection of a fraudulent scheme that takes advantage of the Bitcoin network infrastructure to deceive users, according to a report published on July 8 by BitMEX Research.
This case, identified at a historic address linked to the collapse of Mt. Gox in 2014, highlights an evolution in fraud tactics that combines advanced techniques for embedding metadata in the blockchain with social engineering, representing a risk for novices and experts alike.
Mt. Gox, one of Bitcoin's first exchange platforms, suffered a hack that resulted in the loss of approximately 850,000 bitcoin, of which some 80,000 are associated with the address 1FEEXV6BAHB8YBZJJQQQMJJRCChGW9SB6UF, mentioned in the BitMEX analysis.
That event, which occurred more than a decade ago, left a trail of digital assets that now serve as a hook for a new type of deception.
BitMEX Research points out that the scam uses OP_RETURN, an opcode within the Bitcoin protocol that allows up to 80 bytes of data in a transaction, such as images, text, among others.
Scammers use an embedded message that directs users to a website that poses as legitimate, marking a turning point in the sophistication of attacks.
The modus operandi of this scam begins with the creation of a transaction that includes an OP_RETURN output with the text «Notice To Owner: See www.salomonbros.com/owner_notice».
This can be seen in the following image, which shows the transaction 6a7967c70d2c8DE5B6898DF6B87B4EB785189B2CD6CCCC29DA343858E55 of block 903744, processed on July 3:
Specifically, the detected transaction is an incoming transaction to the address 1FEEXV6BAHB8YBZJQQMJJRCRHGW9SB6UF, a P2PKH (pay-to-public-key-hash) address, a format common in Bitcoin's early years for its simplicity, although less private than the current formats provided by the Taproot upgrade.
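For analysts who monitor old addresses, the OP_RETURN output described above can be triaged without visiting any link. The following is an added example, not code from BitMEX Research or the original article: it reads the data pushes of an output script, renders the text safely, and lists any URLs so they can be treated as untrusted. The function names are hypothetical, and the sample script is constructed here from the message text quoted in the article rather than taken from the real transaction.

```python
import re

OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2 = 0x6A, 0x4C, 0x4D
URL_RE = re.compile(r"(?:https?://|www\.)[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample: the message text quoted in the article, wrapped in an
# OP_RETURN script built here (not the raw script of the real transaction).
SAMPLE_MSG = b"Notice To Owner: See www.salomonbros.com/owner_notice"
SAMPLE_SCRIPT_HEX = (bytes([OP_RETURN, len(SAMPLE_MSG)]) + SAMPLE_MSG).hex()

def op_return_payload(script: bytes):
    """Return the data pushed after OP_RETURN, or None if the script is
    not an OP_RETURN output or a push runs past the end of the script."""
    if not script or script[0] != OP_RETURN:
        return None
    data, i = b"", 1
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 0x4B:            # direct push of 1..75 bytes
            n = op
        elif op == OP_PUSHDATA1:       # next byte is the length
            if i >= len(script):
                return None
            n, i = script[i], i + 1
        elif op == OP_PUSHDATA2:       # next two bytes, little-endian
            if i + 2 > len(script):
                return None
            n, i = int.from_bytes(script[i:i + 2], "little"), i + 2
        else:                          # not a data push: stop reading
            break
        if i + n > len(script):
            return None
        data += script[i:i + n]
        i += n
    return data

def triage(script_hex: str):
    """Summarise an output script for an analyst; None if not OP_RETURN."""
    payload = op_return_payload(bytes.fromhex(script_hex))
    if payload is None:
        return None
    text = payload.decode("utf-8", errors="replace")
    return {
        "bytes": len(payload),
        "over_80": len(payload) > 80,  # 80 bytes is the limit the article cites
        "text": "".join(c if c.isprintable() else "." for c in text),
        "urls": URL_RE.findall(text),  # links in on-chain text are untrusted
    }
```

Calling triage(SAMPLE_SCRIPT_HEX) returns the decoded notice and the single embedded link, which can then be checked against a blocklist instead of being opened.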
The link within the transaction leads to a page that states that the Bitcoin address in question is "lost or abandoned" and that an alleged client has taken constructive possession of the funds. At the time of this article, the page from which the attackers operate is down and cannot be accessed.
Subsequently, other messages were added in other transactions: «Legal Notice: We have taken possession of this wallet and its content» and «Not abandoned? Supply it by an on-chain transaction use private Key by sept 30».
The site to which the first message links, designed to look credible, presents a false form requesting personal data such as a name, email or telephone number, under the premise of verifying the identity of a possible legitimate owner.
On that page, the scammers added the following message:
“This digital wallet seems to be inactive or abandoned. Our client has taken the constructive possession of the same and seeks to determine if there is a legitimate owner. This legal notice is published in accordance with the applicable legislation, in order to provide an opportunity to the owner to claim a property that, otherwise, would qualify as lost or abandoned. Ninety to the owner to respond to this notice; respond before October 5, 2025. If no response is received, digital wallets and content will be considered confirmed as abandoned.”
The full message and the required form can be observed in the following image:
However, BitMEX's investigation reveals that the domain is not related to Salomon Brothers, a historic Wall Street investment firm founded in 1910 and absorbed by Citigroup in 1998.
The page includes names of former executives of that entity from the 80s, a social engineering strategy that seeks to exploit its reputation to induce trust. The key to the deception lies in its technical and psychological execution.
OP_RETURN, being an immutable element in the Bitcoin record, ensures that the message remains publicly visible, attracting the attention of those who monitor old addresses or seek to claim lost assets.
The false website, by requiring personal information, exposes users to risks such as identity theft or unauthorized access to their own funds, especially if they share private keys or details of their wallets.
BitMEX warns that this tactic recalls legal schemes promoted by figures such as Calvin Ayre, who in the past financed disputes over the ownership of similar addresses, although there is no direct evidence of his involvement in this specific case.
The recommendation is clear: avoid interacting with any associated form or link, since handing over personal data can facilitate subsequent attacks. Protecting wallets through secure private keys and hardware wallets (physical devices disconnected from the Internet) remains the best defense.
This incident underlines the need for education in the Bitcoin ecosystem, where the transparency of its ledger coexists with human vulnerability.
