Vigilante hacker burns hundreds of BTC held in wallets used by Russian intelligence Vigilante hacker burns hundreds of BTC held in wallets used by Russian intelligence
The anonymous vigilante reportedly found 986 unique Bitcoin addresses between March 2022 and April 2022 that they claimed were used by Russian security agencies.
2 min read
Updated: Apr. 27, 2023 at 8:48 pm UTC
Cover art/illustration via CryptoSlate. Image includes combined content which may include AI-generated content.
A vigilante hacker burned roughly $300,000 worth of Bitcoin found in almost a thousand addresses allegedly linked to Russian intelligence agencies through the OP_RETURN function in 2022, according to Chainalysis research.
The anonymous vigilante reportedly found 986 unique Bitcoin addresses between March 2022 and April 2022 that they claimed were used by Russian security agencies.
They leaked the addresses using the text storage capabilities of the OP_RETURN function which is used to mark BTC transactions as invalid and burnt the majority of BTC contained within the addresses.
The vigilante also sent some of the BTC to an address used to collect donations for Ukraine with the message:
“Help Ukraine with money from the GRU Khakir.”
They used three other messages to mark the addresses:
- โGRU to SVR. Used for hacking!โ
- โGRU to GRU. Used for hacking!โ
- โGRU to FSB. Used for hacking!โ
GRU is the Russian Foreign Military Intelligence Agency; the SVR is the Foreign Intelligence Service; and the FSB is the Federal Security Service โ all three are intelligence agencies.
The Russian link
Although the vigilante provided no concrete evidence to back their allegations of Russian intelligence links through their OP_RETURN messages, Chainalysis research found that two of the addresses were mentioned on a now-deleted blog post by a Russian cybersecurity firm called HYAS.
According to the blog post, the three addresses โ 1DLA46sXYps3PdS3HpGfdt9MbQpo6FytPm and 1L5QKvh2Fc86j947rZt12rX1EFrCGb2uPfย โ were used by the SVR to “purchase infrastructure used in the infamous Solarwinds hack.”
Additionally, a third address is also confirmed to have Russian links and was reportedly used by the GRU in a disinformation campaign targeting U.S. politicians.
Chainalysis said:
“The fact that the OP_RETURN messages appear to have been accurate for three of the addresses lends credibility to the claims against the others as well.”
‘Pure intentions’
The OP_RETURN hacker burnt hundreds of thousands of dollars in an apparent effort to “leak” the addresses to the public, according to Chainalysis.
“Our hypothesis is that the OP_RETURN sender did this to make the discovery of the transactions, and the accusations associated with them, more likely.”
The research firm added that the fact that the hacker was willing to give up such a sum of money lends further weight to their claims that these addresses were used by Russian security agencies.
Furthermore, after burning hundreds of BTC, the hacker began donating the rest to Ukraine to clarify their “pure intentions” and “support for the Ukrainian cause.”
Author 
Assad Jafri
AJ, a passionate journalist since Yemen's 2011 Arab Spring, has honed his skills worldwide for over a decade. Specializing in financial journalism, he now focuses on crypto reporting.
