Blockchain as a Secret Message Board
While built for finance, blockchains now carry more than tokens; hidden code on blockchains turns them into silent stages for secrets, jokes, and attacks. Across many chains, users have embedded secret messages and even code inside transactions. This can be as simple as ASCII text hidden in a Bitcoin transaction or as complex as malicious software commands tucked into smart contracts. In effect, a blockchain can function both as a financial ledger and a permanent message board where data, once written, is immutable. From Bitcoin to Ethereum to Solana, creative and covert uses of transaction data have produced some fascinating (and sometimes dangerous) easter eggs.
Bitcoin: Embedded Messages from Easter Eggs to Malware
Bitcoin’s blockchain has a rich history of hidden messages. The very first Bitcoin block (the 2009 genesis block mined by Satoshi Nakamoto) contains a famous message in its coinbase data: “The Times 03/Jan/2009 Chancellor on brink of second bailout for banks.”
This was Satoshi’s way of time-stamping the launch, but also a sly commentary on financial instability. Ever since, others have used Bitcoin transactions to immortalise texts. For example, in block 630,000 (mined in 2020 during a new wave of money-printing) miners echoed Satoshi by embedding a New York Times headline about the Fed’s $2.3 trillion COVID-19 bailout. Bitcoin’s design makes this possible because a special script field (like the coinbase or an OP_RETURN output) can store a short arbitrary message without breaking the transaction format.
This ability has led to many whimsical or heartfelt messages recorded on-chain. In 2013, a user famously encoded the full lyrics of Rick Astley’s “Never Gonna Give You Up” into a series of Bitcoin transactions – effectively rick-rolling anyone who decoded the blockchain data. Others have proposed marriage via blockchain or inserted poetry, tributes, and even snippets of profanity. Over the years, Bitcoin blocks have contained everything from wedding proposals to eulogies and Bible verses.
A notable example: Block #666,666 (ominously numbered) included the Biblical quote “Do not be overcome by evil, but overcome evil with good” from Romans 12:21, an easter egg likely placed by a miner to mark the occasion. Because the blockchain is public and permanent, these messages serve as indelible graffiti – a form of free speech etched into global history. Once recorded, “no one can erase or alter what’s written there”, giving people a censorship-resistant way to express themselves.
However, not everything hidden in Bitcoin’s blocks is benevolent. Researchers have discovered that illicit content can be and has been embedded in the blockchain’s data. In 2018, a study found that around 1,600 files were stored in the Bitcoin ledger, including some with links to child abuse imagery. This means simply possessing a full copy of the blockchain could be legally problematic if it contains contraband data. Similarly, Bitcoin addresses and transactions have occasionally been used to distribute malware instructions. Law enforcement agencies like Interpol warned as early as 2015 that “malware [could be] injected and permanently hosted” on a blockchain, beyond the reach of takedowns.
OP_RETURN
Indeed, cybercriminals have taken advantage of Bitcoin’s OP_RETURN field (which can hold ~80 bytes of data) to create covert communication channels. One notorious example is the Glupteba botnet: it uses the Bitcoin blockchain to fetch its command-and-control (C2) servers. In practice, infected Glupteba malware looks up transactions associated with a specific Bitcoin address and scans for an OP_RETURN output carrying an AES-encrypted payload – when decrypted, this hidden data reveals the domain name of the botnet’s next C2 server. This trick allows the botnet operators to update C2 instructions simply by broadcasting a new transaction. If one server is shut down, “they simply need to add a new Bitcoin script [message] and the infected machines obtain a new C&C server by decrypting the script data”. In short, Bitcoin’s blockchain can act as an ultra-resilient bulletin board for hackers, where messages to malware or other bad actors persist indefinitely and are nearly impossible to censor.
Smart Contracts Hiding Code and Hacker Chats
On programmable blockchains like Ethereum (and its analogs such as Binance Smart Chain), the scope for hidden content is even greater. Instead of just a tiny text field, attackers can hide entire chunks of executable code or URLs within smart contracts and transaction data. Recently, security researchers uncovered a tactic dubbed “EtherHiding,” in which hackers embed malicious code inside a public smart contract on Ethereum or BSC. For example, Google’s Threat Analysis Group recently observed a North Korean state-sponsored team deploying malware this way: they placed an encrypted payload in a smart contract, effectively turning the blockchain into a decentralised dead-drop for their malware.
When victims run the initial malware stub on their machine, it connects to the blockchain (via an API or RPC node) and retrieves the hidden payload from that contract’s data, thereby downloading the next stage of the attack. Because the malicious code is stored on the blockchain’s ledger, it cannot be taken down by defenders – it will remain accessible as long as the blockchain is operational. Even if authorities shut down servers or websites, they can’t scrub data from Ethereum’s global network. Moreover, the attackers can quietly update or replace the malware instructions by modifying the smart contract or publishing new transactions, all while remaining pseudonymous. This means the usual strategies of blocking domains or servers don’t work: the blockchain has become a robust command-and-control channel for the hackers. (Mandiant researchers aptly called this a “next-generation bulletproof hosting” technique.) In another case, researchers at ReversingLabs found that two malicious NPM packages were leveraging Ethereum in a similar fashion: the packages fetched a snippet of hidden data from an Ethereum contract, which contained a URL pointing to a second-stage malware file.
To anyone inspecting network traffic, these malware queries just looked like ordinary blockchain interactions, helping the attack fly under the radar. These examples show how public blockchains are being weaponised to smuggle code, essentially using the decentralised infrastructure as a covert distribution platform for malware.
Communication
Aside from hiding malware, Ethereum transactions are often used for communication between hackers, victims, and investigators. There’s a growing trend of conducting negotiations or taunts via on-chain messages, since it’s the only direct line to an anonymous hacker’s address. A famous instance is the Poly Network hack of August 2021, in which an attacker stole over $600 million from a DeFi protocol. The Poly Network team publicly pleaded for the funds’ return, and the hacker actually responded through a series of Ethereum transactions. The anonymous thief embedded messages in the transaction input data to engage in a Q&A, explaining their motives (“for fun :)”) and conditions. This real-time on-chain dialogue went on for days.
Incredibly, the hacker began returning the money and ultimately gave back essentially all the stolen assets, while posting messages like “I am considering returning some tokens or just leaving them” as the drama unfolded. Poly Network even started calling the hacker “Mr. White Hat” on-chain as a gesture of goodwill.
Hackers and project teams have used blockchain messages to negotiate and even joke with each other. In a March 2022 exploit of Cashio (a Solana-based stablecoin project), the attacker left a note embedded in an Ethereum transaction input declaring: “Accounts with less than 100k have been returned. All other money will be donated to charity.” Indeed, smaller victims were made whole, while the hacker ironically cast themselves as a charitable thief for the rest. In another case, after the Crema Finance hack (July 2022 on Solana), the development team tried reaching out by sending an on-chain message to the hacker’s known Ethereum address, offering a bounty if the funds were returned. This public offer, essentially a “Dear Hacker” letter written into a transaction, worked: the hacker responded and agreed to a deal, accepting a 45,455 SOL bounty (worth about $1.5M) and returning the remaining $8+ million to the project.
These episodes show how even adversaries communicate in plain sight on the blockchain, using it like an immutable chat board. Messages between hackers, whether threatening, conciliatory, or humorous, are visible to all but can be the most direct way to communicate when no other channels exist.
On-Chain Signals and Easter Eggs
Every major blockchain has some mechanism for including arbitrary data in transactions – and creative users have taken advantage of all of them. Solana, for instance, allows a special memo instruction where a short plaintext note can be attached to a transaction. This could be used to write a message into Solana’s ledger (similar to Bitcoin’s OP_RETURN). While Solana’s community hasn’t (yet) to our knowledge produced as many famous easter eggs as Bitcoin’s, the concept is the same. In practice, some Solana-related hackers have preferred to use Ethereum for messaging (likely because Ethereum is more widely monitored by the community). In the Cashio and Crema exploits mentioned above, the incidents occurred on Solana but the communication happened via Ethereum transactions, implying that cross-chain hiding of messages is also routine. It underscores that hackers will use whatever chain is convenient to get their message across.
Even privacy-focused chains like Monero have data fields that can carry hidden information. Monero’s transactions include a field called tx_extra which can hold arbitrary data (unencrypted or encrypted) alongside the payment. Users have experimented with this by inserting messages or hashes in tx_extra. In a few cases, activists reportedly broadcast political statements using Monero transactions, leveraging the fact that the network is censorship-resistant (albeit Monero’s privacy means only those looking at the raw chain data would notice the message).
Other blockchains like Bitcoin Cash, Litecoin, Dogecoin, and Ethereum Classic inherited Bitcoin’s scripting and thus also support OP_RETURN messages or similar memo capabilities. In short, “hiding” data in the blockchain is a multi-chain phenomenon – wherever the protocol permits extra bytes of data, someone will eventually use it to leave a secret note or payload. The implementations differ (a memo field here, an event log there), but the outcome is the same: permanent data hidden in plain view on an indestructible ledger.
Conclusion: The Double-Edged Sword of Immutable Messages
From Satoshi Nakamoto’s bailout quip to North Korean malware code, the blockchain has become a repository of both inspiring and concerning secrets. These hidden messages and code snippets demonstrate the power of public ledgers as uncensorable communication channels. On one hand, they enable artistic, personal, and political expressions to live forever beyond the reach of any authority – a realisation of the cypherpunk ideal of free speech etched in math. On the other hand, the same permanence and neutrality can be abused: attackers repurpose blockchain transactions as stealth malware infrastructure, and criminal communications can be broadcast with impunity.
Researchers now scrutinise blockchain data not just for financial flows, but for these hidden signals – be it a hacker’s taunt encoded in hex or an encrypted payload lurking in a contract. In essence, every blockchain carries a parallel narrative alongside its economic transactions. It’s a story told through Easter eggs and encrypted instructions, through memes and malware. Uncovering these secrets gives us remarkable insights into the creativity of users and the resilience (or brittleness) of our decentralised systems. As blockchain adoption grows, we can expect this hidden layer to keep expanding – revealing humanity’s best ingenuity and worst intentions, all locked immutably in the code of transactions.
