On July 8, 2025, the cryptocurrency security community was put on high alert after BitMEX Research uncovered a sophisticated scam targeting some of the oldest and most valuable dormant Bitcoin addresses in existence. The scheme leveraged Bitcoin’s OP_RETURN opcode to embed fraudulent legal notices directly onto the blockchain, with the most prominent target being the infamous 1Feex wallet — an address holding approximately 80,000 BTC stolen from the Mt. Gox exchange in March 2011. At Bitcoin’s trading price of $108,811 on that day, the wallet’s contents were valued at roughly $8.7 billion, making this one of the most ambitious blockchain-based phishing attempts ever documented.
The Exploit Mechanics
The attackers exploited OP_RETURN, a Bitcoin opcode that allows users to embed arbitrary data — up to 80 bytes per transaction — directly into the blockchain. While OP_RETURN was originally designed for legitimate purposes such as notarizing documents or anchoring data, the scammers repurposed it as a delivery mechanism for fraudulent legal threats. They sent tiny “dust” transactions to pre-2012 Bitcoin addresses that still contained large, untouched balances. Each dust transaction carried an OP_RETURN message reading: “NOTICE TO OWNER: see salomonbros[.]com/owner_notice.”
The cost of this attack was minimal. Dust transactions require only a negligible amount of Bitcoin, yet the OP_RETURN data they carry becomes permanently etched into the blockchain. This guarantees that any future owner, blockchain explorer, or curious on-chain analyst who examines the address will encounter the fraudulent notice. The scammers effectively turned Bitcoin’s immutable ledger into a bulletin board for their phishing campaign, exploiting the very transparency and permanence that blockchain advocates celebrate.
On July 4, 2025 — a U.S. holiday that saw record-breaking on-chain movement — the attack escalated. Blockchain sleuths discovered that 80,000 BTC were transferred out of eight decade-old wallets within minutes of each other. Each of these wallets had previously received a trio of OP_RETURN messages culminating in the “Salomon Brothers” notice, suggesting a coordinated campaign that had been building over several days.
Affected Systems
The primary target was the 1Feex wallet, one of the most closely watched addresses in Bitcoin history. This wallet has long been associated with the 80,000 BTC stolen from Mt. Gox during the exchange’s catastrophic 2011 breach. The funds have remained untouched for over fourteen years, making the address a magnet for speculation, legal maneuvering, and now, outright fraud.
However, the 1Feex address was not the only target. The scammers cast a wide net, sending OP_RETURN messages to multiple pre-2012 addresses containing substantial dormant balances. These early Bitcoin addresses, often referred to as “Satoshi-era” wallets, are particularly attractive targets because many of their private keys may have been lost over the years, and the original owners may be difficult to trace or verify.
The fraudulent website at salomonbros[.]com was designed to appear legitimate. It was branded as “Salomon Brothers” — evoking the name of the real historical investment bank — and featured an “advisory board” listing genuine 1980s bond-trading luminaries. The site claimed to have taken “constructive possession” of the dormant wallets and gave any “bona fide owner” ninety days, until October 5, 2025, to prove ownership or forfeit all rights. Proof could allegedly be provided by signing an on-chain transaction or by submitting personal information through a web form.
The Mitigation Strategy
BitMEX Research was the first to publicly identify and expose the scam, issuing a blunt warning on X: “Do NOT fill in this form.” The analytics desk characterized the scheme as “a Calvin Ayre-style legal scam,” drawing parallels to past attempts by Craig Wright and his associates to lay claim to the Mt. Gox coins through creative legal theories. Security analyst @0xZilayo corroborated the assessment, labeling the OP_RETURN notices “most definitely phishing attempts and have no legitimacy.”
For holders of dormant Bitcoin addresses who receive similar OP_RETURN messages, the recommended mitigation is straightforward: anyone with control of their private keys can prove ownership safely by moving funds to a fresh wallet. The act of signing a transaction from the address itself is sufficient proof of control — no third-party website or form is necessary. Anyone without the private key has nothing to gain and much to lose by responding to such notices, as the personal information submitted through the fraudulent web form could be used for identity theft, social engineering, or further targeted attacks.
Law enforcement agencies have been notified about the scam, though no jurisdiction had announced a formal investigation as of July 8. The pseudonymous nature of the scammers, combined with the borderless reach of blockchain technology, makes prosecution challenging. Bitcoin traded at $108,811 at the time of the alert, with the broader market showing a 4.6% decline in total crypto market capitalization amid the news cycle.
Lessons Learned
This incident underscores several critical lessons for the cryptocurrency community. First, OP_RETURN and similar on-chain data embedding mechanisms can be weaponized by bad actors. The immutability that makes blockchain valuable for record-keeping also means that fraudulent messages, once embedded, cannot be removed. Users must develop a healthy skepticism toward any unsolicited notices found on-chain.
Second, the enduring allure of the Mt. Gox saga continues to attract opportunists. More than a decade after the exchange’s collapse — which resulted in the loss of 850,000 BTC — the missing coins remain a tempting target for scammers exploiting both technical primitives and legal grey areas.
Third, the sophistication of this attack is notable. The scammers created a convincing fake website, leveraged a legitimate-sounding brand name, and exploited a genuine Bitcoin feature in OP_RETURN. This represents an evolution beyond traditional phishing emails or fake exchange websites, moving the attack surface directly onto the blockchain itself.
User Action Required
If you hold Bitcoin in a long-dormant address and notice OP_RETURN messages or dust transactions appearing in your transaction history, do not panic — but do exercise caution. Never submit personal information through any website linked in an on-chain message. If you control the private keys, the safest course of action is to move your funds to a new, secure wallet with a fresh address. Treat any unsolicited legal notice broadcast via the blockchain with extreme skepticism. In Bitcoin, possession of the private key remains the only proof of ownership that matters — no matter what an OP_RETURN string or a glossy website might claim. Stay vigilant, verify through official channels, and remember that legitimate legal proceedings do not typically announce themselves via blockchain graffiti.
Disclaimer: This article is for informational purposes only and does not constitute financial or legal advice. Always conduct your own research and consult with qualified professionals regarding cryptocurrency security.
It’s wild how people still underestimate what you can do with OP_RETURN. This “dust attack” on the Mt. Gox wallet is a classic social engineering trick disguised as a technical exploit. Most users see a transaction from a known address and assume it’s legit without checking the script. Stay vigilant out there, the chain never lies but people do.
dust attacks work because wallet software defaults to showing the most recent sending address. its a UX problem disguised as a protocol feature
dustb0wl nailed it. the attack vector is entirely dependent on wallet software blindly trusting transaction metadata. a simple UTXO source check would kill this class of scam overnight
Every time I hear “Mt. Gox” my heart skips a beat for all the wrong reasons. This phishing attempt is just another reminder that scammers will follow the big money wherever it goes. Using OP_RETURN to mimic transactions is clever but ultimately just another way to prey on FOMO and panic. Hopefully, the trustees are smarter than these script kiddies.
Whoa, I didn’t even know OP_RETURN could be used like this to target specific wallets. This article is such a wake-up call! It really shows why you need to triple-check every address, even if it looks familiar in your history. Thanks for the heads up, definitely sharing this with my discord group so they don’t get caught in the next wave.
This is exactly why we need better UI/UX in wallet software. If wallets didn’t just blindly display “from” addresses based on transaction history without verifying the actual UTXO source, these OP_RETURN poisoning attacks would be useless. It’s a protocol-level feature being used for malice, and the burden of defense shouldn’t just be on the end-user. Great technical breakdown of the scam.
wallet UI is the real vulnerability here. most people dont even check the full address, let alone verify UTXO sources
80,000 BTC sitting in that wallet since 2011 and scammers are using OP_RETURN dust to trick whoever controls it. the creativity is almost impressive