The Great Bitcoin Dusting: A ‘Salomon Brothers’ Client Tries to Claim Dormant Wallets

Introduction

This summer, an unknown actor “dusted” thousands of bitcoin wallets – sending them tiny amounts of BTC with mysterious messages embedded in the OP_RETURN field. An OP_RETURN is like the memo line on a check, with one important difference: anyone, not just the recipient, can see its contents on the blockchain.  

The messages usually contained an all-caps warning (e.g “LEGAL NOTICE”) and a link to a page on the website of Salomon Brothers. Not the storied Wall Street firm where Lewis Ranieri pioneered mortgage-backed securities in the 1980s (that’s now part of Citigroup), but an obscure outfit that acquired the name. The webpage notified message recipients that their wallets “appear[ed] to be lost or abandoned” and that an unidentified Salomon client had (somehow) taken “constructive possession” of them. Cornell Law School’s Legal Information Institute defines constructive possession as “the legal possession of an object that is not in the person’s direct physical control. ... For example, someone with keys to a safe deposit box may have constructive possession to the contents of that box.” (Emphasis added.)  

Wallet owners were given 90 days to either move coins onchain to show they had the private keys or send Salomon a message with documentation of their claim to ownership. Those who did not take action by the deadline risked “relinquishment” of their legal rights to the wallets, Salomon warned. 

Although published onchain for all to see, these messages garnered little attention until early July, when, shortly after receiving one of them (1,2,3,4,5,6,7,8), a long-dormant wallet belonging to an early holder moved 80,000 BTC (1,2,3,4,5,6,7,8). Then the dusting campaign became the subject of fevered speculation. 

Had a hacker group somehow obtained users’ private keys and begun laying the groundwork for a justification of their attack? Worse, had someone discovered a quantum vulnerability in the Bitcoin protocol? Nobody knew what to make of it all.   

To shed light on this murky affair, Galaxy Research did a detailed analysis of the thousands of transactions sent over the course of the summer by Salomon’s client. As this report will show, the majority of the campaign’s targets were P2PKH (“pay to public key hash” script) addresses, which are believed to be less vulnerable to quantum attacks than other address types. For its part, Salomon has said its client “is not a hacker and is not physhing [sic].” So, we do not believe that these messages portend a vulnerability in Bitcoin or the theft of any private keys. 

Although the Salomon client’s intentions remain inscrutable, our analysis shows that the campaign, while sloppy in some respects, was executed through a sophisticated labyrinth of onchain transactions. Given the OP_RETURN campaign’s scale, the messages’ contents, and the notices they linked to, a plausible interpretation is that whoever is behind them may try to wage legal claims^[1] on unresponsive wallets under abandoned property laws in certain jurisdictions after the deadlines. Even if he^[2] obtained a favorable court ruling, however, it remains unclear how Salomon’s client could take possession of these supposedly abandoned wallets without the private keys. 

Key Findings 

• Scope and Structure 

  • 41,523 OP_RETURN messages were sent from 3,738 sender addresses to 39,423 recipient addresses. 

  • In total, the addresses that received messages held 2,334,482.52 BTC combined at the time the messages were transmitted. 

  • The campaign had two phases: trial messages that did not include links or mention Salomon (June 30) followed by waves of messages containing links to Salomon’s website (July and August). 

• Targeting Profile 

  • The vast majority of targets (98.82% of all addresses receiving messages) were legacy P2PKH addresses. 

  • The average adjusted dormancy, or period of inactivity, of addresses receiving notices was 2,171 days (~5.95 years). 

  • An adjusted share of 98.1% of notified addresses had never spent coins since first receipt before being dusted. 

• Execution 

  • The first Salomon-linked message contained a broken URL; the sender followed up with a corrected version days later. 

  • A “test -> blast -> monitor -> adjust” loop is evident: test transactions precede each major wave of messages; the common characteristics of recipient wallets and number of messages sent shift across waves. 

• Possibility of Legal Follow-Through 

  • The campaign's methods, such as targeting addresses that have been inactive for a certain period and providing a grace period for a response, align with the requirements to claim assets under unclaimed or abandoned property laws in some U.S. states. 

  • While the legal viability and possible reach of the Salomon client’s potential claims on abandoned property are questionable, the dusting campaign should not be dismissed outright as a pure behavioral experiment. 

What Is Salomon Brothers? 

The original Salomon Brothers was an investment bank founded in 1910 by Arthur, Herbert, and Percy Salomon. Initially a private partnership, it went public in 1981 through a reverse merger with Phibro Corp. A powerhouse of U.S. Treasury bond trading in its heyday, Salomon Brothers is mostly remembered for the swaggering personalities depicted in Michael Lewis’ book “Liar’s Poker” and for Lewis Ranieri’s innovations.    

In 1997, Sanford Weill’s Travelers Group acquired Salomon—then focused mainly on institutional clients—and combined it with Travelers’ retail brokerage arm to create Salomon Smith Barney. The following year, Travelers merged with Citicorp to form Citigroup, the prototype of a modern “financial supermarket.” In April 2003, Citigroup retired the Salomon Smith Barney name, rebranding the investment bank as Citigroup Global Markets. 

In 2022 a group of self-described Salomon Brothers alumni, including R. Adam Smith, set out to revive the investment bank a few years after purchasing the trademark to the name. This appears to be the Salomon Brothers whose client sent the OP_RETURN messages on the Bitcoin network between July and August. (Smith is quoted in a press release about the campaign.) 

The Salomon Brothers website offers very little information about the company or its team. However, by combining the Wayback Machine, web scraping, and searches of registration directories—and by following the limited breadcrumbs available on the site—we uncovered additional details not accessible from the landing page alone. These findings include insights into the company itself, its web presence, and the messages and notices it has published. 

The firm is a New York-registered corporation, filed on June 5, 2020, and listed as active with the New York Department of State. The company’s principal office is located at 733 Third Avenue in Manhattan, 16th Floor (where there is virtual office space to rent). C. Daniels (Christopher “Chip” Daniels) is identified as the chief executive officer. On his LinkedIn page, Chip Daniels is identified as an executive chairman at State Stox, which appears to be an affiliated company to Salomon Brothers. Notably, the State Stox website has a similar design to Salomon Brothers’ site and the same Third Avenue address listed at the bottom. The two firms were also involved in a deal where Salomon Brothers served as the sole manager taking a company called Ownet public. Daniels also serves as a director at Ownet, according to his LinkedIn. 

Salomon Brothers Website and Socials 

Salomon Brothers has online presence across a website, a LinkedIn account, and an X account. 

Company Website 

The website, which was registered on Jan. 6, 2023, contains links to the services offered by the firm, its history, and a number of other details. Notably, some parts of the website refer to the company as “Salomon Encore,” which seems to appear only in small text on the site and nowhere in the onchain notices. The firm says it offers a variety of services ranging from investment banking/mergers and acquisitions (M&A) and asset management/advisory to real estate financing and research. Each category takes visitors to a new webpage, with the exception of the research button, which takes visitors back to the website’s landing page. There are a number of other defunct buttons across the website and links that take visitors to expired webpages. For example, the main page contains a button to view “Salomon Sisters,” which appears to offer “specialized services to support women business owners and investors.” However, the button to find out more about this service takes visitors back to the main Salomon Brothers website. A link for bridge financing details takes visitors to a page on GoDaddy, the web domain registrar 

On the investment banking/M&A page is a button for what at first glance appear to be the firm’s past deals, which include capital raises and business sales. However, nearly all of the deals advertised happened decades ago, well before this firm acquired the Salomon trademark. On the business sales for example, Home Shopping Network purchased a stake in Ticketmaster Group in 1997; Fred Meyer merged with Quality Food Centers in 1999; and Logicon was acquired by Northrop Grumman in 1997. On the capital raises, Loehmann’s went public twice, in 1964 and again in 1996; and Abercrombie & Fitch went public in 1996. Salomon acknowledges on the website that “These are not transactions completed by Salomon Encore or its affiliates.” Rather, they are “transactions that the people involved with Salomon Encore worked on or that occurred at a firm they previously worked for.” (Emphasis added.) Another page on the site says: “Website references to Salomon Brothers is [sic] a historical reference to Salomon Brothers unless stated otherwise.” 

Aside from helping to take Ownet public, the contemporary Salomon Brothers hasn’t disclosed any other deals it has been involved in. There have been some LinkedIn posts [1][2] inviting investors to reach out for various investment opportunities, but the extent of Salomon’s involvement or if any deal was closed is unclear. 

Social Media Accounts 

The company’s X account has not been active since Christmas 2023 and mostly posted research articles and holiday wishes. Its bio states that it is “back by popular demand” and that Salomon Brothers was established in 1910 and returned in 2022. There was a post about Ownet, described as a social media network whose parent company engaged with Salomon Brothers on an IPO.  

The LinkedIn account also has sparse activity. However, the bio contains a link to salomonencore.com which redirects visitors to the main website at salomonbros.com described above. The LinkedIn account also posted an update regarding the OP_RETURN messages delivered to Bitcoin addresses, which links to a press release published by the firm. 

What Has Salomon Said About the OP_RETURN Messages? 

Salomon has published two public statements about the messages sent to more than 39,400 Bitcoin addresses. One is a press release published on Aug. 7 (almost a week after the final message was sent), and another is a statement posted on the Salomon Brothers website. On its homepage, the headline “SALOMON CLIENT SECURES ABANDONED WALLETS” — in all caps — crawls across the screen like a cable TV news chyron. Clicking on that brings site visitors to a “Statement Regarding Wallet Notices” referencing the widely scrutinized OP_RETURN messages sent in July and August.  

The statement says the firm represents a client who has identified digital wallets that appear abandoned and may be vulnerable to exploitation, and that the firm did not send the messages itself. The client’s identity is not disclosed. The notice emphasizes that the client is not seeking to “adversely impact the crypto market” but rather is acting at “his own expense” to “reduce risks posed by abandoned wallets.” Holders who still control their keys are asked to prove it by sending a small transaction, while those who lost access are encouraged to contact Salomon’s client through the provided form. The page also states, “the client has no interest in claiming wallets that are not actually abandoned.” Additionally, in the notice Salomon Brothers announced the client’s creation of a “keyless wallet recovery fund,” which it said aims to return substantial value to owners who can demonstrate legitimate claims to inaccessible wallets. This fund would be administered by Salomon Brothers, with details to follow in the coming months.  

This notice is not the first one posted on the website about the onchain messages sent by Salomon’s client. Between July 9—more than a week after the first messages were sent—and Aug. 5, the same link directed visitors to a different notice, which remains accessible through the Internet Archive’s Wayback Machine. This notice was less formal in tone and was formatted more like an FAQ than a legal notice. It had sections detailing abandoned wallets, for which it gave only a qualitative definition; the risks they pose; and the client’s goals and intentions, which were consistent with the notice currently displayed on the website. Notably, this earlier notice addressed the speculative assumptions made in the media about the onchain messages sent by its client, stating “we are dismayed that the reporting thus far is based on zero information from Salomon Brothers. Some have reported, with no evidence, that the client is a 'hacker' (implying nefarious intent) or is phishing and has targeted certain wallets. All of that is false.”  

In the Aug. 7 press release, Salomon Brothers echoed much of what was in the notices posted to its website from the standpoints of abandoned wallet risk and how individuals can prove ownership of their addresses. The key detail of this statement is the language around providing “wallet owners with at least 90 days to respond.” While most of the wallets received a minimum 90-day period after receiving messages to respond, 3,203 addresses received no more than 88.4 days’ notice, based on when the transactions carrying the messages landed onchain. More details will be covered on this in the onchain analysis section below, but this is an important detail to highlight if the client is in fact planning to take legal action upon the notices’ expiries. 

Contents of the Links Distributed Through OP_RETURN Messages 

There were two distinct functional Salomon Brothers links distributed through the OP_RETURN messages sent by the company’s client: https://salomonbros.com/owner-notice and https://salomonbros.com/legal-notice-1. Neither of them is accessible through the landing page of the company’s website.  

Both webpages declare that a Salomon Brothers client has delivered a notice to a series of Bitcoin wallet addresses that appear to be “abandoned.” They advise each wallet’s owner to contact Salomon Brothers and/or cryptographically prove ownership by signing a transaction. The notices warn that if address owners do not respond by the stated deadline, their addresses will be treated as abandoned and the client may pursue remedies, including asserting claims over the associated coins through “constructive possession.” Importantly, both of the notices contained identical wording despite having different names ("legal notice” and “owner notice”) but had different deadlines (Oct. 10 in the case of the "owner notice" and Nov. 5 in the case of the “legal notice”). The campaign likely used multiple links and notice titles to keep track of the 90-day response windows granted to message recipients, given that the notices were sent out over a one-month period. 

At the bottom of the notice pages were contact forms where individuals with a “detailed description of [a] valid claim to ownership including supporting documentation” can directly reach out to Salomon Brothers.  It claimed that individuals or their representatives can use the form to preserve anonymity. Notably, the form requested the geographic locations (country, state, and zip code or province) of those submitting details. These fields had asterisks next to them, suggesting they are mandatory for submission. 

What is OP_ RETURN? 

OP_RETURN is a Bitcoin script opcode, or instruction, that lets users embed up to 80 bytes of arbitrary data in a transaction. While the funds tied to an OP_RETURN output are unspendable (and therefore not added to the “UTXO set” of unspendable transaction outputs), the data payload is permanently recorded on the blockchain and broadcast to the entire network. This makes OP_RETURN a kind of “public bulletin board” on Bitcoin. It has been used for purposes from fungible token protocols (e.g. Runes) to timestamps to spam. Because OP_RETURN is both cheap and permanent, it has been used to send onchain messages between addresses. 

Scope of the Salomon Client Dusting Campaigns 

There were two legs of the Salomon client’s campaign: one set of messages with no mention of Salomon Brothers and one set of messages that contained a link to the firm’s website. Onchain data strongly suggests the entity behind the former also sent the latter. The first set of messages appears to have been a trial run for the second, which was much more expansive and thorough. Most of the conversation on social media focused on the second set of messages, specifically the one (“NOTICE TO OWNER: see www.salomonbros.com/owner_notice”) received (1,2,3,4,5,6,7,8) by the ancient whale that sold its coins in mid-July. Few observers at the time noticed the earlier series of messages that contained no link or subsequent ones that linked to the Salomon website. The lack of context was a likely contributor to the widespread alarmist interpretations of the messages (e.g. Bitcoin being cracked by quantum). 

The messages and some of their details are shown in the table below. 

Details and Timeline of the Campaign 

The following lays out the sequence of important events related to the Salomon Brothers dust messages and some high-level details that will be important to connect the dots between the two campaigns. 

Details 

The campaign involved 3,738 unique sending addresses and 39,423 recipient addresses (of which at least five are likely to be owned by the dusting entity). Two of the sending addresses for the Salomon messages also appeared as recipient addresses; in other words, the entity behind the operation dusted its own wallets. The campaign was highly sophisticated from both the funding and dusting perspectives, and mostly targeted addresses with at least one of three main characteristics:  

• P2PKH addresses (an older address type) 

• Addresses that received coins and never sent them (38,754 of the 39,423 addresses)  

• Addresses that have been dormant for an average of 1,890 days  

 Notably, there were 5,097 addresses whose entire visible transaction history is just receiving one of the Salomon Brothers-linked messages; excluding these addresses, the average dormancy of the remaining 34,326 targeted addresses is 2,171 days and the number of targeted addresses that received coins and never sent them was 33,657. The oldest address was dormant for 5,991 days, the youngest address was dormant for 58 days, and 34,307 of the addresses were dormant for at least three full years.  All told, the dusting entity paid at least 0.49831883 BTC in fees (about $60,246 as of Oct.7 ), spent 0.22768359 BTC in dust on the OP_RETURN messages (~$27,516.29), and appeared to have recovered a residual balance of at least 0.00878853 BTC (~$1,062.52) as the campaign wound down.  The dusting entity built an elaborate web of funding flows. Before seeding the dust transactions, it fanned coins across thousands of addresses, passed them between addresses later used across multiple message types, and appeared to manually reassign change outputs rather than returning them to the sender wallet. (“Change” in Bitcoin refers to the leftover amount of an input that is returned to the sender, or to another defined address, after making a transaction.) This made the activity harder to trace at first glance. This complexity, combined with the sheer breadth of the operation, spanning 41,523 OP_RETURN messages, would have required significant preparation, resources, and knowledge of the Bitcoin protocol. 

Targeted Address Types 

Pay-to-Public-Key-Hash (P2PKH) addresses were the most targeted address type in the message campaign, accounting for 98.82% of the addresses that received notices. Why is emphasizing the address types that received messages important? Some Bitcoin address types are believed to be more vulnerable than others to exploitation by novel technologies, and official communications from Salomon Brothers around the OP_RETURN messages alluded to this risk: “Rogue states and criminal organizations with significant resources pose a credible threat to hack assets held in abandoned digital wallets. Older encryption protocols are vulnerable to new technologies, meaning bad actors could illegally gain access to abandoned wallets because these wallets cannot be upgraded to more secure wallets.” This statement appears to refer to Bitcoin’s potential vulnerability to quantum computing, which has been a major topic of discussion and debate in the community for much of the year. 

Quantum computing is a type of computation that uses the principles of quantum mechanics (e.g. superposition and entanglement) to process information in ways that can be exponentially more powerful than classical computers for certain problems. For now, the risk is theoretical. Some experts think useful quantum computers could start showing up in the late 2020s or early 2030s, grow steadily more powerful through the 2030s, and reach full reliability in the 2040s or later 

One of the concerns around a quantum or related attack on Bitcoin is the technology’s ability to match public key (pubkey) and private key pairs, giving a theoretical attacker unauthorized control over user funds. Pay-to-Public-Key (P2PK) addresses (used in Bitcoin’s earliest blocks) embed the raw pubkey in the output itself, which makes it a more vulnerable script type to this theoretical quantum or similar attack than other address types. A quantum computer or other technology could theoretically derive the private key directly from the exposed pubkey and hijack the funds. By contrast, P2PKH addresses (the kind most targeted in the campaign) and later address formats lock coins to a hash, or cryptographic scramble, of the pubkey, which means the raw pubkey is revealed only after the address has spent coins. So, in order for an attacker to exploit these addresses, the victim would have to had spent coins prior to the hypothetical attack and reused the spending address. As noted earlier, the vast majority of the addresses targeted appear not to have sent funds, so their pubkeys have never been revealed and they are theoretically less vulnerable to exploitation than P2PK addresses. 

Our analysis found no evidence that any of the addresses dusted with Salomon Brothers messages in this campaign were P2PK. All identified targets were later types, primarily P2PKH. While it is technically possible to dust P2PK outputs by sending coins directly to a raw public key, we found no indication that the Salomon Brothers client did so. In practice, raw P2PK usage is essentially deprecated. Modern Bitcoin software no longer supports it; this extends to wallet and exchange frontends not allowing users to paste a bare public key as a destination. Galaxy Research validated this by attempting to send BTC to P2PK outputs through both centralized and decentralized frontends, all of which failed to send. We succeeded only by manually constructing a partially signed Bitcoin transaction (PSBT) with a raw P2PK output and broadcasting it ourselves. This required custom script assembly because standard interfaces enforce modern address formats. The difficulty of this exercise highlights how thoroughly P2PK has been abandoned, even though it remains technically possible to spend to such an address. This raises an important question: if the Salomon client’s stated goal was to protect abandoned addresses from technological exploitation, why did it overlook what is arguably the most vulnerable and most likely to be abandoned address type (P2PK) while directing messages to less vulnerable formats? 

As of Sept. 2, there was 1.719 million BTC held in P2PK addresses, accounting for 8.63% of the circulating supply and 8.18% of maximum supply. This is a substantial amount of BTC that is presumed to be chiefly vulnerable in the event quantum computing is achieved, yet as far as we can tell, Salomon’s client notified none of these addresses. 

Funding and Testing of an Important Address – April 7 to June 24 

The earliest trace of the two-pronged campaign dates back to April 7, when a funding transaction reached bitcoin address bc1q2f60twvuwftp50dz4hmjphyw9ntwaeyhpqul99. As the following analysis shows, this address became central to the non-Salomon and Salomon campaigns. It functioned as the earliest funding source for duster addresses, as a duster itself, and as an address to which many of the dusting addresses reconciled their residual balances after sending OP_RETURN messages. Before the full operation began, the address was used on June 24 to send a transaction containing the message: “This is a test OP_RETURN message for 80 bytes. It must be precise and exact.” A day later, the address received two further OP_RETURN messages, “MESSAGE_1” and “MESSAGE_2.” Together, these messages suggest that the dusting entity was experimenting with Bitcoin’s OP_RETURN functionality in preparation for larger-scale activity. 

The first test transaction revealed a key address, bc1qgh3jg9pqrjyawwernal2u7kuhezrxelgp72z0t, which was funded by the test through bc1q2f60twvuwftp50dz4hmjphyw9ntwaeyhpqul99 as a manually reassigned change address. bc1qgh3jg9pqrjyawwernal2u7kuhezrxelgp72z0t was the funding address for bc1qfefxhstqphwx6rkkxwlup9uufahx0enwm2x5ad, which participated in the non-Salomon campaign and funded bc1qgj33ldeqdqp63h9awv6vk8gdg5692y3w2s86lh (another important address funding dusting addresses and linking the two campaigns), in addition to the 180 other addresses that sent non-Salomon messages. As a result, bc1q2f60twvuwftp50dz4hmjphyw9ntwaeyhpqul99 acted as a gateway, funding addresses in the non-Salomon campaign and as a direct funding address in the Salomon-linked campaign. 

Messages Without Links or Salomon References – June 30 

Shortly following these test transactions, the groundwork for the first large-scale dust campaign emerged in two notices: 1) “Not abandoned? Prove it by an on-chain transaction using private key by Sept 30” and 2) “LEGAL NOTICE: We have taken possession of this wallet and its contents.” These appeared on June 25, circulated among random combinations of the same four addresses, with the full campaign following on June 30 between Bitcoin network blocks 903447 and 903448. In the initial June 25 transactions, bc1q2f60twvuwftp50dz4hmjphyw9ntwaeyhpqul99 played a central role: it 1) sent the “not abandoned?” message to itself, 2) sent the "LEGAL NOTICE” message to bc1qkq47hh2xv0ehvh44ec9z6pvy2856m5w66a3gw8 (which it had funded the day before), and 3) received the same "LEGAL NOTICE” back from that same address. The June 30 campaign then scaled to 90 additional addresses across both messages—87 of which would later also receive Salomon Brothers-linked communications. Among the cohort of addresses receiving these messages was the ancient whale whose involvement in the affair would later draw attention to the campaign. In other words, the addresses associated with the whale were dusted as early as June 30 with both of the non-Salomon Brothers messages. 

First Salomon-Linked Messages Sent – July 2 

On July 2, the dusting entity followed the June 30 activity with the first Salomon Brothers–linked message: “NOTICE TO OWNER: see www.salomonbros.com/owner_notice.” It marked the first of three major Salomon message types sent that month. As with the earlier non-Salomon campaign, bc1q2f60twvuwftp50dz4hmjphyw9ntwaeyhpqul99 appeared in a test transaction, this one at block height 903659, just 15 blocks before the main campaign. Crucially, the test originated from bc1qgj33ldeqdqp63h9awv6vk8gdg5692y3w2s86lh, an address that 1) was also used in the June 30 “abandoned” message and 2) was funded by an address that also participated in the June 30 set of dustings. Additionally, bc1qgj33ldeqdqp63h9awv6vk8gdg5692y3w2s86lh and bc1q2f60twvuwftp50dz4hmjphyw9ntwaeyhpqul99 funded a number of addresses used to send Salomon-linked messages. This overlap strongly suggests a direct link between the two campaigns. Reusing addresses from the earlier wave of messages and using addresses funded by addresses involved in the non-Salomon campaign to test the Salomon Brothers operation may have been operational slips. The actions left compelling evidence the non-Salomon and Salomon Brothers-linked messages were phases of a single, coordinated campaign run by the same entity. 

Moreover, the www.salomonbros.com/owner_notice link provided in the message was dead because it contained an underscore instead of a dash (the dusting entity may have accidentally held the shift button down when inserting the dash). Anyone attempting to visit the webpage is greeted by a 404 error and a “file not found” message. Moreover, there were 20 addresses (excluding those likely to be owned by the dusting entity) holding a combined balance of 106,602.06 BTC at the time of receiving the broken link that either A) never received the corrected message or B) sent their coins before the corrected notice was transmitted. This is an important distinction to make, because if the dusting entity is seeking a legal claim to supposedly abandoned addresses, this collection of dusted addresses in particular may not have been properly notified. This cohort of addresses included the ancient whale that sold its 80,0000 BTC stash. As a result, there was never a webpage for the whale to view even if they saw the message. 

Fixing the Mistake – July 9 to July 14 

The whale moving their coins on July 4 received a lot of attention, leaving some to think there was a vulnerability in Bitcoin or at least in the P2PKH address type. The conversation continued as the whale began to sell their coins through the middle of the month. Around this time, on July 9, the dusting entity started sending messages en masse with the corrected weblink: www.salomonbros.com/owner-notice. The campaign for this specific weblink was split between two main waves, one on July 9 and another from July 13-14 – each with a distinct message including the updated link.  

As with the first three batches of messages, two apparent test transactions were sent on July 8, a few hours before the first wave of corrected messages. The first apparent test was a message that contained only the updated link and no additional language, while the second test contained the full updated message, noting the corrected weblink. The two tests were sent in separate blocks, the first one 73 blocks before the bulk of the corrected notice campaign launched, the second 27 blocks before.   

Interestingly, the apparent test transaction that received only the updated weblink was 1) carried out by an address funded as a manually updated change output in a transaction containing the old message with the broken link and 2) contained a manually inserted change output itself, to address bc1q2dskr0y97vzlpvkhr44tagdh906w48y6mu29mf. (That address later spent its balance down to zero with an odd OP_RETURN message, possibly containing a typo, in German. It translates to “Thank you for giving birth to me. Now you get real money back.”) The funding transaction occurred on July 8, five days after the “WEBPAGE CORRECTION” message campaign concluded (the old link was last sent on July 3, while the test was received on July 8). The transaction also included recipient address bc1qmak4853pysqmqlvmdcs3hwpz928dqqc5v6gnzw which then served as the receiving address in the link-only test transaction. This address also received an odd OP_RETURN message on July 8 that read “this wallet gets deleted by october 2025,” further suggesting it was a guinea pig address for the dusting entity. Notably, this address was initially funded on Nov. 28, 2023, with 0.81162432 BTC. Most of those funds did not move until July 30, when they were all transferred after the wallet received a number of messages from the Salomon Brothers duster. 

Of the 1,940 addresses that received the incorrect link, most (1,919) also received the corrected notice (285 addresses received the corrected link notice despite never receiving the original, which was likely an error by the dusting entity). Notably, addresses that received the broken owner notice link but sent their coins before the corrected notice went out did not receive the corrected link notice; this suggests the dusting entity was monitoring the addresses it sent the original notice and made sure not to double-deliver the message (this could have been intentional or due to filters it applied to target addresses that excluded empty or recently active addresses). 

The second wave of dustings with the updated link started on July 13 using the message: “NOTICE TO OWNER - See https://salomonbros.com/owner-notice.” There was also an apparent test transaction sending this message on July 11, two days before the bulk of the campaign, by none other than bc1q2f60twvuwftp50dz4hmjphyw9ntwaeyhpqul99. This message was sent to 3,204 addresses, none of which received the original, incorrect link or the "WEBPAGE CORRECTION" message. Every single address in this cohort, except for the receiver of the test transaction, did not get a full 90-day notice period based on the deadline associated with the link (Oct. 10, 2025). Addresses dusted on July 13 only got about an 88.4-day notice period and addresses dusted on July 14 only got about an 87.5-day notice period from the time the OP_RETURN transaction was confirmed onchain. This is a key detail because the written notices attached to the messages claim to have given recipients at least 90 days to respond. These addresses held a combined 251,606.5217 BTC at the time of receiving the notice. Notably, 107 of the addresses that received this message show no activity beyond the receipt itself. These may have been included to inflate the size of the campaign by number of addresses receiving messages, to give the impression of a high number of vulnerable addresses. 

The whale moving their coins remained a newsworthy headline through July 25, a period that overlapped with the transmission on July 23 of the third and final Salomon Brothers message. This message read: “LEGAL NOTICE TO WALLET OWNER: Go To Webpage: salomonbros.com/legal-notice.” Keeping it consistent, there was an apparent test transaction sent 22 blocks before the body of the campaign was carried out. Notably, none of the 33,987 addresses that received this message got any of the preceding messages sent in June or July. This message was the largest by recipient count, spanning two distinct tranches: one between July 23 and July 24 and another between July 28 and Aug. 4. Six thousand messages were sent between July 23 and July 24; 27,987 were sent between July 29 and Aug. 1; and a single message was sent on Aug. 4. 

Key differences between the “LEGAL NOTICE” message and all others preceding it include the large number of addresses targeted, the duration of the campaign, and the average balance of the addresses targeted.  "LEGAL NOTICE” was sent out over the course of 13 days and to 33,987 addresses, which is 2.17x longer than the next longest campaign by time and 6.28x bigger than the next largest message by recipient count. Additionally, the average balance of the addresses targeted by this message type was significantly smaller than all others. The average balance of addresses sent this message was 1.37 BTC, compared to 400.52 BTC in “owner-notice,” 980.52 BTC in “owner_notice,” and 8,400 BTC in each of the “abandoned” and “possession” message targets. 

Interestingly, 4,990 of the addresses that received this final notice have no transaction history beyond receiving this OP_RETURN message. This exact situation was also found in the "owner-notice" messages and was possibly done to inflate the size of the campaign. 

Winding Down the Campaigns 

As the dusting entity wound down each message campaign, it sent residual funds back to itself in bulk to empty the addresses used to send specific sets of OP_RETURN messages. In some cases, the transactions emptying out addresses from one message campaign served as the funding transactions for fresh addresses to send new messages [1][2]. The dusting entity presumably added all these hops to mask links to previous messages, ensuring that owners of dusted addresses couldn’t use a block explorer site to easily identify the relationships between sets of messages. Reinforcing this interpretation is the fact that 3,734 of the 3,738 addresses used to send the messages each delivered only one message type. The four addresses that participated in more than one message type did so in apparent test transactions. 

Address bc1q2f60twvuwftp50dz4hmjphyw9ntwaeyhpqul99 was used in a number of cases as the middleman to rotate funds between addresses used in one message campaign and the next [1][2][3]. Also, address bc1qgj33ldeqdqp63h9awv6vk8gdg5692y3w2s86lh served as the gateway address for residual funds from the non-Salomon campaign to be redeployed in the first set of Salomon-linked messages. Residual BTC recovered from zero-ing out addresses at the absolute conclusion of their use was sent to fresh addresses unaffiliated with the OP_RETURN messages [1][2]. Some of these transactions were large and costly, requiring as much as 68.2kvb (kilovirtual bytes) of data and spending as much $1,300 in fees to execute individual transactions. 

Connecting the Dots 

Two particular addresses strongly suggest that the entity behind the Salomon-linked campaigns was also likely behind the earlier, non-Salomon campaign: bc1q2f60twvuwftp50dz4hmjphyw9ntwaeyhpqul99 and bc1qgj33ldeqdqp63h9awv6vk8gdg5692y3w2s86lh. As foreshadowed in the earliest test messages, the same addresses that pioneered the initial experiments reappear as pivotal bridges linking the non-Salomon and Salomon campaigns. 

The subtle connection between the campaigns comes from these two addresses 1) apparently test-dusting each other in the Salomon-branded campaign, 2) each sending at least one transaction with the non-Salomon messages, and 3) together funding addresses that were used in the Salomon-linked campaign.  Additionally, bc1qgj33ldeqdqp63h9awv6vk8gdg5692y3w2s86lh was funded by bc1qfefxhstqphwx6rkkxwlup9uufahx0enwm2x5ad, which was used to test the June 30 set of messages and was funded by bc1qgh3jg9pqrjyawwernal2u7kuhezrxelgp72z0t (which in turn was funded as a change output by bc1q2f60twvuwftp50dz4hmjphyw9ntwaeyhpqul99).  

Below is a graph visualization created through a one-hop network analysis. This analysis maps all addresses directly connected to the seed addresses, which are labeled "Focus Addresses.” The data for these connections comes from both the Salomon Brothers–linked funding and messaging flows and non-Salomon message flows. The arrangement of the nodes and edges on the chart is determined by the Kamada-Kawai layout algorithm, which optimizes the spacing to position more closely connected nodes nearer to each other, minimizing line crossings to enhance readability. However, in dense areas, this can lead to nodes overlapping, making it visually challenging to count them individually. 

The two types of relationships included are: 

• Funding edges (lines) in black: These represent transactions where one address funded another (e.g., Address X funding Address Y). 

• Dusting edges (lines) in orange and teal: These represent dusting messages (e.g., Address A dusting Address B). The color distinguishes the message campaign: teal for Salomon-linked and orange for non-Salomon.  

Additionally, self-loops where an address dusted itself were preserved in the analysis and are depicted as circular arcs returning to the same node, as seen with one of the focus addresses.  

The visualization shows that the two seed addresses are directly linked through the Salomon Brothers-linked messaging campaign. Each also dusted an address in the non-Salomon campaign. Additionally, both seeds funded addresses later used in the Salomon Brothers campaigns, creating an overlap between funding and dusting activity. Also note that bc1q2f60twvuwftp50dz4hmjphyw9ntwaeyhpqul99 dusted itself in one of the initial messages, which appears as a self-loop in the middle of the chart. 

Zooming out, it becomes clear that addresses bc1q2f60twvuwftp50dz4hmjphyw9ntwaeyhpqul99 and bc1qgj33ldeqdqp63h9awv6vk8gdg5692y3w2s86lh both funded and sent messages to addresses active in the Salomon and non-Salomon campaigns. Address bc1q2f60twvuwftp50dz4hmjphyw9ntwaeyhpqul99 played an important role in the funding of the addresses used in the Salomon Brothers campaign, serving as an input address for funding transactions of over 750 such addresses. The chart below highlights the breadth of addresses funded through transactions involving this address, and how those addresses in turn funded others that participated in the Salomon Brothers-linked campaigns. Notably, both focus addresses also seeded the earliest wallets in the Salomon Brothers campaign, supplying the initial trickle of funds that made those wallets operational and enabled the campaign’s subsequent expansion. 

Notably, there was one transaction where both the addresses linking the campaigns together funded 51 output addresses that were then used to carry out and further fund the Salomon Brothers campaign. Residual funds from the non-Salomon messages funneled to bc1qgj33ldeqdqp63h9awv6vk8gdg5692y3w2s86lh were distributed in this transaction – more on this funding flow is detailed below. 

The next chart further underscores the importance these two addresses played in funding the addresses used in the Salomon Brothers messages. Unlike a traditional edge diagram, the visualization relies on spatial tightness rather than visible links: clusters form because certain addresses appear together in the same funding transactions. Because Bitcoin transactions can involve many inputs and many outputs, the chart captures co-participation in funding flows rather than exclusive one-to-one funding relationships. The seed addresses should therefore be interpreted as central hubs of participation, not as the sole originators of every funded address in their clusters. 

What this chart tells us is that the target addresses sat at the center of a funding cluster that directly or indirectly touched most of the addresses serving as dusters in the Salomon Brothers campaign. They also served as funding co-participants to other addresses that acted as secondary hubs, each radiating their own clusters of funding recipients (highlighted by the spoke structure established around the central cluster). This pattern underscores how the target addresses were not only central participants themselves, but also closely connected to other influential funders. This reinforces their pivotal role in the broader Salomon Brothers messages funding network. 

Lastly, a key funding flow clinches the case that the two campaigns were linked. The address bc1qgj33ldeqdqp63h9awv6vk8gdg5692y3w2s86lh served as a reconciliation address for addresses sending the non-Salomon messages. It was also the funding address for addresses sending the first round of Salomon-linked messages. The graphic below is a visualization of this flow. It is simplified compared to the more complicated visuals above to emphasize the role of bc1qgj33ldeqdqp63h9awv6vk8gdg5692y3w2s86lh in linking funds used in the non-Salomon and Salomon-branded campaigns. 

The key part of this flow comes from bc1qfefxhstqphwx6rkkxwlup9uufahx0enwm2x5ad funding 181 addresses (including bc1qgj33ldeqdqp63h9awv6vk8gdg5692y3w2s86lh) at 16:00:35 EST on June 30. Those 181 addresses were later used to send the non-Salomon messages. After the non-Salomon messages were sent, these addresses zero-ed out their residual balances to bc1qgj33ldeqdqp63h9awv6vk8gdg5692y3w2s86lh at ‎2025-06-30 21:23:02 (approximately three hours after the last non-Salomon-branded messages were sent). Two days later, address bc1qgj33ldeqdqp63h9awv6vk8gdg5692y3w2s86lh, in conjunction with bc1q2f60twvuwftp50dz4hmjphyw9ntwaeyhpqul99, funded 51 addresses that were then used in the first Salomon campaign (the one with the broken link). This shows that bc1qgj33ldeqdqp63h9awv6vk8gdg5692y3w2s86lh was the gateway facilitating the movement of funds between the two campaigns. 

Impact of Dusting Campaigns 

In total, the dusting entity sent messages to 39,418 distinct addresses that we believe were not under its control, holding as much as 2,334,482.52 BTC combined.  

Because the duster sent multiple messages to some addresses, this value was augmented by using the maximum balance carried by each distinct address at the time it received any of the messages. All addresses we believe to be owned by the dusting entity are excluded from this analysis.  

One purpose of the dusting campaigns was to see if users would move these coins in response. But how successful was the dusting entity in getting users to do so? The following analysis is current as of Sept. 29 at 8:30 AM ET.  

‘Abandoned' and ‘Possession’ Messages Sent on June 30 

These messages were sent in tandem to 94 distinct addresses, four of which we believe to be test transactions sent by the dusting entity. None of the addresses not likely to belong to the duster moved coins between this campaign and the first Salomon messages, suggesting the June 30 messages had a 0% success rate. These messages were sent to wallets holding a total amount of 789,565 BTC. 

Salomon Brothers Messages 

Analyzing the Salomon-linked messages is a bit trickier given there were three categories of them sent to multiple combinations of the same addresses in some cases. The following observes the success rate of the duster’s Salomon-branded campaign while accounting for the unique combinations of messages and dusted addresses. 

Incorrect Link Sent on July 2 

The first Salomon-branded message with the incorrect link was sent on July 2 to 1,939 unique addresses (excluding addresses likely to be controlled by the dusting entity) holding a nominal amount of 1,902,210.5 BTC. Of those, 10 addresses sent 86,161.15 BTC before the corrected notice was sent out on July 8. This cohort of senders included the ancient whale who controlled eight of these addresses and 80,009.44 of the transferred BTC. This gave the message a success rate of 0.52% by address count and 4.53% by the amount of BTC dusted. This assumes the wallet owners saw the messages and acted in response, but as we will see, it’s also possible at least some of the transfers were coincidental. 

Corrected Link Messages Sent on July 9 and July 13 

The corrected link was sent in two separate sets of messages. One, labeled as a correction, went to the addresses that previously received the broken link (and to some that hadn’t). Another set went to a fresh round of addresses. Filtering for this distinction is necessary to gauge the success rate of this specific message class. 

In the case of the corrected link, 55,161.62 BTC was sent across 109 addresses (not including known duster addresses) after they received this notice. Broken out this looks like:  

• A total of 42,510.35 BTC was transferred by 32 addresses that had received both the corrected notice and the original Salomon notice, but which had not acted following the original. Collectively, these addresses represented 1,795,607.63 BTC held across 1,918 addresses. The success rate in this cohort was 1.67% by address count, corresponding to 2.37% of BTC held by the group. One address only sent a trace amount of BTC after receiving the corrected notice and retains ‎1,105.13 BTC; and another address retains 0.1 BTC. 

• A total of 2,714.12 BTC was transferred by eight addresses that received the corrected notice without ever receiving the original notice. These addresses collectively accounted for 118,489.25 BTC across 284 addresses. The success rate in this cohort was 2.82% by address count, corresponding to 2.29% of BTC. One address held onto 424.59 BTC after receiving the message and only sent a small amount of BTC. 

• A total of 9,937.13 BTC was transferred by 69 addresses that received the corrected link as part of a fresh notice. Collectively, these addresses accounted for 251,606.54 BTC across 3,203 addresses. The success rate in this cohort was 2.15% by address count, corresponding to 3.95% of BTC. However, these addresses did not get the full 90-day grace period as promised in the notice (receiving messages between July 13-14, with a deadline of Oct. 10). The botched notification might make these coins exempt from any legal follow-through. 

In aggregate, this all equates to a success rate of 2.02% by address count and 2.55% by BTC value. 

‘LEGAL NOTICE’ Message Sent Between July 23 and Aug. 4 

Assessing the success rate of the "LEGAL NOTICE" was straightforward because the set of addresses it dusted did not receive any of the previous Salomon or non-Salomon messages. In total, three addresses out of 33,986 moved 114.99 BTC of the 46,693.66 BTC held by this cohort.  This represents a success rate of 0.009% by address count and 0.25% of BTC. The only addresses to move coins in this cohort spent their balances to zero. 

The Total 

In the aftermath of the dusting campaign, 122 addresses moved a combined 141,437.76 BTC.  Assuming an aggregate 2,334,482.52 BTC worth of addresses dusted, 6.06% of the total moved by BTC balance and 0.31% of dusted addresses moved coins. Excluding addresses that moved coins but retained nonzero balances, this leaves 2,188,604.9 BTC worth of dusted balances, or 10.98% of the circulating supply (10.42% of maximum supply), unmoved and thus exposed to whatever legal follow-up these messages might entail. Note: these values only account for coins moved onchain and do not include any wallets that may have contacted Salomon via the form in the notice links.  

If we further exclude addresses that did not receive the full 90-day grace period, those that only got the initial broken notice, and those that were dormant for less than three years (an important duration in the context of abandoned and unclaimed property laws) an estimated 1,920,124.4 BTC is left exposed to potential follow-through on the notices. This equates to 9.64% of circulating supply and 9.14% of maximum (21 million units) supply. 

Movements of Coins After Receiving Messages Could be Coincidental 

Evidence suggests that some addresses that moved coins after being dusted did so coincidentally, and their owners may never have even seen the messages. A clear example is address 16P6cMXdmiiZR5d4L5aa793HwWZ5MomMKu which moved its 1,219.99 BTC stash 80 minutes before receiving a Salomon message. This indicates the dusting entity likely compiled a batch of addresses in advance and only later sent the messages. In the meantime, this particular address had already moved its coins. The broader context of onchain whale activity being high over the last number of months in general further supports the interpretation that the movements of these coins could be purely coincidental. 

What Is Salomon’s Client Trying to Accomplish? 

According to the statement on Salomon Brothers’ website, its client is acting altruistically. “Our client would not knowingly take any action that would adversely impact the crypto market,” the firm says, and he “has no interest in claiming wallets that are not actually abandoned.” The client also intends to create “a keyless wallet recovery fund for those who lost access to their wallets but can support a valid claim to ownership,” Salomon claims. 

It is possible that Salomon’s client simply seeks to have abandoned coins turned over to governmental custody in an attempt to protect the network from adversarial entities (safeguarding the network was a defined goal outlined in its numerous communications around the campaign). However, that step would not, by itself, mitigate such risk; if current cryptographic protections are broken, state-controlled wallets remain just as vulnerable as privately held ones. Alternatively, if the state sells the coins, they could flow back into the market and end up in the very custodial arrangements the client was supposedly trying to prevent. The client may nevertheless believe that once coins sit under governmental custody, adversarial entities would be less willing to exploit them even if they can. 

But another, more cynical interpretation^[3] cannot be ruled out. Consider the following: 

• The public statements made by Salomon and the contents of the onchain notices. The company’s public statements frame the client’s actions as altruistic, stressing that the campaign is about protecting the network and holders who have lost access to their coins. But these assurances are hard to square with the notices’ own language, which asserts the client has taken “constructive possession” of the receiving addresses and warns that inaction may lead to “relinquishment of all rights, title and interest.” Salomon has sent mixed messages: in the most easily findable communications, the client is portrayed as a benevolent protector. But in the fine print, the notices reserve the right to assert ownership over coins the client presumably cannot access (unless he has the private keys or a quantum computer, both of which we consider exceedingly unlikely). This tension raises the question: if the true aim were to save the network from technical vulnerability, why assert individual possession at all? 

• The profile of the targeted addresses. Despite Salomon’s allusions to quantum risk, its client bypassed the most vulnerable address type (P2PK). Instead, the campaign overwhelmingly targeted P2PKH wallets that had been dormant for nearly six years without ever sending coins — comfortably exceeding the three-year dormancy threshold in several state abandoned-property statutes governing digital assets (detailed below). 

• The 90-day deadlines. These mirror the 60- to 120-day notice windows common in unclaimed-property law. 

• The client’s sophistication. As shown above, the actor behind the messages appears to have a deep understanding of Bitcoin across its technical architecture and its social dynamics (the notices allude to the network’s quantum vulnerability, a niche but long-running topic in the Bitcoin community). The combination of technical ability and social awareness gives the client an unusual ability to cast a wide net onchain (sending messages to nearly 40,000 addresses) while also framing the message in a way that plays on community fears and social tension. This makes the campaign look less like a public service announcement and more like an attempt to shape sentiment and pressure dormant holders into action. 

• The behavioral testing patterns. The client did not send the notices in a single, uniform way. Instead, he started small and continually expanded the operation over the course of a month as it gained public attention. If the intent were to warn Bitcoiners of a looming threat, there would be no reason to trickle them out and expand their reach over time; efficiency would demand sending all notices at once, not over a full month’s time. 

Taking these factors together, one could be forgiven for surmising that Salomon’s client intends to take legal action under unclaimed or lost property laws to either assert claims or force state custodianship over coins deemed “abandoned.” 

Stepping back, the old folk saying “finders, keepers” rarely applies in U.S. property law — and certainly not to crypto. “Found property” doctrines traditionally apply to tangible chattels, not intangible assets like BTC. Those must be reported to the state.   

Unclaimed property laws vary from state to state but generally dictate that when a virtual currency account is inactive for a set dormancy period, the "holder" must first perform due diligence to contact the “owner.” Statutory due diligence notices are generally sent through first-class mail (and, if consented, email) by the holder to the owner’s last-known address within state-specified windows (commonly 60–120 days pre-report). If that effort fails, the holder is then legally required to report the asset to the state and, subsequently, remit it to the state's custody. The state then acts as a safekeeper for the funds on behalf of the original owner, and the holder is absolved of liability. This allows the owner or their heirs to file a claim with the state at any time to recover the value of their property.   

The number of states that have added, or are in the process of adding, digital assets to their abandoned property laws may provide insight into how Salomon’s client intends to proceed and the limitations he may face.  

See Appendix for links to state property laws. 

Sending an electronic notice of abandonment via OP_RETURN transactions in lieu of an unobtainable street address or email may be consistent with the spirit of some U.S. state-level unclaimed property laws. However, some definitions and the applicability of these laws may constrain the client’s ability to act. They include: 

1. Who is a "holder"? These laws consistently define a "holder" as a business, corporation, or other legal entity that is obligated to hold, deliver, or pay property to an “owner.” Owner is defined as the person with the legal right to the underlying property believed to be abandoned. In the context of cryptocurrencies, the holder category is likely to include centralized exchanges, custodial wallets and fintech apps, qualified custodians and trust companies, and broker-dealers and investment platforms that support crypto. Such entities can track account inactivity, owner information (such as name and home address), perform due diligence, and remit the funds to the state. With self-custodial wallets, the user is the only one with access to the funds and the developers of these solutions cannot track who uses them or send funds on the owner’s behalf. As a result, there is no third party to report or transfer the assets, so it's impossible to move these funds without access to the corresponding private keys, and, as a result, the “holder” definition likely doesn’t apply. It’s also fundamentally impractical — if the holder is also the owner and they decline to respond to an abandonment notice, but later use the coins themselves, they were never actually lost or abandoned. 

2. What happens with unclaimed property? When a holder fails to find the owner through a due diligence process, it must then remit the property to the state. After a business remits the property to the state, the state acts as a custodian, holding the funds indefinitely on the owner’s behalf. The state may liquidate assets like stocks or virtual currencies into cash for easier management. The original owner or their heirs can then file a claim with the state at any time to recover the property's value. 

3. Do one state’s unclaimed-property laws apply to another? Not automatically. Jurisdiction follows the Supreme Court’s Texas v. New Jersey priority rules: 1) report to the state of the owner’s last known address; 2) if that address is unknown, or if that state does not provide for escheatment (state custody) of that specific property, remit to the holder’s state of incorporation. Importantly, the holder can remit only if the receiving state’s statute covers that property type (sometimes via a catch-all “intangible property” or by requiring liquidation to cash); if neither state covers it or a statute expressly excludes it, there’s no authority to escheat. More broadly, BTC is a global asset, and unclaimed property statutes are creatures of geographically defined law with no international force, meaning they cannot compel reporting or transfer by foreign holders or entities outside the reach of their individual jurisdictions. 

As a result, the Salomon client’s ability to act is possibly limited by: 

1. Jurisdictional priority rules (owner’s last known address first, then the holder’s state of incorporation): OP_RETURN “grace periods” are unlikely to be statutory and, by themselves, likely don’t compel remittance. Even where a notified address has been inactive longer than a standard dormancy period, that inactivity does not itself create a reporting duty absent a statutory “holder.” If the assets are later deposited with a centralized custodian, any obligations would typically arise from that point forward based on the custodian’s records, though certain state statutes could invite fact-specific disputes about prior abandonment and jurisdiction. 

2. Whether a statutory “holder” exists (centralized custodian) versus self-custody (typically no holder): While the notices likely have no statutory authority over self-custodied assets, they could be intended to create a factual predicate for a future claim. If coins from a dusted address are later deposited with a centralized custodian, the Salomon client may use the prior notice to assert a claim, potentially embroiling the owner and custodian in a legal dispute over the coins. 

3. The statutes’ geographic reach: Because BTC is a global asset and U.S. unclaimed property laws carry no international or interstate force, any attempt to maximize coverage would require going state by state or country by country, assessing whether local statutes even recognize digital assets as escheatable property, and pursuing claims only where a viable legal framework exists. This all assumes that the OP_RETURN notices are recognized as a legally sufficient form of contact or due diligence under some jurisdiction's specific unclaimed property statute and that the coins can be moved on the owner’s behalf. It further presumes that both holders and owners are located within those jurisdictions, because without that territorial nexus the statutes would not attach. 

4. The enforcement gap that comes with self-custodied BTC: Legal questions aside, coins in self-custody cannot be moved without access to their corresponding private key under any circumstance. Even if there is a legal pathway to deeming coins in self-custody escheatable, there is no way to enforce the remittance of them without access to the private key. While a court cannot compel the transfer of the bitcoin itself, it could issue an order against a known individual (if the owner is identified) to hand over the private key. But that remedy presupposes an identifiable and reachable person; for most long-dormant or pseudonymous addresses, no such linkage exists, leaving the coins practically beyond the reach of any court order. Unlike a leather wallet on the sidewalk, which a finder can pick up and hold pending the owner’s return, bitcoin cannot be “possessed” at all without a corresponding private key (or, perhaps one day, a quantum computer). Any attempt to bypass that framework and convert abandoned wallets into private title via onchain notice would be untested and questionable if private keys are inaccessible.  

However, this legal gray area may be the client’s perceived value proposition: by establishing an onchain record of notices through dusting, he may think he can attempt to bootstrap a novel claim under newly introduced legislation and seize ownership of “abandoned” coins. 

Recent litigation underscores the weakness of any such theory. In Battle Born Investments Co. v. DOJ, the U.S. Supreme Court rejected speculative ownership claims over a seized Bitcoin wallet, looking instead for concrete indicia of control — namely, the ability to transact or demonstrate private-key access. By analogy, OP_RETURN notices alone are unlikely to establish title or divest owners. Such notices amount to speculative claims at best, lacking the legal force required under existing unclaimed-property regimes. They may, however, be designed to induce self-selection, coaxing dormant holders either to identify themselves or to move coins into custodial venues where statutory hooks may be stronger.  

In short: it is unlikely that the notice creates an immediate claim, but a later move into custody could furnish a fact pattern that ends up litigated in jurisdictions where Salomon’s client takes up his claim. 

Final Thoughts 

Taking all of the onchain and legal details into consideration, the Salomon Brothers OP_RETURN dusting campaign should not be dismissed as a purely behavioral experiment. Instead, it looks like it could be an attempt to establish notice onchain and prepare a record to support potential litigation.  

That said, the operation itself displayed notable inconsistencies: broken links in early messages; possibly insufficient notices to some addresses by the sender’s own asserted standards; failure to notify address types that are believed more vulnerable to technological attack than others while professing the goal of protecting the network from technological attack; and delivering messages to addresses that were dormant for less time than is defined by unclaimed property laws.   

Despite these missteps, whoever carried out the operation clearly understands the Bitcoin network on deep technical level and took elegant measures to cover his tracks and deliver the messages to a large swath of addresses. While still baffling in many respects, the Salomon situation warrants continued monitoring by the global Bitcoin and crypto communities given the novel legal theories that this enigmatic client may end up testing. Keep an eye on the blockchain on Oct. 10 and Nov. 5, when Salomon's client’s 90-day deadlines pass. 

Appendix: State Abandoned Property Laws Addressing Virtual Currency 

• Arizona 

• California 

• Colorado 

• Delaware 

• Florida 

• Illinois 

• Indiana 

• Maine 

• Maryland 

• New York 

• Nevada 

• North Dakota 

• Oregon 

• Rhode Island 

• South Dakota 

• Tennessee 

• Texas 

• Utah 

• Vermont 

• Washington 

• West Virginia 

• Wisconsin