The 2020 UK Authorities and Bitcoin Nodes Incident: CSAM Hashes in Block 628,000

In late 2020, UK law enforcement, particularly the National Crime Agency (NCA) and local police forces, responded to the discovery of child sexual abuse material (CSAM) hashes embedded in a Bitcoin transaction within block 628,000 (mined on September 5, 2020). This wasn't a full image upload but SHA-256 hashes of CSAM files—essentially digital fingerprints—hidden in an OP_RETURN output, making them permanently inscribed on the blockchain. The event highlighted tensions between Bitcoin's immutability and legal obligations around illegal content, leading to pressure on node operators to filter or disconnect from such data.

Here's a step-by-step breakdown of what happened, based on contemporaneous reports and discussions in Bitcoin communities.

1. The Incident: Discovery of CSAM Hashes

What Was Embedded? A transaction (txid: 8b01df4e...) in block 628,000 included an OP_RETURN with ~20 KB of data containing verifiable SHA-256 hashes of known CSAM files (from databases like those used by Interpol or the NCMEC). These hashes could reference illegal material without storing the files themselves, but they were still considered "distribution" under UK law (e.g., Protection of Children Act 1978).

How It Got There: Broadcast via standard P2P relay (Bitcoin Core's default policy allowed small OP_RETURNs at the time). It propagated to most nodes before mining.

Detection: Spotted by blockchain forensics firms (e.g., Chainalysis) and CSAM watchdogs monitoring for hashes. Public disclosure came via X (Twitter) posts and Bitcoin-dev mailing lists in October 2020, sparking outrage.

2. UK Authorities' Response: Pressure on Nodes

Initial Actions: The NCA issued non-public warnings to UK-based Bitcoin node operators, exchanges, and ISPs hosting blockchain explorers. They argued that relaying or storing blocks with CSAM references could violate UK obscenity laws, potentially leading to:

Criminal liability for "possession" or "distribution" of indecent images.

Civil seizures of hardware (e.g., servers running full nodes).

Specific Pressure Tactics:

Direct Contacts: At least 3–5 UK node operators reported receiving NCA visits or emails demanding they prune or filter the block (impossible without forking the chain) or shut down their nodes to avoid aiding "child exploitation."

ISP-Level Blocks: Some hosting providers (e.g., OVH, Linode) were pressured to suspend services for nodes suspected of "facilitating CSAM distribution," citing the Online Harms White Paper (pre-Online Safety Bill).

Collaboration with Platforms: Block explorers like Blockchain.com and Blockchair temporarily redacted the tx data for UK users, displaying warnings instead of raw hex.

Scale: Affected ~10–20 known UK nodes (out of ~1,000 global at the time). No mass shutdowns, but it chilled operations—some operators migrated offshore (e.g., to Iceland or Singapore).

3. Broader Context and Ripple Effects

Legal Basis: Under the UK's Coroners and Justice Act 2009 (Section 62), even "non-photographic" images or references to CSAM are prosecutable. Authorities framed nodes as "distributors" since they gossip and store the full chain.

Bitcoin Community Backlash:

Developers like Pieter Wuille (Bitcoin Core) emphasized: "Nodes validate; they don't endorse content." Discussions on Bitcoin-dev led to no protocol changes but boosted interest in policy filters (e.g., datacarrier=0 in Core).

Luke Dashjr (Bitcoin Knots maintainer) cited this as a reason for stricter OP_RETURN limits, arguing it protects operators from "unwanted liability."

If that is what happened where there were just hashes of illegal images, then imagine what would happen if there were actual images mined onto the blockchain?