Greedy bots have initiated a Replace-by-Fee (RBF) transaction war over Bitcoin sent to a compromised wallet. The war began when the bots detected funds deposited into the wallet and attempted to drain it. The compromised wallet's private key was identified as a transaction identifier (txid), specifically the coinbase txid of block 924,982.
Bots Exploit Exposed Private Key
On-chain data reveals that Bitcoin bots successfully drained funds from the compromised wallet within minutes. The SegWit wallet initially received 0.00020305 BTC through two separate transactions. However, it ultimately ended up with a zero balance, leaving no unspent outputs. Every incoming Bitcoin transfer was rapidly spent by the bots.
The first transaction deposited 0.00018209 BTC into the address. Almost concurrently, these funds were withdrawn in a separate transaction, utilizing a fee rate of 12.8 sat/vB. This rapid spending pattern strongly indicates an automated sweep operation.
A second deposit added 0.00002096 BTC to the wallet. These funds were also withdrawn almost immediately. The bot involved paid a fee of 4.80 sat/vB before sending 0.00001572 BTC to an external address.
Bots actively monitor Bitcoin's mempool, which serves as a waiting area for unconfirmed transactions, for any deposits sent to wallets derived from weak or publicly known private keys. Once funds appear in such a wallet, the bots, already possessing the private key, can instantly sign withdrawal transactions.
These bots then immediately initiate replace-by-fee (RBF) transactions. They compete with each other by progressively increasing the fees offered to miners, each trying to get its own withdrawal transaction confirmed first.
Replace-by-fee (RBF) is a node policy that allows an unconfirmed transaction to be substituted with a new one that offers a higher fee to miners. This incentivizes miners to prioritize the newer, higher-fee transaction.
Analysis of on-chain fee data shows noticeable spikes in satoshi-per-virtual-byte (sat/vB) rates during these events. These increases are a direct indication of transactions being replaced by versions with higher fees.
Ultimately, only one transaction confirms, while all competing versions are either dropped or superseded.
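The replacement pattern described above can be recognised in mempool observations by grouping unconfirmed spends by the output they consume. The Python below is an added example, not code from the article or from any bot: the `Spend` record, the `find_fee_wars` function, the sample events and the simplified replacement rule (higher fee and higher fee rate than the spend being displaced) are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Spend:
    txid: str        # constructed placeholder, not a real txid
    outpoint: str    # "prev_txid:vout" of the deposit being spent
    input_sats: int  # value of that deposit
    fee_sats: int
    vsize: int       # virtual size in vbytes
    seen: float      # seconds after the deposit was first observed

    @property
    def feerate(self) -> float:
        return self.fee_sats / self.vsize  # sat/vB

def find_fee_wars(spends, min_replacements=2):
    """Return one report per outpoint whose spend was replaced repeatedly."""
    by_outpoint = defaultdict(list)
    for s in spends:
        by_outpoint[s.outpoint].append(s)
    reports = []
    for outpoint, group in by_outpoint.items():
        group.sort(key=lambda s: s.seen)
        chain = [group[0]]
        for s in group[1:]:
            # Simplified replacement rule: a conflicting spend only displaces
            # the current one if it pays a higher fee and a higher fee rate.
            if s.fee_sats > chain[-1].fee_sats and s.feerate > chain[-1].feerate:
                chain.append(s)
        if len(chain) - 1 >= min_replacements:
            reports.append({
                "outpoint": outpoint,
                "replacements": len(chain) - 1,
                "leading_txid": chain[-1].txid,
                "feerates": [round(s.feerate, 1) for s in chain],
                "fee_share": chain[-1].fee_sats / chain[-1].input_sats,
            })
    return reports

# Constructed mempool observations (amounts in satoshis).
SAMPLE = [
    Spend("A1", "dep1:0", 18209, 1408, 110, 0.0),
    Spend("A2", "dep1:0", 18209, 5000, 110, 0.4),
    Spend("A3", "dep1:0", 18209, 4000, 110, 0.6),   # underbids A2, ignored
    Spend("A4", "dep1:0", 18209, 12000, 110, 0.9),
    Spend("A5", "dep1:0", 18209, 18000, 110, 1.5),
    Spend("B1", "dep2:1", 2096, 524, 109, 0.0),     # single spend, no war
]
```

On the constructed sample, the report for `dep1:0` shows three replacements within 1.5 seconds and a final fee that consumes almost the whole deposit, while the single spend of `dep2:1` is not reported.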

Observing these greedy bots engaging in increasingly aggressive RBF transactions can be a somewhat entertaining spectacle.
Brevsolution commented on X, stating, "Sometimes I send small transactions to compromised wallets, just to see the beauty in this automated RBFs."
However, some individuals send larger amounts to compromised wallets, and the motivations behind these actions remain unclear. Ottosch questioned on X, "I’d really like to know why that happens." Such transactions could potentially be the result of sender error.
In November, a significant amount of $70,000 was inadvertently sent to a wallet associated with a predictable private key. Brevolution explained that bots react with extreme speed, employing RBF to reduce transactions to a single satoshi. This process often results in the bots incurring fees that are equivalent to almost 100% of the deposited Bitcoin amount.
Bitcoin Private Keys Can Be Compromised
Weak private keys and seed phrases are vulnerable to hacking, similar to how easily guessable passwords can be exploited. The secure storage of private keys is paramount for protecting Bitcoin holdings. Exposure of a private key or any related data frequently leads to swift theft by malicious actors.
Deriving a private key from a transaction ID (txid) does not provide sufficient entropy to secure it, because the txid is public data. Bitcoin private keys are fundamentally numerical values. It is technically possible to derive a public address and its corresponding private keys from block hashes and transaction IDs (txids).
Any txid or block hash is a valid 256-bit number and can, in principle, be used as a private key. Bots exploit this vulnerability by pre-computing addresses derived from known public data. They then continuously monitor these addresses, ready to drain any incoming funds instantly.

