Greedy bots have launched an RBF transaction war over Bitcoin sent to a compromised wallet, according to a post from X.
The bots tried to empty the wallet after it detected the deposited funds. The compromised wallet’s private key is a transaction identifier (txid). Specifically, it’s the coinbase txid of block 924,982.
Bots exploit exposed private key
On-chain data shows that Bitcoin bots drained funds from the compromised wallet within minutes.
The SegWit wallet received 0.00020305 BTC through two transactions. However, it ended up with a zero balance and no unspent outputs left. Every incoming BTC transfer was quickly spent by bots.
The first transaction sent 0.00018209 BTC to the address. At the same timestamp, the funds were spent out in a separate transaction with a fee rate of 12.8 sat/vB. The spending speed indicates an automated sweep.
The second deposit added 0.00002096 BTC. The funds were again removed almost immediately. The bot paid 4.80 sat/vB then sent 0.00001572 BTC to an external address.
Bots continuously monitor Bitcoin’s mempool for deposits sent to wallets derived from weak or publicly known private keys. A bitcoin mempool is a waiting area for unconfirmed transactions.
Once funds appear, the bots already control the private key and can instantly sign withdrawal transactions.
Bots instantly send replace-by-fee (RBF) transactions to compete by raising fees for miners to approve a withdrawal.
An RBF or replace by fee, is a node policy that allows bots to replace an unconfirmed transaction with a new transaction that pays a higher fee to miners.
On-chain fee data shows sudden jumps in satoshi-per-byte (sat/vB) rates. This indicates transactions being replaced with higher-fee versions.
Only one transaction ultimately confirms, while competing versions are dropped or replaced.
The balance history of the compromised BTC wallet. Source:
mempool.space.
Watching greedy bots send more aggressive RBF transactions can be somewhat entertaining.
“Sometimes I send small transactions to compromised wallets, just to see the beauty in this automated RBFs,” said Brevsolution on X.
But some people send larger amounts to compromised wallets, and the reason is unclear. “I’d really like to know why that happens,” said Ottosch on X. Such transactions could be a mistake from the sender’s side.
In November, $70,000 was carelessly sent to a wallet linked to a predictable private key. Brevsolution explained that bots react instantly and use RBF to reduce transactions down to one satoshi. This causes the bots to pay almost 100% of the deposited BTC in fees.
Bitcoin private keys could be compromised
Weak private keys and seed phrases could be hacked. They are predictable like easy passwords.
Storing the private key securely is essential to protect BTC. Exposing it or any other related data often leads to quick theft by hackers.
Using a txid to hash a private key does not provide enough entropy to secure the private keys.
Bitcoin private keys are just numbers. It is possible to derive a public address and private keys from block hashes and transaction IDs (txids).
Any txid or block hash is a valid 256-bit number and can technically be used as a private key.
Bots exploit this by precomputing addresses from known public data. Then they watch those addresses forever and drain them instantly.
If you're reading this, you’re already ahead. Stay there with our newsletter.
