Bitcoin Forum

A friend asked me to share this Bitcoin bounty that was published only a few minutes ago

https://btcleak.com/2020/06/14/steal-our-bitcoin-a-small-segwit-bounty/

It's about hacking 10 addresses for a total of 0.001 BTC. A number of clues are given by the creator. I'll give it a try myself. You too? Good luck!

If it's true the addresses are simple P2WPKH and they are simple brainwallets, all you gotta do is use Brainflayer that's been upgraded to work with segwit

Firstly, the assignments posted by the OP was not about telling the Pay to Witness Public Key Hash of the wallet but empty all the coins in the 7 wallets and from the look of things 5 of the wallet address are exchange wallet which i don't think it possible/easy for you to empty it as claimed by the OP.

Wait a minute.... all 10 addressers were robbed within ONE minute by someone (a bot obviously) paying insane tx fees....


That was the end of that, I guess.

there are always bots on bitcoin network watching the known keys such as the ones from weak brainwallets that these newbies in that link you posted were using. it is obvious that it will be claimed quite fast (a couple of seconds after the transaction was published to the network).

It is possible that a bot can double spend any transaction if it manage to find the private key within a few seconds from the time that transaction shows up in the mempool ? (there's some addresses in the 32 Bitcoin Puzzle that if we know the pub key for those addresses we can find the private key in less than 30 seconds)

The link in the OP has been updated with details. Wow! Funny that they mention Brainflayer as the recommended vector, which requires offline analysis. Much slower than online bots that constantly scan the mempool. Would be interesting to see a next round with more difficult passwords that aren't found in any list from for example hashes.org, but not superhard for tools like hashcat. Like "MyPrivateWallet2020". Will the bots steal those too in seconds? If they can, it means they must have tables of billions of hashes and are able to search them superfast. What do we know about these brainwallet bots, have any codes been publishes? Thanks.

Turns out all 10 public addresses were P2WPKH. 5 P2WPKH-P2SH ("3") and 5 native P2WPKH/Bech32 ("bc1").

dsa90, have you modified Brainflayer to work with segwit addresses, or was it a wish? If you have the code, please make it public!

Round 2:

https://btcleak.com/2020/06/16/steal-our-bitcoin-again/

the amount they have put in those addresses is too tiny that it is not even worth the time trying to create the transaction claiming them let alone writing some code that searches for the hashes and finds the correct key. for 10k satoshi or 90 cents i won't even open my Visual Studio...
and again this has nothing to do with SegWit!

Hahaha, yeah, when I try to look at the rewards, it seems that they have reduce it dramatically that's why those bots didn't even bother to make any effort or at least the people behind. Perhaps the OP was amaze on how the first bounty was sweep in literally in seconds. Not worth a try, as @pooya87 have said.

This frames it. 10k satoshi isn't worth it. Which is part of the question, I guess. Are the bots worth it? They are clearly advanced and quick. Must have taken some time and effort to code, precalculate store and query billions of hashes, and require server and electricity costs to keep going. The "most successful" bot paid 85% in transaction fees, so those 90 cents became 13.5 cents...

if it is for making profit then no it is not worth it. it might have been many years ago when these obvious weaknesses (such as key=SHA256(password)) weren't publicly known and a silly idea like brainwallet was hyped up. and it is not just about the fee, it is about the fact that people don't make mistakes like that anymore. not to mention that it is unethical since you would be stealing other people's money!
but it could be as a white hat thing like what Johoe did back in the days with blockchain.info mess-up.