Bitcoin Forum

This post (https://bitcointalk.org/index.php?topic=1935098.msg61777505#msg61777505) made me curious: how many private keys have been posted on Bitcointalk?
To find out, I searched all downloaded posts (https://bitcointalk.org/index.php?topic=5167469.0) (which took hours) for anything that could be a Bitcoin private key. That resulted in 9375 potential keys (not all of them are valid, and no, I won't post the list).
Yesterday, I imported the private keys into a new Bitcoin Core wallet (this took only a few minutes), and did a rescan. This took forever, but was mesmerizing to watch: the balance went up and down by many Bitcoins, and this kept going for hours! I left it to finish overnight.
This morning, Bitcoin Core was hanging. I killed it, restarted it, and it took forever to load the wallet (which had grown to 2.2 GB during the rescan). Eventually, it worked! It's up to date, and the total balance is 0 (as expected). Every few minutes, Bitcoin Core is unresponsive for a few minutes, most likely because of the large wallet combined with a lack of processing power. It's not very nice to work with, and consumes 1 full CPU core.

Scrolling through the transactions, it's obvious any incoming transaction instantly gets sweeped, usually at a high fee. I assume many people have systems monitoring all compromised private keys, and they're competing against each other to steal the funds before someone else does. Back in the days, it happened to large amounts of Bitcoins, but the more recent transactions are mostly small. Except for last month (January 24): this address (https://blockchair.com/bitcoin/address/1LxPSrR3t8mFLKKsb8W3PxBP77WDmxWPyK) received 0.84362383BTC, which was instantly sweeped. The private key was posted 2 months earlier:
Someone made a very expensive mistake funding it. I'm hoping pbies can tell me where the private key comes from.

TL;DR
Don't post your private keys! Don't post your seed phrases! Don't try to be smart by creating a brain wallet!

No spam
Self-moderated against spam. Discussion is of course allowed.

I think that the number is bigger, since some have posted them as images which you could not "scan".

Even more, in some cases I remember there was a scam spree of posting "by mistake" ETH private keys for wallets containing tokens and no ETH. Obviously, at funding a smart contract was sending the ETH away.
So it was not only mistakes.


Impressive! I've intended a similar test some years ago with Electrum (my set was much smaller and I don't even remember if I've done my test with keys or just addresses). But for some addresses the number of transactions was too big and the Electrum servers were cutting me off (I knew less back then). So I've abandoned the idea of watching those. However, I've noticed even back then that even if some addresses were known to be leaked and unsafe, some people still were playing with them long afterwards (by funding with small amounts). But I was not aware of huge mistakes like that 0.84BTC... wow...

My list is indeed not complete. I didn't search for Hex keys either, only WIF.

I didn't search for altcoin private keys.

That must be why the wallet grew to 2.2 GB. With just private keys, it was only a few MB.

I wonder if the forks get claimed at the same time too or if you checked any of them (similar to what neurotic said, an ethereum private key can look similar to a bitcoin one).


I think they scan in advance to see how big your wallet gets (somehow) or at least decide to load a certain number of addresses (via a tree) and decide if the tree is too big to process or not (whatever it is, it's kept those servers very fast).

Coming from a newbie account? It may be intentional, some greedy members will want to outsmart the poster but the smart will get hunted in the end, I don't go after people's private keys or recovery seeds when I see them online, I believe no one is stupid enough to post them online, they did it to lure greedy people.

Did you click the first 2 words of this topic?

I've made such mistake some years ago when I was really new to crypto. I wanted to send someone my wallet address and I mistakenly sent him my private keys and I was lucky I noticed it before the recipient got the message. I quickly had to transfer my funds to a different wallet and forfeited that very wallet.

It is advisable to always have a clear head when performing sensitive transactions to avoid making costly mistakes.

FYI, Bitcoin Core load whole wallet to RAM which may be reason of long loading time[1].


And with HEX, i expect you'll receive many false positive since 64 character HEX also mentioned as hash of a file, as block hash, as TXID or explaining SHA-256.


That doesn't make sense. Bitcoin don't have smart contract which can be used to perform scam through sharing recovery/mnemonic words.

[1] https://bitcointalk.org/index.php?topic=5400538.msg60252176#msg60252176 (https://bitcointalk.org/index.php?topic=5400538.msg60252176#msg60252176)

This is definitely the case. I remember a few years ago looking more closely at coins being sent to brain wallets being stolen - https://bitcointalk.org/index.php?topic=4768828.msg46603379#msg46603379. In short, within only one or two seconds of a transaction being made to a brain wallet, there are multiple competing transactions detected by different nodes attempting to sweep the coins to another address. And bear in mind that as soon as a node has seen one such non-RBFed transaction, it will reject all others, meaning that although we may only see 3 or 4 such transactions across the entire network, there are likely many more than that which are being rejected. Given that we know there are multiple bots running with huge databases of addresses from brain wallets, it is only logical to assume their databases also include all leaked private keys and seed phrases they can find as well.

Things will get quite interesting once full RBF becomes commonplace. Any such transaction stealing coins from a brain wallet or leaked private key could be replaced by another transaction, regardless of whether or not is opted in to RBF. We could end up seeing different bots broadcasting more and more replacements, each paying a higher and higher fee, trying to steal the coins for themselves. Since there is no incentive for any one such bot to surrender and let another bot win, then such transactions could just escalate until the entire value (or close to it) is paid in fees.

I once entered my private key in a Google search field (https://bitcointalk.org/index.php?topic=996318.msg50657403#msg50657403). It's such a common thing to do: "CTRL-V > Enter", and it's gone. The best way to prevent this is by making sure you can't make this mistake: never handle private keys on a system that's connected to the internet.

I was curious about that scenario too. That would mean that (eventually) only miners profit from funds sent to addresses with leaked private keys.

After a while it makes you wonder if it could actually work the other way. More and more people stop running the bots since it really does become pointless and they are slowly forgotten about.
Kind of like the way junk fax senders have been disappearing. Just no work / no profit and more and more people pursuing legal action against them. They just left the field.

Yes in theory this is 'free money' just by running a script. But the 1st time they go to consolidate all the dust they have since fees ate the rest do they just walk away.

-Dave

No, that can't happen. Just one bot is enough to take the money, and if nobody runs it, someone will. If it's profitable for one person, someone else will do the same. So even if some people stop their bots, others will join.
It's never going to change: once a private key is compromised, funds will disappear.

Not all transactions are dust.

considering that there is a lot and more and more talk about security, there are warnings everywhere, "keep safe your PK" or "not your key not your coins", now I'm interested in how effective such a campaign really is.
is it possible to see statistics or a graph of the number of posts with an exposed private key over a period of time? is the trend decreasing or are we talking about wallet security here in vain?

I agree with Loyce. If you are already running a device 24/7 anyway to host a node, then it costs you nothing to have a script running on that device watching a database of compromised addresses and waiting to sweep any funds which appear. And when we occasionally see transactions like the one Loyce mentioned of ~0.84 BTC, or the one in the post I linked to above of almost 1 BTC, that is more than enough incentive for several people to continually run bots. Each individual will be hoping that their database contains unique addresses, or even actively seeking out unique brain wallets or less common sources of compromised keys.

That's not going to be easy without manual checks. Many people post keys knowing they're compromised already, or they're partial private keys for (secure) vanity address generation. Many keys gets posted more than once (or quoted), and I don't really want to check 10k+ posts.

This is interesting. As regular user of crypto I would have never imagined that there is stuff like this. In fact this was new learning for me and made me think I should be extra cautious about my private keys. Anyways, I am guy who after creating an address would think thrice which key is to be shared to public and which one not even when they mention in BOLD which one is private key and public key. Idk, there might be many of such users out there doing the same thing to avoid what has happened / mentioned in the OP.


I am surprised to read this. What kind of systems are these? How are they able to monitor if a private key is leaked or not. Its confusing to understand and it should be known to everyone so that I won't be making the mistake of leaking my private key by accident.

For example, whether it is phishing sites, or a software downloaded from play store, or any browser extension? What kind of monitor? & how does it recognize the gibberish code as pvt key anyways?

It was a nice experiment, I know there were some public "private keys" on this forum but never think they were that big amount.

There is a way that you can make money with them, if they are old keys and moved coins in the past, then you can get clam coins with those keys. You can use the service on Just-Dice for that, or install the core and make the swap direct from there.

And another fun way to make money with that list is by selling it in one of those services that let you sell files or compressed folders for cryptos. For sure some users would be interested in buying that list.

I'm not sure. I guess it's some customized wallet software.

See for instance Collection of 18.509 found and used Brainwallets (https://bitcointalk.org/index.php?topic=4768828.0), but it could just as well be from hacks or leaks.

Clams aren't worth much anymore. And I'm pretty sure someone thought of claiming them already ;)

Good point. They're probably being sold already.

They will trawl forums like this one, Reddit, Twitter, etc., on the hunt for private keys which have been shared. Then they import those private keys in to their software, which generates the corresponding addresses and watches them for any incoming transactions.

Other sources of private keys they could import include hacked cloud storage, hacked password manager databases, hacked email accounts, brain wallets, and so on.

Simply search for any 51 character string beginning with "5", or 52 character string beginning with "K" or "L".

That's interesting, I thought Bitcoin Core would be more efficient and effortlessly check new transactions in both mempool and new blocks for the addresses in the wallet with some fast search structure.

Those servers run by hackers who snatch coins that are sent to known private keys must have databases of many millions of addresses, I wonder if they run custom code that is much faster than Core because of its more narrow purpose.

Almost certainly. They don't need a wallet in core, and indeed, they don't even need a full node. A pruned node would suffice. They don't care about blocks or historical transactions at all - by the time a transaction is in a block it is already too late for them to steal. All they really care about is a way of maintaining a well connected mempool in order to quickly receive any newly broadcast transactions. For each incoming transaction, they will presumably have something like a huge lookup table database combined with one or more bloom filters so they can as quickly as possible determine if they have the private key for each address.

I hadn't realized this until you posted it. It makes sense, and they don't even need the mempool anymore, all they need to check is every new transaction the moment it first arrives. So that's at most 7-ish transactions per second, or better: every xxx milliseconds a new transaction arrives, and they check them instantly (one at a time).
Kinda like BitBonkers, but with sweeping instead of visualizing.

Someone who introduced me to this forum explained to me back then how he lost everything just by not being careful enough and posting a private key on the proof of authentication instead of a public address and also making the same mistake on the bounty form. 
Mistakes happens that's when one is not careful enough and sometimes they are also voluntery action where the posted wants peoples attention to the wallet, in some cases they fund the wallet with huge either ERC-20 tokens which will require anyone who want to move the send in some gas fee which will immediately be moved by the original wallet owner. In some cases, they are addresses, which make use of more than just a phrase to authorize outgoing transactions. I don't know how they do that, though.
I believe in the case of this nature, it's a mistakenly posted wallet, which has many eyes on it, and because of the constant transactions, lots of bots might have been installed to move out all confirmed transactions immediately. 

Yesterday, 1BoatSLRHtKNngkdXEeobR76b53LETtpyT (https://blockchair.com/bitcoin/address/1BoatSLRHtKNngkdXEeobR76b53LETtpyT) received 0.02429915BTC, which was instantly swept with a 0.001BTC fee.

I tried something new: I pruned Bitcoin Core to 20 GB, then imported the list of private keys, and did a rescan on the past few months. This shows only the recent transactions, and as a result the wallet is 11 MB instead of 2 GB. Bitcoin Core now works as expected without getting too slow to use.

Right when I wanted to post this, a "fatal error occurred" and Bitcoin Core crashed. The debug.log doesn't make sense:
After reloading, it works again. I've never seen this before.

Maybe the same guy who sent the coins to the exposed private key address, he himself swept the coins again. Maybe he's doing that for fun to create drama. Because the coins are swept instantly. Not even a minute after the receiving the coins

Unlikely.
It's much more likely someone did something dumb, and many bots tried to sweep the coins at the same time. One of them was fastest and got the money.

What happens if you send some coins and turn off RBF, only the first thief could get them right?

If you send funds to a compromised address, RBF doesn't matter. The thief uses CPFP and will turn off RBF (in his transaction) to prevent another thief from outbidding him.

have you tried collecting all 'email addresses' posted on bitcointalk including the ones in spreadsheets? some of them include emails

it is legal as posted on public and good for cold emails

I'm not in the business of spamming people.

Actually.. that is a good reminder and insight. I will make sure we never spam crypto audience.

On April 16, someone sent 0.09BTC (https://blockchair.com/bitcoin/address/1BgGZ9tcN4rm9KBzDn7KprQz87SZ26SAMH) to an address with publicly known private key. It disappeared (https://blockchair.com/bitcoin/transaction/405fc5b464d53e5b9523aa7f9767fbac7256e569a5ac619991acabda6aae20e0) instantly with a $12 fee. Someone earned stole $2700 from this.

Yeah, a lot of other things happened that day, for example the same certain someone (Satoshi) sent around 900 bitcoins to puzzle addresses to increase the prize of solving them, and you know how he is, he likes to tip people with Gs, $. 😉

Link?

I thought you already know about the puzzles? https://bitcointalk.org/index.php?topic=5218972.msg62098742#msg62098742

I knew the puzzles, but didn't catch the upgrade. For who also missed it: this transaction (https://blockchair.com/bitcoin/transaction/12f34b58b04dfb0233ce889f674781c0e0c7ba95482cca469125af41a78d13b3) sent about $25 million to these addresses (https://bitcointalk.org/index.php?topic=5218972.msg53649852#msg53649852). That makes it worth it to allocate much more processing power to cracking the puzzles.
Crazy :D

Well, It's not about more power, of course anyone could use hundreds of high end GPUs to solve for example #125, the point is to find a way to solve it with the help of mind not silicon. Now that you said it, $25M is too much yet very little to spend for safety analyzing.

I wish I knew how to automate and sort data processing like you, lol I have millions of public keys I just look for collisions with my eyes.🤣

It looks like this is becoming a reality: