Bitcoin puzzle transaction ~32 BTC prize to who solves it

[Wanderingaran]

@kTimesG Having a valid signature may satisfy the Bitcoin protocol, but off-chain it’s still treated as theft.

It's not theft if it never belonged to the one who claimed it theft.

I'd start there. By this logic, all the guys who solved puzzles so far are thieves.

By the same logic, if I add funds to private key 42, and I call it my assets, then I should sue whoever transfers the funds in the very next block. Correct?

Geez.

The creator of a "Bitcoin puzzle" (where funds are locked behind a private key that must be brute-forced) is intentionally creating a scenario where theft is incentivized. Even if they frame it as a game or challenge, the legal reality is:

They knowingly put funds in a position where unauthorized access is the only way to claim them.

They are effectively encouraging hacking/unauthorized access, which is illegal in most jurisdictions (e.g., under computer fraud, unauthorized access, or theft laws).


If the puzzle creator never relinquished ownership (e.g., by clearly stating "this is not yours until you solve X"), then solving the puzzle does not grant legal ownership, it’s still theft.

If they implied abandonment (e.g., "Whoever finds this can have it"), then it might be a gray area, but most legal systems don’t recognize brute-forcing as a legitimate claim method.

The puzzle creator could be legally liable because:

They structured a scheme that requires illegal actions (unauthorized access) to claim funds.

They knowingly set up a system that violates computer crime laws (e.g., CFAA in the U.S., similar laws in the EU/UK).

They may be seen as an accomplice to theft by deliberately creating conditions where theft is the only way to obtain the funds.


The puzzle creator is not innocent, they designed a system that requires illegal actions to claim funds. While they might argue it’s a "game," the law doesn’t generally recognize brute-forcing private keys as a legitimate way to transfer ownership.

[Benjade]

@kTimesG Having a valid signature may satisfy the Bitcoin protocol, but off-chain it’s still treated as theft.

It's not theft if it never belonged to the one who claimed it theft.

I'd start there. By this logic, all the guys who solved puzzles so far are thieves.

By the same logic, if I add funds to private key 42, and I call it my assets, then I should sue whoever transfers the funds in the very next block. Correct?

Geez.

The creator of a "Bitcoin puzzle" (where funds are locked behind a private key that must be brute-forced) is intentionally creating a scenario where theft is incentivized. Even if they frame it as a game or challenge, the legal reality is:

They knowingly put funds in a position where unauthorized access is the only way to claim them.

They are effectively encouraging hacking/unauthorized access, which is illegal in most jurisdictions (e.g., under computer fraud, unauthorized access, or theft laws).


If the puzzle creator never relinquished ownership (e.g., by clearly stating "this is not yours until you solve X"), then solving the puzzle does not grant legal ownership, it’s still theft.

If they implied abandonment (e.g., "Whoever finds this can have it"), then it might be a gray area, but most legal systems don’t recognize brute-forcing as a legitimate claim method.

The puzzle creator could be legally liable because:

They structured a scheme that requires illegal actions (unauthorized access) to claim funds.

They knowingly set up a system that violates computer crime laws (e.g., CFAA in the U.S., similar laws in the EU/UK).

They may be seen as an accomplice to theft by deliberately creating conditions where theft is the only way to obtain the funds.


The puzzle creator is not innocent, they designed a system that requires illegal actions to claim funds. While they might argue it’s a "game," the law doesn’t generally recognize brute-forcing private keys as a legitimate way to transfer ownership.

It's not correct and you are mixing up “unauthorized access” with a public bounty.

The puzzle creator openly puts the coins in addresses meant to be cracked and even thanks the community for building new cracking tools. That is an implied green light: the only way to claim the prize is to derive the key, and the owner clearly intends that to happen. No computer system is being broken into and the funds are not protected by anything but the puzzle itself, so there is no “unauthorized access” under computer-crime laws. It is a public bounty, not theft.  https://bitcointalk.org/index.php?topic=1306983.msg18765941#msg18765941

[Wanderingaran]

@kTimesG Having a valid signature may satisfy the Bitcoin protocol, but off-chain it’s still treated as theft.

It's not theft if it never belonged to the one who claimed it theft.

I'd start there. By this logic, all the guys who solved puzzles so far are thieves.

By the same logic, if I add funds to private key 42, and I call it my assets, then I should sue whoever transfers the funds in the very next block. Correct?

Geez.

The creator of a "Bitcoin puzzle" (where funds are locked behind a private key that must be brute-forced) is intentionally creating a scenario where theft is incentivized. Even if they frame it as a game or challenge, the legal reality is:

They knowingly put funds in a position where unauthorized access is the only way to claim them.

They are effectively encouraging hacking/unauthorized access, which is illegal in most jurisdictions (e.g., under computer fraud, unauthorized access, or theft laws).


If the puzzle creator never relinquished ownership (e.g., by clearly stating "this is not yours until you solve X"), then solving the puzzle does not grant legal ownership, it’s still theft.

If they implied abandonment (e.g., "Whoever finds this can have it"), then it might be a gray area, but most legal systems don’t recognize brute-forcing as a legitimate claim method.

The puzzle creator could be legally liable because:

They structured a scheme that requires illegal actions (unauthorized access) to claim funds.

They knowingly set up a system that violates computer crime laws (e.g., CFAA in the U.S., similar laws in the EU/UK).

They may be seen as an accomplice to theft by deliberately creating conditions where theft is the only way to obtain the funds.


The puzzle creator is not innocent, they designed a system that requires illegal actions to claim funds. While they might argue it’s a "game," the law doesn’t generally recognize brute-forcing private keys as a legitimate way to transfer ownership.

It's not correct and you are mixing up “unauthorized access” with a public bounty.

The puzzle creator openly puts the coins in addresses meant to be cracked and even thanks the community for building new cracking tools. That is an implied green light: the only way to claim the prize is to derive the key, and the owner clearly intends that to happen. No computer system is being broken into and the funds are not protected by anything but the puzzle itself, so there is no “unauthorized access” under computer-crime laws. It is a public bounty, not theft.  https://bitcointalk.org/index.php?topic=1306983.msg18765941#msg18765941

While the puzzle creator may intend for the funds to be claimed by cracking the key, that doesn’t automatically make it legal. Most jurisdictions don’t recognize brute-forcing as a valid way to transfer ownership. It’s still technically unauthorized access under computer crime laws. The creator’s forum posts might show intent, but unless they structured this as a binding contract or explicit waiver, the law could still view solvers as committing theft. In practice, nobody gets prosecuted because  is pseudonymous and the creator isn’t complaining, but that doesn’t make it legally safe.

[kTimesG]

You’re mixing up “can’t be proved” with “I don’t know how to prove it.”  

Every Bitcoin Core node stores when it first saw a tx (getrawmempool true). Mempool.observer, forkmonitor.info, etc. archive those feeds. If my tx hit the network at 17:12:03 and yours appears at 17:12:27, the gap is public and cryptographically tied to the txid.

Deterministic ECDSA RFC 6979 forces each signer to use a different nonce r. Two people who really derived the key produce two distinct signatures; a copy-paste front-runner re-broadcasts the identical sig. Comparing scriptSig bytes is enough to show who computed and who plagiarised.

I can sign an arbitrary message (“Block 850 000, puzzle X, I own this key”) and timestamp that hash with OpenTimestamps or even into the blockchain days before broadcasting the spend. When the puzzle falls, I reveal the signature; the hash already on-chain nails the timeline.

Courts deal with timestamped digital evidence every day e-mails, server logs, CCTV metadata so spare us the “no court on the planet” flourish. In practice the front-runner’s best hope is anonymity, not legal theory, because the maths makes the order of discovery trivially auditable.

Since you're acting in bad faith, I certainly wouldn't want to be your friend IRL, you might steal things from me...  

Timestamps of a transaction is not included in the transaction, so the gaps you mention and any logs of any public archives are the time when the TX was seen by that node.

So it's basically not a proof at all. What you call a replacement TX might as well be the first TX that some archival node sees.

And I have no idea what you are talking about regarding the identical signatures. The nonce is random, or it's created deterministically based on the TX data, so unless I'm sending out stuff to the SAME address (and same value), it's gonna be a different nonce -> different signature. Actually, I think it would need to be the exact byte-by-byte TX, in order for signatures to be identical.

There is no way to actually prove that my TX was not actually created and transmitted before your TX.

The timestamp of a TX is, eventually, the timestamp of the mined block. Any other timestamps are not legal proof of anything, as there's no way to validate the TX broadcasting timestamp.

It's also very funny how you would think that sending some signed message days before the actual TX would serve any legal purpose at all, because, unless you're signing it with the key you're about to spend, it can be basically sent out by anyone. So it's futile as it doesn't proof anything. And if you do sign it correctly, you already know what would happen, since signing it exposes the public key.

I feel like we're going in circles with what "not your key, not your funds" means in the context of a public blockchain.

[Cricktor]

I don't know what some don't understand with this puzzle and how someone can argue that a solver of a particular puzzle is a thief.

The puzzle creator has deliberately setup the puzzles to have the "community" try to claim them. Benjade points this out. It doesn't matter what motivation the creator had. The puzzle creator knew that a big chunk of the puzzles will be solved and withdrawn by solvers. He or she obviously donated the coins for this, let's call it technological study.

Even after a lot of the puzzles were solved already, they were topped up considerably to make it a worthy challenge to push solving tech to the limits. Whoever donated the coins for the puzzles, knew what they were doing.


If someone is stupid enough to use very weak and/or publicly known private keys or utterly bad brainwallets based on publicly known secrets data then I'd argue those sort of deserve to loose their coins to bots or whomever, simply due to ignorance and vast stupidity (I recognize that stupidity doesn't justify all evil actions, but hey, you get my point I guess). And yes, such bots exist, are armed and ready to almost instantly replace transactions that show up in public mempools. That's a known fact.

My standpoint is that getting to know a private key to valid UTXOs doesn't make you the legit owner of those UTXOs, but technically you can spend them and probably quite many would do this. I don't want to try to put these and those into some camps, it's a bit pointless. Make it up with yourself in which camp you sit. But this doesn't apply to coins that are deliberately laid out to be claimed like in the context of the Bitcoin puzzle transactions and coins.

Since the inception of low entropy puzzle stealing bots a solver of a low bit-range puzzle is challenged with a new problem for which MARA pool's Slipstream service has proven to be a working solution. Puzzle solver for 67 and 68 was smart enough and has proven this so far that Slipstream didn't scam but calmly confirmed the withdrawal transaction. Good and a must to know.

Puzzle solver for 69 failed to gain this crucial knowledge and it looked very much like they lost their prize to some bots. I would call this bad preperation and ignorance of quick state-of-the-art solution technology.

I forgot from which bit count on it's simply unlikely a bot could find a solution once a public key is exposed in public mempool, even when the next block to mine may take more than an hour to be found. Blocks are found roughly on average over 2016 blocks every 10minutes. You can't predict when the next valid block is published.

Future puzzle solver of 135 doesn't need to care about Slipstream service. Future puzzle solver of 71+ should very much use Slipstream or there will be a lot of tears.

[Benjade]

@kTimesG Having a valid signature may satisfy the Bitcoin protocol, but off-chain it’s still treated as theft.

It's not theft if it never belonged to the one who claimed it theft.

I'd start there. By this logic, all the guys who solved puzzles so far are thieves.

By the same logic, if I add funds to private key 42, and I call it my assets, then I should sue whoever transfers the funds in the very next block. Correct?

Geez.

The creator of a "Bitcoin puzzle" (where funds are locked behind a private key that must be brute-forced) is intentionally creating a scenario where theft is incentivized. Even if they frame it as a game or challenge, the legal reality is:

They knowingly put funds in a position where unauthorized access is the only way to claim them.

They are effectively encouraging hacking/unauthorized access, which is illegal in most jurisdictions (e.g., under computer fraud, unauthorized access, or theft laws).


If the puzzle creator never relinquished ownership (e.g., by clearly stating "this is not yours until you solve X"), then solving the puzzle does not grant legal ownership, it’s still theft.

If they implied abandonment (e.g., "Whoever finds this can have it"), then it might be a gray area, but most legal systems don’t recognize brute-forcing as a legitimate claim method.

The puzzle creator could be legally liable because:

They structured a scheme that requires illegal actions (unauthorized access) to claim funds.

They knowingly set up a system that violates computer crime laws (e.g., CFAA in the U.S., similar laws in the EU/UK).

They may be seen as an accomplice to theft by deliberately creating conditions where theft is the only way to obtain the funds.


The puzzle creator is not innocent, they designed a system that requires illegal actions to claim funds. While they might argue it’s a "game," the law doesn’t generally recognize brute-forcing private keys as a legitimate way to transfer ownership.

It's not correct and you are mixing up “unauthorized access” with a public bounty.

The puzzle creator openly puts the coins in addresses meant to be cracked and even thanks the community for building new cracking tools. That is an implied green light: the only way to claim the prize is to derive the key, and the owner clearly intends that to happen. No computer system is being broken into and the funds are not protected by anything but the puzzle itself, so there is no “unauthorized access” under computer-crime laws. It is a public bounty, not theft.  https://bitcointalk.org/index.php?topic=1306983.msg18765941#msg18765941

While the puzzle creator may intend for the funds to be claimed by cracking the key, that doesn’t automatically make it legal. Most jurisdictions don’t recognize brute-forcing as a valid way to transfer ownership. It’s still technically unauthorized access under computer crime laws. The creator’s forum posts might show intent, but unless they structured this as a binding contract or explicit waiver, the law could still view solvers as committing theft. In practice, nobody gets prosecuted because  is pseudonymous and the creator isn’t complaining, but that doesn’t make it legally safe.

“Unauthorized access” only occurs when you defeat a safeguard without the owner’s permission.
The puzzle creator has already said “first to crack the key keeps the coins,” which is explicit consent, exactly like a bug-bounty program inviting you to hack their test server. Contract law treats that as a unilateral offer: perform the task, keep the reward. Once consent is public, brute-forcing the key is neither theft nor computer misuse, because the owner has waived exclusivity and the only “system” you touch is the open blockchain.

Here:
Computer Fraud and Abuse Act — 18 U.S.C. § 1030(a): every CFAA offense hinges on accessing a computer “without authorization” or “exceeding authorized access.” If the owner invites you to try, that element is missing. https://www.law.cornell.edu/uscode/text/18/1030

And there:
DOJ charging policy for the CFAA (19 May 2022): prosecutors are told not to bring charges for “good-faith security research” when the owner has authorized the activity. https://www.justice.gov/archives/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act

[Akito S. M. Hosana]

While the puzzle creator may intend for the funds to be claimed by cracking the key, that doesn’t automatically make it legal. Most jurisdictions don’t recognize brute-forcing as a valid way to transfer ownership. It’s still technically unauthorized access under computer crime laws. The creator’s forum posts might show intent, but unless they structured this as a binding contract or explicit waiver, the law could still view solvers as committing theft. In practice, nobody gets prosecuted because  is pseudonymous and the creator isn’t complaining, but that doesn’t make it legally safe.

Okay, I admit it, I'm a criminal in the making. I have to admit, I'm not very good at this. 

[nomachine]

I have to admit, I'm not very good at this. 

You can always try fishing.It’s one of the best ways to calm your mind and heal your nerves. The discipline, patience, and connection to nature that fishing teaches can steer people away from crime, drug use, and self-destructive cycles. Of course, always fish responsibly. Check local regulations and get a license if needed. But once you do, you might just find that fishing does more than put food on the table; it brings peace to your soul. 

[analyticnomad]

So can I steal this magic internet money or not?

[onepuzzle]

Guys, even if we do end up solving the puzzle, we’re going to fall into deep depression. Or some of you already have—especially those who’ve been in it from the beginning. With that kind of money, you could afford a good therapist. The real question is: will we ever be able to feel happiness again?

@satoshi_rising you may have made 0.001% of the people richer — and the rest depressed. Thanks for that.

Now time to rent 24,000 GPUs to solve 71.

[Wanderingaran]

So can I steal this magic internet money or not?

If you live in Mongolia, it's probably safe. 

[betterthanSNnBTC]

Solved.

[mcdouglasx]

I don't know what some don't understand with this puzzle and how someone can argue that a solver of a particular puzzle is a thief.

The puzzle creator has deliberately setup the puzzles to have the "community" try to claim them. Benjade points this out. It doesn't matter what motivation the creator had. The puzzle creator knew that a big chunk of the puzzles will be solved and withdrawn by solvers. He or she obviously donated the coins for this, let's call it technological study.

Even after a lot of the puzzles were solved already, they were topped up considerably to make it a worthy challenge to push solving tech to the limits. Whoever donated the coins for the puzzles, knew what they were doing.


If someone is stupid enough to use very weak and/or publicly known private keys or utterly bad brainwallets based on publicly known secrets data then I'd argue those sort of deserve to loose their coins to bots or whomever, simply due to ignorance and vast stupidity (I recognize that stupidity doesn't justify all evil actions, but hey, you get my point I guess). And yes, such bots exist, are armed and ready to almost instantly replace transactions that show up in public mempools. That's a known fact.

My standpoint is that getting to know a private key to valid UTXOs doesn't make you the legit owner of those UTXOs, but technically you can spend them and probably quite many would do this. I don't want to try to put these and those into some camps, it's a bit pointless. Make it up with yourself in which camp you sit. But this doesn't apply to coins that are deliberately laid out to be claimed like in the context of the Bitcoin puzzle transactions and coins.

Since the inception of low entropy puzzle stealing bots a solver of a low bit-range puzzle is challenged with a new problem for which MARA pool's Slipstream service has proven to be a working solution. Puzzle solver for 67 and 68 was smart enough and has proven this so far that Slipstream didn't scam but calmly confirmed the withdrawal transaction. Good and a must to know.

Puzzle solver for 69 failed to gain this crucial knowledge and it looked very much like they lost their prize to some bots. I would call this bad preperation and ignorance of quick state-of-the-art solution technology.

I forgot from which bit count on it's simply unlikely a bot could find a solution once a public key is exposed in public mempool, even when the next block to mine may take more than an hour to be found. Blocks are found roughly on average over 2016 blocks every 10minutes. You can't predict when the next valid block is published.

Future puzzle solver of 135 doesn't need to care about Slipstream service. Future puzzle solver of 71+ should very much use Slipstream or there will be a lot of tears.

This topic is full of ambiguities. On the one hand, you say that anyone stupid enough to use low-entropy keys deserves to be robbed by bots, but two paragraphs later, you say "Slipstream didn't scam." But does Splitstream really have any responsibility in this case? Since this is an insecure key, does Splitstream really have a responsibility to protect you? If Splitstream doesn't do so, would it legally be a scam?

I think the use of a bot is unethical and synonymous with stealing, although this doesn't mean these are cases with too much judicial ambiguity.
Likewise, if someone on Splitstream decides to replace the TX of puzzle 71, the user will surely call them scammers. But Splitstream makes it clear in its rules that it is not responsible for the security of the private key, so Mara would surely win this fight. It wouldn't be ethical or well-regarded, but that's how the law works, and by using the service you accept its terms.

[Wanderingaran]

“Unauthorized access” only occurs when you defeat a safeguard without the owner’s permission.
The puzzle creator has already said “first to crack the key keeps the coins,” which is explicit consent, exactly like a bug-bounty program inviting you to hack their test server. Contract law treats that as a unilateral offer: perform the task, keep the reward. Once consent is public, brute-forcing the key is neither theft nor computer misuse, because the owner has waived exclusivity and the only “system” you touch is the open blockchain.

Here:
Computer Fraud and Abuse Act — 18 U.S.C. § 1030(a): every CFAA offense hinges on accessing a computer “without authorization” or “exceeding authorized access.” If the owner invites you to try, that element is missing. https://www.law.cornell.edu/uscode/text/18/1030

And there:
DOJ charging policy for the CFAA (19 May 2022): prosecutors are told not to bring charges for “good-faith security research” when the owner has authorized the activity. https://www.justice.gov/archives/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act

The puzzle creator’s public statement might imply consent, but unless it’s a legally binding contract (with clear terms, jurisdiction, and revocation mechanisms), authorities could still argue the method of access (e.g., brute-forcing) violates computer crime statutes. Courts often interpret “authorization” narrowly, e.g., Van Buren v. United States (2021) highlighted ambiguities in what exceeds "authorized access."

While the DOJ’s 2022 policy discourages charges for "good-faith security research," brute-forcing a private key lacks the same recognized public benefit as vulnerability disclosure. The policy also explicitly excludes "malicious" acts, and prosecutors might view unsanctioned access to funds (even via puzzles) as financially motivated rather than research.

Even if CFAA liability is avoided, criminal theft laws (e.g., state statutes) could apply. Most jurisdictions require explicit, lawful transfer of property. Cracking a key isn’t a traditional legal mechanism. The creator’s intent might not override statutory definitions of theft or fraud.

Unlike a test server in a bug bounty, the blockchain is a public ledger; the "system" accessed is the network itself. If the wallet’s security relies on cryptographic safeguards, bypassing them could be argued as circumventing a "technological barrier" under laws like the DMCA §1201 (though this is untested for puzzles).

[Benjade]

“Unauthorized access” only occurs when you defeat a safeguard without the owner’s permission.
The puzzle creator has already said “first to crack the key keeps the coins,” which is explicit consent, exactly like a bug-bounty program inviting you to hack their test server. Contract law treats that as a unilateral offer: perform the task, keep the reward. Once consent is public, brute-forcing the key is neither theft nor computer misuse, because the owner has waived exclusivity and the only “system” you touch is the open blockchain.

Here:
Computer Fraud and Abuse Act — 18 U.S.C. § 1030(a): every CFAA offense hinges on accessing a computer “without authorization” or “exceeding authorized access.” If the owner invites you to try, that element is missing. https://www.law.cornell.edu/uscode/text/18/1030

And there:
DOJ charging policy for the CFAA (19 May 2022): prosecutors are told not to bring charges for “good-faith security research” when the owner has authorized the activity. https://www.justice.gov/archives/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act

The puzzle creator’s public statement might imply consent, but unless it’s a legally binding contract (with clear terms, jurisdiction, and revocation mechanisms), authorities could still argue the method of access (e.g., brute-forcing) violates computer crime statutes. Courts often interpret “authorization” narrowly, e.g., Van Buren v. United States (2021) highlighted ambiguities in what exceeds "authorized access."

While the DOJ’s 2022 policy discourages charges for "good-faith security research," brute-forcing a private key lacks the same recognized public benefit as vulnerability disclosure. The policy also explicitly excludes "malicious" acts, and prosecutors might view unsanctioned access to funds (even via puzzles) as financially motivated rather than research.

Even if CFAA liability is avoided, criminal theft laws (e.g., state statutes) could apply. Most jurisdictions require explicit, lawful transfer of property. Cracking a key isn’t a traditional legal mechanism. The creator’s intent might not override statutory definitions of theft or fraud.

Unlike a test server in a bug bounty, the blockchain is a public ledger; the "system" accessed is the network itself. If the wallet’s security relies on cryptographic safeguards, bypassing them could be argued as circumventing a "technological barrier" under laws like the DMCA §1201 (though this is untested for puzzles).

Think about it for 2 seconds, these are addresses whose private keys are very limited in their range and created specifically to make them easier to find. What don't you understand about the law? It's written in black and white.

[Wanderingaran]

“Unauthorized access” only occurs when you defeat a safeguard without the owner’s permission.
The puzzle creator has already said “first to crack the key keeps the coins,” which is explicit consent, exactly like a bug-bounty program inviting you to hack their test server. Contract law treats that as a unilateral offer: perform the task, keep the reward. Once consent is public, brute-forcing the key is neither theft nor computer misuse, because the owner has waived exclusivity and the only “system” you touch is the open blockchain.

Here:
Computer Fraud and Abuse Act — 18 U.S.C. § 1030(a): every CFAA offense hinges on accessing a computer “without authorization” or “exceeding authorized access.” If the owner invites you to try, that element is missing. https://www.law.cornell.edu/uscode/text/18/1030

And there:
DOJ charging policy for the CFAA (19 May 2022): prosecutors are told not to bring charges for “good-faith security research” when the owner has authorized the activity. https://www.justice.gov/archives/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act

The puzzle creator’s public statement might imply consent, but unless it’s a legally binding contract (with clear terms, jurisdiction, and revocation mechanisms), authorities could still argue the method of access (e.g., brute-forcing) violates computer crime statutes. Courts often interpret “authorization” narrowly, e.g., Van Buren v. United States (2021) highlighted ambiguities in what exceeds "authorized access."

While the DOJ’s 2022 policy discourages charges for "good-faith security research," brute-forcing a private key lacks the same recognized public benefit as vulnerability disclosure. The policy also explicitly excludes "malicious" acts, and prosecutors might view unsanctioned access to funds (even via puzzles) as financially motivated rather than research.

Even if CFAA liability is avoided, criminal theft laws (e.g., state statutes) could apply. Most jurisdictions require explicit, lawful transfer of property. Cracking a key isn’t a traditional legal mechanism. The creator’s intent might not override statutory definitions of theft or fraud.

Unlike a test server in a bug bounty, the blockchain is a public ledger; the "system" accessed is the network itself. If the wallet’s security relies on cryptographic safeguards, bypassing them could be argued as circumventing a "technological barrier" under laws like the DMCA §1201 (though this is untested for puzzles).

Think about it for 2 seconds, these are addresses whose private keys are very limited in their range and created specifically to make them easier to find. What don't you understand about the law? It's written in black and white.

I have thought about it. And as someone who works in cybercrime investigations, I can tell you the law isn’t as binary as "the creator said it’s okay, so it’s legal." The law is written in black and white, but the words say "authorization," not "vibes." Unless the creator formalized this as a binding offer (a smart contract with explicit terms), you’re relying on not getting caught, not legal immunity.

Brute-forcing a key isn’t a recognized legal mechanism.

The creator’s intent might be clear to you, but courts need evidence of a valid contract or gift. If the private key is hidden within a puzzle or image (steganography, riddles, or cryptographic clues) and publicly posted (like GSMG.IO puzzle) by the owner, that’s fundamentally different from brute-forcing under the law.
Puzzle-solving = The owner deliberately encodes the key and invites solvers to extract it. This is closer to a unilateral contract ("Solve this, claim the prize").

If a company posts a puzzle on its website, that’s strong evidence of consent. Courts recognize "invited access". Brute-forcing lacks this clarity. Even weak keys don’t prove the owner authorized all methods of access.

[teguh54321]

@kTimesG Having a valid signature may satisfy the Bitcoin protocol, but off-chain it’s still treated as theft.

It's not theft if it never belonged to the one who claimed it theft.

I'd start there. By this logic, all the guys who solved puzzles so far are thieves.

By the same logic, if I add funds to private key 42, and I call it my assets, then I should sue whoever transfers the funds in the very next block. Correct?

Geez.

The creator of a "Bitcoin puzzle" (where funds are locked behind a private key that must be brute-forced) is intentionally creating a scenario where theft is incentivized. Even if they frame it as a game or challenge, the legal reality is:

They knowingly put funds in a position where unauthorized access is the only way to claim them.

They are effectively encouraging hacking/unauthorized access, which is illegal in most jurisdictions (e.g., under computer fraud, unauthorized access, or theft laws).


If the puzzle creator never relinquished ownership (e.g., by clearly stating "this is not yours until you solve X"), then solving the puzzle does not grant legal ownership, it’s still theft.

If they implied abandonment (e.g., "Whoever finds this can have it"), then it might be a gray area, but most legal systems don’t recognize brute-forcing as a legitimate claim method.

The puzzle creator could be legally liable because:

They structured a scheme that requires illegal actions (unauthorized access) to claim funds.

They knowingly set up a system that violates computer crime laws (e.g., CFAA in the U.S., similar laws in the EU/UK).

They may be seen as an accomplice to theft by deliberately creating conditions where theft is the only way to obtain the funds.


The puzzle creator is not innocent, they designed a system that requires illegal actions to claim funds. While they might argue it’s a "game," the law doesn’t generally recognize brute-forcing private keys as a legitimate way to transfer ownership.

Not bout LAW .. but about moral ...   And yeah sniper bot is morally wrong. Even tough i setup one 😅, but badly coded haha.....

So bruting puzzle  and sniping might be unlawful but sniping is morally wrong

[Akito S. M. Hosana]

Not bout LAW .. but about moral ...   And yeah sniper bot is morally wrong. Even tough i setup one 😅, but badly coded haha.....

So bruting puzzle  and sniping might be unlawful but sniping is morally wrong

We have a cop, a philosopher and a preacher here. We just need a psychiatrist to come here and give us a diagnosis.

[nochkin]

We have a cop, a philosopher and a preacher here. We just need a psychiatrist to come here and give us a diagnosis.

You guys are crazy. Signed.
Done.

[Kelvin555]

So yes, if you fund key 42 with no conditions, whoever signs first owns it. In the puzzle, the first signer already exists; a bot that shoves their transaction aside is just pickpocketing at mempool speed.

So untrue.... "Whoever moves the coins safely to his/her wallet owns the coins".
Bots are part of the competition, do you think the owner did not know that this RBF war would happen ?
Whoever has tried this challenge now fully knows why you shouldn't create a weak private key all thanks to bots.

The puzzle creator openly puts the coins in addresses meant to be cracked and even thanks the community for building new cracking tools. That is an implied green light: the only way to claim the prize is to derive the key, and the owner clearly intends that to happen. No computer system is being broken into and the funds are not protected by anything but the puzzle itself, so there is no “unauthorized access” under computer-crime laws. It is a public bounty, not theft.  https://bitcointalk.org/index.php?topic=1306983.msg18765941#msg18765941

Another thing, a bitcointalk forum post doesn't verify ownership of a bitcoin address, when Retiredcoder posted here the first time no one believed him till he signed a message from adresses 125 and 130, when Bram posted here he signed a message from his own address containing moved coins from address 67,  the main reason "signed messages" were added to bitcoin wallet is to verify ownership.

What if we wake up tomorrow and someone signs multiple messages with addresses 140 to 160 saying he/she is the rightful owner of these coins, it was never a challenge, never intended for it to be bruteforced, an unfortunate circumstance happened and he/she went to jail for the last 10years, released recently and found out people are bruteforcing his/her coins, has now made a complaint to the authorities about this....
Would you still believe that bitcointalk forum post
I think peoples' greed and lack of money clouds their judgment here.
If the owner wanted to prove legitimate ownership to these coins, nothing stops him signing a message with addresses 150, 155 and 160, state his intent about the coins and paste in a public forum.