Bitcoin puzzle transaction ~32 BTC prize to who solves it

[mcdouglasx]

@kTimesG Having a valid signature may satisfy the Bitcoin protocol, but off-chain it’s still treated as theft.

It's not theft if it never belonged to the one who claimed it theft.

I'd start there. By this logic, all the guys who solved puzzles so far are thieves.

By the same logic, if I add funds to private key 42, and I call it my assets, then I should sue whoever transfers the funds in the very next block. Correct?

Geez.

In the hypothetical case that you knew who stole your money, you could sue. Just because a door isn't locked doesn't mean you can break in.

The problem with this is that it's difficult to know who committed the crime. If someone discovers a vulnerability in secp256k1, then according to your logic, they could empty Binance wallets without legal repercussions, since you wouldn't be hacking them. It's just that you know how to add, and your math calculations easily give you the key. This is absurd.



Regarding bots, it doesn't have much to do with speed, whether it's who replaces the transaction last or with the most fees. It depends on the miner who includes the transaction and mines the block. You can send a tx and then replace it, and the first or second transaction could be mined, depending on which miner solves the block first.
It doesn't just matter who has the fastest bot, but who is the luckiest to have the transaction mined.

RBF is intended to replace stuck tx due to low fees, when these do not want to be taken into account by miners, but if the person sending the original transaction does so with enough fees and many miners include it in their proof of work, their transaction could be mined with the same chances as its replacement.

[Benjade]

So yes, if you fund key 42 with no conditions, whoever signs first owns it. In the puzzle, the first signer already exists; a bot that shoves their transaction aside is just pickpocketing at mempool speed.

I do not agree, simply because it wasn't their key, so the ownership does not exist in the first place.

Are you aware that all puzzles with exposed public keys were signed before they got solved, since they had outgoing TXs? The sweeping TXs therefore classify as theft, according to your criteria.

Again: not your key, not your coins. It is your key only when you actually create it yourself. Otherwise, it is not your key, it belongs to everyone and therefore anyone has the equal right to use it as they see fit.

“Not your key, not your coins” cuts both ways.

Until someone derives the private key, the puzzle coins are ownerless data on-chain, yes.
The moment A solves the puzzle and signs a spend, A is the key-holder ownership springs into existence at that instant, because control is proven by the valid signature.

A front-runner doesn’t discover a second key; he simply copies A’s work, rebroadcasts it with a higher fee, and pockets the reward. That’s no different from watching me unlock a safe, grabbing the cash before I can close the door, and claiming “the safe was public property.” The effort that created the new control was mine, not yours.

Outgoing test transactions by the puzzle creator don’t change that: they pre-dated any solver, and the creator explicitly offered the balance to whoever computes the key first. Once that computation is done, the solver holds the key. Copy-paste latency attacks don’t create equal rights they free-ride on another person’s cryptographic proof of ownership, that's all.

[kTimesG]

“Not your key, not your coins” cuts both ways.

Until someone derives the private key, the puzzle coins are ownerless data on-chain, yes.

"Derives the private key"?

That's basically saying "I never owned this key".

None of these arguments will ever hold in any court on this planet, simply because it is impossible to ever prove that you were the first to "derive the key", craft a TX, and having it reach a P2P node, before someone else. That shit is dealt with only after a block is mined and issue gets settled, not before.

It's one thing to hack someone's rightful assets, and a totally different thing to have 100 dudes competing over who ECDLPs first a minuscule weak key, in a mempool, over some assets that don't really belong to ANY of them until the block gets mined and the conflict is solved.

Ownership, in a legal manner, involves proving that the private key was OWNED by you, not that it was "derived". This is done by showing that the private key was indeed a full entropy 256-bits random blob, not a lame-ass zero-filled empty blob with a few bytes at the end.

At best, it can only incriminate yourself, since "deriving" pretty much means "I cracked it, because I didn't own it".

[Benjade]

“Not your key, not your coins” cuts both ways.

Until someone derives the private key, the puzzle coins are ownerless data on-chain, yes.

"Derives the private key"?

That's basically saying "I never owned this key".

None of these arguments will ever hold in any court on this planet, simply because it is impossible to ever prove that you were the first to "derive the key", craft a TX, and having it reach a P2P node, before someone else. That shit is dealt with only after a block is mined and issue gets settled, not before.

It's one thing to hack someone's rightful assets, and a totally different thing to have 100 dudes competing over who ECDLPs first a minuscule weak key, in a mempool, over some assets that don't really belong to ANY of them until the block gets mined and the conflict is solved.

Ownership, in a legal manner, involves proving that the private key was OWNED by you, not that it was "derived". This is done by showing that the private key was indeed a full entropy 256-bits random blob, not a lame-ass zero-filled empty blob with a few bytes at the end.

At best, it can only incriminate yourself, since "deriving" pretty much means "I cracked it, because I didn't own it".

You’re mixing up “can’t be proved” with “I don’t know how to prove it.” 

Every Bitcoin Core node stores when it first saw a tx (getrawmempool true). Mempool.observer, forkmonitor.info, etc. archive those feeds. If my tx hit the network at 17:12:03 and yours appears at 17:12:27, the gap is public and cryptographically tied to the txid.

Deterministic ECDSA RFC 6979 forces each signer to use a different nonce r. Two people who really derived the key produce two distinct signatures; a copy-paste front-runner re-broadcasts the identical sig. Comparing scriptSig bytes is enough to show who computed and who plagiarised.

I can sign an arbitrary message (“Block 850 000, puzzle X, I own this key”) and timestamp that hash with OpenTimestamps or even into the blockchain days before broadcasting the spend. When the puzzle falls, I reveal the signature; the hash already on-chain nails the timeline.

Courts deal with timestamped digital evidence every day e-mails, server logs, CCTV metadata so spare us the “no court on the planet” flourish. In practice the front-runner’s best hope is anonymity, not legal theory, because the maths makes the order of discovery trivially auditable.

Since you're acting in bad faith, I certainly wouldn't want to be your friend IRL, you might steal things from me... 

[Wanderingaran]

@kTimesG Having a valid signature may satisfy the Bitcoin protocol, but off-chain it’s still treated as theft.

It's not theft if it never belonged to the one who claimed it theft.

I'd start there. By this logic, all the guys who solved puzzles so far are thieves.

By the same logic, if I add funds to private key 42, and I call it my assets, then I should sue whoever transfers the funds in the very next block. Correct?

Geez.

The creator of a "Bitcoin puzzle" (where funds are locked behind a private key that must be brute-forced) is intentionally creating a scenario where theft is incentivized. Even if they frame it as a game or challenge, the legal reality is:

They knowingly put funds in a position where unauthorized access is the only way to claim them.

They are effectively encouraging hacking/unauthorized access, which is illegal in most jurisdictions (e.g., under computer fraud, unauthorized access, or theft laws).


If the puzzle creator never relinquished ownership (e.g., by clearly stating "this is not yours until you solve X"), then solving the puzzle does not grant legal ownership, it’s still theft.

If they implied abandonment (e.g., "Whoever finds this can have it"), then it might be a gray area, but most legal systems don’t recognize brute-forcing as a legitimate claim method.

The puzzle creator could be legally liable because:

They structured a scheme that requires illegal actions (unauthorized access) to claim funds.

They knowingly set up a system that violates computer crime laws (e.g., CFAA in the U.S., similar laws in the EU/UK).

They may be seen as an accomplice to theft by deliberately creating conditions where theft is the only way to obtain the funds.


The puzzle creator is not innocent, they designed a system that requires illegal actions to claim funds. While they might argue it’s a "game," the law doesn’t generally recognize brute-forcing private keys as a legitimate way to transfer ownership.

[Benjade]

@kTimesG Having a valid signature may satisfy the Bitcoin protocol, but off-chain it’s still treated as theft.

It's not theft if it never belonged to the one who claimed it theft.

I'd start there. By this logic, all the guys who solved puzzles so far are thieves.

By the same logic, if I add funds to private key 42, and I call it my assets, then I should sue whoever transfers the funds in the very next block. Correct?

Geez.

The creator of a "Bitcoin puzzle" (where funds are locked behind a private key that must be brute-forced) is intentionally creating a scenario where theft is incentivized. Even if they frame it as a game or challenge, the legal reality is:

They knowingly put funds in a position where unauthorized access is the only way to claim them.

They are effectively encouraging hacking/unauthorized access, which is illegal in most jurisdictions (e.g., under computer fraud, unauthorized access, or theft laws).


If the puzzle creator never relinquished ownership (e.g., by clearly stating "this is not yours until you solve X"), then solving the puzzle does not grant legal ownership, it’s still theft.

If they implied abandonment (e.g., "Whoever finds this can have it"), then it might be a gray area, but most legal systems don’t recognize brute-forcing as a legitimate claim method.

The puzzle creator could be legally liable because:

They structured a scheme that requires illegal actions (unauthorized access) to claim funds.

They knowingly set up a system that violates computer crime laws (e.g., CFAA in the U.S., similar laws in the EU/UK).

They may be seen as an accomplice to theft by deliberately creating conditions where theft is the only way to obtain the funds.


The puzzle creator is not innocent, they designed a system that requires illegal actions to claim funds. While they might argue it’s a "game," the law doesn’t generally recognize brute-forcing private keys as a legitimate way to transfer ownership.

It's not correct and you are mixing up “unauthorized access” with a public bounty.

The puzzle creator openly puts the coins in addresses meant to be cracked and even thanks the community for building new cracking tools. That is an implied green light: the only way to claim the prize is to derive the key, and the owner clearly intends that to happen. No computer system is being broken into and the funds are not protected by anything but the puzzle itself, so there is no “unauthorized access” under computer-crime laws. It is a public bounty, not theft.  https://bitcointalk.org/index.php?topic=1306983.msg18765941#msg18765941

[Wanderingaran]

@kTimesG Having a valid signature may satisfy the Bitcoin protocol, but off-chain it’s still treated as theft.

It's not theft if it never belonged to the one who claimed it theft.

I'd start there. By this logic, all the guys who solved puzzles so far are thieves.

By the same logic, if I add funds to private key 42, and I call it my assets, then I should sue whoever transfers the funds in the very next block. Correct?

Geez.

The creator of a "Bitcoin puzzle" (where funds are locked behind a private key that must be brute-forced) is intentionally creating a scenario where theft is incentivized. Even if they frame it as a game or challenge, the legal reality is:

They knowingly put funds in a position where unauthorized access is the only way to claim them.

They are effectively encouraging hacking/unauthorized access, which is illegal in most jurisdictions (e.g., under computer fraud, unauthorized access, or theft laws).


If the puzzle creator never relinquished ownership (e.g., by clearly stating "this is not yours until you solve X"), then solving the puzzle does not grant legal ownership, it’s still theft.

If they implied abandonment (e.g., "Whoever finds this can have it"), then it might be a gray area, but most legal systems don’t recognize brute-forcing as a legitimate claim method.

The puzzle creator could be legally liable because:

They structured a scheme that requires illegal actions (unauthorized access) to claim funds.

They knowingly set up a system that violates computer crime laws (e.g., CFAA in the U.S., similar laws in the EU/UK).

They may be seen as an accomplice to theft by deliberately creating conditions where theft is the only way to obtain the funds.


The puzzle creator is not innocent, they designed a system that requires illegal actions to claim funds. While they might argue it’s a "game," the law doesn’t generally recognize brute-forcing private keys as a legitimate way to transfer ownership.

It's not correct and you are mixing up “unauthorized access” with a public bounty.

The puzzle creator openly puts the coins in addresses meant to be cracked and even thanks the community for building new cracking tools. That is an implied green light: the only way to claim the prize is to derive the key, and the owner clearly intends that to happen. No computer system is being broken into and the funds are not protected by anything but the puzzle itself, so there is no “unauthorized access” under computer-crime laws. It is a public bounty, not theft.  https://bitcointalk.org/index.php?topic=1306983.msg18765941#msg18765941

While the puzzle creator may intend for the funds to be claimed by cracking the key, that doesn’t automatically make it legal. Most jurisdictions don’t recognize brute-forcing as a valid way to transfer ownership. It’s still technically unauthorized access under computer crime laws. The creator’s forum posts might show intent, but unless they structured this as a binding contract or explicit waiver, the law could still view solvers as committing theft. In practice, nobody gets prosecuted because  is pseudonymous and the creator isn’t complaining, but that doesn’t make it legally safe.

[kTimesG]

You’re mixing up “can’t be proved” with “I don’t know how to prove it.”  

Every Bitcoin Core node stores when it first saw a tx (getrawmempool true). Mempool.observer, forkmonitor.info, etc. archive those feeds. If my tx hit the network at 17:12:03 and yours appears at 17:12:27, the gap is public and cryptographically tied to the txid.

Deterministic ECDSA RFC 6979 forces each signer to use a different nonce r. Two people who really derived the key produce two distinct signatures; a copy-paste front-runner re-broadcasts the identical sig. Comparing scriptSig bytes is enough to show who computed and who plagiarised.

I can sign an arbitrary message (“Block 850 000, puzzle X, I own this key”) and timestamp that hash with OpenTimestamps or even into the blockchain days before broadcasting the spend. When the puzzle falls, I reveal the signature; the hash already on-chain nails the timeline.

Courts deal with timestamped digital evidence every day e-mails, server logs, CCTV metadata so spare us the “no court on the planet” flourish. In practice the front-runner’s best hope is anonymity, not legal theory, because the maths makes the order of discovery trivially auditable.

Since you're acting in bad faith, I certainly wouldn't want to be your friend IRL, you might steal things from me...  

Timestamps of a transaction is not included in the transaction, so the gaps you mention and any logs of any public archives are the time when the TX was seen by that node.

So it's basically not a proof at all. What you call a replacement TX might as well be the first TX that some archival node sees.

And I have no idea what you are talking about regarding the identical signatures. The nonce is random, or it's created deterministically based on the TX data, so unless I'm sending out stuff to the SAME address (and same value), it's gonna be a different nonce -> different signature. Actually, I think it would need to be the exact byte-by-byte TX, in order for signatures to be identical.

There is no way to actually prove that my TX was not actually created and transmitted before your TX.

The timestamp of a TX is, eventually, the timestamp of the mined block. Any other timestamps are not legal proof of anything, as there's no way to validate the TX broadcasting timestamp.

It's also very funny how you would think that sending some signed message days before the actual TX would serve any legal purpose at all, because, unless you're signing it with the key you're about to spend, it can be basically sent out by anyone. So it's futile as it doesn't proof anything. And if you do sign it correctly, you already know what would happen, since signing it exposes the public key.

I feel like we're going in circles with what "not your key, not your funds" means in the context of a public blockchain.

[Cricktor]

I don't know what some don't understand with this puzzle and how someone can argue that a solver of a particular puzzle is a thief.

The puzzle creator has deliberately setup the puzzles to have the "community" try to claim them. Benjade points this out. It doesn't matter what motivation the creator had. The puzzle creator knew that a big chunk of the puzzles will be solved and withdrawn by solvers. He or she obviously donated the coins for this, let's call it technological study.

Even after a lot of the puzzles were solved already, they were topped up considerably to make it a worthy challenge to push solving tech to the limits. Whoever donated the coins for the puzzles, knew what they were doing.


If someone is stupid enough to use very weak and/or publicly known private keys or utterly bad brainwallets based on publicly known secrets data then I'd argue those sort of deserve to loose their coins to bots or whomever, simply due to ignorance and vast stupidity (I recognize that stupidity doesn't justify all evil actions, but hey, you get my point I guess). And yes, such bots exist, are armed and ready to almost instantly replace transactions that show up in public mempools. That's a known fact.

My standpoint is that getting to know a private key to valid UTXOs doesn't make you the legit owner of those UTXOs, but technically you can spend them and probably quite many would do this. I don't want to try to put these and those into some camps, it's a bit pointless. Make it up with yourself in which camp you sit. But this doesn't apply to coins that are deliberately laid out to be claimed like in the context of the Bitcoin puzzle transactions and coins.

Since the inception of low entropy puzzle stealing bots a solver of a low bit-range puzzle is challenged with a new problem for which MARA pool's Slipstream service has proven to be a working solution. Puzzle solver for 67 and 68 was smart enough and has proven this so far that Slipstream didn't scam but calmly confirmed the withdrawal transaction. Good and a must to know.

Puzzle solver for 69 failed to gain this crucial knowledge and it looked very much like they lost their prize to some bots. I would call this bad preperation and ignorance of quick state-of-the-art solution technology.

I forgot from which bit count on it's simply unlikely a bot could find a solution once a public key is exposed in public mempool, even when the next block to mine may take more than an hour to be found. Blocks are found roughly on average over 2016 blocks every 10minutes. You can't predict when the next valid block is published.

Future puzzle solver of 135 doesn't need to care about Slipstream service. Future puzzle solver of 71+ should very much use Slipstream or there will be a lot of tears.

[Benjade]

@kTimesG Having a valid signature may satisfy the Bitcoin protocol, but off-chain it’s still treated as theft.

It's not theft if it never belonged to the one who claimed it theft.

I'd start there. By this logic, all the guys who solved puzzles so far are thieves.

By the same logic, if I add funds to private key 42, and I call it my assets, then I should sue whoever transfers the funds in the very next block. Correct?

Geez.

The creator of a "Bitcoin puzzle" (where funds are locked behind a private key that must be brute-forced) is intentionally creating a scenario where theft is incentivized. Even if they frame it as a game or challenge, the legal reality is:

They knowingly put funds in a position where unauthorized access is the only way to claim them.

They are effectively encouraging hacking/unauthorized access, which is illegal in most jurisdictions (e.g., under computer fraud, unauthorized access, or theft laws).


If the puzzle creator never relinquished ownership (e.g., by clearly stating "this is not yours until you solve X"), then solving the puzzle does not grant legal ownership, it’s still theft.

If they implied abandonment (e.g., "Whoever finds this can have it"), then it might be a gray area, but most legal systems don’t recognize brute-forcing as a legitimate claim method.

The puzzle creator could be legally liable because:

They structured a scheme that requires illegal actions (unauthorized access) to claim funds.

They knowingly set up a system that violates computer crime laws (e.g., CFAA in the U.S., similar laws in the EU/UK).

They may be seen as an accomplice to theft by deliberately creating conditions where theft is the only way to obtain the funds.


The puzzle creator is not innocent, they designed a system that requires illegal actions to claim funds. While they might argue it’s a "game," the law doesn’t generally recognize brute-forcing private keys as a legitimate way to transfer ownership.

It's not correct and you are mixing up “unauthorized access” with a public bounty.

The puzzle creator openly puts the coins in addresses meant to be cracked and even thanks the community for building new cracking tools. That is an implied green light: the only way to claim the prize is to derive the key, and the owner clearly intends that to happen. No computer system is being broken into and the funds are not protected by anything but the puzzle itself, so there is no “unauthorized access” under computer-crime laws. It is a public bounty, not theft.  https://bitcointalk.org/index.php?topic=1306983.msg18765941#msg18765941

While the puzzle creator may intend for the funds to be claimed by cracking the key, that doesn’t automatically make it legal. Most jurisdictions don’t recognize brute-forcing as a valid way to transfer ownership. It’s still technically unauthorized access under computer crime laws. The creator’s forum posts might show intent, but unless they structured this as a binding contract or explicit waiver, the law could still view solvers as committing theft. In practice, nobody gets prosecuted because  is pseudonymous and the creator isn’t complaining, but that doesn’t make it legally safe.

“Unauthorized access” only occurs when you defeat a safeguard without the owner’s permission.
The puzzle creator has already said “first to crack the key keeps the coins,” which is explicit consent, exactly like a bug-bounty program inviting you to hack their test server. Contract law treats that as a unilateral offer: perform the task, keep the reward. Once consent is public, brute-forcing the key is neither theft nor computer misuse, because the owner has waived exclusivity and the only “system” you touch is the open blockchain.

Here:
Computer Fraud and Abuse Act — 18 U.S.C. § 1030(a): every CFAA offense hinges on accessing a computer “without authorization” or “exceeding authorized access.” If the owner invites you to try, that element is missing. https://www.law.cornell.edu/uscode/text/18/1030

And there:
DOJ charging policy for the CFAA (19 May 2022): prosecutors are told not to bring charges for “good-faith security research” when the owner has authorized the activity. https://www.justice.gov/archives/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act

[Akito S. M. Hosana]

While the puzzle creator may intend for the funds to be claimed by cracking the key, that doesn’t automatically make it legal. Most jurisdictions don’t recognize brute-forcing as a valid way to transfer ownership. It’s still technically unauthorized access under computer crime laws. The creator’s forum posts might show intent, but unless they structured this as a binding contract or explicit waiver, the law could still view solvers as committing theft. In practice, nobody gets prosecuted because  is pseudonymous and the creator isn’t complaining, but that doesn’t make it legally safe.

Okay, I admit it, I'm a criminal in the making. I have to admit, I'm not very good at this. 

[nomachine]

I have to admit, I'm not very good at this. 

You can always try fishing.It’s one of the best ways to calm your mind and heal your nerves. The discipline, patience, and connection to nature that fishing teaches can steer people away from crime, drug use, and self-destructive cycles. Of course, always fish responsibly. Check local regulations and get a license if needed. But once you do, you might just find that fishing does more than put food on the table; it brings peace to your soul. 

[analyticnomad]

So can I steal this magic internet money or not?

[onepuzzle]

Guys, even if we do end up solving the puzzle, we’re going to fall into deep depression. Or some of you already have—especially those who’ve been in it from the beginning. With that kind of money, you could afford a good therapist. The real question is: will we ever be able to feel happiness again?

@satoshi_rising you may have made 0.001% of the people richer — and the rest depressed. Thanks for that.

Now time to rent 24,000 GPUs to solve 71.

[Wanderingaran]

So can I steal this magic internet money or not?

If you live in Mongolia, it's probably safe. 

[betterthanSNnBTC]

Solved.

[mcdouglasx]

I don't know what some don't understand with this puzzle and how someone can argue that a solver of a particular puzzle is a thief.

The puzzle creator has deliberately setup the puzzles to have the "community" try to claim them. Benjade points this out. It doesn't matter what motivation the creator had. The puzzle creator knew that a big chunk of the puzzles will be solved and withdrawn by solvers. He or she obviously donated the coins for this, let's call it technological study.

Even after a lot of the puzzles were solved already, they were topped up considerably to make it a worthy challenge to push solving tech to the limits. Whoever donated the coins for the puzzles, knew what they were doing.


If someone is stupid enough to use very weak and/or publicly known private keys or utterly bad brainwallets based on publicly known secrets data then I'd argue those sort of deserve to loose their coins to bots or whomever, simply due to ignorance and vast stupidity (I recognize that stupidity doesn't justify all evil actions, but hey, you get my point I guess). And yes, such bots exist, are armed and ready to almost instantly replace transactions that show up in public mempools. That's a known fact.

My standpoint is that getting to know a private key to valid UTXOs doesn't make you the legit owner of those UTXOs, but technically you can spend them and probably quite many would do this. I don't want to try to put these and those into some camps, it's a bit pointless. Make it up with yourself in which camp you sit. But this doesn't apply to coins that are deliberately laid out to be claimed like in the context of the Bitcoin puzzle transactions and coins.

Since the inception of low entropy puzzle stealing bots a solver of a low bit-range puzzle is challenged with a new problem for which MARA pool's Slipstream service has proven to be a working solution. Puzzle solver for 67 and 68 was smart enough and has proven this so far that Slipstream didn't scam but calmly confirmed the withdrawal transaction. Good and a must to know.

Puzzle solver for 69 failed to gain this crucial knowledge and it looked very much like they lost their prize to some bots. I would call this bad preperation and ignorance of quick state-of-the-art solution technology.

I forgot from which bit count on it's simply unlikely a bot could find a solution once a public key is exposed in public mempool, even when the next block to mine may take more than an hour to be found. Blocks are found roughly on average over 2016 blocks every 10minutes. You can't predict when the next valid block is published.

Future puzzle solver of 135 doesn't need to care about Slipstream service. Future puzzle solver of 71+ should very much use Slipstream or there will be a lot of tears.

This topic is full of ambiguities. On the one hand, you say that anyone stupid enough to use low-entropy keys deserves to be robbed by bots, but two paragraphs later, you say "Slipstream didn't scam." But does Splitstream really have any responsibility in this case? Since this is an insecure key, does Splitstream really have a responsibility to protect you? If Splitstream doesn't do so, would it legally be a scam?

I think the use of a bot is unethical and synonymous with stealing, although this doesn't mean these are cases with too much judicial ambiguity.
Likewise, if someone on Splitstream decides to replace the TX of puzzle 71, the user will surely call them scammers. But Splitstream makes it clear in its rules that it is not responsible for the security of the private key, so Mara would surely win this fight. It wouldn't be ethical or well-regarded, but that's how the law works, and by using the service you accept its terms.

[Wanderingaran]

“Unauthorized access” only occurs when you defeat a safeguard without the owner’s permission.
The puzzle creator has already said “first to crack the key keeps the coins,” which is explicit consent, exactly like a bug-bounty program inviting you to hack their test server. Contract law treats that as a unilateral offer: perform the task, keep the reward. Once consent is public, brute-forcing the key is neither theft nor computer misuse, because the owner has waived exclusivity and the only “system” you touch is the open blockchain.

Here:
Computer Fraud and Abuse Act — 18 U.S.C. § 1030(a): every CFAA offense hinges on accessing a computer “without authorization” or “exceeding authorized access.” If the owner invites you to try, that element is missing. https://www.law.cornell.edu/uscode/text/18/1030

And there:
DOJ charging policy for the CFAA (19 May 2022): prosecutors are told not to bring charges for “good-faith security research” when the owner has authorized the activity. https://www.justice.gov/archives/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act

The puzzle creator’s public statement might imply consent, but unless it’s a legally binding contract (with clear terms, jurisdiction, and revocation mechanisms), authorities could still argue the method of access (e.g., brute-forcing) violates computer crime statutes. Courts often interpret “authorization” narrowly, e.g., Van Buren v. United States (2021) highlighted ambiguities in what exceeds "authorized access."

While the DOJ’s 2022 policy discourages charges for "good-faith security research," brute-forcing a private key lacks the same recognized public benefit as vulnerability disclosure. The policy also explicitly excludes "malicious" acts, and prosecutors might view unsanctioned access to funds (even via puzzles) as financially motivated rather than research.

Even if CFAA liability is avoided, criminal theft laws (e.g., state statutes) could apply. Most jurisdictions require explicit, lawful transfer of property. Cracking a key isn’t a traditional legal mechanism. The creator’s intent might not override statutory definitions of theft or fraud.

Unlike a test server in a bug bounty, the blockchain is a public ledger; the "system" accessed is the network itself. If the wallet’s security relies on cryptographic safeguards, bypassing them could be argued as circumventing a "technological barrier" under laws like the DMCA §1201 (though this is untested for puzzles).

[Benjade]

“Unauthorized access” only occurs when you defeat a safeguard without the owner’s permission.
The puzzle creator has already said “first to crack the key keeps the coins,” which is explicit consent, exactly like a bug-bounty program inviting you to hack their test server. Contract law treats that as a unilateral offer: perform the task, keep the reward. Once consent is public, brute-forcing the key is neither theft nor computer misuse, because the owner has waived exclusivity and the only “system” you touch is the open blockchain.

Here:
Computer Fraud and Abuse Act — 18 U.S.C. § 1030(a): every CFAA offense hinges on accessing a computer “without authorization” or “exceeding authorized access.” If the owner invites you to try, that element is missing. https://www.law.cornell.edu/uscode/text/18/1030

And there:
DOJ charging policy for the CFAA (19 May 2022): prosecutors are told not to bring charges for “good-faith security research” when the owner has authorized the activity. https://www.justice.gov/archives/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act

The puzzle creator’s public statement might imply consent, but unless it’s a legally binding contract (with clear terms, jurisdiction, and revocation mechanisms), authorities could still argue the method of access (e.g., brute-forcing) violates computer crime statutes. Courts often interpret “authorization” narrowly, e.g., Van Buren v. United States (2021) highlighted ambiguities in what exceeds "authorized access."

While the DOJ’s 2022 policy discourages charges for "good-faith security research," brute-forcing a private key lacks the same recognized public benefit as vulnerability disclosure. The policy also explicitly excludes "malicious" acts, and prosecutors might view unsanctioned access to funds (even via puzzles) as financially motivated rather than research.

Even if CFAA liability is avoided, criminal theft laws (e.g., state statutes) could apply. Most jurisdictions require explicit, lawful transfer of property. Cracking a key isn’t a traditional legal mechanism. The creator’s intent might not override statutory definitions of theft or fraud.

Unlike a test server in a bug bounty, the blockchain is a public ledger; the "system" accessed is the network itself. If the wallet’s security relies on cryptographic safeguards, bypassing them could be argued as circumventing a "technological barrier" under laws like the DMCA §1201 (though this is untested for puzzles).

Think about it for 2 seconds, these are addresses whose private keys are very limited in their range and created specifically to make them easier to find. What don't you understand about the law? It's written in black and white.

[teguh54321]

@kTimesG Having a valid signature may satisfy the Bitcoin protocol, but off-chain it’s still treated as theft.

It's not theft if it never belonged to the one who claimed it theft.

I'd start there. By this logic, all the guys who solved puzzles so far are thieves.

By the same logic, if I add funds to private key 42, and I call it my assets, then I should sue whoever transfers the funds in the very next block. Correct?

Geez.

The creator of a "Bitcoin puzzle" (where funds are locked behind a private key that must be brute-forced) is intentionally creating a scenario where theft is incentivized. Even if they frame it as a game or challenge, the legal reality is:

They knowingly put funds in a position where unauthorized access is the only way to claim them.

They are effectively encouraging hacking/unauthorized access, which is illegal in most jurisdictions (e.g., under computer fraud, unauthorized access, or theft laws).


If the puzzle creator never relinquished ownership (e.g., by clearly stating "this is not yours until you solve X"), then solving the puzzle does not grant legal ownership, it’s still theft.

If they implied abandonment (e.g., "Whoever finds this can have it"), then it might be a gray area, but most legal systems don’t recognize brute-forcing as a legitimate claim method.

The puzzle creator could be legally liable because:

They structured a scheme that requires illegal actions (unauthorized access) to claim funds.

They knowingly set up a system that violates computer crime laws (e.g., CFAA in the U.S., similar laws in the EU/UK).

They may be seen as an accomplice to theft by deliberately creating conditions where theft is the only way to obtain the funds.


The puzzle creator is not innocent, they designed a system that requires illegal actions to claim funds. While they might argue it’s a "game," the law doesn’t generally recognize brute-forcing private keys as a legitimate way to transfer ownership.

Not bout LAW .. but about moral ...   And yeah sniper bot is morally wrong. Even tough i setup one 😅, but badly coded haha.....

So bruting puzzle  and sniping might be unlawful but sniping is morally wrong