Yesterday, someone sent bitcoin (BTC) to a compromised wallet that used the transaction identifier (txid) of a coinbase block reward as a private key. Incredibly, the txid of the coinbase of block 924,982 is the private key of a wallet.
A bot feeding frenzy commenced.
“I’d really like to know why that happens,” wrote an observer. “Some people have said they throw little amounts occasionally to see the bots fighting, but why the bigger amounts?”
In this context, “bots fighting” refers to computer programs connected to a memory pool (mempool) of pending BTC transactions.
Automatically sensing a deposit into a compromised wallet, bots will immediately broadcast replace by fee (RBF) transactions to outbid one another’s fees to miners for a withdrawal transaction.
The spectacle of watching greedy bots broadcast a stream of increasingly aggressive RBF transactions has some entertainment value.
“Sometimes I send small transactions to compromised wallets, just to see the beauty in this automated RBFs,” commented one hobbyist after a similar incident in November 2025.
On that day, someone recklessly spent $70,000 to the public key of a non-random private key.
“It happens immediately, these nodes ain’t sleeping,” the hobbyist explained with glee. “The software will literally RBF ’em down to a single sat tx, child will literally pay 99.9% fees… it’s beautiful.”
Read more: 402bridge private key leaks, 227 wallets drained in minutes
Bots will happily steal all deposits to compromised wallets
Obviously, a private key is the most important piece of data to store securely in order to protect BTC. Leaking it or any type of common data that allows a hacker to derive it often results in immediate theft.
Many, but not all, of the most popular wallets with non-random private keys have seed phrases with predictable patterns, such as the words “password,” “bitcoin,” “rocketman” repeated 12 times, or the word “abandon” repeated 11 times.
Any non-random pattern lacking true entropy can expose a private key and allow bots to immediately drain any deposit to its public key.
As yesterday’s incident illustrates, non-randomness can also take the form of public information on the Bitcoin ledger, including the txid of a block reward.
Indeed, failure to introduce mechanical entropy when generating a private key can allow brute-force attacks and compromise the security of funds.
Moreover and with particular relevance to yesterday’s loss, hashing a private key via a txid does not add sufficient entropy for the safekeeping of private keys. As these unfortunate incidents illustrate, miners and other mempool observers can surveil txids for non-randomness and try to quickly broadcast a theft transaction using the underlying, exposed private key.
Got a tip? Send us an email securely via Protos Leaks. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.
Source: https://protos.com/mempool-bots-battle-over-compromised-btc/