Steal our Bitcoin – a small segwit bounty [Updated!]

We have sent 0.0001 BTC each to ten different public addresses that have never before appeared on the blockchain but should still be considered high-risk and quite unsafe. It will be interesting to see how fast they are robbed!

Here is the transaction: fcbcaecced0e5df2988fbc274a6f60ae8159dbb76df0d647acb83502c656bac8

As seen, we are staking 0.001 BTC in total.

A few clues:

  • Segwit
  • Brainwallet
  • SHA-256
  • Previously known (pass)words

One obstacle may be that the standard tool Brainflayer doesn’t support segwit addresses. (Or are there forks that do? If so, please let us know.)

In other words, your job is to empty the following public addresses:

367YSQBM7gxFR32tDPATcceZ41tR9iQmtp
34gxouL9pAwrm52SrtUPfyRTMtuwPbD8Cy
3FxDzfsP14mKUuytybxAZeNLGvLBxTxtbx
3JAjhmuqZEkiHYiMNp5Ta11Nbyk8sDqkaK
3PqQ5wxLhtPUKGGbMcsWmym9P5u7wYEKUX
bc1qvw5ryvljtuulwdx225uaanat7psdqwd2c4pkcj
bc1qr35wjxze57gdpcfjku8rtq39n4evkvmm7nev4q
bc1q34x4pr6m7tpgkg9rsc6qtuza8nfhfvz93895ln
bc1q28e7fx8nhfnuljekzm3esup8wcz5ezey7u9z4t
bc1qrwuy34745jjdv46m7dymghnnqs5v88eedka5r9

We know you can do it! This post will be updated with all the details when (not if) all addresses have been emptied.

It would be cool if the person(s) who pull this off publish their solutions in the comments below.

This little experiment was possible thanks to a kind donation to this page; our public address is at the bottom of this page. If you want to see more experiments and bounties like this, the tip jar is always open!

 

Update a few hours later

Yikes! That was a lot faster than we expected. All 10 public addresses were emptied within one minute, and these transactions were included in the same block, 634753, as the original transaction.

Five different bots competed. We can be quite sure they are bots and not humans since they reacted literally within seconds and before the original transaction had been verified by the network. In other words, we can be quite sure that several different bots are constantly scanning the Bitcoin mempool for unsafe transactions and reacting immediately to them.

Further, the transaction fees are extraordinarily high. The most successful bot grabbed 5 of 10 transactions, but at a very high price – it spent almost 85% on transaction fees! Presumably, the bots set the transaction fees very high in order to “win” (i.e. be chosen by the miner of the next block). Which leads us to the question: is it even worth it to run such a bot? Is it really winning to pay 85% in transaction fees? The tradeoff between “must win” (high transaction fee) and “must profit” (low transaction fee) is an interesting equation.

Alright, so how exactly did we produce these apparently unsafe public addresses? We created what some people refer to as brainwallets, which – in the simplest form – means taking the single-round SHA-256 hash of your passphrase (“something you can remember”) and using that as the private key. For this experiment, we used the following weak passwords, each listed with its SHA-256 hash (the private key) and the resulting public address:

Hello1
948edbe7ede5aa7423476ae29dcd7d61e7711a071aea0d83698377effa896525
367YSQBM7gxFR32tDPATcceZ41tR9iQmtp

Satoshi
002688cc350a5333a87fa622eacec626c3d1c0ebf9f3793de3885fa254d7e393
34gxouL9pAwrm52SrtUPfyRTMtuwPbD8Cy

newyork
350c754ba4d38897693aa077ef43072a859d23f613443133fecbbd90a3512ca5
3FxDzfsP14mKUuytybxAZeNLGvLBxTxtbx

password123
ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f
3JAjhmuqZEkiHYiMNp5Ta11Nbyk8sDqkaK

catcatcat
bd337ddd210e2ecdf448b3eb67ddde14e18dd0a9852d8737b2222c52c61f27ee
3PqQ5wxLhtPUKGGbMcsWmym9P5u7wYEKUX

BTC
da8562e7abc01a6f0d49a25d144ce6a9d7752a079c5d950ad5a93fd6d623f7fd
bc1qvw5ryvljtuulwdx225uaanat7psdqwd2c4pkcj

secretpass
e05f79651d465214e7558a382ed0f0e5a77380a649f4573f3a1036dc4ee10c0b
bc1qr35wjxze57gdpcfjku8rtq39n4evkvmm7nev4q

1
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
bc1q34x4pr6m7tpgkg9rsc6qtuza8nfhfvz93895ln

abc123
6ca13d52ca70c883e0f0bb101e425a89e8624de51db2d2392593af6a84118090
bc1q28e7fx8nhfnuljekzm3esup8wcz5ezey7u9z4t

HODL
c038fecc62a77f4b1ca8f06bf621bb612e748505951bbce22ebdbf2291760972
bc1qrwuy34745jjdv46m7dymghnnqs5v88eedka5r9

Information about the inner workings of legacy addresses has been abundant on the web for many years. You can, of course, find detailed guides for segwit addresses too, but these guides and code samples are quite technical. We didn’t expect that 10 weak segwit addresses would be robbed in seconds. But we were obviously wrong.

And this is interesting. It highlights the utter importance of using safe methods for creating private keys, regardless of which address type you use.
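To make the contrast concrete, here is the brainwallet key derivation described above next to a safe alternative, plus a check that flags a key as brainwallet-derived. This is an added example, not code from this site; the function names and the sample wordlist are hypothetical, and the three post passwords in it are taken from the list above.

```python
import hashlib
import secrets

# Order of the secp256k1 group; a valid private key k satisfies 1 <= k < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed sample wordlist: three passwords from this post plus filler.
WEAK_WORDLIST = ["123456", "1", "letmein", "password123", "abc123"]


def brainwallet_key(passphrase: str) -> bytes:
    """Weak: the key is fully determined by a guessable passphrase."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def is_valid_key(key: bytes) -> bool:
    """True if key is 32 bytes and inside the valid secp256k1 scalar range."""
    return len(key) == 32 and 1 <= int.from_bytes(key, "big") < SECP256K1_N


def secure_key() -> bytes:
    """Hardened: 256 bits from the OS CSPRNG, rejecting out-of-range values."""
    while True:
        key = secrets.token_bytes(32)
        if is_valid_key(key):
            return key


def audit_key(key_hex: str, wordlist=WEAK_WORDLIST):
    """Return the passphrase if key_hex is the single-round SHA-256 of any
    wordlist entry (i.e. a brainwallet key), otherwise None."""
    index = {brainwallet_key(word).hex(): word for word in wordlist}
    return index.get(key_hex.strip().lower())


if __name__ == "__main__":
    samples = {
        "key listed for 'password123'":
            "ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f",
        "fresh CSPRNG key": secure_key().hex(),
    }
    for label, key_hex in samples.items():
        hit = audit_key(key_hex)
        verdict = "not in wordlist" if hit is None else f"WEAK, passphrase {hit!r}"
        print(f"{label}: {verdict}")
```

A key that passes this audit is only as good as the wordlist it was checked against; the safe path is to never derive keys from memorable text in the first place.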

Comments and questions?

One more thing!

Consider the donation address at the bottom of the page. We re-invest all contributions into new projects for btcleak.com. Help us create new content and remain ad-free forever. Thank you.

One Reply to “Steal our Bitcoin – a small segwit bounty [Updated!]”

  1. […] the first round resulted in Bitcoin theft within seconds, we have decided to step up the game for the second round. […]
