{"id":87559,"date":"2023-11-27T15:31:28","date_gmt":"2023-11-27T13:31:28","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=87559"},"modified":"2025-09-13T12:36:59","modified_gmt":"2025-09-13T09:36:59","slug":"man-who-paid-a-record-3-1m-in-bitcoin-fees-says-he-was-hacked","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/man-who-paid-a-record-3-1m-in-bitcoin-fees-says-he-was-hacked\/","title":{"rendered":"Man who paid a record $3.1m in Bitcoin fees says he was hacked."},"content":{"rendered":"<p>The user going by the handle 83_5BTC, from the <a href=\"https:\/\/mempool.space\/tx\/b5a2af5845a8d3796308ff9840e567b14cf6bb158ff26c999e6f9a1f5448f9aa\">\u0430\u0434\u0440\u0435\u0441\u0430<\/a> from which a record $3.1m fee was paid on November 23, says he has fallen victim to a hacker.<\/p>\n<p>\u200b\u200b<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">It was my BTC that paid the high fee. <\/p>\n<p>I created a new cold wallet, transferred 139BTC to it and it got transferred out to another wallet immediately. ?<\/p>\n<p>I can only imagine that someone was running a script on that wallet and that the script had a weird fee calculation. \u2639\ufe0f<\/p>\n<p>\u2014 Hackers_paid_83.5BTC_fee_with_my_money (@83_5BTC) <a href=\"https:\/\/twitter.com\/83_5BTC\/status\/1727996658758058120?ref_src=twsrc%5Etfw\">November 24, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to him, the attacker stole more than 139 BTC ($5.2m), including transaction costs of 83.65 BTC ($3.1m).<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abI created a new cold wallet, transferred 139 BTC to it, and they were immediately transferred to another address. I can only suppose that someone was running a script on that wallet and that the script had a strange fee calculation\u00bb, the user said.<\/p>\n<\/blockquote>\n<p>As proof of his words, 83_5BTC signed a message from the specified Bitcoin address: &#8220;@83_5BTC is the owner of the funds that paid the high fee&#8221;. The signature was verified by Mononaut, the developer of the Mempool tool.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">The signature checks out, <a href=\"https:\/\/twitter.com\/83_5BTC?ref_src=twsrc%5Etfw\">@83_5BTC<\/a> apparently controls the key that paid that 83.7 BTC fee.<\/p>\n<p>1\/? <a href=\"https:\/\/t.co\/vmZFn6sozN\">https:\/\/t.co\/vmZFn6sozN<\/a> <a href=\"https:\/\/t.co\/rFcxmxOCwO\">pic.twitter.com\/rFcxmxOCwO<\/a><\/p>\n<p>\u2014 mononaut (@mononautical) <a href=\"https:\/\/twitter.com\/mononautical\/status\/1728946778798793126?ref_src=twsrc%5Etfw\">November 27, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abThe signature is verified; @83_5BTC apparently does control the key that paid the 83.7 BTC fee\u00bb, the expert noted.<\/p>\n<\/blockquote>\n<p>Co-founder of Casa and CTO Jameson Lopp also confirmed the signature.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Oops.<br \/>\u2705 signature verified<a href=\"https:\/\/t.co\/a2Zt74RVf2\">https:\/\/t.co\/a2Zt74RVf2<\/a> <a href=\"https:\/\/t.co\/NK8ZLS0O6S\">pic.twitter.com\/NK8ZLS0O6S<\/a><\/p>\n<p>\u2014 Jameson Lopp (@lopp) <a href=\"https:\/\/twitter.com\/lopp\/status\/1728957651051299226?ref_src=twsrc%5Etfw\">November 27, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Nevertheless, because the wallet was compromised, the signature could very likely have been created by a hacker.<\/p>\n<p>A member of the niftydev community said he knows the person behind the 83_5BTC account, and that he is not the attacker.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">i know this guy: he started an anon account + is trying to get his bitcoins back after a wallet got hacked last week; if you know anyone at <a href=\"https:\/\/twitter.com\/AntPoolofficial?ref_src=twsrc%5Etfw\">@AntPoolofficial<\/a> etc retweets whatever appreciated <a href=\"https:\/\/t.co\/ImpormWHWY\">https:\/\/t.co\/ImpormWHWY<\/a><\/p>\n<p>\u2014 niftydev (b\/acc) (@niftynei) <a href=\"https:\/\/twitter.com\/niftynei\/status\/1728971001860624799?ref_src=twsrc%5Etfw\">November 27, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Representatives of AntPool, who verified the transaction, did not comment on the situation.<\/p>\n<p>According to Mononaut, the most likely reason for the hack was the victim&#8217;s wallet&#8217;s low entropy, making it vulnerable.<\/p>\n<p>In such a scenario, several attackers could vie to steal funds and raise the fee to speed withdrawals to their own address, the expert added.<\/p>\n<p>Mononaut also noted that the paid fee was exactly 60% of the total stolen 139.42 BTC, and the potential hacker additionally withdrew 0.001 BTC from the same address, paying 0.0006 BTC in fees.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">I just noticed that the ~83.7 BTC fee was exactly 60% of the stolen UTXO value.<\/p>\n<p>(60% \u00d7 139.42495946 = 83.65497568)<\/p>\n<p>And the attacker *also* swept a 100k sat UTXO from the same address, paying exactly 60k sats in fees <a href=\"https:\/\/t.co\/b88xsi2iFk\">https:\/\/t.co\/b88xsi2iFk<\/a><\/p>\n<p>\u2014 mononaut (@mononautical) <a href=\"https:\/\/twitter.com\/mononautical\/status\/1729045556662792283?ref_src=twsrc%5Etfw\">November 27, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u00abThis, in combination with the speed of the theft, seems a reasonable demonstration of automated scripting by the attacker\u00bb, the expert explained.<\/p>\n<\/blockquote>\n<p>Earlier on September 10, the Rahos blockchain infrastructure company <a href=\"https:\/\/forklog.com\/en\/news\/unknown-user-paid-510000-in-fees-to-transfer-0-074-btc\">paid<\/a> 19.82 BTC ($510,750) in fees to miners for transferring 0.074 BTC (~$1,800).<\/p>\n<p>Representatives of F2Pool said that after the necessary checks <a href=\"https:\/\/forklog.com\/en\/news\/media-identify-paxos-as-the-sender-of-a-bitcoin-transaction-with-a-510000-fee\">returned to the company<\/a> its bitcoins.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The user going by the handle 83_5BTC, from the address from which a record $3.1m fee was paid on November 23, says he has fallen victim to a hacker.<\/p>\n","protected":false},"author":1,"featured_media":87560,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[226,18,1178,1227,44],"class_list":["post-87559","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-antpool","tag-bitcoin","tag-blockchain-fees","tag-cryptocurrency-transactions","tag-cybercrime"],"aioseo_notices":[],"amp_enabled":true,"views":"26","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/87559","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=87559"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/87559\/revisions"}],"predecessor-version":[{"id":87561,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/87559\/revisions\/87561"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/87560"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=87559"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=87559"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=87559"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}