hi
i checked about 20 spreadsheets of bounty campaigns. and in these lists i found about 15 private keys to ETH addresses.
people post their key instead of their address.
all the addresses had nothing in it. maybe somebody else already emptied them.
Op, thank you for this wonderful observation as I think this is very possible and hackers can take advantage of this and steal people ethereum. What on earth would make some one to post it private keys in the place of his ethereum address. I agree with op that some one most have hacked those accounts and stole those ethereum balance.