I agree with Loyce. If you are already running a device 24/7 anyway to host a node, then it costs you nothing to have a script running on that device watching a database of compromised addresses and waiting to sweep any funds which appear. And when we occasionally see transactions like the one Loyce mentioned of ~0.84 BTC, or the one in the post I linked to above of almost 1 BTC, that is more than enough incentive for several people to continually run bots. Each individual will be hoping that their database contains unique addresses, or even actively seeking out unique brain wallets or less common sources of compromised keys.