Board: Bitcoin Technical Support

Abnormal BTC transfer in and out of address in the same block, how is it possible?

by loupiote on 12/06/2023, 07:13:14 UTC
A user contacted me about a weird / abnormal situation that caused them to lose 1.26869 BTC when transferring from Kraken to a wallet address under their control.

I can confirm that the situation (as seen on the blockchain) is very abnormal, and I cannot understand what caused it.

Basically, one BTC block contains 2 Txs:

- one is the transfer from Kraken to the user account address A (it's a native segwit address in the user's wallet), which is the Tx that the user initiated by a withdrawal from Kraken,

- and in the same BTC block, there is a suspicious Tx from the user account address A to an unrecognized segwit address B that is not under control of the user, for a similar amount.

My understanding is that 1) this second (suspicious) Tx that moved the user funds could only have been signed by the user's private key - so likely a case of leaked key - and 2) this suspicious Tx sending the funds to address B could not have been normally initiated because no funds were on address A before the withdrawal from Kraken (which is mined in the same BTC block).

Can the BTC network (mempool) accept a Tx that moves funds from an address that has no balance / UTXO?

This situation seems very abnormal to me, and the only way I think it could happen is with this BTC block 793728 being crafted by a malicious miner (or maybe a bot scanning the mempool?) who had access to the user's private key, in order to include the malicious signed Tx (A -> B) in that same block where the Kraken withdrawal was done.

Here is the info:

xpub: xpub6DAPV7c9WDLEg7GvJwZ2ptDmmQVfq7fB1hLKJJGg7P6kkLdBGnuBccSFbzBCcc6iZKZhnprKH6UQ5NNa4bkYRFVN91MuumjyE46oPSCgsCL

address A: https://www.blockchain.com/explorer/addresses/btc/bc1q927v5jvzm9pxkdxr0l8q325r3mrz8e9jp56cga (you can see both Txs on this page)

address B: https://www.blockchain.com/explorer/addresses/btc/bc1qn3rwwaaayt4ugusftlzac22rmve29mqcg6v5dt (where the BTC are now sitting)

BTC block: 793728

Have you guys seen anything like that before? And why is such a hack possible?
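Added example (not from the original post or any wallet's code): a toy checker illustrating the consensus rule that lets a block contain both a deposit to A and a spend from A. A transaction may spend an output of another transaction in the same block as long as the parent is ordered before the child, and nodes relay such unconfirmed-parent spends, so no malicious miner is needed. The block, txids, addresses and amounts below are constructed placeholders; the sweep detector is the kind of check a wallet or exchange monitor could run to flag this pattern.

```python
from collections import namedtuple

# inputs: list of (prev_txid, vout); outputs: list of (address, satoshis)
Tx = namedtuple("Tx", ["txid", "inputs", "outputs"])


def validate_block_order(txs):
    """True if every input spends either an output from outside the block or
    an output of a transaction that appears EARLIER in the same block.
    This is the ordering rule consensus enforces for intra-block spends."""
    in_block = {t.txid for t in txs}
    seen = set()
    for t in txs:
        for prev_txid, _ in t.inputs:
            if prev_txid in in_block and prev_txid not in seen:
                return False  # child placed before its parent: invalid block
        seen.add(t.txid)
    return True


def same_block_sweeps(txs, watched):
    """Find outputs paid to a watched address that are spent again by another
    transaction in the same block. Returns a list of
    (deposit_txid, vout, spending_txid, destination_addresses)."""
    by_txid = {t.txid: t for t in txs}
    hits = []
    for t in txs:
        for prev_txid, vout in t.inputs:
            parent = by_txid.get(prev_txid)
            if parent is None:
                continue  # parent confirmed in an earlier block: not a same-block chain
            addr, _ = parent.outputs[vout]
            if addr in watched:
                hits.append((prev_txid, vout, t.txid, [a for a, _ in t.outputs]))
    return hits


# Constructed mini-block (placeholder txids/addresses, not real chain data):
# coinbase, an exchange withdrawal paying address_A, and a sweep that spends
# that fresh output to address_B within the same block.
BLOCK = [
    Tx("coinbase00", [], [("miner_addr", 625_000_000)]),
    Tx("withdrawal_tx", [("exchange_hot_wallet_tx", 0)],
       [("address_A", 126_869_000), ("exchange_change", 50_000)]),
    Tx("sweep_tx", [("withdrawal_tx", 0)], [("address_B", 126_850_000)]),
]

if __name__ == "__main__":
    print("valid order:", validate_block_order(BLOCK))
    print("same-block sweeps:", same_block_sweeps(BLOCK, {"address_A"}))
```

Note that address A never had a confirmed UTXO before this block: the sweep's only input is output 0 of the withdrawal, which only exists once the withdrawal precedes it in the block.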