“Unauthorized access” only occurs when you defeat a safeguard without the owner’s permission.
The puzzle creator has already said “first to crack the key keeps the coins,” which is explicit consent, exactly like a bug-bounty program inviting you to hack their test server. Contract law treats that as a unilateral offer: perform the task, keep the reward. Once consent is public, brute-forcing the key is neither theft nor computer misuse, because the owner has waived exclusivity and the only “system” you touch is the open blockchain.
Here:
Computer Fraud and Abuse Act — 18 U.S.C. § 1030(a): every CFAA offense hinges on accessing a computer “without authorization” or “exceeding authorized access.” If the owner invites you to try, that element is missing.
https://www.law.cornell.edu/uscode/text/18/1030And there:
DOJ charging policy for the CFAA (19 May 2022): prosecutors are told not to bring charges for “good-faith security research” when the owner has authorized the activity.
https://www.justice.gov/archives/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-actThe puzzle creator’s public statement might imply consent, but unless it’s a legally binding contract (with clear terms, jurisdiction, and revocation mechanisms), authorities could still argue the method of access (e.g., brute-forcing) violates computer crime statutes. Courts often interpret “authorization” narrowly, e.g., Van Buren v. United States (2021) highlighted ambiguities in what exceeds "authorized access."
While the DOJ’s 2022 policy discourages charges for "good-faith security research," brute-forcing a private key lacks the same recognized public benefit as vulnerability disclosure. The policy also explicitly excludes "malicious" acts, and prosecutors might view unsanctioned access to funds (even via puzzles) as financially motivated rather than research.
Even if CFAA liability is avoided, criminal theft laws (e.g., state statutes) could apply. Most jurisdictions require explicit, lawful transfer of property. Cracking a key isn’t a traditional legal mechanism. The creator’s intent might not override statutory definitions of theft or fraud.
Unlike a test server in a bug bounty, the blockchain is a public ledger; the "system" accessed is the network itself. If the wallet’s security relies on cryptographic safeguards, bypassing them could be argued as circumventing a "technological barrier" under laws like the DMCA §1201 (though this is untested for puzzles).
Think about it for 2 seconds, these are addresses whose private keys are very limited in their range and created specifically to make them easier to find. What don't you understand about the law? It's written in black and white.