there was actually a lot of competition to steal this output, so it was probably a well-known or very low-entropy address.
but for whatever reason this version that burnt it all to fees was received first by most mempool servers, so the RBF history isn't visible.
the attacker's address has a long history of similar activity.
e.g., here's another transaction from a few months ago that vaporized almost a full bitcoin to fees in order to steal only ~86k sats
it's hard to say why they've adopted this strategy.
it could be that the automated tool they use to sweep compromised funds is just terrible at bidding.
or perhaps it's a deliberate "scorched earth" policy to discourage competitors.
or it could be much more sophisticated:
by broadcasting two conflicting theft transactions simultaneously - one profitable, the other burning it all to fees - there's a slim possibility that a non-full-RBF miner will still mine the first, while the second blocks competing txs.
Original tweet: https://x.com/mononautical/status/1800496416252743919
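
A monitoring-side view of the pattern discussed in the thread, as an added example that is not part of the original tweets: it groups a mempool sample by contested outpoint and flags conflict sets in which one spender burns nearly all of its input value to fees while another spender does not. The record layout, the `burn_threshold` default, and every txid, outpoint and amount below are constructed assumptions, not data from the transactions the thread refers to.

```python
from collections import defaultdict

# Constructed sample, not real transactions. Values are in sats.
# tx_b has zero output value (e.g. a single data-carrier output): all value goes to fees.
SAMPLE_MEMPOOL = [
    {"txid": "tx_a", "spends": ["prev0:0"], "in_value": 100_000_000, "out_value": 99_990_000},
    {"txid": "tx_b", "spends": ["prev0:0"], "in_value": 100_000_000, "out_value": 0},
    {"txid": "tx_c", "spends": ["prev1:1"], "in_value": 50_000, "out_value": 49_000},
    {"txid": "tx_d", "spends": ["prev2:0"], "in_value": 500_000, "out_value": 499_000},
    {"txid": "tx_e", "spends": ["prev2:0"], "in_value": 500_000, "out_value": 498_000},
]


def fee_ratio(tx):
    """Fraction of the input value that goes to the miner as fee."""
    if tx["in_value"] <= 0:
        raise ValueError(f"{tx['txid']}: input value must be positive")
    fee = tx["in_value"] - tx["out_value"]
    if fee < 0:
        raise ValueError(f"{tx['txid']}: outputs exceed inputs")
    return fee / tx["in_value"]


def contested_outpoints(txs):
    """Map each outpoint spent by more than one transaction to its spenders."""
    spenders = defaultdict(list)
    for tx in txs:
        for outpoint in set(tx["spends"]):
            spenders[outpoint].append(tx)
    return {op: group for op, group in spenders.items() if len(group) > 1}


def flag_fee_burn_conflicts(txs, burn_threshold=0.99):
    """Report conflict sets; 'mixed' marks a fee-burner next to a normal spender."""
    report = []
    for outpoint, group in sorted(contested_outpoints(txs).items()):
        burners = [t["txid"] for t in group if fee_ratio(t) >= burn_threshold]
        report.append({
            "outpoint": outpoint,
            "spenders": [t["txid"] for t in group],
            "burners": burners,
            "mixed": 0 < len(burners) < len(group),
        })
    return report


if __name__ == "__main__":
    for row in flag_fee_burn_conflicts(SAMPLE_MEMPOOL):
        print(row)
```

An ordinary RBF fee bump (`tx_d` / `tx_e`) shows up as a contested outpoint but is not marked `mixed`, which separates it from the burn-plus-profitable pairing.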