Ok there is one good explanation for this case that I found in another comment here [0]: the person who found the private key made a transaction moving only part of the full reward, but in doing so exposed the full public key. A was monitoring the puzzle address for activity, picked up the public key, used it to crack the private key quickly and moved the rest of the funds.

Fascinating that the original cracker wouldn't know these details about Bitcoin transactions.

[0] https://news.ycombinator.com/user?id=mrb

You can't derive an secp256k1 privkey from the associated pubkey. That's the whole point.

You are right in the general case. But the public key is included in a transaction when it gets signed, and in this particular case the attackers already had part of the private key, that's what allowed a different attacker to combine both pieces and break the private key quickly.

I am not sure about this one but for the other puzzles, the solution is usually hashed and the submitter has to provide the solution in the Bitcoin script to solve for the hash. This disclose the solution (and thus the private key). This is not the case for signed Bitcoin transactions but these have special script functions. So if you don't use those, you lose these protections.