transactions – double spend the mempool to outbid an attacker


Many nodes today will not replace any transaction in their mempool with another transaction that spends the same inputs, making it difficult for spenders to adjust their previously-sent transactions to deal with unexpected confirmation delays or to perform other useful replacements.

First paragraph of ‘Abstract’ section in BIP 125

Maybe if the transaction had RBF enabled it would be helpful, or if the transaction had a change address in its outputs to try CPFP.

Hackers are expected to use a high fee rate, no RBF, no change address, etc., although that’s not the case in a lot of incidents that I have observed.
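
The two conditions mentioned in the answer above can be checked directly on a raw transaction. This is an added example, not part of the original answer: it parses the transaction hex, reports whether any input explicitly signals BIP 125 replaceability, and lists outputs paying a script you control (CPFP candidates). The function names and the sample transaction are constructed for illustration, and only explicit signaling is checked, not signaling inherited from unconfirmed ancestors.

```python
"""Check a raw Bitcoin transaction for explicit BIP 125 signaling and CPFP-usable outputs."""
MAX_RBF_SEQUENCE = 0xFFFFFFFD  # BIP 125: any input nSequence < 0xfffffffe signals opt-in RBF

class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated transaction")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def varint(self):  # Bitcoin CompactSize integer
        first = self.take(1)[0]
        if first < 0xFD:
            return first
        return int.from_bytes(self.take({0xFD: 2, 0xFE: 4, 0xFF: 8}[first]), "little")

def parse_tx(raw_hex):
    """Return ([nSequence per input], [(value_sats, scriptPubKey_hex) per output])."""
    r = Reader(bytes.fromhex(raw_hex))
    r.take(4)                                  # version
    n_in = r.varint()
    if n_in == 0:                              # segwit serialization: marker 0x00, then flag
        r.take(1)
        n_in = r.varint()
    sequences = []
    for _ in range(n_in):
        r.take(36)                             # previous outpoint (txid + index)
        r.take(r.varint())                     # scriptSig
        sequences.append(int.from_bytes(r.take(4), "little"))
    outputs = []
    for _ in range(r.varint()):
        value = int.from_bytes(r.take(8), "little")
        outputs.append((value, r.take(r.varint()).hex()))
    return sequences, outputs                  # witness data and locktime are not needed

def signals_rbf(raw_hex):
    return any(seq <= MAX_RBF_SEQUENCE for seq in parse_tx(raw_hex)[0])

def cpfp_outputs(raw_hex, my_scripts):
    """Indexes of outputs paying a scriptPubKey we control: candidates for a CPFP child."""
    return [i for i, (_, spk) in enumerate(parse_tx(raw_hex)[1]) if spk in my_scripts]

def sample_tx(sequence_hex, segwit=False):
    """Constructed sample, not a real transaction: one input, two P2WPKH outputs."""
    return "".join(["02000000", "0001" if segwit else "", "01", "11" * 32, "00000000", "00",
                    sequence_hex, "02", "a086010000000000", "160014" + "aa" * 20,
                    "1027000000000000", "160014" + "bb" * 20,
                    "0100" if segwit else "", "00000000"])
```

An nSequence of 0xfffffffe enables locktime but does not signal replaceability, which is why the threshold is 0xfffffffd.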