Every Bitcoin address is based on a secret key, from which the public key (associated to a Bitcoin address) is calculated. Once you have the private key for an address, you have the control of that address and can use it to transfer funds.
This secret key is a 32-bytes unsigned integer. You can generate a lot of secret keys, calculate the public keys associated to them and see if they contain bitcoins. If it’s the case, you can transfer the money to an address you control, because you have the secret key.
Such an attack is completely infeasible, because the private key space is really, really huge. There are 115792089237316195423570985008687907853269984665640564039457584007913129639936 secret keys available (1077).
Oh, and they are all listed on directory.io ! Of course, this website is a kind of joke, and all is calculated on the fly when you request a specific page. It also shows the danger of entering your secret key on an unknown website, for example to see if it was compromised…
However, we can bruteforce only a tiny fraction of this space, concentrating on secret keys with some distinctive features. This is what I will explain.