Police in Canada hunt BTC ATM double-spend scammers
Some 112 transactions dating back to September 2018 have been flagged by authorities as double-spend transactions, allowing scammers to steal money by effectively spending the same BTC twice. The scam is thought to have involved an average transaction value of $1,800, with a total of $200,000 scammed by the group over a period of 10 days.
Over half the identified transactions have been attributed to ATMs in Calgary, with the remainder spread between Winnipeg, Toronto, Montreal, Sherwood Park, Ottawa and Hamilton.
The scam has been made possible through 0-confirmation transactions at the ATMs, enabling double spending while forcing merchants to wait for confirmation.
Much of the blame has been laid at tools like replace-by-fee from Bitcoin Core developer Peter Todd, which could have enabled these zero-confirmation transactions. While not designed for criminal applications, the tool is described by Todd as a means of creating successive transactions to smooth ‘stuck’ transactions.
On GitHub, Todd explained, “[Replace by fee] Creates two transactions in succession. The first pays the specified amount to the specified address. The second double-spends that transaction with a transaction with higher fees, paying only the change address. In addition you can optionally specify that the first transaction additional OP-RETURN, multisig, and ‘blacklisted’ address outputs. Some miners won’t accept transactions with these output types; those miners will accept the second double-spend transaction, helping you achieve a successful double-spend.”
While tools like replace by fee are controversial, their use is practical necessity, ensuring users can transact quickly without waiting for confirmations. But with the extent of this latest theft, which has seen scammers walk with as much as $20,000 a day in ill-gotten gains, serious questions must now be asked about BTC as a payments system.
The truth is BTC is no longer up to the job, and is riddled with technical problems which undermine trust and usability.
For the time being at least, those alleged to have been involved in the thefts remain at large.
To receive the latest CoinGeek.com news, special discounts on CoinGeek Conferences and other inside information direct to your inbox, please sign up for our mailing list.