This is How Scammers Double Spent $200k Worth of Bitcoins in Seven Canadian Cities

The sole purpose of crypto is to bring power back to the masses. Bitcoin led the way, and as a revolutionary coin it is a product of adversity and a leader of a transformation. This means that, with every induction, the coin is edging closer to mainstream adoption, and that is precisely what every enthusiast and observer wants. Considering its global nature and how much it can shape, making these coins accessible to everyone is a top priority.

For this reason, the team behind this novel drive saw it fit to introduce Bitcoin kiosks, or crypto teller machines. Although there is no connection with the machines dispensing government-issued fiat, these ATMs embody decentralization. They can be two-way, meaning you can buy supported cryptocurrencies, and some allow conversion of crypto assets to fiat. Obviously, they are convenient points where users can sell supported coins for a fee while receiving an equivalent amount in fiat.

In North America, the US leads in the number of installed ATMs, but it is Canada that is grabbing all the attention thanks to a recent and unfortunate heist that saw $200k in cash double spent by four scammers across seven towns, including Calgary, with 45 Bitcoin ATMs, and Montreal, with 102 ATMs.

Back to Basics: Double Spending and Zero-confirm Transactions

But the question on everyone's mind is: how did they pull it off? How did they double spend what is supposedly an immutable transaction? To understand how they did it and how rampant it can be, we must familiarize ourselves with two terms: first, the meaning of double spending, and second, why merchants prefer zero-confirm transactions. At its bare minimum, a double spend is simply the risk that any cryptocurrency can be spent twice.

It is a problem specific to digital assets, and cryptocurrencies in particular, because digital information can be replicated. The good thing is that Satoshi successfully demonstrated that, by employing a decentralized system where mathematics and cryptography verify transaction logs, it was possible to stop double-counting.

On the other hand, zero-confirm transactions are broadcast transactions that are yet to be confirmed by a miner. A valid transaction is one that has been acknowledged by a miner (the number of confirmations doesn't matter) and consequently etched into the blockchain. Double spending is discouraged and has been made expensive for would-be attackers.

Convenience Over Security?

Unfortunately, there is a new breed of users who prefer speed over the security of their digital assets. It is understandable. Given the 10 to 20 minute wait that a typical Bitcoin transaction takes, merchants and users who accept zero-confirm transactions need not wait, although the practice is a debatable subject. Not all ATMs accept zero-confirm transactions. Merchants using BitPay as an intermediary automatically accept zero-confirm transactions, but these are adjusted. Casinos do accept zero-confirm deposits but need at least three confirmations for withdrawal.

All the same, these scammers took advantage of this lack of confirmation, reversing those transactions and thereafter converting the same Bitcoins for cash.

In the early days of Bitcoin, it was possible to send transactions without paying a fee if they were small enough or had an element of priority. However, with increasing use and miners in it for profit, a user must pay for every transaction. And not just any fee: miners are in business, and the higher the fee, the faster the confirmation. The applicable fee at any time is expressed as a fee rate, measured in satoshis per byte. Now, since not all ATMs accept zero-confirm transactions, it is likely that the scammers did their homework and, after picking out the ATMs that do, replaced their older Bitcoin transactions with new ones carrying higher fees, so that miners paid attention and confirmed the replacements instead. This procedure is known as Replace by Fee (RBF). RBF was introduced in BIP-0125.

If that didn’t work out, they could just as well send the original amount to their own Bitcoin wallet(s) while including better fees. The only trick for this double spending is that the wallet of choice must support double spending in one way or another. Any of these options is legal; Satoshi Nakamoto introduced them, but they were disabled at some point, after Bitcoin Core 0.12+.