This is How Scammers Double Spent $200k Worth of Bitcoins in Seven Canadian Cities
The sole purpose of crypto is to bring power back to the masses. Bitcoin led the way and, as a revolutionary coin, it is a product of adversity and a leader of a transformation. With every induction, the coin edges closer to mainstream adoption, and that is precisely what every enthusiast and observer wants. Considering its global nature and the influence it can have, making these coins accessible to everyone is a top priority.
For this reason, the team behind this novel drive saw fit to introduce Bitcoin kiosks, or crypto teller machines. Although there is no connection with machines dispensing government-issued fiat, these ATMs embody decentralization. They can be two-way, meaning you can buy supported cryptocurrencies and some also allow conversion of crypto assets to fiat. They are convenient points where users can sell supported coins for a fee while receiving an equivalent amount in fiat.
In North America, the US leads in the number of installed ATMs, but it is Canada that is grabbing all the attention thanks to a recent and unfortunate heist that saw $200k in cash double spent by four scammers across seven towns, including Calgary, with 45 Bitcoin ATMs, and Montreal, with 102 ATMs.
Back to Basics: Double Spending and Zero-Confirm Transactions
But the question on everyone's mind is: how did they pull it off? How did they double spend what is supposedly an immutable transaction? To understand how they did it and how rampant it can be, we must familiarize ourselves with two terms: first, the meaning of a double spend and second, why merchants prefer zero-confirm transactions. At its most basic, a double spend is the risk that any cryptocurrency can be spent twice.
It is a problem specific to digital assets, and cryptocurrencies in particular, in that digital information can be replicated. The good thing is that Satoshi successfully demonstrated that, by employing a decentralized system where mathematics and encryption verify transaction logs, it was possible to stop double-counting.
On the other hand, zero-confirm transactions are broadcast transactions that are yet to be confirmed by a miner. A valid transaction is one that has been acknowledged by a miner (the number of confirmations doesn’t matter) and consequently etched into the blockchain. Double spending is discouraged and has been made expensive for would-be attackers.
Convenience Over Security?
Unfortunately, there is a new breed of users who prefer speed over the security of their digital assets. It is understandable. Because of the 10 to 20 minute wait that a typical Bitcoin transaction takes, merchants and users who accept zero-confirm transactions need not wait, though the practice is a debatable subject. Not all ATMs accept zero-confirm transactions. Merchants using BitPay as an intermediary automatically accept zero-confirm transactions but these are adjusted. Casinos do accept zero-confirm deposits but need at least three confirmations for withdrawal.
All the same, these scammers took advantage of this lack of
confirmation, reversing those transactions and thereafter converting the same
Bitcoins for cash.
In the early days of Bitcoin, it was possible to send transactions for free if they were small enough or had an element of priority. However, with increasing use and miners in it for profit, a user must pay for every transaction. And not just any fee: miners are in business, and the higher the fee, the faster the confirmation. The applicable fee at any time is expressed as a fee rate, measured in satoshis per byte. Now, since not all ATMs accept zero-confirm transactions, it is likely that they did their homework and, after picking out the ATMs that do, replaced older Bitcoin transactions with new ones carrying higher fees, so that miners paid attention and confirmed them, in a procedure known as Replace by Fee (RBF). RBF was introduced in BIP-0125.
If that didn’t work out, they could just as well send the original amount to their own Bitcoin wallet(s) while including a better fee. The only trick for this double spending is that the wallet of choice must support double spending in one way or another. Any of these options are legal and Satoshi
Nakamoto introduced them but was disabled at some point—after Bitcoin Core