CBC reports that four Canadian men are wanted in connection with conducting double-spend attacks against Bitcoin ATMs in four cities. A total of 112 transactions are alleged to have taken place in September last year, with half of them taking place in Calgary. The other attacks took place in Winnipeg, Toronto, Montreal, Sherwood Park, Ottawa and Hamilton. The men’s identities are unknown, and Calgary police are asking for help identifying them.
Apparently, the Bitcoin ATMs accepted zero-confirmation transactions, and the men exploited this fact to double-spend Bitcoin in exchange for cash. Over 112 transactions in 10 days netted the scammers a total of around $200,000. The average transaction was around $1800.
Arguably, Canadian Bitcoin Core developer Peter Todd’s replace-by-fee tools would make these transactions possible. While not specifically intended or endorsed for criminal activity, the tool enables “stuck” transactions to become unstuck by paying an extra fee. There is a “double spend” tool in the kit, however, which is described by Todd as such:
Creates two transactions in succession. The first pays the specified amount to the specified address. The second double-spends that transaction with a transaction with higher fees, paying only the change address. In addition you can optionally specify that the first transaction additional OP-RETURN, multisig, and “blacklisted” address outputs. Some miners won’t accept transactions with these output types; those miners will accept the second double-spend transaction, helping you achieve a succesful double-spend.
From a philosophical standpoint, the tools are controversial, but intended to encourage services and users to wait for at least one confirmation before considering a transaction completed. Double-spending of unconfirmed transactions has always been possible on Bitcoin and the RBF toolkit did not change that fact. As Peter Todd wrote in after the initial publication of this article:
The simple truth of the matter is that the ATM operator in question is negligent if they are accepting unconfirmed transactions without other mitigating security measures such as obtaining positive legal identification; the fact that they’re asking for help in identifying the thieves is a strong sign of such negligence. This is no different than, say, a store selling high value items choosing not to hire cashiers and instead relying on an “honesty box” for payment.
However, in reality, it’s inconvenient to have customers standing around for 10-30 minutes (or longer) for a transaction to go through. Convenience at the expense of security is a decision the yet-unidentified ATM operators seem to have to made.
We did a bit of research. Calgary has a total of 45 Bitcoin ATMs. However, only 21 of them allow for Bitcoin sales. Several different companies including Bitnational, Bitcoin Solutions, and Bitcoiniacs own these ATMs. Some have a daily sales limit up to $9000.
CCN.com was unable to get any of these companies on the phone. We wanted to inquire whether they allow for 0-confirmation transactions or not.
Calgary has two major brands of ATM. Genesis Coin is one of the most popular brands. Lamassau is another popular commercial brand of Bitcoin ATM.
Presumably, ATM owners set the transaction requirements. To do our part, we urge any Canadian readers who might know the identities of these crooks (pictured above) to contact the Calgary police.
First from the left allegedly attacked ATMs in Toronto, Montreal, Ottawa and Hamilton. The second is the most prolific, who attacked ATMs in Calgary. The third was in Winnipeg while the last was Sherwood Park. He’s wearing sunglasses, so might be the hardest to identify. You can make anonymous reports via Calgary Crime Stoppers.
Bitcoin is a small world. The people with the technical ability to pull this off are not great in number.
The news follows a recent physical brute force attack on a Bitcoin ATM in Memphis, Tennessee, wherein the owners suspected the thief wanted to get their $500 back after buying BTC.
Featured image from Calgary Police Service.
Last modified: July 3, 2020 1:03 PM UTC