With the growth of Bitcoin’s popularity, more businesses are starting to accept it as a mode of payment. As with any financial asset, increased acceptance is coupled with a rise in fraud attacks. Although Bitcoin was designed so that transactions are publicly verified, the Bitcoin ecosystem will always witness attempts at double spending as a primary way of committing fraud on the network. Criminals look to a) spend coins at stores while also, b) transferring the same to their own wallets, thus effectively revoking payments and defrauding merchants.
Fraudsters adopt a wide spectrum of strategies for this purpose.
In the “race attack” variant, they send the two conflicting transactions in rapid succession into the network, aiming for only the wallet transfer to be confirmed. In order to ensure this, criminals often use the Replace-by-Fee (RBF) option, available in many wallets. Here, fees accompanying merchant payments are set low enough to discourage miners from validating those transactions. After a few minutes, pending payments are cancelled by changing the recipient address to that of one’s own wallet.
Offenders also carry out “Finney attacks” — sending payment transactions directly to nodes of retailers, while broadcasting wallet transfers across the entire network. This technique also increases chances of payments being repealed. Other strategies include “Vector76 attacks” (a combination of the above two typologies).
Unfortunately, it takes 10 minutes, on average, to confirm that a Bitcoin transaction is not a double-spending attempt. Fast-pay merchants (such as ATMs, vending machines, quick-service eateries) cannot afford to wait for confirmed payments. Thus, they are exposed to fraud risk, as goods change hands before victims realize that payments have been cancelled.
Then there are other threat vectors (such as “fork attacks”), where sellers might be duped, even after…