$200k Bitcoin Fraud: Four Suspects Sought by Calgary Police
Canadian police are on the hunt for four individuals, suspected of a defrauding a local bitcoin company via “double spend” attacks on Bitcoin ATMs. CBC News reported March 12, 2019, that law enforcement officials are asking for useful information from the public leading to the arrest of the suspects.
Details of the Theft
According to the report, the suspects carried out multiple instances of fraud against a Canadian bitcoin ATM operator in seven cities across the country. Calgary police say they began investigating the matter in October 2018 after receiving a tip-off.
The cybercrime division of the Calgary Police believes that these suspected fraudsters with in-depth knowledge of bitcoin transactions successfully pulled off 112 double spend attacks over a span of ten days. According to the police, the suspects would initiate a withdrawal from the company’s bitcoin ATM and cancel the transaction before the company could process the withdrawal.
By so doing, the suspects would have taken possession of the withdrawn amount without the corresponding BTC deduction occurring in their wallets. Calgary police say the four individuals collectively stole more about $200,000 from the company by repeatedly using this method.
These attacks occurred in major cities like Toronto, Ottawa, Calgary, and Sherwood, as well as, Montreal, Hamilton, and Winnipeg. Police departments from these other cities are assisting the Calgary Police in its investigative efforts.
“Zero-conf” Bitcoin Transactions and Double Spend Attacks
While not appearing in the report by CBC News, Bitcoin Core engineer, Peter Todd highlighted the fact that the theft was successful due to the fact that the ATM operator allowed “zero-conf (0-conf)” transactions to scale through. Zero-conf is a system that allows transactions to go through with zero confirmations on the blockchain.
It's unfortunate that this article doesn't mention the negligence of the ATM operator: they were accepting completely insecure zeroconf transactions. Readers will probably think this is a new flaw in Bitcoin.
CC: @globalnews You should fix your story.https://t.co/ooCXKiLeu0
— Peter Todd (@peterktodd) March 13, 2019
0-conf transactions are instantaneous; once the transaction is sent to the Bitcoin mempool, it is deemed completed despite the fact that miners haven’t yet “mined” a block containing the transaction. The purpose of 0-conf is to create instantaneous transactions for instances when the 10-minute Bitcoin transaction throughput time would not be convenient.
While such protocols might seem useful for situations like BTC ATM transactions; no one would want to wait ten minutes in front of a cash machine, 0-conf opens up the possibility of double-spend attacks. According to Todd, the bitcoin ATM operator was negligent in allowing 0-conf protocols on its machines.
Data from Coinatmradar shows that Canada has 689 Bitcoin ATMs, with Calgary being the city with the highest number of 45. There is no indication of how many other operators might have such flaws in their system, with Todd noting:
“I’ve talked to ATM companies before who have had high losses due to accepting unconfirmed transactions. I got the sense that they weren’t willing to go public due to a combination of factors such as not wanting to encourage more thefts, wanting to hide losses from investors, etc.”