Bitcoin ATM Double-Spenders: Police Need Help Identifying Four Criminals

Source: Calgary Police Service

CBC reports that four Canadian men are wanted in connection with conducting double-spend attacks against Bitcoin ATMs in four cities. A total of 112 transactions are alleged to have taken place in September last year, with half of them taking place in Calgary. The other attacks took place in Winnipeg, Toronto, Montreal, Sherwood Park, Ottawa and Hamilton. The men’s identities are unknown, and Calgary police are asking for help identifying them.

Double-Spending on a Bitcoin ATM: A Lucrative Criminal Enterprise

Apparently, the Bitcoin ATMs accepted zero-confirmation transactions, and the men exploited this fact to double-spend Bitcoin in exchange for cash. Over 112 transactions in 10 days netted the scammers a total of around $200,000. The average transaction was around $1800.

Arguably, Canadian Bitcoin Core developer Peter Todd’s replace-by-fee tools would make these transactions possible. While not specifically intended or endorsed for criminal activity, the tool enables “stuck” transactions to become unstuck by paying an extra fee. There is a “double spend” tool in the kit, however, which is described by Todd as such:


Creates two transactions in succession. The first pays the specified amount to the specified address. The second double-spends that transaction with a transaction with higher fees, paying only the change address. In addition you can optionally specify that the first transaction additional OP-RETURN, multisig, and “blacklisted” address outputs. Some miners won’t accept transactions with these output types; those miners will accept the second double-spend transaction, helping you achieve a successful double-spend.

Scammers Net $20,000 CAD Per Day

From a philosophical standpoint, the tools are controversial, but they are intended to encourage services and users to wait for at least one confirmation before considering a transaction completed. Double-spending of unconfirmed transactions has always been possible on Bitcoin, and the RBF toolkit did not change that fact. As Peter Todd wrote after the initial publication of this article:

The simple truth of the matter is that the ATM operator in question is negligent if they are accepting unconfirmed transactions without other mitigating security measures such as obtaining positive legal identification; the fact that they’re asking for help in identifying the thieves is a strong sign of such negligence. This is no different than, say, a store selling high value items choosing not to hire cashiers and instead relying on an “honesty box” for payment.

However, in reality, it’s inconvenient to have customers standing around for 10-30 minutes (or longer) for a transaction to go through. Convenience at the expense of security is a decision the yet-unidentified ATM operators seem to have made.
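
The operator-side check the article argues for, sketched as an added example (not code from CCN, the ATM vendors or Peter Todd's toolkit): cash is released only once the deposit has at least one confirmation, and an unconfirmed deposit is rejected outright if another transaction spending the same coins has been seen. The SeenTx record, the decision strings and the sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class SeenTx:
    txid: str            # transaction id as reported by the operator's node
    inputs: frozenset    # outpoints spent, as "prev_txid:vout" strings
    confirmations: int   # 0 means still unconfirmed

def find_conflicts(deposit, seen):
    """Txids of other transactions that spend an outpoint the deposit spends."""
    return sorted(t.txid for t in seen
                  if t.txid != deposit.txid and t.inputs & deposit.inputs)

def payout_decision(deposit, seen, min_conf=1):
    """Decide whether the machine may hand over cash for this deposit."""
    if deposit.confirmations >= min_conf:
        return "DISPENSE"              # mined: the one-confirmation bar is met
    if find_conflicts(deposit, seen):
        return "REJECT_DOUBLE_SPEND"   # same coins are being spent elsewhere
    # Seeing no conflict yet proves nothing: a replacement can still arrive.
    return "HOLD_UNCONFIRMED"

# Constructed sample data (hypothetical, not real transactions).
DEPOSIT = SeenTx("aa11", frozenset({"f00d:0"}), 0)      # pays the ATM
REPLACEMENT = SeenTx("bb22", frozenset({"f00d:0"}), 0)  # same input, pays sender
UNRELATED = SeenTx("cc33", frozenset({"beef:1"}), 0)

if __name__ == "__main__":
    print(payout_decision(DEPOSIT, [DEPOSIT, UNRELATED]))
    print(payout_decision(DEPOSIT, [DEPOSIT, UNRELATED, REPLACEMENT]))
    print(payout_decision(replace(DEPOSIT, confirmations=1), [UNRELATED]))
```

The first case is the one the ATMs in the story got wrong: with zero confirmations and no conflict visible, the only safe outcome is to hold the cash.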

Read the full story on CCN.com.