Bitcoin thieves got away with ATM double-spending spree across Canada
Four men who nearly bankrupted one of Canada’s largest Bitcoin ATM providers by double-spending are still at large — some two and a half years later.
HoneyBadger Bitcoin ATMs snapped photographs of the suspects as they travelled Canada on a double-spending spree in September 2018.
Dubbed “the ₿ team” by Canada’s press, the crew in 10 days:
- Made 112 fraudulent withdrawals in ATMs.
- Double-spent 23 BTC ($160,000 then, $1.3 million today).
- Spread the scam across seven Canadian cities.
Despite the full-face photos, Protos understands Canadian cops are yet to make an arrest.
Double-spending at Bitcoin ATMs
Bitcoin ATMs generally accept cash for BTC (sent to customer wallets). They also convert crypto into fiat — both for an average fee of about 7%.
- The Bitcoin network processes transactions by adding them to blocks.
- Bitcoin’s blockchain adds blocks every 10 minutes on average.
- Most in the industry consider transactions confirmed six blocks deep.
Sticking to the six-block rule forces users to wait for their transactions to go far enough in the blockchain to be secured.
This renders Bitcoin ATMs cumbersome compared to their ‘traditional’ counterparts.
So, HoneyBadger ATMs in 2018 accepted transactions at zero confirmations. The firm’s general manager Mike Kitt told Protos this was to speed up the process for customers.
But accepting transactions without waiting enabled the fraudsters to swap Bitcoin for cash, only to cancel their withdrawals before HoneyBadger could formally process the BTC.
This allowed the scammers to coordinate attacks — keeping both the cash and the Bitcoin they offered HoneyBadger (the Bitcoin was double-spent).
“We took the risk and unfortunately some bad actors exploited it,” said Kitt.
At the time, cryptographer Peter Todd explained that ATM operators are negligent if they accept unconfirmed transactions “without other mitigating security measures such as obtaining positive legal identification.”
“[…] This is no different than, say, a store selling high value items choosing not to hire cashiers, and instead relying on an ‘honesty box’ for payment,” said Todd.
The HoneyBadger case is cold
The HoneyBadger double-spenders struck in September 2018 but authorities were only notified of the attacks in October.
Canadian police appealed to the public for information about five months later. Despite a few tips, authorities haven’t been able to catch up with the crew.
According to police, 51 of the 112 fraudulent transactions happened in Calgary. So, it was up to the county’s cybercrime department (CPS) to lead the investigation.
All four suspects are described as adult males and are believed to have in-depth knowledge or interest in cryptocurrency, Bitcoin and/or blockchain technology.
Calgary Police
A Calgary Police representative told Protos its cyber investigators looked into the double-spending matter — but any information resulting from the media release had been forwarded to related jurisdictions.
“The Calgary suspect has not been identified at this time,” they said.
Other departments we spoke to noted no other suspects have been identified, either. Toronto Police confirmed it closed its iteration of the case.
However, 95% of local Bitcoin ATM fraud victims involve victims depositing funds into the machines — not the other way around.
CPS said they’ve not charged any of those perpetrators, either, and overall has laid charge(s) in around 1% of occurrences where crypto is mentioned.
That includes ransomware, darknet markets, investment schemes, robberies, and other kinds of crime.
[Read more: Dutch police seized $10M in crypto in 2020 — 650% more than 2019]
“It’s still a relatively new type of crime,” said Winnipeg Constable Jay Murray. He added it’s rare to deal with Bitcoin ATM fraud.
HoneyBadger’s Mitt said the company’s ATMs now wait for one confirmation before accepting Bitcoin transactions.