Detailed Study and Mitigation Approaches for Bitcoin Using Real Data

13.05.2025


With the development of cryptocurrency technologies and the growing popularity of Bitcoin, numerous programs such as Flash Bitcoin Software and Fake BTC Software have appeared on the market. These tools can cause serious harm to the Bitcoin ecosystem. In this material we examine what such programs are, how they function and what impact they have on the Bitcoin network, and we analyze the mechanism of the Vector76 attack, a type of double-spend attack in which a malicious actor tries to spend the same coins twice.


Unlike the classic double-spend attacks, the Vector76 attack exploits the transaction confirmation process itself together with the delay in block propagation across the Bitcoin network: the victim is shown a block that the rest of the network never adopts.

Vector76 Attack: Threat Analysis and Methods for Securing the Bitcoin Network. Cryptanalysis with Real Data

During a Vector76 attack, the attacker creates two conflicting transactions that spend the same input: one to the seller's (or exchange's) address and one to their own address. The attacker privately mines a block containing the payment to the seller and withholds it. When the honest network finds a block at the same height, the attacker sends the withheld block directly to the seller's node while broadcasting the conflicting transaction to the rest of the network. The seller sees the payment with one confirmation and releases the goods; the rest of the network builds on the honest block, the attacker's block is orphaned, and the funds end up in the attacker's wallet instead of the seller's.

Software
Such programs automate the timing: the attacker needs the victim to see, and act on, one transaction before the conflicting one has reached enough of the network. Two transactions are created: one is delivered to the victim's node, the other to the main network. If the victim acts on the first before the second is confirmed, the victim has been paid with a transaction that will never confirm. Below we consider the most well-known programs marketed for this purpose.

Flash Bitcoin Software
This program claims to let a user temporarily increase the balance of a Bitcoin wallet. What it actually produces are transactions that look legitimate in a wallet or on a service's deposit page but are not, and cannot be, confirmed on the blockchain: no software can create spendable BTC that the consensus rules did not issue. The deception only works against users and services that display or credit unconfirmed transactions.

Fake BTC Software
Fake BTC Software is designed to create fake Bitcoin transactions. It is used for fraud, since it simulates the transfer of funds even though no money is actually sent: the transaction is either invalid or will never confirm. The program lets scammers deceive sellers and buyers who rely on what a wallet shows rather than on confirmations.

Dockeyhunt Vector76 Attack
This tool creates two or more conflicting "raw" transactions that spend the same input and broadcasts them via its Broadcast Bitcoin Transaction function. The essence of the attack is to deliver the conflicting transactions to different parts of the network, causing temporary inconsistencies between nodes' mempools; only one of them can ever enter the blockchain. The program is also advertised for fraud with various tokens and cryptocurrencies, including Bitcoin and Ethereum.

CGMiner and BFGMiner
These are ordinary mining programs, but a miner or pool operator who also controls the node that publishes the blocks can use them to implement selfish mining: found blocks are withheld and released strategically instead of being published immediately. Stock CGMiner and BFGMiner do not withhold blocks on their own; the decision to publish a block is made by the node or pool software they submit work to.

Wireshark
Wireshark is a network traffic analyzer. It only observes traffic, so it cannot carry out a Sybil or Eclipse attack by itself, but it is useful for reconnaissance: mapping which peers a target node talks to and how quickly blocks and transactions reach it. The attacks themselves are carried out with modified Bitcoin Core clients or with many attacker-controlled peers that monopolize the victim's connections.

BlockSci
BlockSci is a blockchain analysis tool that lets researchers study transactions at scale. It does not send transactions, but the address clustering it provides is what makes dusting attacks (sending tiny "dust" outputs to many addresses and watching how they are later spent together) useful for deanonymization.

Impact of the Attack on the Bitcoin Network
The Vector76 attack was first described in 2011 on the bitcointalk forum by the user after whom it is named, and it combines elements of the Finney and race attacks. It exploits the transaction confirmation process rather than any flaw in the cryptography. The main idea is to create two conflicting transactions and deliver them through different nodes to trick the recipient and perform a double-spend.

  • In a race attack, the attacker broadcasts two conflicting transactions almost simultaneously, one to the merchant and one to the rest of the network, and relies on the merchant accepting the unconfirmed one; only one of the two is ever confirmed.
  • In a Finney attack, the attacker pre-mines a block containing a transaction to themselves, pays the merchant with the same coins while the block is withheld, then releases the block, which invalidates the merchant's payment.
  • The Vector76 attack combines both approaches: a pre-mined block is shown to the victim so that the payment appears to have one confirmation, while the conflicting transaction is raced to the rest of the network.

The consequences of a Vector76 attack can be severe: trust in the system is undermined, users risk losing funds, transaction confirmations may be delayed, and network load may increase.

Attack Stages:

  • Preparation: the attacker creates two conflicting transactions that spend the same input. T1 pays the victim, T2 pays an address the attacker controls.
  • Pre-mining: the attacker mines a block containing T1 on top of the current tip and withholds it instead of broadcasting it.
  • Waiting: when the honest network finds the next block at the same height, the attacker acts immediately, before that block has propagated everywhere.
  • Targeted delivery: the withheld block is sent directly to the victim's node (and the peers around it), while T2 is broadcast to the rest of the network.
  • Acceptance: the victim sees T1 with one confirmation and releases the goods or a withdrawal.
  • Orphaning: the rest of the network keeps building on the honest block, so the attacker's block is orphaned, and T2 is mined in a later block.
  • Conflict resolution: when the victim's node learns of the longer chain it reorganizes to it; T1 leaves the active chain and can never confirm, because T2 has spent the same input.
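The timeline above, played out in code. This is an added example written for this article, not Bitcoin Core logic and not part of the Dockeyhunt tool: a toy chain model in Python with two node views (the victim's node and the honest network), a simplified "longest chain wins" rule, and constructed labels ("G", "A", "H", "T1", "T2", "utxo0") in place of real hashes and outpoints. It shows that a victim with a one-confirmation policy ships before the reorganization, and that after the reorganization T1 has zero confirmations and is conflicted by the confirmed T2.

```python
"""Toy model of the Vector76 timeline.

Added example for this article, not Bitcoin Core logic or the Dockeyhunt tool.
Block hashes and transaction ids are constructed labels, not real hashes, and
the chain-selection rule is simplified to 'longest chain wins'.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    spends: frozenset      # outpoints consumed, e.g. {"utxo0"}
    pays_to: str           # recipient label


@dataclass(frozen=True)
class Block:
    hash: str
    parent: Optional[str]
    txs: Tuple[Tx, ...] = ()


class Node:
    """A node that follows the longest chain it has seen."""

    def __init__(self, genesis: Block) -> None:
        self.blocks: Dict[str, Block] = {genesis.hash: genesis}
        self.height: Dict[str, int] = {genesis.hash: 0}
        self.tip = genesis.hash

    def receive(self, block: Block) -> None:
        if block.hash in self.blocks or block.parent not in self.blocks:
            return                                   # duplicate or orphan: ignore
        self.blocks[block.hash] = block
        self.height[block.hash] = self.height[block.parent] + 1
        if self.height[block.hash] > self.height[self.tip]:
            self.tip = block.hash                    # reorganize to the longer chain

    def active_chain(self) -> Iterator[Block]:
        h: Optional[str] = self.tip
        while h is not None:
            yield self.blocks[h]
            h = self.blocks[h].parent

    def confirmations(self, txid: str) -> int:
        for depth, block in enumerate(self.active_chain(), start=1):
            if any(tx.txid == txid for tx in block.txs):
                return depth
        return 0

    def conflicted_by(self, tx: Tx) -> Optional[str]:
        """txid of a confirmed transaction that spends one of tx's inputs, if any."""
        for block in self.active_chain():
            for other in block.txs:
                if other.txid != tx.txid and other.spends & tx.spends:
                    return other.txid
        return None


def run_vector76(min_conf: int) -> dict:
    """Play the attack against a victim whose policy is `min_conf` confirmations."""
    genesis = Block("G", None)
    t1 = Tx("T1", frozenset({"utxo0"}), "victim")     # the payment shown to the victim
    t2 = Tx("T2", frozenset({"utxo0"}), "attacker")   # conflicting spend back to the attacker
    victim, network = Node(genesis), Node(genesis)

    block_a = Block("A", "G", (t1,))       # 1. attacker pre-mines A with T1 and withholds it
    block_h = Block("H", "G")              # 2. honest miners find H at the same height
    network.receive(block_h)
    victim.receive(block_a)                # 3. A is pushed to the victim node only; T2 goes to the network
    conf_at_decision = victim.confirmations("T1")
    shipped = conf_at_decision >= min_conf   # 4. victim applies its policy and ships or waits
    block_h2 = Block("H2", "H", (t2,))     # 5. honest miners extend H with a block holding T2
    network.receive(block_h2)
    victim.receive(block_h)                # 6. the victim node learns the longer honest chain
    victim.receive(block_h2)
    return {
        "shipped": shipped,
        "conf_at_decision": conf_at_decision,
        "final_conf_t1": victim.confirmations("T1"),
        "t1_conflicted_by": victim.conflicted_by(t1),
    }


if __name__ == "__main__":
    for policy in (1, 2):
        print("policy=%d confirmations:" % policy, run_vector76(policy))
```

The model deliberately omits proof of work and fees: the point is the ordering of events. With `min_conf=1` the victim ships on the strength of a confirmation that came from the attacker's own block; with `min_conf=2` the attacker would have had to extend A before the honest chain grew, which is the mining race the confirmation-depth recommendations are about.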

Detection and Prevention of the Vector76 Attack
Various methods are used to protect the Bitcoin network and its users from such attacks. The main approaches:

  • Block and transaction analysis: a node rejects a transaction whose input is already spent by a transaction it holds, and it checks incoming blocks for conflicts with what it has already seen.
  • Increasing the number of confirmations: a single confirmation is not enough against Vector76, because that confirmation comes from the attacker's own withheld block. Waiting for 6 or more confirmations means the attacker must out-mine the honest network for several blocks in a row.
  • Peer connectivity: the attack depends on delivering a block to the victim's node before the honest block reaches it. A merchant node with many diverse outbound peers, which does not depend on a single inbound peer for block delivery, is much harder to isolate.
  • Machine learning algorithms: modern methods can detect suspicious transaction patterns.
  • Network monitoring: specialized programs track suspicious activity, such as conflicting transactions appearing in different regions of the network.
  • Multi-level confirmation: using several stages of confirmation increases security.
  • Anomaly analysis: systems detect suspicious transactions and blocks.
  • Protocol updates: regular improvements and the introduction of new protection methods.
  • Strengthening consensus: additional checks and confirmations make attacks more difficult.

Alternative-Chain Variant (Reorganization Double-Spend):

  • Create two conflicting transactions with the same input but different recipients.
  • Broadcast the first (to the victim) and let the public network include it in a block.
  • Privately mine an alternative chain starting from the block before that one, containing the second transaction instead of the first, using mining software that does not publish blocks immediately.
  • Once the private chain is longer than the public chain (more accumulated proof of work), publish it. Nodes switch to it and drop the block that held the first transaction, however many confirmations it had.

This variant requires the attacker to out-mine the rest of the network for the whole period, which is why every additional confirmation the victim waits for makes the attack more expensive.
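Both the recommendation to wait for 6 or more confirmations and the alternative-chain variant above reduce to the same question: how likely is an attacker with a given share of the hashrate to catch up from z blocks behind? The following is an added example, not code from this article or from any tool it describes; it implements the Poisson-race calculation from section 11 of the Bitcoin whitepaper (assumed here to be the model behind the "6 confirmations" rule) and derives the confirmation depth needed to push the attacker's chance below a chosen risk threshold.

```python
"""Attacker success probability versus confirmation depth.

Added example (not from the original article): the Poisson-race calculation
from the Bitcoin whitepaper, section 11, used to justify confirmation policies.
"""
from math import exp


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hashrate share q ever catches up
    from z blocks behind (the whitepaper's AttackerSuccessProbability)."""
    if not 0.0 <= q < 0.5:
        raise ValueError("model assumes a minority attacker: 0 <= q < 0.5")
    p = 1.0 - q
    lam = z * (q / p)               # expected attacker blocks while the honest chain grows by z
    total = 1.0
    for k in range(z + 1):          # attacker found k blocks in that time
        poisson = exp(-lam)
        for i in range(1, k + 1):
            poisson *= lam / i
        total -= poisson * (1.0 - (q / p) ** (z - k))   # subtract the cases where it never catches up
    return total


def confirmations_needed(q: float, max_risk: float, limit: int = 200) -> int:
    """Smallest depth z for which the attacker's chance falls below max_risk."""
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    raise ValueError("no depth within limit keeps the risk below max_risk")


if __name__ == "__main__":
    for q in (0.10, 0.30):
        cells = ["z=%d:%.7f" % (z, attacker_success_probability(q, z)) for z in range(7)]
        print("q=%.2f  " % q + "  ".join(cells))
        print("        confirmations for <0.1%% risk: %d" % confirmations_needed(q, 0.001))
```

For a 10% attacker the chance drops below 0.1% at 5 confirmations; for a 30% attacker it takes 24. Note what the model does and does not cover: it assumes the victim's confirmations were produced by honest miners. In the Vector76 attack the first confirmation is the attacker's own withheld block, so a one-confirmation policy corresponds to z = 0 in this table, where the attacker always wins.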

Structure of the Vector76 Attack:

  • Preparation: two conflicting transactions spending the same input, one for the victim (T1) and one to the attacker's own address (T2).
  • Mining a block: a block containing T1 is mined but withheld.
  • Executing T1: when the network finds a block at the same height, the withheld block is relayed only to the victim's node, so the victim sees T1 with one confirmation and accepts it; at the same time T2 is broadcast to the rest of the network.
  • Orphaning: the network builds on its own block, the attacker's block is orphaned, T2 is confirmed and T1 is discarded.

Practical Section
Let’s consider an example of an attack using Dockeyhunt Vector76 Attack.

  • Download the program from the official website: www.dockeyhunt.com
  • Install the necessary packages and libraries, run setup.exe.

For a successful attack, it is important to create a second wallet in advance (for yourself, T2), where all BTC will be transferred for storage. Open the folder and run Cold Bitcoin Wallet.exe to generate a new address.

Generating a New Bitcoin Address
Click Generate Address. Obtain the new address data for further storage in the cold wallet.

Now establish a connection with the recipient, in this example a Huobi exchange user.

Creating Raw Transaction T1 (for the victim)
The victim-a Huobi exchange user-is expecting a transfer of 1.17506256 BTC.
Sender address: 1888dvSYUx23z2NF79NyCaYQ8dxcWCjHDz

Use the Python script pushtx.py to send the raw transaction.

Clone the Broadcast-Bitcoin-Transaction repository and run bitcoin_info.py to check the sender's address.

To create raw transaction T1, copy the outpoint (TXID and output index) of the sender's unspent output (UTXO) that will be spent, taken from the last TXID in the sender's wallet.

Return to the root folder and run Dockeyhunt Vector76 Attack.

When creating the transaction, the tool signs it with ECDSA using the sender's private key, which you enter here. Enter the TXID and output index so the tool can check that every input refers to an output that is still unspent: each UTXO can be consumed exactly once, and it is precisely this rule that the two conflicting transactions compete over.

Enter the recipient's address (the victim), the amount in satoshis, the fee and the amount to send. Any input value not assigned to an output is paid to the miner as fee, so account for change explicitly. After filling in all fields, click Create Transaction.

Result:

  • Sender address: 1888dvSYUx23z2NF79NyCaYQ8dxcWCjHDz
  • Recipient address: 143gLvWYUojXaWZRrxquRKpVNTkhmr415B
  • Raw transaction

Use pushtx.py to broadcast the transaction. The victim's wallet now shows the incoming payment, but at this point it is only in the mempool and unconfirmed.

Creating Raw Transaction T2 (for yourself)
The previously created cold wallet is used to transfer all BTC to your own address. Repeat the transaction creation process, specifying the new address, amount, fee, and signing the transaction.

Result:

  • Sender address: 1888dvSYUx23z2NF79NyCaYQ8dxcWCjHDz
  • Recipient address: 1qqQcZbZNvsZoF5x3VcnEcJbzPeXncfKq
  • Raw transaction

Again, use pushtx.py to broadcast the transaction. Note that nodes which already hold T1 in their mempool will reject T2 as a conflicting spend (unless T1 signalled replace-by-fee), so T2 only propagates through the part of the network that has not yet seen T1. After this, you need to mine a block that includes T2 and publish it to the main chain.

Mining and Publishing the Block
Run Block Bitcoin Mining, get the current block header data via block_header.py, and add the RawTX for T2 to the block.

After mining the block with T2, you get the file block_hash_mining.json containing the new block. Check that the block includes transaction T2.

Check the block explorer link. The payment is confirmed by miners, the victim's transaction T1 is invalidated, and the Huobi exchange user does not receive the funds.
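The practical section above builds two raw transactions that spend the same UTXO, which is exactly the pattern a node, exchange or merchant must detect. The following is an added example, not code from this article or from the Dockeyhunt tools: a Python serializer and parser for the legacy (pre-segwit) transaction format, a txid computation, and a check over a set of raw transactions for inputs that share an outpoint. The two sample transactions are constructed here, unsigned, with a placeholder funding TXID ("aa" repeated) and dummy P2PKH scripts; they are not the transactions shown on the page, only the amount of 117,506,256 satoshis is taken from it.

```python
"""Legacy (pre-segwit) Bitcoin transaction serializer/parser plus a conflict check.
Added example, not code from the article or the Dockeyhunt tools; the sample
transactions are constructed, unsigned and carry dummy scripts."""
import hashlib
import struct
from typing import Dict, List, Tuple


def _varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def _read_varint(data: bytes, pos: int) -> Tuple[int, int]:
    first = data[pos]
    if first < 0xFD:
        return first, pos + 1
    width, fmt = {0xFD: (2, "<H"), 0xFE: (4, "<I"), 0xFF: (8, "<Q")}[first]
    return struct.unpack(fmt, data[pos + 1:pos + 1 + width])[0], pos + 1 + width


def serialize_tx(version: int, vins: List[dict], vouts: List[dict], locktime: int = 0) -> bytes:
    """vin: {"txid": display-order hex, "vout": int, "script_sig": bytes, "sequence": int};
    vout: {"value": satoshis, "script_pubkey": bytes}."""
    out = struct.pack("<i", version) + _varint(len(vins))
    for vin in vins:
        out += bytes.fromhex(vin["txid"])[::-1]          # previous txid is stored byte-reversed
        out += struct.pack("<I", vin["vout"])
        out += _varint(len(vin["script_sig"])) + vin["script_sig"]
        out += struct.pack("<I", vin.get("sequence", 0xFFFFFFFF))
    out += _varint(len(vouts))
    for vout in vouts:
        out += struct.pack("<q", vout["value"])
        out += _varint(len(vout["script_pubkey"])) + vout["script_pubkey"]
    return out + struct.pack("<I", locktime)


def parse_tx(raw: bytes) -> dict:
    """Inverse of serialize_tx. The txid is the double SHA-256 of the bytes, shown reversed."""
    version = struct.unpack("<i", raw[:4])[0]
    n_in, pos = _read_varint(raw, 4)
    vins = []
    for _ in range(n_in):
        txid = raw[pos:pos + 32][::-1].hex()
        vout = struct.unpack("<I", raw[pos + 32:pos + 36])[0]
        slen, pos = _read_varint(raw, pos + 36)
        script, pos = raw[pos:pos + slen], pos + slen
        seq = struct.unpack("<I", raw[pos:pos + 4])[0]
        pos += 4
        vins.append({"txid": txid, "vout": vout, "script_sig": script, "sequence": seq})
    n_out, pos = _read_varint(raw, pos)
    vouts = []
    for _ in range(n_out):
        value = struct.unpack("<q", raw[pos:pos + 8])[0]
        slen, pos = _read_varint(raw, pos + 8)
        vouts.append({"value": value, "script_pubkey": raw[pos:pos + slen]})
        pos += slen
    locktime = struct.unpack("<I", raw[pos:pos + 4])[0]
    if pos + 4 != len(raw):
        raise ValueError("trailing bytes after locktime")
    txid = hashlib.sha256(hashlib.sha256(raw).digest()).digest()[::-1].hex()
    return {"txid": txid, "version": version, "vin": vins, "vout": vouts, "locktime": locktime}


def find_conflicts(raw_txs: List[bytes]) -> Dict[str, List[str]]:
    """Outpoints ('txid:n') spent by more than one transaction, with the txids that spend them."""
    spenders: Dict[str, List[str]] = {}
    for raw in raw_txs:
        tx = parse_tx(raw)
        for vin in tx["vin"]:
            spenders.setdefault("%s:%d" % (vin["txid"], vin["vout"]), []).append(tx["txid"])
    return {op: ids for op, ids in spenders.items() if len(ids) > 1}


# Constructed sample: T1 and T2 spend the same outpoint but pay different P2PKH scripts.
FUNDING_TXID = "aa" * 32                                       # placeholder funding txid
SCRIPT_VICTIM = bytes.fromhex("76a914" + "11" * 20 + "88ac")    # dummy pubkey hash
SCRIPT_ATTACKER = bytes.fromhex("76a914" + "22" * 20 + "88ac")  # dummy pubkey hash
_VIN = [{"txid": FUNDING_TXID, "vout": 0, "script_sig": b"\x00" * 3}]   # unsigned placeholder
RAW_T1 = serialize_tx(2, _VIN, [{"value": 117_506_256, "script_pubkey": SCRIPT_VICTIM}])
RAW_T2 = serialize_tx(2, _VIN, [{"value": 117_506_256, "script_pubkey": SCRIPT_ATTACKER}])

if __name__ == "__main__":
    for raw in (RAW_T1, RAW_T2):
        print(parse_tx(raw)["txid"], raw.hex())
    print(find_conflicts([RAW_T1, RAW_T2]))   # both txids listed under the shared outpoint
```

A receiving service that runs this check over its mempool view, and over every transaction it is asked to credit, sees the double-spend attempt as soon as the second transaction arrives from any peer; that is the "block and transaction analysis" defence from the previous section in its most basic form.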

Conclusion
The use of such programs and tools contributes to the growth of fraud and increases the number of victims, which damages the reputation of cryptocurrencies and of the entire community.

  • Business losses: Companies accepting bitcoins may suffer serious losses due to fake transactions, which may lead them to stop accepting BTC.
  • Regulatory complications: The use of such software complicates the work of regulators and law enforcement, which may lead to stricter rules.
  • The need for enhanced security: Constant threats require the implementation of new and improved security measures. Developers can improve transaction confirmation algorithms and introduce new protocols, but this requires resources and time.

This material was prepared for the CRYPTO DEEP TECH portal to improve financial security and protect elliptic curve cryptography secp256k1 from weak ECDSA signatures in Bitcoin. The software developers are not responsible for the use of these materials.