False Top-Up Attack as a Security Threat to Bitcoin Network

18.04.2025


A False Top-Up Attack is a targeted attack on cryptocurrency exchanges and wallets in which an attacker simulates a successful deposit in order to deceive the platform and obtain funds it is not entitled to. In the context of Bitcoin, the attack exploits the UTXO model and the transaction confirmation mechanism.

Attack mechanism

  1. Creating conflicting transactions:
    The attacker creates a specially structured transaction that appears valid to the exchange system but contains a hidden conflict. For example, the RBF (Replace-by-Fee) mechanism allows an unconfirmed transaction to be replaced with a new version carrying a higher fee, cancelling the original transfer 3.
  2. Exploiting confirmation delays:
    Exchanges that credit funds before the required number of confirmations (usually 2-6 for Bitcoin) are vulnerable. An attacker sends a low-fee transaction, which delays its inclusion in a block, while simultaneously creating a conflicting high-fee transaction 5.
  3. Event data manipulation:
    Some wallet API implementations parse only individual transaction fields (e.g. in_msg in TON) and ignore critical parameters such as out_msgs, which allows a successful deposit to be simulated 4.

An example of an attack on the Bitcoin network

In 2023, cases of modified transactions with a changeable identifier (malleability attack) were recorded. Attackers:

  • Generated a transaction with an output to the exchange address
  • Changed the transaction ID by modifying the signature
  • Used the original ID to request a withdrawal before confirmation 5

Methods of counteraction

  1. Improved transaction verification:
    • Checking the full Merkle tree to confirm that a transaction is included in a block 1
    • Analysing all outputs (UTXOs) for conflicting transactions 3
  2. Optimisation of verification processes:
    • Requiring a minimum of 6 confirmations for large amounts 4
    • Implementing real-time double-spend detectors 5
  3. Technical improvements:
    • Using address clustering algorithms to detect anomalous patterns 2
    • Implementing transaction chain tracking mechanisms (CoinJoin detection) 2

Analysis of Bitcoin network data shows that up to 90% of transactions contain “noise” operations that mask real financial flows 2. This complicates the detection of attacks and makes a comprehensive approach to security necessary, one that combines:

  • Hardware security modules (HSM) for storing keys
  • Multi-factor authentication of outputs
  • Regular audit of smart contract interfaces 5

Advances in blockchain data analysis and machine learning make it possible to create predictive models for early detection of anomalies. However, the decentralized nature of Bitcoin requires that defense mechanisms continually adapt to new attack vectors.


What algorithms are used to detect False Top-Up Attack

To detect False Top-Up Attacks in the Bitcoin network, a combination of algorithms and methods aimed at analyzing the structure of transactions and network activity is used.

Key algorithms and methods

  1. Analysis of conflicting UTXOs
    An address clustering algorithm is used, based on:
    • Common input ownership
    • Change output patterns (CoinJoin detection)
    • UTXO creation timestamps 6
  2. Double-spend detection
    Implemented through:
    • Real-time mempool monitoring using Bloom filters
    • Comparison of transaction hashes (SHA-256) to detect modification 7
    • Analysis of RBF (Replace-by-Fee) flags via priority-queue scoring 6
  3. Verification of confirmations
    These use:
    • Merkle proof verification
    • Multi-level verification of confirmation depth (6+ blocks heuristic)
    • Adaptive thresholds for different amounts 6
  4. Network analysis
    The following methods are used:
    • Detecting anomalies in propagation delay (Z-score analysis)
    • Identifying sibling transactions via graph mining
    • Correlation of events in the P2P network using ML models 8
  5. Cryptographic checks
    These include:
    • Validation of ECDSA signatures with secp256k1 parameters
    • Script integrity control via the script interpreter
    • Analysis of output hashes (OP_HASH160) 7
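The Merkle proof check named above (and under "Improved transaction verification" earlier) is the one part of this list that can be shown end to end without a node. The following Python is an added example, not code from the original article: it builds a block Merkle root from a constructed list of txids using Bitcoin's double SHA-256 and byte-order conventions, produces the audit path for one transaction, and recomputes the root from the leaf and that path. All txids are constructed placeholders; in practice the root comes from the block header and the path from a node or an explorer.

```python
import hashlib
from typing import List, Tuple


def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash function for Merkle nodes: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def txid_to_internal(txid_hex: str) -> bytes:
    """Explorers display txids as reversed hex; hashing uses the internal byte order."""
    return bytes.fromhex(txid_hex)[::-1]


def _next_level(level: List[bytes]) -> List[bytes]:
    # Bitcoin duplicates the last node when a level has an odd number of entries.
    if len(level) % 2 == 1:
        level = level + [level[-1]]
    return [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(txids: List[str]) -> str:
    """Merkle root (display-order hex) for the given list of txids."""
    if not txids:
        raise ValueError("a block contains at least one transaction")
    level = [txid_to_internal(t) for t in txids]
    while len(level) > 1:
        level = _next_level(level)
    return level[0][::-1].hex()


def merkle_proof(txids: List[str], index: int) -> List[Tuple[bytes, bool]]:
    """Audit path for txids[index]: a list of (sibling_hash, sibling_is_on_right)."""
    level = [txid_to_internal(t) for t in txids]
    proof = []
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return proof


def verify_inclusion(txid_hex: str, proof: List[Tuple[bytes, bool]], root_hex: str) -> bool:
    """Recompute the root from the leaf and the audit path; True only if it matches."""
    node = txid_to_internal(txid_hex)
    for sibling, on_right in proof:
        node = dsha256(node + sibling) if on_right else dsha256(sibling + node)
    return node[::-1].hex() == root_hex


# Constructed sample block with five txids (odd count exercises the duplication rule).
SAMPLE_TXIDS = [hashlib.sha256(f"constructed-tx-{i}".encode()).hexdigest() for i in range(5)]
SAMPLE_ROOT = merkle_root(SAMPLE_TXIDS)


def deposit_is_in_block(txid_hex: str, block_txids: List[str], header_root_hex: str) -> bool:
    """Exchange-side check: accept a claimed txid only if it is provably in the block."""
    if txid_hex not in block_txids:
        return False
    proof = merkle_proof(block_txids, block_txids.index(txid_hex))
    return verify_inclusion(txid_hex, proof, header_root_hex)
```

The root recomputed by `verify_inclusion` must equal the `merkleroot` field of the block header the deposit is claimed to be in; a txid that was later replaced or malleated will not verify against any header, whatever the depositor's API claims.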

Practical implementation

For exchanges and wallets it is recommended to combine:

  • Tree data structures for tracking UTXO chains
  • Stochastic models for confirmation time prediction
  • Hardware security modules (HSM) for key processing
  • Multi-factor transaction audit systems with threshold signatures 8

The efficiency of these methods increases when they are integrated with SIEM-class systems that correlate events from:

  • Node logs
  • Network sensors
  • Exchange API gateways 5

What are the signs of a False Top-Up Attack on Bitcoin in the event log

The main signs of a False Top-Up Attack in Bitcoin event logs include anomalies in transaction patterns and network activity.

Key attack indicators

  1. Conflicting transactions with the same UTXO
    • Two transactions with identical inputs but different outputs 5
    • A change of transaction identifier (TXID) via signature modification 2
  2. Anomalies in confirmation status
    • Discrepancies between the number of confirmations reported for the mempool and those actually included in blocks 4
    • Transactions with the RBF (Replace-by-Fee) flag not completed within 2-3 blocks 2
  3. Patterns of suspicious addresses
    • Generating addresses with minimal differences from the target (for example, the first 6 characters are the same) 1
    • Using temporary addresses with the bounce flag in TON-like implementations 2
  4. Anomalies in transaction data
    • Presence of out_msg in addition to in_msg (in TON-type networks) 2
    • Discrepancy between the declared and actual transfer amount 5

Examples from event logs

Case 1 (RBF attack):

    TXID1: c4ca42... (unconfirmed) → output: 1 BTC to Exchange
    TXID2: 5ca1ab... (confirmed) → output: 1 BTC to Attacker

Sign: Replacing a transaction with an increased fee after initiating a withdrawal 5

Case 2 (Targeted poisoning):

    From: 0x1E227 → To: 0xd9A1b (legit)
    From: 0x1E227 → To: 0xd9A1c (fake)

Sign: Twin addresses with differences in the last characters 1
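Case 2 and the "suspicious addresses" indicator above both come down to one check: a destination that resembles a known counterparty without being identical to it. The Python below is an added example, not part of the original article; it compares a candidate address against previously used addresses by shared prefix and suffix length, which is the shape a poisoned address-book entry takes. Addresses, thresholds and the `0x`/`bc1` prefix handling are the example's own assumptions.

```python
from typing import Dict, Iterable, List


def _body(address: str) -> str:
    """Strip the scheme-like prefix shared by every address of a kind so it does not
    count as a match. Hex (0x) and bech32 (bc1) addresses are case-insensitive;
    base58 addresses are case-sensitive and are left untouched."""
    if address.startswith("0x"):
        return address[2:].lower()
    if address.lower().startswith("bc1"):
        return address[3:].lower()
    return address


def shared_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def shared_suffix_len(a: str, b: str) -> int:
    return shared_prefix_len(a[::-1], b[::-1])


def lookalike_matches(candidate: str, known: Iterable[str],
                      min_prefix: int = 4, min_suffix: int = 4) -> List[Dict]:
    """Known addresses that `candidate` resembles (same first or last characters)
    without being identical. An empty list means no poisoning suspect was found."""
    cand = _body(candidate)
    hits = []
    for k in known:
        kb = _body(k)
        if kb == cand:
            continue  # exact match: a previously used, legitimate address
        prefix = shared_prefix_len(cand, kb)
        suffix = shared_suffix_len(cand, kb)
        if prefix >= min_prefix or suffix >= min_suffix:
            hits.append({"known": k, "shared_prefix": prefix, "shared_suffix": suffix})
    return hits


# Constructed sample: a real counterparty and a poisoned twin sharing its first 5 and last 4 characters.
KNOWN_COUNTERPARTIES = ["0xd9a1b" + "0" * 31 + "abcd"]
POISONED_TWIN = "0xd9a1b" + "1" * 31 + "abcd"
UNRELATED = "0x" + "1234567890abcdef" * 2 + "12345678"
```

In a withdrawal flow the natural place for this check is the moment a destination is pasted or selected from history: an address that matches a known counterparty only on its ends should require the user to confirm the full string, while an exact match or a wholly unrelated address proceeds normally.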

Detection methods

  1. Analysis of confirmation depth
    • Transactions with fewer than 6 confirmations are marked as “risky” 5
  2. UTXO clustering
    • Identifying related inputs via common-spending heuristic algorithms 2
  3. Mempool monitoring
    • Real-time tracking of conflicting transactions with Bloom filters 4
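The mempool-monitoring item above, the "conflicting transactions with the same UTXO" indicator and Case 1 all describe the same detector: index every unconfirmed transaction by the outpoints it spends and raise an alert when a second transaction spends one of them. The Python below is an added example written for this article, not the article's own or any project's code. It distinguishes the three conflict shapes the text mentions (an RBF replacement, a plain double-spend, and a malleated copy with identical outputs under a new txid) and computes how much of a pending exchange deposit a conflict removes. Transaction ids, addresses and the Bloom-filter-free dictionary index are the example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Outpoint = Tuple[str, int]      # (previous txid, output index)
SAT_PER_BTC = 100_000_000


@dataclass
class Tx:
    txid: str
    inputs: List[Tuple[str, int, int]]   # (prev_txid, prev_vout, nSequence)
    outputs: List[Tuple[str, int]]       # (address, amount in satoshi)

    def signals_rbf(self) -> bool:
        # BIP 125: a transaction opts in to replacement if any input's nSequence < 0xfffffffe.
        return any(seq < 0xFFFFFFFE for _, _, seq in self.inputs)


@dataclass
class ConflictMonitor:
    """Remembers which unconfirmed transaction was first seen spending each outpoint."""
    spends: Dict[Outpoint, str] = field(default_factory=dict)
    txs: Dict[str, Tx] = field(default_factory=dict)

    def observe(self, tx: Tx) -> List[dict]:
        """Record tx and return one alert per earlier transaction it conflicts with."""
        alerts: List[dict] = []
        already: Set[str] = set()
        for prev_txid, prev_vout, _ in tx.inputs:
            earlier = self.spends.get((prev_txid, prev_vout))
            if earlier is not None and earlier != tx.txid and earlier not in already:
                already.add(earlier)
                alerts.append(self._classify(self.txs[earlier], tx, (prev_txid, prev_vout)))
        for prev_txid, prev_vout, _ in tx.inputs:
            self.spends.setdefault((prev_txid, prev_vout), tx.txid)
        self.txs[tx.txid] = tx
        return alerts

    @staticmethod
    def _classify(first: Tx, second: Tx, outpoint: Outpoint) -> dict:
        if sorted(first.outputs) == sorted(second.outputs):
            kind = "malleated-duplicate"   # identical spend under a new txid
        elif first.signals_rbf():
            kind = "rbf-replacement"       # opted-in replacement (fee-rate rule not checked here)
        else:
            kind = "double-spend"          # conflicting spend without RBF opt-in
        return {"kind": kind, "outpoint": outpoint, "first": first.txid, "second": second.txid}


def deposits_at_risk(monitor: ConflictMonitor, alerts: List[dict],
                     exchange_addrs: Set[str]) -> List[Tuple[str, int]]:
    """Per conflict, how many satoshi the later transaction removes from exchange-controlled outputs."""
    at_risk = []
    for a in alerts:
        before = sum(v for addr, v in monitor.txs[a["first"]].outputs if addr in exchange_addrs)
        after = sum(v for addr, v in monitor.txs[a["second"]].outputs if addr in exchange_addrs)
        if after < before:
            at_risk.append((a["first"], before - after))
    return at_risk


# Constructed sample mirroring Case 1: every id and address is a placeholder.
EXCHANGE_ADDRS = {"exchange-deposit-addr"}
FUNDING: Outpoint = ("funding-txid", 0)              # the one UTXO the attacker spends twice
TX1 = Tx("txid1-to-exchange", [(*FUNDING, 0xFFFFFFFD)], [("exchange-deposit-addr", SAT_PER_BTC)])
TX2 = Tx("txid2-to-attacker", [(*FUNDING, 0xFFFFFFFD)], [("attacker-addr", SAT_PER_BTC - 20_000)])
TX3 = Tx("txid1-malleated", [(*FUNDING, 0xFFFFFFFD)], [("exchange-deposit-addr", SAT_PER_BTC)])


def run_case_1():
    m = ConflictMonitor()
    a1 = m.observe(TX1)   # first spend of the outpoint: nothing to report
    a2 = m.observe(TX2)   # same outpoint, different payee: the replacement from Case 1
    a3 = m.observe(TX3)   # same outpoint and outputs, new txid: malleated copy of TX1
    return a1, a2, a3, deposits_at_risk(m, a2, EXCHANGE_ADDRS)
```

Two design points follow from the classification. A pending deposit should be keyed by the outpoint and address it pays, not by the txid the depositor reports, so that a malleated duplicate still resolves to the same deposit once a block contains either version; and an "rbf-replacement" alert against a deposit that has already been credited is exactly the Case 1 condition, so the credit must be reversed or frozen until a block settles the conflict.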

For effective counteraction it is recommended to combine:

  • Signature analysis (based on RBF transaction patterns)
  • Behavioural patterns (anomalies in timing and sums)
  • Cryptographic verification of all transaction fields 5

Signs of a False Top-Up Attack

A False Top-Up Attack on Bitcoin transactions is a specially structured operation in which an attacker initiates a fictitious transfer that nevertheless results in a real balance credit on the exchange, which can lead to significant financial losses for the platform.

Inconsistencies in transaction fields are a key indicator of a potential attack on the blockchain. When processing Bitcoin transactions, it is important to pay attention to non-standard values in the TXID (transaction identifier) fields, inconsistencies between incoming and outgoing amounts, and suspicious recipient addresses 2. A particularly alarming sign is a dust attack, where an attacker sends minimal amounts (e.g. 555 satoshi) to a victim’s wallet and then creates an isomorphic transaction to gain control of the funds 2.

When checking the status of a transaction, pay attention to statuses such as “Pending” (the only state in which it is still possible to cancel a transaction), “Failed” (an unsuccessful transaction), or “Transaction not found” 4. For security, it is recommended to use official blockchain explorers to verify the authenticity of transactions and to avoid interacting with suspicious smart contracts that request token approval, which scammers often use to gain control over users’ wallets 6.

Not enough block confirmations

Insufficient transaction confirmations are one of the key risk factors when working with cryptocurrencies. Each block confirmation increases the security of the transaction, making it progressively harder to cancel or change 2. Different amounts and situations require different numbers of confirmations:

  • 1 confirmation – only enough for small payments up to $1,000 3
  • 3 confirmations – recommended for amounts of $1,000-$10,000 and used by most crypto exchanges 3
  • 6 confirmations – the standard for large transactions of $10,000-$1,000,000, providing 99.9% confidence in the irreversibility of the transaction 2
  • 15 confirmations – required by some blockchains, such as Bitcoin Cash 1
  • 60 confirmations – recommended for particularly large payments over $1,000,000 3

Attackers can exploit insufficient confirmations to perform a double-spend attack, especially when the network is overloaded or when they control significant computing power (51% attack) 5. It is therefore important to wait for the required number of confirmations, depending on the amount and significance of the transaction, and to take the current network load into account 7.
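The tiers above, together with the "declared versus actual amount" indicator earlier and the closing advice to check finality with bitcoin-cli gettxout, combine into one deposit-crediting rule. The Python below is an added example, not code from the original article: it maps a USD amount to the tier's confirmation count and applies that to a gettxout-shaped result before deciding to credit, hold or reject a deposit. The field names (`bestblock`, `confirmations`, `value`, `scriptPubKey.address`) follow the real gettxout output; the sample values, the deposit address and the BTC price are constructed placeholders, and the 15-confirmation Bitcoin Cash tier is omitted since the example is Bitcoin-only.

```python
from typing import Any, Dict, Optional, Set

SAT_PER_BTC = 100_000_000

# (upper bound in USD, confirmations required) as listed above; anything larger gets 60.
CONFIRMATION_TIERS = [(1_000, 1), (10_000, 3), (1_000_000, 6)]
LARGE_PAYMENT_CONFIRMATIONS = 60


def required_confirmations(amount_usd: float) -> int:
    for upper_usd, confs in CONFIRMATION_TIERS:
        if amount_usd <= upper_usd:
            return confs
    return LARGE_PAYMENT_CONFIRMATIONS


def credit_decision(txout: Optional[Dict[str, Any]], declared_btc: float,
                    btc_usd_price: float, deposit_addrs: Set[str]) -> Dict[str, Any]:
    """Decide whether a claimed deposit may be credited from a gettxout-style result.

    gettxout returns null when the node does not know the output as unspent: it never
    existed in the node's view, was replaced by a conflicting transaction, or was
    already spent. Nothing is credited on the depositor's word in that case.
    """
    if txout is None:
        return {"decision": "reject", "reason": "output not found as unspent"}
    address = txout.get("scriptPubKey", {}).get("address")
    if address not in deposit_addrs:
        return {"decision": "reject", "reason": "output does not pay a deposit address"}
    actual_sat = round(txout["value"] * SAT_PER_BTC)
    if actual_sat != round(declared_btc * SAT_PER_BTC):
        return {"decision": "reject", "reason": "declared amount differs from on-chain amount"}
    need = required_confirmations(actual_sat / SAT_PER_BTC * btc_usd_price)
    have = int(txout["confirmations"])
    if have < need:   # 0 means the output is only in the mempool
        return {"decision": "hold", "reason": f"{have} of {need} confirmations", "required": need}
    return {"decision": "credit", "amount_sat": actual_sat, "required": need}


# Constructed gettxout-shaped sample: field names are real, values are placeholders.
SAMPLE_TXOUT = {
    "bestblock": "placeholder-best-block-hash",
    "confirmations": 2,
    "value": 0.5,
    "scriptPubKey": {"type": "witness_v0_keyhash", "address": "exchange-deposit-addr"},
    "coinbase": False,
}
DEPOSIT_ADDRS = {"exchange-deposit-addr"}
```

Because `confirmations` is recomputed by the node against its current best chain, re-running `credit_decision` on each new block also handles a reorganisation: an output that drops out of the chain comes back as `None` and the hold never turns into a credit.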


Payment hash manipulation

Payment hash manipulation is a serious security threat in blockchain transactions. A transaction hash (TXID) is a unique 64-character identifier assigned to each transaction in the blockchain and serves as a kind of “passport” for the transaction 2. Attackers can attempt to change the TXID before the transaction is confirmed in a block, creating the possibility of a double-spending attack 3.

When identifying potential manipulations with the payment hash, you should pay attention to:

  • A change of the transaction's TXID before it is confirmed in a block 1
  • Conflicting transactions using the same inputs 3
  • Suspicious mining activity on an alternative blockchain branch 3
  • Non-standard patterns in transactions that can be identified by automated analysis methods 4
  • Attempts to use a private key to create dust transactions 5

To protect against such attacks, it is critical to wait for a sufficient number of confirmations and to use reliable blockchain explorers to check the status of transactions 7.

What are the signs that a payment hash has been manipulated?

Signs of payment hash (TXID) manipulation in Bitcoin transactions may appear as follows:

🔍 Key attack indicators

  1. TXID change before confirmation
    – The TXID of a transaction changes before it is included in a block (e.g. due to input/output reordering or a fee change).
    – Example: the user sees two different TXIDs for the same transaction in the blockchain explorer.
  2. Conflicting transactions (double-spend attempt)
    – Detection of two transactions using the same inputs (UTXOs) but different outputs.
    – Often accompanied by anomalous mempool activity (unconfirmed transactions).
  3. Anomalies in transaction structure
    – Non-standard scripts (e.g. OP_RETURN with suspicious data)
    – Use of dust outputs ≤ 546 satoshi to create spam or privacy attacks.
  4. Suspicious miner activity
    – A sharp increase in the network hashrate, which may indicate an attempted block reorganisation (51% attack).
    – Unusual delays in transaction confirmation.

🛠 How to spot manipulation

  1. Checking via blockchain explorers
    – Use tools such as Blockchair or Mempool.space to track TXID changes and transaction status.
    – Example query against a local transaction index: SELECT * FROM transactions WHERE txid = '...' AND confirmations < 3
  2. Mempool conflict analysis
    – Transactions with identical inputs but different outputs (RBF attack).
    – Wallets using the Replace-By-Fee (RBF) option to substitute a transaction with an increased fee.
  3. Eagle transaction monitoring
    – Detecting transactions with zero inputs (often used in Lightning Network attacks).

🛡 Protective measures

  1. Require sufficient confirmations
    – For amounts > $10,000, wait for ≥6 confirmations.
    – Use Coinbase-like rules: 3 confirmations for standard withdrawals.
  2. Verification via multiple sources
    – Compare transaction status across several explorers (Blockstream Explorer, BTC.com).
    – For smart contracts, verify the signature hash (SigHash) via bitcoin-cli decoderawtransaction.
  3. Use attack detectors
    – Tools such as Bitcoin Fraud Monitoring or CipherTrace to analyse suspicious patterns automatically.

❗ Critical scenarios

  • Finney attack: an attacker secretly mines a block containing a conflicting transaction to deceive the recipient.
  • Race attack: two conflicting transactions are sent to the network almost simultaneously.

To minimise risk, always check the finality of the transaction (for example with bitcoin-cli gettxout) before confirming the transfer of funds.


Citations:

  1. https://3commas.io/ru/blog/chto-takoe-txid-tranzakcii-i-kak-ikh-raspoznat
  2. https://www.binance.com/ru/blog/all/%D1%87%D1%82%D0%BE-%D1%82%D0%B0%D0%BA%D0%BE%D0%B5-%D0%B8%D0%B4%D0%B5%D0%BD%D1%82%D0%B8%D1%84%D0%B8%D0%BA%D0%B0%D1%82%D0%BE%D1%80-%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%B2%D0%B0%D0%BB%D1%8E%D1%82%D0%BD%D0%BE%D0%B9-%D1%82%D1%80%D0%B0%D0%BD%D0%B7%D0%B0%D0%BA%D1%86%D0%B8%D0%B8-3275030102522251832
  3. https://bits.media/double-spending/
  4. https://sciencenews.dk/en/researchers-develop-a-method-to-identify-signs-of-manipulation-in-large-data-sets
  5. https://habr.com/ru/articles/791200/
  6. https://timeweb.com/ru/community/articles/kak-otsledit-status-tranzakcii-v-blokcheyne
  7. https://support.bitcoin.com/ru/articles/3680111-%D1%87%D1%82%D0%BE-%D1%82%D0%B0%D0%BA%D0%BE%D0%B5-%D0%B8%D0%B4%D0%B5%D0%BD%D1%82%D0%B8%D1%84%D0%B8%D0%BA%D0%B0%D1%82%D0%BE%D1%80-%D1%82%D1%80%D0%B0%D0%BD%D0%B7%D0%B0%D0%BA%D1%86%D0%B8%D0%B8-txid-%D0%B8-%D0%BA%D0%B0%D0%BA-%D0%B5%D0%B3%D0%BE-%D0%BD%D0%B0%D0%B9%D1%82%D0%B8

  1. https://cryptomus.com/ru/blog/how-many-confirmations-are-needed-for-transaction
  2. https://ru.wikipedia.org/wiki/%D0%91%D0%BB%D0%BE%D0%BA%D1%87%D0%B5%D0%B9%D0%BD
  3. https://mycrypter.com/tutorials/chto-takoye-podtverzhdeniye-tranzaktsii-v/
  4. https://ru.wikipedia.org/wiki/%D0%94%D0%B2%D0%BE%D0%B9%D0%BD%D0%BE%D0%B5_%D1%80%D0%B0%D1%81%D1%85%D0%BE%D0%B4%D0%BE%D0%B2%D0%B0%D0%BD%D0%B8%D0%B5
  5. https://www.itsec.ru/articles/ataka-51-i-ustojchivost-blokchejna-bitkoina
  6. https://www.binance.com/ru/square/post/254524
  7. https://ibmm.ru/news/kriptoindustriya/nepodtverzhdennye-tranzaktsii-pochemu-tak-proiskhodit-i-kak-reshit-etu-problemu/

  1. https://danysclinic.com/kak-rabotajut-tranzakcii-bitkoina-uznajte-vse-o/
  2. https://habr.com/ru/articles/791200/
  3. https://ibmm.ru/news/kriptoindustriya/kak-otmenit-tranzakciyu/
  4. https://timeweb.com/ru/community/articles/kak-otsledit-status-tranzakcii-v-blokcheyne
  5. https://www.binance.com/ru/square/post/989881
  6. https://www.rbc.ru/crypto/news/667541c99a79477a6efc4ea6

  1. https://www.chainalysis.com/blog/address-poisoning-scam/
  2. https://www.binance.com/en/square/post/890145
  3. https://seon.io/resources/payment-fraud-in-cryptocurrency/
  4. https://cloud.google.com/blog/topics/threat-intelligence/securing-cryptocurrency-organizations
  5. https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide/blob/main/Blockchain-Common-Vulnerability-List.md
  6. https://unit42.paloaltonetworks.com/fraud-crypto-platforms-campaign/
  7. https://dfpi.ca.gov/consumers/crypto/crypto-scam-tracker/
  8. https://www.sciencedirect.com/science/article/pii/S2096720921000166
  9. https://unit42.paloaltonetworks.com/phishing-campaign-with-complex-attack-chain/
  10. https://onlinelibrary.wiley.com/doi/10.1155/2022/5307697
  11. https://bitcoin.stackexchange.com/questions/76132/why-cant-mining-pools-provide-fake-transactions-within-the-generated-blocks
  12. https://www.reddit.com/r/CryptoCurrency/comments/1hsjz72/i_wrote_out_the_most_common_crypto_scams_so_you/
  13. https://www.sciencedirect.com/science/article/abs/pii/S0045790621002068
  14. https://support.kaspersky.ru/help/Kaspersky/Mac25/en-US/240668.htm
  15. https://www.bitpanda.com/academy/en/lessons/how-to-spot-and-avoid-common-crypto-scams
  16. https://darktrace.com/blog/using-ai-to-detect-a-bitcoin-mining-campaign-leveraging-citrix-netscaler-vulnerabilities
  17. https://www.mdpi.com/2071-1050/16/22/9692
  18. https://darktrace.com/blog/exploring-a-crypto-mining-campaign-which-used-the-log-4j-vulnerability
  19. https://global.ptsecurity.com/analytics/knowledge-base/how-to-detect-a-cyberattack-and-prevent-money-theft
  20. https://nordlayer.com/blog/blockchain-security-issues/

  1. https://www.ptsecurity.com/ru-ru/research/analytics/how-to-detect-10-popular-pentester-techniques/
  2. https://habr.com/ru/companies/pt/articles/759758/
  3. https://www.mathnet.ru/php/getFT.phtml?jrnid=tisp&paperid=359&what=fullt
  4. https://habr.com/ru/companies/bizone/articles/525406/
  5. https://github.com/vlsergey/infosec/blob/master/Cryptanalysis_methods_and_types_of_attacks.tex
  6. https://www.coinbase.com/ru/learn/crypto-glossary/what-is-a-51-percent-attack-and-what-are-the-risks
  7. https://www.php.net/manual/ru/function.password-hash.php
  8. https://www.infosystems.ru/library/glossary/slovar-terminov-po-informatsionnoy-bezopasnosti/
  9. https://ciu.nstu.ru/kaf/persons/20397/a/file_get/316162?nomenu=1
  10. https://chromewebstore.google.com/detail/free-vpn-chrome-extension/jaoafpkngncfpfggjefnekilbkcpjdgp

  1. https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide/blob/main/Blockchain-Common-Vulnerability-List.md
  2. https://ntb.gpntb.ru/jour/article/download/1010/806
  3. https://www.binance.com/en/square/post/890145
  4. https://beincrypto.com/hackers-steal-fund-false-deposit-attack/
  5. https://hacken.io/insights/blockchain-security-vulnerabilities/
  6. https://www.slowmist.com/service-blockchain-security-audit.html
  7. https://crystalintelligence.com/investigations/the-10-biggest-crypto-hacks-in-history/
  8. https://osl.com/en/academy/article/how-to-avoid-falling-victim-to-fake-crypto-mining-schemes
  9. https://cyberleninka.ru/article/n/on-the-development-of-the-crypto-industry-of-japan
  10. https://cyberleninka.ru/article/n/cryptocurrency-and-technology-could-it-revolutionize-the-economic-prosperity
  11. https://www.ccn.com/education/crypto/bitcoinlib-malware-fake-python-packages-target-crypto-wallets-explained/