I wrote an answer on Quora about types of fraud that can occur when using Bitcoin. Thought I’d share here as well!
The other answers seem to address the more general types of fraud that also apply to cash and other assets, such as theft and lack of chargebacks.
I will use this answer to describe types of fraud that are exclusive to Bitcoin and similar blockchain-based cryptocurrencies.
1. Malleability attacks
In the Bitcoin protocol, every transaction can be identified by a double SHA256 hash of the data in the . This hash is called the txid. The transaction data that is hashed includes the amount of bitcoin in the transaction, the sender(s) and recipient(s) of the transaction, and a script and signature proving that the sender(s) own(s) the coins and specifying the conditions for redeeming the coins sent. This hash acts as an identifier for the transaction in the network…but you have to be careful!
The problem arises when a company uses the txid in an automated system to issue refunds for transactions that did not properly propagate the first time.
Consider this scenario:
A user withdraws their bitcoin from an exchange (oh say Mt. Gox for example). Mt. Gox generates a bitcoin transaction to send the user their bitcoin. This transaction will have a txid that Mt. Gox will store in their database. Mt. Gox’s system will look at the blockchain sometime later and see if a transaction with this txid has been confirmed. If so, then all is good; if not, then they might automatically try to resend the transaction after some time so that the user does not get angry and say ‘where is my money!!’.
Here is where the fraud comes in!
Let’s say that I am a malicious user. I withdraw some bitcoin from Mt. Gox. When they propagate the transaction, I copy it right away and make a tiny, inconsequential adjustment to the script or signature by appending a specific set of bytes so that the transaction is still valid. Note, the same amount of money is still being sent from/to the same parties. I just did the equivalent of drawing a dot on a package after it was weighed for shipping. It still has a valid signature from Mt. Gox. Nothing materially changes…EXCEPT for the txid - the double SHA256 hash of the transaction data.
If I broadcast this ‘malleated’ transaction with the new txid into the network, it MIGHT get accepted before Mt. Gox’s transaction does. If this happens, then Mt. Gox’s original transaction will never be seen in the blockchain because the coins will have already been sent to me and the transaction will be seen as an invalid double spend attempt.
So, I will still receive my coins, but Mt. Gox’s automated system will not see the txid of the transaction they generated in the blockchain. The txid in the blockchain will be that of the transaction I modified or ‘malleated’. So the automated system may send me my coins again because it thinks that the previous transaction failed, effectively giving me twice the money.
Of course this problem can be avoided through extra accounting checks, but it is a problem that has bitten some companies before.
The risks of tx malleability have been reduced recently after updates to the bitcoin core protocol, but it is still important to be aware of.
To read more about it, see the Bitcoin .
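One form the extra accounting checks mentioned above could take, as an added example that is not part of the original answer and is not any exchange's actual code: before resending a withdrawal, check whether the coins it spends have already moved, instead of only looking for the stored txid. The `Tx` class, its simplified serialization, the function names and the sample values are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    """Toy transaction (assumption): not the real Bitcoin wire format."""
    inputs: tuple       # outpoints being spent: ((prev_txid, vout), ...)
    outputs: tuple      # ((address, satoshis), ...)
    script_sig: bytes   # opaque script/signature bytes

    def txid(self) -> str:
        # Double SHA256 over the whole serialization, script_sig included
        raw = repr((self.inputs, self.script_sig, self.outputs)).encode()
        return hashlib.sha256(hashlib.sha256(raw).digest()).hexdigest()

def naive_is_paid(sent: Tx, confirmed: list) -> bool:
    """The fragile check: look only for our own txid among confirmed txs."""
    return any(c.txid() == sent.txid() for c in confirmed)

def reconcile(sent: Tx, confirmed: list) -> str:
    """Classify a withdrawal by what happened to the coins, not by txid alone."""
    for c in confirmed:
        if c.txid() == sent.txid():
            return "confirmed"
        if set(c.inputs) & set(sent.inputs):
            # Our inputs were spent by a transaction with an unfamiliar txid.
            if c.inputs == sent.inputs and c.outputs == sent.outputs:
                return "confirmed-under-different-txid"  # paid: do not resend
            return "conflict"  # coins went elsewhere: hold for manual review
    return "unconfirmed"

# Constructed sample data: same inputs and outputs, different signature bytes.
OUTPOINT = ("aa" * 32, 0)
PAYOUT = (("user-withdrawal-address", 50_000),)
sent = Tx((OUTPOINT,), PAYOUT, b"placeholder-sig-encoding-1")
seen = Tx((OUTPOINT,), PAYOUT, b"placeholder-sig-encoding-2")

if __name__ == "__main__":
    print(naive_is_paid(sent, [seen]))  # the txid lookup misses the payment
    print(reconcile(sent, [seen]))      # the outpoint check finds it
```

Only the `"unconfirmed"` result leaves a resend on the table, and a resend that spends the same inputs as the original cannot confirm alongside it, since the network accepts only one spend of each coin.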
2. Double Spend Attacks
I might use bitcoin to buy some chicken wings from a small town, backwoods restaurant near Charleston, WV (yes, there is a place there that accepts bitcoin).
When I pay for my chicken wings, I will send the proper amount of bitcoin to the store owner’s bitcoin address. A short time later he will give me my chicken wings and I’ll leave.
If I wasn’t a nice guy, when I sent him the bitcoin I might have actually made 2 transactions! One that went to him and one that went back to me. He will have seen my transaction to him, but it will still likely be unconfirmed by the network at the time I leave.
Now the bitcoin core protocol prevents this type of double spending, which is one of its claims to fame. It will only allow one of my transactions to succeed. So if I’m lucky, the transaction I sent back to myself will be confirmed and the transaction I sent to the store owner won’t be. I’ll be long gone by the time he realizes it! So I will have tricked the store owner into thinking I sent him the money, when I really sent him what turned out to be an invalid transaction.
This problem can be avoided entirely by waiting for a few confirmations in the network. But for instantaneous transactions, companies can use payment processors like Bitpay who check for double spend attempts immediately.
It is always good to be aware!
This answer doesn’t cover everything, but I hope that somebody finds it useful!