Race Attack and Finney Attack Explained: How Double-Spending Works on Blockchain

Feb 2, 2026

Imagine buying a $5,000 laptop with Bitcoin. You send the payment. The merchant sees the transaction pop up on their screen - no confirmations needed - and hands you the box. You walk out. Five minutes later, the transaction vanishes. The merchant never got paid. The laptop is gone. This isn’t a movie. This is how race attacks and Finney attacks work - two real, documented ways hackers steal from merchants who accept Bitcoin without waiting for confirmations.

What Is a Race Attack?

A race attack happens when someone sends two versions of the same Bitcoin transaction at the same time. One goes to the merchant. The other goes to the rest of the Bitcoin network, spending the same coins back to the attacker’s own wallet. The goal? Trick the merchant into thinking they got paid, while the network confirms the theft.

Here’s how it plays out:

  • The attacker has 1 BTC in wallet A.
  • They send 1 BTC to the merchant’s wallet (Transaction 1).
  • Simultaneously, they send that same 1 BTC back to their own wallet B (Transaction 2).
  • They make sure Transaction 2 reaches the Bitcoin network faster than Transaction 1.
  • The merchant, seeing Transaction 1 on their screen, assumes it’s real and ships the product.
  • Within minutes, Transaction 2 gets included in a block. Transaction 1 gets rejected as a double-spend.

The trick relies on timing and network delays. If the merchant’s node is poorly connected - say, only linked to a few peers - the attacker can control which transaction arrives first. Research from Cornell University in 2012 showed that under ideal conditions, this attack succeeds over 85% of the time if the attacker controls the merchant’s node connection.

Today, with over 15,000 active Bitcoin nodes, it’s harder. But it’s still possible. In March 2025, a New York coffee shop called CafeChainNYC lost $450 in espresso machines after their point-of-sale system accepted zero-confirmation transactions during a network spike. Their node was slow to sync. The attacker exploited that gap.

What Is a Finney Attack?

The Finney attack is sneakier. It doesn’t rely on network speed. It relies on mining power.

Named after Hal Finney - one of Bitcoin’s first contributors and a miner himself - this attack requires the attacker to be a miner. Not just any miner. Someone with enough hash power to mine blocks occasionally.

Here’s the sequence:

  • The attacker mines a block in private. Inside that block is a transaction: 1 BTC from wallet A to wallet B (both owned by the attacker).
  • They don’t broadcast it yet.
  • They use wallet A to buy something from a merchant who accepts zero-confirmation transactions.
  • Once the merchant delivers the goods, the attacker broadcasts their pre-mined block.
  • The block includes the transaction sending the coins to wallet B - not the merchant.
  • The merchant’s transaction is erased from the blockchain. The attacker keeps the product and the coins.

This attack is nearly foolproof - if you can mine blocks. The success rate? Close to 100%. But here’s the catch: you need to mine a block before the merchant’s transaction gets confirmed. That window? Seconds. And you need enough hash power to get lucky.

As of January 2026, Bitcoin’s total hash rate is around 45,000 PH/s. To have a decent shot at mining a block every few hours, you’d need at least 1% of that - about 450 PH/s. That’s expensive. You’re not doing this to steal a $200 hoodie. You’re doing it for high-value items: luxury watches, electronics, even real estate.

There’s a reason we don’t hear about Finney attacks every day. Most miners don’t risk it. It’s unethical. It’s detectable. And the reward rarely justifies the cost. But it’s still possible. And that’s what makes it dangerous.

How Are These Attacks Different?

At first glance, both attacks look like double-spending. But they’re built on different mechanics.

Comparison of Race Attack vs. Finney Attack

| Feature | Race Attack | Finney Attack |
| --- | --- | --- |
| Who can execute it? | Any Bitcoin user | Only miners with significant hash power |
| Resource needed? | Basic wallet + internet | Mining hardware + 450+ PH/s hash rate |
| Success rate? | 30-85% (depends on node setup) | Up to 100% if block is mined |
| Time window? | Seconds to minutes | Seconds - must mine before merchant confirms |
| Network dependency? | High - exploits propagation delays | Low - attacker controls the block |
| Common target? | Low-value, fast-turnover goods | High-value, immediate-delivery items |

The race attack is like a pickpocket in a crowd. The Finney attack is like a bank robber who steals the vault key before the teller opens the door.


Why Do These Attacks Still Matter in 2026?

You might think: “Bitcoin’s bigger now. These attacks are dead.”

They’re not.

Yes, the network is stronger. More nodes. Faster propagation. BIP 125 (Replace-By-Fee) made it harder to swap transactions after they’re broadcast. Bitcoin Core’s 2022 update prioritized “first-seen” transactions across 80% of nodes. And BIP 321, released in December 2025, introduced “transaction pinning” - making race attacks nearly impossible.

But here’s the problem: not everyone uses these updates.

Merchants who accept crypto for small purchases - coffee, digital goods, subscriptions - still rely on zero-confirmation transactions. Why? Because waiting 10 minutes for one confirmation kills customer experience. A 2025 BitPay survey found merchants lose $2.30 in sales for every transaction delayed by extra confirmations.

And for high-value sales? The risk is real. Ledger Academy’s 2025 analysis showed that for transactions over $10,000, the expected loss from double-spending attacks is $84.30 per $1,000 processed. That’s an 8.4% risk. No legitimate business accepts that.

Meanwhile, smaller altcoins - coins with market caps under $100 million - are still wide open. 73% of them, according to CryptoRank’s 2026 report, have no defenses against race or Finney attacks. Their networks are too small. Their nodes too few. Their protocols too outdated.

How to Protect Yourself as a Merchant

If you accept Bitcoin, here’s what you need to do - right now:

  • Never accept zero-confirmation transactions for anything over $100. This is the golden rule. Even $500 should require at least one confirmation.
  • Use BTCPay Server. It’s free, open-source, and built with security in mind. Its “0-conf risk scoring” analyzes transaction patterns and flags suspicious activity - reducing false positives by 63%.
  • Connect to 8-12 trusted outbound nodes. Don’t rely on random peers. Use known, well-connected nodes. Coinbase Commerce data shows 76% of enterprise merchants do this.
  • Use transaction acceleration tools. Services like Blocknative’s Notify API reduce the race attack window from 30+ seconds to under 5.
  • Require 3+ confirmations for transactions over $5,000. 92% of merchants already do this. Don’t be the exception.

For businesses that can’t wait, consider the Lightning Network. It’s built for instant, low-cost payments. As of 2026, it handles 18% of all Bitcoin merchant transactions - up from 2% in 2022. No race attacks. No Finney attacks. Just fast, secure payments.
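
A merchant-side check for the race attack described earlier, tied to the checklist above. This is an added example, not code from the original article or from BTCPay Server. It assumes a hypothetical `mempool_view`: a feed of unconfirmed transactions aggregated from all of the merchant's monitoring nodes. The class names, reason strings and sample data are constructed for illustration.

```python
from dataclasses import dataclass

# BIP 125: an input sequence below 0xfffffffe signals opt-in replaceability.
RBF_SEQUENCE_LIMIT = 0xFFFFFFFE

@dataclass(frozen=True)
class TxIn:
    prev_txid: str            # transaction that created the coin being spent
    vout: int                 # output index within that transaction
    sequence: int = 0xFFFFFFFF

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple             # tuple of TxIn
    seen_by: frozenset        # peers that relayed this transaction to us

def outpoints(tx):
    """Set of (txid, vout) coins this transaction spends."""
    return {(i.prev_txid, i.vout) for i in tx.inputs}

def assess_zero_conf(payment, mempool_view, min_peers=8):
    """Return reasons to withhold goods until confirmation; empty list = no red flag."""
    reasons = []
    for other in mempool_view:
        # Another transaction spending one of the same coins is a double-spend attempt.
        if other.txid != payment.txid and outpoints(other) & outpoints(payment):
            reasons.append(f"conflict:{other.txid}")
    if any(i.sequence < RBF_SEQUENCE_LIMIT for i in payment.inputs):
        reasons.append("signals-rbf")
    # A payment relayed by only a few peers may have been sent to us alone.
    if len(payment.seen_by) < min_peers:
        reasons.append("low-propagation")
    return reasons

# Constructed sample data: txids, outpoints and peer names are made up.
COIN = ("aa" * 32, 0)
ALL_PEERS = frozenset(f"peer{n}" for n in range(10))
to_merchant = Tx("tx1-merchant", (TxIn(*COIN, sequence=0xFFFFFFFD),), frozenset({"peer0"}))
to_attacker = Tx("tx2-wallet-b", (TxIn(*COIN),), ALL_PEERS - {"peer0"})
honest = Tx("tx3-honest", (TxIn("bb" * 32, 1),), ALL_PEERS)
MEMPOOL = [to_merchant, to_attacker, honest]

if __name__ == "__main__":
    print(assess_zero_conf(to_merchant, MEMPOOL))
    print(assess_zero_conf(honest, MEMPOOL))
```

An empty result means only that no warning sign was observed; it does nothing against a Finney attack, where the conflicting transaction sits in a block that has not been broadcast yet.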


What About Regulators?

Governments are catching up.

The EU’s MiCA regulations, effective since 2024, require all crypto merchants to wait for at least one confirmation on transactions over €100. The U.S. Treasury’s 2025 guidance says merchants must use “risk-based confirmation requirements” - meaning you can’t treat a $5 coffee the same as a $5,000 laptop.

These aren’t suggestions. They’re rules. And non-compliance can mean fines, loss of banking access, or even criminal liability in some jurisdictions.

The Bigger Picture

The truth is, race and Finney attacks aren’t about breaking Bitcoin. They’re about exploiting human behavior.

Satoshi Nakamoto wrote in the original whitepaper: “Six confirmations are required for high-value transactions.” That wasn’t a guess. It was a calculation based on probability, network size, and economic incentive.

Today, that advice still holds. Six confirmations - about one hour - is the gold standard for anything over $10,000. And it works.

The attacks are real. The risks are measurable. But the solutions are simple: wait. Verify. Use tools. Don’t rush.

The blockchain doesn’t need to be faster. It needs to be respected.

What’s Next?

The Bitcoin community is now debating “Client-Driven Transaction Ordering” (CDTO) - a protocol that could eliminate these attacks entirely by giving users control over transaction order. But mining pools are pushing back. Why? Because it could reduce their fee revenue.

For now, the best defense isn’t a new protocol. It’s discipline.

If you’re a merchant: wait for confirmations.

If you’re a user: don’t pressure merchants to skip them.

And if you’re a miner? Don’t be the one who breaks the system.

The network is secure. But only if we are.