Definition
A Finney attack is a double-spend technique against merchants who accept zero-confirmation payments, named after early Bitcoin contributor Hal Finney, who first described it in 2011. Unlike a simple race attack, a Finney attack requires the attacker to be a miner, because it hinges on secretly pre-mining a block and holding it in reserve while the fraud plays out.
How the attack works
The attacker mines privately until they find a valid block that includes a transaction paying coins from one of their own addresses back to another address they control — but they do not broadcast the block. Holding the block in reserve, the attacker then spends the same coins in a second transaction paying a merchant who accepts unconfirmed payments and hands over goods on sight. Immediately afterward, the attacker broadcasts the pre-mined block. Because that block already spends the coins to the attacker's own address, the network accepts it as history and the merchant's conflicting transaction becomes invalid — it can never confirm. The merchant is left with nothing; the attacker keeps both the goods and the coins.
Why it is hard and expensive in practice
The attack demands two scarce things at once: block-finding capability and timing. First, the attacker must actually find a block, which at today's difficulty means owning or renting serious hashrate — a home miner or Bitaxe-class device finding a block is a lottery event, not a schedulable attack step. Second, the moment the private block is found, a countdown starts: if any other miner publishes a competing block first, the withheld block goes stale and the attacker forfeits the entire block reward plus fees. The expected cost of that forfeiture is the attack's real price tag. With a full block subsidy and fees at stake, a Finney attack only pays if the merchant transaction is worth a meaningful fraction of a block reward — and any merchant selling at that scale has no business accepting zero confirmations anyway.
Defenses
The defense is almost embarrassingly simple: require at least one confirmation. Once the merchant's payment is buried in a block, the pre-mined conflicting block cannot displace it without out-mining the honest network. For genuinely instant point-of-sale payments where waiting ten minutes is unacceptable, the sound answer is not zero-confirmation on-chain acceptance but the Lightning Network, where payment finality is enforced by the channel construction rather than by hoping no miner is holding a block behind their back. Merchants who insist on zero-conf can reduce (not eliminate) exposure by listening for conflicting transactions across many well-connected nodes, but against a Finney attacker specifically this monitoring is useless — the conflicting transaction is hidden inside an unpublished block and is invisible until it is too late.
Place in the attack family
Historical footnote
Hal Finney holds a unique place in Bitcoin history — he was the recipient of the first Bitcoin transaction, sent by Satoshi, and one of the earliest miners — and it is characteristic that the attack bearing his name exists because he disclosed it, not because he performed it. Publishing the strongest attack you can think of against a system you believe in is the security culture Bitcoin inherited from the cypherpunks, and it worked: the ecosystem absorbed the lesson early, and zero-confirmation acceptance for anything of value quietly disappeared from serious commerce years ago, replaced by confirmation depth on-chain and instant settlement on Lightning.
The Finney attack belongs to the zero-confirmation family alongside the race attack (broadcasting two conflicting transactions to different parts of the network) and the Vector76 attack (a hybrid that combines both techniques). All are forms of double-spend that vanish once a payment is actually confirmed in the chain. Historically, the exchange between Hal Finney and Satoshi on these edge cases is part of why confirmation depth — not broadcast — became Bitcoin's standard of settlement, a norm every node runner and merchant still relies on today.
In Simple Terms
A Finney attack is a double-spend technique against merchants who accept zero-confirmation payments, named after early Bitcoin contributor Hal Finney, who first described it in…
