

How Do Transaction Replacement (RBF) Patterns Aid Forensic Analysis?


Last Updated: February 2026

In April 2025, Bitcoin Core v29 made full Replace-by-Fee permanent and non-configurable – ending a decade-long debate that started with Satoshi Nakamoto and fundamentally changing the forensic landscape for every unconfirmed Bitcoin transaction. Before this change, only transactions explicitly signaling RBF through the nSequence field could be replaced. Now, every unconfirmed transaction is a candidate for replacement, which means every transaction sitting in the mempool can generate forensic intelligence that disappears once it confirms.

For investigators, RBF replacements are not just a fee-bumping mechanism. They are a forensic event. Comparing the original transaction to its replacement reveals which output is the change address – a privacy leak that the Bitcoin Wiki identifies as one of the most direct attribution signals available in mempool analysis. When the replacement changes the payment destination rather than just the fee, it exposes a double-spend attempt in real time. And fee escalation patterns across multiple replacements profile the sender’s urgency, sophistication, and potentially the nature of the underlying activity.

At Crypto Trace Labs, our forensic team monitors RBF patterns as standard practice across active investigations. This guide explains the specific forensic signals that transaction replacements produce, documents real fraud cases that exploited the mechanism, and outlines what full RBF means for blockchain investigations going forward.

What Makes RBF a Forensic Event?

A standard Bitcoin transaction, once broadcast, reveals its inputs, outputs, and fee. An RBF replacement reveals something additional: the difference between two versions of the same transaction created by the same sender. That differential is where the forensic value lives.

The core forensic technique works as follows: “When a sender bumps the fee on a transaction, the higher fee has to come from somewhere. In almost every case, the wallet reduces the change output – the amount returning to the sender – while keeping the payment output intact. If you capture both the original and the replacement, the output that decreased is the change. The output that stayed the same is the payment. You have just identified which address belongs to the sender and which belongs to the recipient.”

This differential analysis works because wallet software follows predictable logic when constructing fee bumps. The Bitcoin Wiki documents three theoretical countermeasures – reducing both outputs proportionally, reducing the payment instead of change, or replacing both addresses entirely – but notes these are rarely implemented in practice. The vast majority of RBF replacements follow the simple pattern: fee goes up, change goes down, payment stays constant.

Critically, this information exists only in the mempool. Once the replacement confirms, the original transaction is discarded by nodes. Investigators who are not running mempool monitoring infrastructure miss this signal entirely – all they see on-chain is the final confirmed transaction with no basis for comparison.

How Did RBF Enable $195,000 in ATM Fraud?

The most documented RBF fraud case occurred across Canada in 2019, when a group of fraudsters exploited Bitcoin ATMs operated by HoneyBadger – conducting 112 double-spend attacks over just 10 days in seven cities including Calgary, Toronto, Montreal, and Ottawa.

The method was straightforward. Each attacker approached a Bitcoin ATM and initiated a cash withdrawal by sending Bitcoin with RBF signaling enabled. The ATM accepted the transaction at zero confirmations and dispensed cash. The attacker then immediately broadcast a replacement transaction redirecting the Bitcoin back to their own wallet – keeping both the cash and the cryptocurrency.

The total loss reached $195,000. Calgary Police’s cybercrime division investigated and identified four suspects, but the case highlighted a systemic vulnerability: any service accepting zero-confirmation Bitcoin transactions was exposed to RBF double-spend fraud. The attack required no technical sophistication – as one report noted, RBF “makes it a lot easier even for non-tech folks to pull off such a scam.”

The forensic trail was clear. Every double-spend attempt left paired transactions in the mempool – the original sending funds to the ATM operator and the replacement redirecting them to the attacker. Transaction graph analysis connected the replacement destination addresses across all 112 attacks, linking them to the same operation and ultimately to the suspects’ identifiable withdrawal points.

With full RBF now permanent as of Bitcoin Core 29.0, the zero-confirmation security model is definitively dead. Any business still accepting unconfirmed Bitcoin payments is operating without even the minimal protection that the first-seen rule once provided.

What Forensic Signals Do RBF Patterns Produce?

Beyond the change output leak, RBF replacements generate several distinct forensic signals depending on what changes between transaction versions.

Fee escalation profiling

The pattern of fee increases across multiple replacements reveals behavioral intelligence. A single moderate bump from 10 to 25 sat/vB aligned with mempool conditions suggests routine fee management. Rapid escalation through multiple replacements – 10 to 50 to 200 to 500 sat/vB within minutes – suggests urgency. In Crypto Trace Labs investigations, we have observed panic fee bumping associated with ransomware payment deadlines, front-running attempts, and stolen fund movement where the sender is racing to get confirmations before an exchange freeze takes effect.

Output modification detection

Legitimate fee bumping changes the fee and adjusts the change output accordingly; the payment output remains identical. When the payment output itself changes between the original and the replacement – different amount, different address – that is not fee bumping. That is a double-spend attempt. Monitoring systems can flag this distinction automatically: identical payment outputs with an adjusted change output indicate a legitimate bump, while a modified payment output is a fraud signal.
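The change-output inference from the "forensic event" section and the fee-bump versus double-spend distinction above, as an added worked example (not code from this page or from Crypto Trace Labs). Transactions are simplified to address/value pairs, the outpoint, addresses and amounts are constructed, and the verdict rules are this example's own heuristics.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TxOut:
    address: str
    value_sat: int

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: dict    # outpoint "txid:vout" -> value (sat) of the coin being spent
    outputs: tuple  # TxOut objects in output order
    vsize: int      # virtual size in vbytes

def fee_sat(tx):
    """Fee = value of the coins spent minus value of the outputs."""
    return sum(tx.inputs.values()) - sum(o.value_sat for o in tx.outputs)

def analyze_replacement(original, replacement):
    """Compare two versions of one transaction and attribute the outputs."""
    # A replacement must conflict with the original, i.e. spend at least one same coin.
    if not set(original.inputs) & set(replacement.inputs):
        raise ValueError("transactions do not conflict; not an RBF pair")
    before = {o.address: o.value_sat for o in original.outputs}
    after = {o.address: o.value_sat for o in replacement.outputs}
    fee_delta = fee_sat(replacement) - fee_sat(original)
    unchanged = [a for a in before if after.get(a) == before[a]]
    adjusted = [a for a in before if a in after and after[a] != before[a]]
    removed = [a for a in before if a not in after]
    added = [a for a in after if a not in before]
    result = {"change": None, "payment": unchanged, "redirected_to": added, "dropped": removed,
              "fee_rate_before": fee_sat(original) / original.vsize,
              "fee_rate_after": fee_sat(replacement) / replacement.vsize}
    if fee_delta > 0 and not added and not removed and len(adjusted) <= 1:
        # Exactly one output absorbed the fee increase: that one is the change.
        result.update(verdict="fee_bump", change=adjusted[0] if adjusted else None)
    elif (fee_delta > 0 and not added and not adjusted and len(removed) == 1
          and before[removed[0]] == fee_delta):
        # The change output was swept into the fee entirely (e.g. it fell below dust).
        result.update(verdict="fee_bump", change=removed[0])
    elif fee_delta > 0 and not added and not removed:
        # Several outputs moved: the proportional-reduction countermeasure, or noise.
        result.update(verdict="ambiguous")
    else:
        # Value the original promised to a recipient was re-routed or dropped.
        result.update(verdict="double_spend_signal")
    return result

# Constructed sample: one 1,000,000 sat coin paying a merchant 600,000 sat.
COIN = {"c0ffee00:0": 1_000_000}
ORIGINAL = Tx("orig", COIN, (TxOut("bc1q_merchant", 600_000), TxOut("bc1q_change", 398_000)), 200)
BUMPED = Tx("bump", COIN, (TxOut("bc1q_merchant", 600_000), TxOut("bc1q_change", 395_000)), 200)
HIJACKED = Tx("hijack", COIN, (TxOut("bc1q_attacker", 995_000),), 150)
```

Running `analyze_replacement(ORIGINAL, BUMPED)` attributes `bc1q_change` to the sender at a 10 to 25 sat/vB bump, while `analyze_replacement(ORIGINAL, HIJACKED)` returns a double-spend signal with the merchant output dropped.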

Replacement frequency and automation

The Bitcoin network processes between 2,000 and 6,000 replacement transactions per day. Most are single replacements. When a transaction undergoes three, four, or more replacements in sequence, it indicates either automated fee estimation software (common in institutional custody) or manual intervention under pressure. The replacement count itself becomes a data point for classifying the sender’s infrastructure and behavioral profile alongside wallet fingerprint analysis.

nSequence field analysis

Under the original opt-in model, a transaction signaled RBF replaceability by setting at least one input’s nSequence value below 0xFFFFFFFE. This field is still forensically relevant even after full RBF became standard. Different wallet software sets nSequence to different default values, creating another fingerprinting vector. A transaction with nSequence = 0xFFFFFFFD signals RBF opt-in and enables relative timelocks. A transaction with all inputs at 0xFFFFFFFF was historically not signaling RBF – though post-Core 29.0, it is replaceable regardless. The discrepancy between the signal and the actual policy creates an interesting forensic marker for UTXO pattern analysis.

How Did a Protocol Bug Threaten Lightning Network Security?

RBF’s forensic significance extends beyond simple transaction replacement into the security architecture of second-layer protocols built on Bitcoin.

In October 2023, security researcher Antoine Riard disclosed four CVEs (CVE-2023-40231 through 40234) describing “replacement cycling attacks” against Lightning Network Hash Time Locked Contracts. The attack exploited RBF mechanics to cycle a victim’s HTLC-timeout transaction out of the mempool repeatedly, preventing it from ever confirming. Once the timelock expired, the attacker could claim the locked funds.

The mechanism worked in three steps. The attacker broadcast a transaction spending both the HTLC output and an output from their own “cycle parent” transaction, replacing the victim’s transaction via RBF rules. Then the attacker replaced their own transaction with one that no longer included the HTLC spend, restoring the original state. This cycle could repeat indefinitely, keeping the victim’s legitimate timeout transaction perpetually unconfirmed.

Lightning implementations – Eclair, Core-Lightning, LND, and LDK – all deployed mitigations involving random rebroadcasting at multiple intervals. No confirmed real-world exploitation occurred in the ten months following disclosure. But the case demonstrated that RBF mechanics create forensic surfaces in Lightning channel operations. Investigators examining disputed channel closures, forced closures under unusual timing conditions, or suspicious transaction input patterns must now account for replacement cycling as a potential attack vector.

What Does Full RBF Mean for Exchange Security?

Blockchain security firm SlowMist documented a class of attacks they termed “RBF fake deposit” fraud – where attackers send RBF-signaling transactions to exchanges, receive credit at zero confirmations, then replace the transaction to redirect funds. SlowMist developed a dedicated testing tool called Badwhale specifically to help exchanges evaluate their vulnerability to this attack.

The detection was straightforward under opt-in RBF: exchanges could check whether any input’s nSequence was below 0xFFFFFFFE and reject zero-confirmation credit for flagged transactions. Under full RBF, that check is meaningless – every transaction is replaceable regardless of signaling. Exchanges must now either wait for at least one confirmation before crediting deposits or implement real-time mempool monitoring that detects replacement attempts as they occur.

Crypto Trace Labs encounters this vulnerability in exchange security assessments and fraud investigations. The shift to mandatory full RBF has made zero-confirmation deposit crediting a clear operational risk, and exchanges that have not updated their deposit handling since Bitcoin Core 29.0 are exposed to fraud that was previously limited to the subset of transactions with explicit RBF signaling.

RBF Forensic Signals at a Glance

Signal | What It Reveals | Where to Observe
Change output decrease | Which output belongs to the sender (change vs. payment identification) | Mempool only – compare original and replacement
Payment output modification | Double-spend attempt – recipient address changed between versions | Mempool only
Fee escalation pattern | Sender urgency, sophistication level, potential time-sensitive criminal activity | Mempool only
Replacement count | Automated vs. manual fee management, institutional vs. individual sender | Mempool only
nSequence values | Wallet software identification, RBF intent signaling | On-chain (confirmed transaction)
Lightning close fee bumps | Channel dispute urgency, forced close behavior | On-chain + mempool

Note: five of six signals require mempool monitoring infrastructure – they cannot be recovered from on-chain data after confirmation. This is why Crypto Trace Labs maintains continuous mempool capture as part of our investigative capability.

Frequently Asked Questions

Can RBF transactions be traced after they confirm?

The confirmed replacement transaction is traceable on-chain like any other transaction. However, the original transaction that was replaced is discarded by nodes upon confirmation and is only available to investigators who captured it from the mempool before it was superseded. The forensic value of RBF – the differential between original and replacement – requires mempool monitoring. Without it, the replacement looks like any ordinary transaction.

What is the difference between RBF and CPFP?

Replace-by-Fee replaces the unconfirmed transaction with a new version paying a higher fee. Child Pays for Parent creates a new transaction spending the unconfirmed output, with a fee high enough to incentivize miners to confirm both. Forensically, RBF reveals change outputs through differential analysis. CPFP reveals spending relationships – the child transaction must come from someone who controls the unconfirmed output, linking the child’s sender to the parent’s recipient. Both produce wallet clustering intelligence.

How do Bitcoin ATMs protect against RBF fraud now?

After the Canadian HoneyBadger attacks, most Bitcoin ATM operators implemented minimum confirmation requirements – typically one to three confirmations before dispensing cash. Some operators added mempool monitoring to detect replacement attempts in real time. With full RBF now standard, any ATM still accepting zero-confirmation transactions has no security against this attack vector.

Does RBF affect privacy coins or Ethereum?

RBF is a Bitcoin-specific mechanism tied to its UTXO and mempool model. Ethereum uses a nonce-based replacement system where sending a new transaction with the same nonce and higher gas price replaces the pending one – functionally similar but structurally different. Privacy coins like Monero have their own transaction replacement mechanics, though Monero’s ring signatures and stealth addresses make the differential analysis technique far less effective.

Can investigators detect replacement cycling attacks on Lightning?

Replacement cycling leaves observable traces: repeated appearance and disappearance of HTLC-timeout transactions in the mempool, combined with competing transactions from the counterparty. Detection requires continuous mempool monitoring with specific pattern matching for HTLC transaction formats. Lightning implementations now mitigate the attack through randomized rebroadcasting, but forensic analysis of historical mempool data can reveal attempted attacks after the fact.
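The detection approach this answer describes, as an added example that is not from the page or from any Lightning implementation: a scan of a constructed mempool event log for the cycling signature described in the Lightning section (the HTLC-timeout transaction is evicted by a conflicting transaction, the evictor itself disappears, the victim rebroadcasts, and the pattern repeats). The event format, transaction names and thresholds are this example's assumptions.

```python
# Constructed mempool event log for one channel's HTLC-timeout transaction. Each
# entry is (seconds since monitoring began, event, txid, txid of the conflicting
# transaction that evicted it, or None). Transaction names are illustrative only.
EVENTS = [
    (0,   "added",   "htlc_timeout", None),
    (12,  "evicted", "htlc_timeout", "cycle_child_1"),    # conflicting spend of the HTLC input
    (12,  "added",   "cycle_child_1", None),
    (40,  "evicted", "cycle_child_1", "cycle_child_1b"),  # evictor replaced, HTLC spend dropped
    (40,  "added",   "cycle_child_1b", None),
    (75,  "added",   "htlc_timeout", None),               # victim node rebroadcasts
    (80,  "evicted", "htlc_timeout", "cycle_child_2"),
    (80,  "added",   "cycle_child_2", None),
    (110, "evicted", "cycle_child_2", "cycle_child_2b"),
    (110, "added",   "cycle_child_2b", None),
    (140, "added",   "htlc_timeout", None),
    (145, "evicted", "htlc_timeout", "cycle_child_3"),
]

def cycling_report(events, txid, window_s=600, min_cycles=2):
    """Look for the replacement-cycling signature around `txid`: it is evicted
    repeatedly by distinct conflicting transactions, re-enters the mempool, and
    the evictors themselves vanish without confirming. Thresholds are heuristics."""
    evictions = [(t, by) for t, ev, tx, by in events if tx == txid and ev == "evicted"]
    readds = [t for t, ev, tx, _ in events if tx == txid and ev == "added"]
    # One cycle = the victim is evicted and later shows up in the mempool again.
    cycles = sum(1 for t, _ in evictions if any(r > t for r in readds))
    evictors = [by for _, by in evictions]
    # An evictor that is itself evicted (rather than mined) is the tell-tale of cycling.
    evictors_gone = sum(1 for e in evictors
                        if any(tx == e and ev == "evicted" for _, ev, tx, _ in events))
    span = evictions[-1][0] - evictions[0][0] if len(evictions) > 1 else 0
    flagged = (cycles >= min_cycles and span <= window_s and evictors_gone >= min_cycles
               and len(set(evictors)) == len(evictors))
    return {"cycles": cycles, "evictors": evictors, "evictors_also_evicted": evictors_gone,
            "span_s": span, "flagged": flagged}
```

A single eviction by a transaction that then confirms yields no cycle and is not flagged, which is what separates ordinary conflict resolution from the cycling pattern.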

What percentage of Bitcoin transactions use RBF?

Before Bitcoin Core 29.0, approximately 20-27% of transactions explicitly signaled opt-in RBF through the nSequence field. The network processes between 2,000 and 6,000 actual replacement transactions per day. Since April 2025, the signaling distinction is moot – all unconfirmed transactions are replaceable by default, making the entire mempool a potential source of replacement forensic data.

Is Your Platform Vulnerable to RBF Exploitation?

Full RBF changed the rules permanently. If your exchange, ATM network, or payment platform was built when zero-confirmation transactions had even minimal reliability, that security assumption no longer holds. The $195,000 Canadian ATM fraud happened under opt-in RBF – under full RBF, the attack surface is every unconfirmed transaction, not just those with explicit signaling.

Crypto Trace Labs conducts RBF vulnerability assessments for exchanges and payment processors, investigates double-spend fraud cases, and provides blockchain forensic analysis that includes full mempool intelligence. Our team – including analysts like D. Hargreaves – holds ACAMS certifications, MLRO qualifications across UK, US, and European jurisdictions, and Chartered status at Fellow Grade. No upfront charge for non-custodial wallet recoveries.

Contact Crypto Trace Labs for an RBF security assessment or to discuss an active investigation.

This content is for informational purposes only and does not constitute legal, financial, or compliance advice. Crypto asset recovery outcomes depend on specific circumstances, regulatory cooperation, and technical factors. Consult qualified professionals regarding your situation.


Crypto Trace Labs

Crypto Trace Labs is a professional team specializing in cryptocurrency tracing and recovery. With years of experience assisting law enforcement, legal teams, and fraud victims worldwide, we provide expert blockchain analysis, crypto asset recovery, and investigative guidance to help clients secure their digital assets.
