Triangulation Scams in P2P Markets

– and how Peach addresses it. P2P trading has its advantages, but it means you are paying a real person directly, and scammers love to figure out ways to abuse this system. One of the nastiest (and really the most common at this point) is the triangulation scam, so let's walk through how it works, and how Peach blocks it without asking you for your ID.

Diagram of a triangulation scam: a triangle linking a scammer, an unwitting victim, and an honest seller, with Bitcoin flowing from the seller to the scammer, cash from the victim to the seller, and a warning from the scammer to the victim

What's a triangulation scam

The trick is that the scammer never pays for the Bitcoin themselves. They get someone else to do it, usually a person who has no idea they are part of a Bitcoin trade at all.

The play, step by step:

The scammer lists something for sale somewhere else entirely. A phone, a concert ticket, a piece of furniture on a classifieds site, on eBay or Facebook Marketplace. A normal sale, nothing to do with Bitcoin.
A buyer (the victim) agrees to buy that item and gets ready to pay.
At that exact moment, the scammer jumps onto our P2P Bitcoin marketplace and takes a trade with a real seller.
The scammer passes the seller's bank details to the victim, as if those were the scammer's own details for the item being sold.
The victim transfers the money to the seller, believing they are paying for a phone.
The seller sees the money land, confirms the payment, and releases the Bitcoin to the scammer.

The scammer walks away with Bitcoin they never paid for. The victim is out their money and never receives the item. The seller, acting in complete good faith, became the unwitting tool in the middle. Three parties, one of them a stranger to the whole thing. That is the triangle.

Why this is so hard to catch

From the seller's side, everything looks normal. The right amount of money shows up, on time, for the trade they agreed to. There is no obvious red flag in the moment.

The only thing that is wrong is who the money came from. The payment is sitting in the seller's account from a person who thinks they just bought a secondhand phone. If the seller has no way to know who the payment was supposed to come from, that mismatch is invisible.

How Peach shuts it down

This is where the buyer payment details come in, and why we ask for them.

When you take a trade on Peach as a buyer, you have to enter the details of the account you are paying from. The seller then sees those details inside the app. So when the money arrives, the seller has something to check it against: the name and account that actually sent the funds versus the name and account Peach says should be sending them.

In a normal trade, they match. The buyer paid from their own account, exactly as declared. Trade confirmed, Bitcoin released, everyone happy.

In a triangulation scam, they do not match. The money landed from some random victim's account, not from the buyer named in the trade. That mismatch is the seller's signal.

It is HIGHLY ADVISED*, at that point, that the seller does NOT confirm the payment on Peach, and rather opens a dispute. Our mediators step in, the Bitcoin goes back to the seller, and the money is refunded to the victim. The scam fails. The trade does too, but the seller is free to republish without an extra on-chain transaction.

*there have been cases where the victim complains to the authorities and accuses/involves the (honest) seller. You don't want that.

Right now, this is the only way we have found to stop third party payments and triangulation scams without compromising the things we actually care about: no KYC, no surveillance, no handing your identity to anyone. You declare the account you pay from, the seller checks it matches, and that is it. This works on the vast majority of payment methods (cash and a few anonymous methods may be handled differently).

Why a payment reference does not fix this

A fair question we get is: why not just have the seller set a reference or memo on the payment, and tell buyers to include it? Surely if the payment carries a secret code, only the real buyer can pay correctly?

It sounds good, but it does not close the hole. The scammer is talking to the victim, so he can simply forward the reference along with the bank details: "pay this account, and put this code in the reference field." The victim dutifully includes it. The payment arrives with a perfect, matching reference, and the seller has no reason to suspect anything. The scammer controls the message, so the scammer controls the reference. It protects nothing.

Checking who sent the money is fundamentally different. The scammer cannot forward their own bank identity to the victim. The victim pays from the victim's account, and no reference in the world changes that name. That is why the payment details check works where a memo does not.

The takeaway

When Peach asks for your payment details, it is not a KYC step, and Peach cannot see it, except in cases of dispute. It is a small, honest piece of information that lets the seller confirm the money came from you and not from someone who has no idea they are funding a Bitcoin trade. It protects the seller, it protects an innocent stranger, and it keeps the marketplace clean, all without anyone uploading a passport.

P2P done right means trading directly without giving up your privacy. Stopping triangulation scams is part of doing it right.

Happy peaching 🍑