You can double-spend an unconfirmed transaction / replace it with a different transaction paying a higher fee, spending the same inputs, but to a different destination. Attackers were stupid trusting 0-conf.
Amazing. I didn't know. I'm going to try this out myself.