1.) When a customer withdraws bitcoin from your service, include an extra output in the transaction to spend a portion of your own BTC back to a new address you control.
2.) Track the presence of that output at your new address. (Through a callback for instance)
3.) Did the bitcoin arrive?
- If yes, then congratulations, you can be sure that the funds involved were delivered
- If no, then neither your funds or the customers withdrawal were successfully sent out to begin with.
If for whatever reason an attacker tried to manually spend or fake-double spend bitcoin back to your new address as a "trick," all they've accomplished is an action that forces your system to mark their withdrawal as successful.