Unless the "victim" is running some non-standard software or have been configured specifically to not broadcast tx's this should not be possible (unless you are saying the attacker owns the victims internet connection).

Actually even if they did own the victims internet connection they would still have to be rather amazing to be able to complete the 6 confirmations within one hour.