An unknown person or group may be collecting the IP addresses of Bitcoin (BTC) users and linking them to their BTC addresses, violating the privacy of these users, according to a blog post by the pseudonymous Bitcoin app developer 0xB10C. The entity has been active since March 2018, and its IP addresses have appeared in various public posts by Bitcoin node operators in recent years.
0xB10C is the developer of several Bitcoin analysis websites, including Mempool.observer and Transactionfee.info. They have also been awarded a Brink.dev Bitcoin Developer Grant in the past.
An entity I call LinkingLion, active since 2018 and on a Monero banlist, is opening connections to many clearnet Bitcoin nodes. It's presumably attempting to link transactions to node IPs. Maybe a chain analysis company trying to enhance its product? https://t.co/W4PDoln3p3
—0xB10C (@0xB10C) March 28, 2023
0xB10C calls the entity “LinkingLion” because the IP addresses associated with it go through the LionLink network colocation data center. However, information from the ARIN and RIPE records reveals that this company is probably not the originator of the messages, according to 0xB10C.
The entity uses a range of 812 different IP addresses to open connections with Bitcoin full nodes visible on the network (also called “listening nodes”). Once a connection is opened, the entity asks the node what version of the Bitcoin software it is using. However, when the node responds with a version number and a message indicating that it has understood the request, the entity closes its connection about 85% of the time without responding.
According to the post, this behavior may indicate that the entity is trying to determine if a particular node is reachable at a particular IP address.
Although this behavior is not necessarily worrisome, what the entity does the other 15% of the time can be. 0xB10C stated that about 15% of the time, LinkingLion doesn’t close the connection immediately. Instead, it either listens for inventory messages that contain transactions, or sends an address request and listens for both inventory and address messages. It then closes the connection in 10 minutes.
This behavior would normally indicate that the user is a node trying to update its copy of the blockchain. However, LinkingLion never requests blocks or transactions, which implies that it must be pursuing some other purpose, the post said.
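The connection pattern described above can be expressed as a detection check over a node's per-connection records. This is an added example, not code from 0xB10C or Cointelegraph: the record fields, the thresholds and the sample connections are constructed assumptions, while the message names are standard Bitcoin P2P commands.

```python
from collections import Counter

# P2P commands by which a peer asks for block or transaction data.
DATA_REQUESTS = {"getdata", "getheaders", "getblocks"}
MAX_LISTEN_SECONDS = 600  # the article reports the connection closing in 10 minutes


def classify(conn):
    """Label one inbound connection by the messages the remote peer sent."""
    sent = set(conn["peer_sent"])
    if "version" not in sent:
        return "incomplete"
    if "verack" not in sent:
        # Peer asked for our version, received the reply, left without answering.
        return "version-probe"
    if sent & DATA_REQUESTS:
        return "syncing-peer"
    if conn["closed"] and conn["duration_s"] <= MAX_LISTEN_SECONDS:
        # Finished the handshake, only listened (or sent getaddr), then left.
        return "passive-listener"
    return "other"


def suspicious_sources(conns, min_conns=3, min_ratio=0.9):
    """Return source IPs whose connections almost all match the pattern.

    min_conns and min_ratio are assumed thresholds; a single short-lived
    connection is not evidence on its own.
    """
    total, flagged = Counter(), Counter()
    for c in conns:
        total[c["ip"]] += 1
        if classify(c) in ("version-probe", "passive-listener"):
            flagged[c["ip"]] += 1
    return sorted(ip for ip in total
                  if total[ip] >= min_conns and flagged[ip] / total[ip] >= min_ratio)


# Constructed sample records (documentation IP ranges, hypothetical field names).
SAMPLE = [
    {"ip": "192.0.2.10", "duration_s": 1, "closed": True, "peer_sent": ["version"]},
    {"ip": "192.0.2.10", "duration_s": 2, "closed": True, "peer_sent": ["version"]},
    {"ip": "192.0.2.10", "duration_s": 598, "closed": True,
     "peer_sent": ["version", "verack", "getaddr"]},
    {"ip": "192.0.2.10", "duration_s": 600, "closed": True,
     "peer_sent": ["version", "verack"]},
    {"ip": "198.51.100.7", "duration_s": 5400, "closed": False,
     "peer_sent": ["version", "verack", "getheaders", "inv", "getdata"]},
    {"ip": "198.51.100.7", "duration_s": 3, "closed": True, "peer_sent": ["version"]},
]

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE))
```

An ordinary peer can also disconnect within ten minutes without requesting data, which is why the check flags a source only when nearly all of its connections match.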
0xB10C claimed that LinkingLion could be recording the timing of transactions to determine which node received a transaction first. That information can be used to determine the IP address associated with a particular Bitcoin address, they explained:
“Connections that complete the release handshake and stay connected learn about our node’s inventory, such as transactions and blocks. Temporal information, i.e. when a node announces its new inventory, is especially relevant. It is likely that the entity learns about the new transaction from our wallet first from us. Since the entity is connected to many listening nodes, it can use that information to link broadcast transactions to IP addresses.”
To help protect the community from this privacy threat, 0xB10C has put together an open source ban list that nodes can implement to prohibit LinkingLion from connecting to them. However, they also warned that the entity could circumvent this ban list by changing the IP addresses it uses to connect. In the opinion of 0xB10C, the only permanent solution to the problem is to change the transaction logic within Bitcoin Core, something the developers have been unable to do until now.
The vulnerability exposed in the post appears to mainly affect users running their own Bitcoin nodes. 0xB10C did not say whether it also affects ordinary users who trust Electrum or other Bitcoin wallets connecting to third-party nodes, nor did they say whether users can defend against the attack using a virtual private network. Cointelegraph has reached out to 0xB10C on LinkedIn for answers to these questions, but they could not be reached at press time.
Privacy has been a constant concern for Bitcoin and cryptocurrency users over the years. Although Bitcoin addresses are pseudonymous, their transaction histories are fully public. Andreas Antonopoulos, a Bitcoin educator, has claimed that Bitcoin will never truly be private. But Breeze Wallet has tried to improve privacy on the network using offchain transactions and cryptographic puzzles.