An unknown person or group may be collecting the IP addresses of Bitcoin (BTC) users and linking them to their BTC addresses, violating the privacy of these users, according to a blog post by the pseudonymous Bitcoin app developer 0xB10C. The entity has been active since March 2018 and its IP addresses have appeared in various public posts by Bitcoin node operators in recent years.
0xB10C is the developer of several Bitcoin analysis websites, including Mempool.observer and Transactionfee.info. They have also been awarded a Brink.dev Bitcoin Developer Grant in the past.
An entity I call LinkingLion, active since 2018 and on a Monero ban list, is opening connections to many Clearnet Bitcoin nodes. Presumably it tries to bind the transactions to the IP addresses of the nodes. Perhaps a chain analysis company trying to improve their product? https://t.co/W4PDoln3p3
—0xB10C (@0xB10C) March 28, 2023
0xB10C calls the entity “LinkingLion” because the IP addresses associated with it go through the LionLink network’s colocation data center. However, log information from ARIN and RIPE reveals that this company is probably not the author of the messages, according to 0xB10C.
The entity uses a range of 812 different IP addresses to open connections with Bitcoin full nodes that are visible on the network (also called “listening nodes”). Once a connection is opened, the entity asks the node what version of the Bitcoin software it is using. However, when the node responds with a version number and a message indicating that it has understood the request, the entity closes its connection approximately 85% of the time without responding.
According to the post, this behavior may indicate that the entity is trying to determine if a particular node is reachable at a particular IP address.
While this behavior is not necessarily a cause for concern, what the entity does the other 15% of the time may be. 0xB10C indicated that about 15% of the time, LinkingLion does not close the connection immediately. Instead, it either listens for inventory messages that contain transactions, or sends an address request and listens for both inventory and address messages. It then closes the connection in 10 minutes.
This behavior would normally indicate that the user is a node trying to update its copy of the blockchain. However, LinkingLion never requests blocks or transactions, which implies that they must be pursuing some other purpose, the post said.
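A defender's view of the pattern described above, as an added example that is not from 0xB10C's post or from Bitcoin Core: it classifies finished inbound connections by the P2P messages the peer sent and flags networks that repeat the pattern without ever requesting data. The record format, the /24 grouping, the `min_conns` threshold and the sample addresses are assumptions made for illustration.

```python
"""Classify inbound Bitcoin P2P connections by the message pattern the article describes."""
from collections import Counter, defaultdict
from ipaddress import ip_network

# P2P messages a peer sends when it actually wants block or transaction data.
DATA_REQUESTS = {"getdata", "getheaders", "getblocks"}


def classify(conn):
    """Return 'normal', 'listener' or 'probe' for one finished inbound connection.

    conn["sent"] lists the P2P message names received from the peer (assumed format).
    """
    sent = set(conn["sent"])
    if sent & DATA_REQUESTS:
        return "normal"      # peer asked for headers, blocks or transactions
    if "verack" in sent:
        return "listener"    # handshake completed, then only listened (maybe getaddr)
    return "probe"           # closed without answering our version/verack


def suspicious_networks(conns, min_conns=3):
    """Group IPv4 peers by /24 and flag networks that never request any data.

    One short connection proves nothing; the signal is a network that repeats
    the probe/listener pattern across many connections.
    """
    by_net = defaultdict(Counter)
    for c in conns:
        net = ip_network(c["ip"] + "/24", strict=False)
        by_net[str(net)][classify(c)] += 1
    return {net: dict(kinds) for net, kinds in by_net.items()
            if sum(kinds.values()) >= min_conns and kinds["normal"] == 0}


# Constructed sample records (documentation address ranges, not captured traffic).
SAMPLE = [
    {"ip": "192.0.2.10", "sent": ["version"]},
    {"ip": "192.0.2.11", "sent": ["version"]},
    {"ip": "192.0.2.12", "sent": ["version", "verack", "getaddr"]},
    {"ip": "192.0.2.13", "sent": ["version"]},
    {"ip": "198.51.100.7", "sent": ["version", "verack", "getheaders", "getdata"]},
    {"ip": "198.51.100.8", "sent": ["version", "verack", "getheaders"]},
    {"ip": "198.51.100.9", "sent": ["version"]},
    {"ip": "203.0.113.5", "sent": ["version"]},
]

if __name__ == "__main__":
    print(suspicious_networks(SAMPLE))
```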
0xB10C stated that LinkingLion could be recording the timing of transactions to determine which node received a transaction first, information that can then be used to determine the IP address associated with a particular Bitcoin address. The developer explained:
“Connections that complete the release handshake and stay connected learn about our node’s inventory, such as transactions and blocks. The time information, that is, when a node announces its new inventory, is especially relevant. The entity will likely first find out about our new wallet transaction from us. Since the entity is connected to many listening nodes, it can use that information to link broadcast transactions to IP addresses.”
To help protect the community from this privacy threat, 0xB10C has produced an open source ban list that nodes can implement to prohibit LinkingLion from connecting to them. However, they also warned that the entity could circumvent this ban list by changing the IP addresses it uses to connect. In the opinion of 0xB10C, the only permanent solution to the problem is to change the transaction logic within Bitcoin Core, something that the developers have not been able to do until now.
The vulnerability exposed in the post seems to mainly affect users running their own Bitcoin nodes. 0xB10C did not say whether it also affects ordinary users who rely on Electrum or other Bitcoin wallets connecting to third-party nodes, nor whether users can defend against the attack using a virtual private network. Cointelegraph reached out to 0xB10C on LinkedIn for answers to these questions, but was unable to reach them at press time.
Privacy has been an ongoing concern for Bitcoin and cryptocurrency users over the years. Although Bitcoin addresses are pseudonymous, their transaction histories are fully public. Bitcoin educator Andreas Antonopoulos has argued that Bitcoin will never be truly private. But Breeze Wallet has tried to improve privacy on the net by using off-chain transactions and cryptographic puzzles.