An unknown person or group may be collecting the IP addresses of Bitcoin (BTC) users and linking them to their BTC addresses, violating the privacy of these users, according to a blog post from pseudonymous Bitcoin app developer 0xB10C. The entity has been active since March 2018, and its IP addresses have shown up on several public posts from Bitcoin node operators over the past several years.
0xB10C is the developer of several Bitcoin analytics websites, including Mempool.observer and Transactionfee.info. They have also been awarded a Bitcoin developer grant from Brink.dev in the past.
An entity I call LinkingLion, active since 2018 and on a Monero banlist, is opening connections to many clearnet Bitcoin nodes. It's presumably attempting to link transactions to node IPs. Maybe a chain analysis company trying to enhance its product? https://t.co/W4PDoln3p3
— 0xB10C (@0xB10C) March 28, 2023
0xB10C calls the entity “LinkingLion” because the IP addresses associated with it pass through LionLink network’s colocation data center. However, ARIN and RIPE registry information reveal that this company is probably not the originator of the messages, according to 0xB10C.
The entity uses a range of 812 different IP addresses to open connections with Bitcoin full nodes that are visible on the network (also called “listening nodes”). Once it opens a connection, the entity asks the node which version of the Bitcoin software it is using. However, when the node responds with a version number and message stating that it has understood the request, the entity closes its connection about 85% of the time without responding.
According to the post, this behavior may indicate that the entity is trying to determine if a particular node can be reached at a particular IP address.
While this behavior isn’t necessarily a cause for concern, what the entity does the rest of the time may be. 0xB10C stated that about 15% of the time, LinkingLion doesn’t close the connection immediately. Instead, it either listens for inventory messages that contain transactions or sends a request for an address and listens for both inventory and address messages. It then closes the connection within 10 minutes.
This behavior would normally indicate that the user is a node trying to update its copy of the blockchain. However, LinkingLion never requests blocks or transactions, which implies that they must be pursuing some other purpose, the post said.
0xB10C stated that LinkingLion might be recording the timing of transactions to determine which node first received a transaction, information that can then be used to determine the IP address associated with a particular Bitcoin address. The developer explained:
“Connections that complete the version handshake and stay connected learn about our node’s inventory, like transactions and blocks. The timing information, i.e., when a node announces its new inventory, is especially relevant. The entity is likely to first learn about our new wallet transaction from us. As the entity is connected to many listening nodes, it can use that information to link broadcast transactions to IP addresses.”
To help protect the community from this privacy threat, 0xB10C has produced an open-source ban list that nodes can implement to ban LinkingLion from connecting to them. However, they also warned that the entity could get around this ban list by changing the IP addresses it uses to connect. In 0xB10C’s view, the only permanent solution to the problem is to change the transaction logic within Bitcoin Core, which developers have so far been unable to do.
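Because a ban list keyed on IP addresses stops working once the addresses change, a node operator can also look for the connection pattern itself. The sketch below is an added example, not code from 0xB10C's post or from Bitcoin Core: the record layout (`ip`, `peer_sent`, `seconds`), the sample data and the `MIN_CONNECTIONS` threshold are assumptions, while the command names are standard Bitcoin P2P message types.

```python
from collections import Counter, defaultdict

FETCH = {"getdata", "getheaders", "getblocks"}  # peer actually requests blocks/txs
MAX_LISTEN_SECONDS = 600  # from the article: closed within 10 minutes
MIN_CONNECTIONS = 3       # assumed: minimum sample before judging a source IP

def classify(conn):
    """Label one inbound connection by the P2P commands the peer sent us."""
    sent = set(conn["peer_sent"])
    if "version" not in sent:
        return "other"
    if "verack" not in sent:
        # Peer sent version, received our reply, and left without answering.
        return "probe"
    if not sent & FETCH and conn["seconds"] <= MAX_LISTEN_SECONDS:
        # Handshake completed, peer only listened (maybe getaddr), never fetched.
        return "listener"
    return "normal"

def suspicious_sources(conns):
    """Return {ip: {label: count}} for IPs that only ever probe or listen."""
    per_ip = defaultdict(Counter)
    for conn in conns:
        per_ip[conn["ip"]][classify(conn)] += 1
    flagged = {}
    for ip, labels in per_ip.items():
        total = sum(labels.values())
        if total >= MIN_CONNECTIONS and labels["probe"] + labels["listener"] == total:
            flagged[ip] = dict(labels)
    return flagged

# Constructed sample records (documentation IP ranges, not real observations).
SAMPLE = [
    {"ip": "192.0.2.10", "peer_sent": ["version"], "seconds": 1},
    {"ip": "192.0.2.10", "peer_sent": ["version"], "seconds": 2},
    {"ip": "192.0.2.10", "peer_sent": ["version", "verack", "getaddr"], "seconds": 540},
    {"ip": "198.51.100.7", "peer_sent": ["version"], "seconds": 1},
    {"ip": "198.51.100.7", "peer_sent": ["version", "verack", "getheaders"], "seconds": 30},
    {"ip": "198.51.100.7", "peer_sent": ["version", "verack", "getheaders", "getdata"],
     "seconds": 7200},
    {"ip": "203.0.113.5", "peer_sent": ["version"], "seconds": 1},
]

if __name__ == "__main__":
    for ip, labels in suspicious_sources(SAMPLE).items():
        print(ip, labels)
```

A single short connection proves nothing, which is why the check aggregates per source IP; the output is a list of candidates to review, not a verdict.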
In a conversation with CoinStreetDaily, 0xB10C stated that the vulnerability doesn’t just affect users who run their own nodes. Even users who rely on a third-party server through a wallet like Electrum or Mycelium can still be victims of this invasion of privacy.
“When using Electrum wallet, you connect to a remote Electrum server. You tell the server which addresses you are interested in and, when you send a transaction, you tell the server about the transaction. This is all linked to your IP address if you don’t use Tor or similar,” they said. “All LinkingLion has to do is to run public Electrum servers and get people to connect to it. This has been suspected to be happening for years and it has been recommended to run your Electrum server connected to your own node.”
Privacy has been a continuing concern for Bitcoin and crypto users over the years. Although Bitcoin addresses are pseudonymous, their transaction histories are entirely public. Bitcoin educator Andreas Antonopoulos has argued that Bitcoin will never be truly private. But Breeze Wallet has attempted to improve privacy on the network by utilizing offchain transactions and cryptographic puzzles.
This article was updated on March 30 with a comment from 0xB10C regarding users who don’t run their own nodes.