An unknown person or group may be collecting bitcoin IP addresses, According to a blog post by pseudonymous Bitcoin app developer 0xB10C, users link them to their BTC addresses, violating the privacy of those users. The entity has been active since March 2018, and its IP address has appeared in multiple public posts by Bitcoin node operators over the past few years.
0xB10C is the developer of several Bitcoin analysis websites, including Mempool.observer and Transactionfee.info. They have also received Bitcoin Developer Grants from Brink.dev in the past. 0xB10C refers to the entity as "LinkingLion" because the IP address associated with it passes through the hosting data center of the LionLink network. However, according to 0xB10C, ARIN and RIPE registration information indicates that the company may not be the originator of the message.
This entity uses a series of 812 different IP addresses to open connections to Bitcoin full nodes (also known as "listening nodes") visible on the network. Once the connection is opened, the entity asks the node which version of the Bitcoin software it is using. However, when a node responds with a version number and a message indicating that it has understood the request, the entity closes its connection about 85% of the time without responding.
According to the post, this behavior may indicate that the entity is trying to determine whether a particular node is reachable via a particular IP address. While this behavior isn't necessarily cause for concern, what the entity does the other 15% of the time might be. 0xB10C means that about 15% of the time, LinkingLion will not close the connection immediately. Instead, they either listen for inventory messages containing transactions, or send address requests and listen for both inventory and address messages. Then they close the connection within 10 minutes.
This behavior usually indicates that the user is a node trying to update its copy of the blockchain. However, the post states that LinkingLion never requests blocks or transactions, which means they must be pursuing other purposes. 0xB10C indicates that LinkingLion may be logging transaction times to determine which node received the transaction first, which information can then be used to determine the IP address associated with a particular Bitcoin address. The developer explained:
"The connection that completes the version handshake and stays connected learns about our node's inventory, such as transactions and blocks. Timing information, i.e. when a node announces its new inventory, is especially relevant. It is likely that this entity first learned about our new wallet from us transactions. Since an entity is connected to many listening nodes, it can use that information to link broadcast transactions to IP addresses.” To help protect the community from this privacy threat, 0xB10C has produced an open-source ban list that nodes can implement to prohibit LinkingLion from connecting to them. However, they also warned that the entity could bypass this ban list by changing the IP address it uses to connect. In 0xB10C's view, the only permanent solution to the problem is to change the transaction logic inside Bitcoin Core, which developers have so far been unable to do.
The vulnerabilities exposed in the post appear to primarily affect users running their own Bitcoin nodes. 0xB10C did not say whether it would also affect ordinary users who rely on Electrum or other Bitcoin wallets connected to third-party nodes, or whether users could use a virtual private network to defend against the attack. Cointelegraph reached out to 0xB10C on LinkedIn for answers to these questions, but they were not available at the time of publication.
Privacy has been an ongoing concern for bitcoin and cryptocurrency users for years. Although Bitcoin addresses are anonymous, their transaction history is completely public. Bitcoin educator Andreas Antonopoulos believes that Bitcoin will never be truly private. But Breeze Wallet attempts to improve online privacy by utilizing off-chain transactions and cryptographic puzzles.
