According to a blog post by 0xB10C, a pseudonymous Bitcoin app developer, an entity has been collecting data from Bitcoin users while using 812 different IP addresses to hide its identity. The entity has been active since March 2018 and has been linked to several public posts from Bitcoin node operators over the past few years.
IP addresses “LinkingLion”
The developer claims that this unknown person or group may be violating the privacy of Bitcoin users by collecting their IP addresses and linking them to their BTC addresses. The developer has named the entity “LinkingLion” because the IP addresses associated with it pass through the LionLink network’s colocation data center. However, according to the developer, the company identified through ARIN and RIPE registry information is probably not the originator of the messages. The developer behind this post is also the creator of various Bitcoin analytics websites and has previously been awarded a Bitcoin developer grant from Brink.dev.
The entity uses 812 different IP addresses to open connections to Bitcoin full nodes that are visible on the network, also known as “listening nodes.” Once a connection is established, the entity inquires about the version of Bitcoin software the node uses. In response, the node acknowledges the request and provides the version number, but in approximately 85% of cases, the entity abruptly terminates the connection without replying.
The post suggests that the entity’s actions may be an attempt to verify whether a specific node can be accessed through a specific IP address. While this behavior may not be problematic, the developer expresses concern about what the entity does during the remaining 15% of the time. According to 0xB10C, LinkingLion does not immediately terminate the connection in these cases. Instead, it either listens for inventory messages containing transactions or sends a request for an address. It listens for inventory and address messages before closing the connection within ten minutes.
Typically, this behavior suggests that the user is a node attempting to update its blockchain version. However, the fact that LinkingLion does not request any blocks or transactions indicates that they have a different motive, as per the post. According to 0xB10C, LinkingLion may be recording the timing of transactions to identify which node was the first to receive them. This data can then be used to determine the IP address associated with a specific Bitcoin address. The developer explained:
“Connections that complete the version handshake and stay connected learn about our node’s inventory, like transactions and blocks. The timing information, i.e., when a node announces its new inventory, is especially relevant. The entity will likely learn about our new wallet transaction from us first. As the entity is connected to many listening nodes, it can use that information to link broadcast transactions to IP addresses.”
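A node operator can look for the connection pattern described above in their own peer message logs. The following Python code is an added example, not code from 0xB10C's post or from Bitcoin Core; the event-tuple format, the labels and the sample sessions (documentation-range IP addresses) are constructed for illustration, and the 600-second cutoff mirrors the ten-minute figure in the article.

```python
from collections import defaultdict

MAX_LISTEN_SECONDS = 600  # "within ten minutes", per the article's description
# P2P commands a peer sends when it actually wants blocks or transactions.
DATA_REQUESTS = {"getdata", "getheaders", "getblocks"}

# Constructed sample: (peer, seconds since connect, direction, P2P command).
# "in" = received from the peer, "out" = sent by our node, "close" = peer hung up.
SAMPLE_EVENTS = [
    ("203.0.113.10", 0, "in", "version"), ("203.0.113.10", 0, "out", "version"),
    ("203.0.113.10", 0, "out", "verack"), ("203.0.113.10", 1, "close", ""),
    ("203.0.113.11", 0, "in", "version"), ("203.0.113.11", 0, "out", "verack"),
    ("203.0.113.11", 1, "in", "verack"), ("203.0.113.11", 2, "in", "getaddr"),
    ("203.0.113.11", 3, "out", "addr"), ("203.0.113.11", 40, "out", "inv"),
    ("203.0.113.11", 580, "close", ""),
    ("198.51.100.7", 0, "in", "version"), ("198.51.100.7", 0, "out", "verack"),
    ("198.51.100.7", 1, "in", "verack"), ("198.51.100.7", 30, "out", "inv"),
    ("198.51.100.7", 31, "in", "getdata"), ("198.51.100.7", 32, "out", "tx"),
    ("198.51.100.7", 7200, "close", ""),
]


def classify_session(events):
    """Label one inbound connection from its (time, direction, command) events."""
    received = {cmd for _, direction, cmd in events if direction == "in"}
    closed_at = next((t for t, direction, _ in events if direction == "close"), None)
    if "version" not in received or closed_at is None:
        return "incomplete"   # still open, or never started the handshake
    if "verack" not in received:
        return "probe"        # got our version, hung up without replying
    # Handshake completed: a syncing peer would request what we announce.
    if received.isdisjoint(DATA_REQUESTS) and closed_at <= MAX_LISTEN_SECONDS:
        return "listener"     # took inv/addr announcements, requested nothing
    return "normal"


def classify_all(events):
    """Group events by peer address and classify each session."""
    sessions = defaultdict(list)
    for peer, t, direction, cmd in events:
        sessions[peer].append((t, direction, cmd))
    return {peer: classify_session(evts) for peer, evts in sessions.items()}


if __name__ == "__main__":
    for peer, label in classify_all(SAMPLE_EVENTS).items():
        print(f"{peer}\t{label}")
```

A "listener" label is a behavioural hint and not proof of intent; correlating it across many source addresses in the same ranges is what makes it meaningful.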
To safeguard the community against this privacy risk, 0xB10C has developed an open-source ban list that nodes can adopt to prevent LinkingLion from establishing connections with them. However, the developer cautioned that the entity could evade this ban list by altering its IP addresses to connect. In the developer’s opinion, the only permanent solution to the problem is to modify the transaction logic in Bitcoin Core, which has been difficult for developers to achieve thus far. The vulnerability identified in the post appears to primarily affect users operating their own Bitcoin nodes. 0xB10C did not clarify whether this also affects regular users relying on Electrum or other Bitcoin wallets that connect to third-party nodes, nor did they mention whether users can protect themselves using a virtual private network.
Over the years, privacy has been an ongoing worry for Bitcoin and cryptocurrency users. Despite Bitcoin addresses being pseudonymous, the details of their transactions are completely public. A Bitcoin educator, Andreas Antonopoulos, has asserted that Bitcoin will never be entirely private. However, Breeze Wallet has endeavored to boost privacy on the network by using off-chain transactions and cryptographic puzzles.