An unidentified individual or group appears to be collecting the IP addresses of Bitcoin (BTC) users and associating them with their BTC addresses, jeopardizing the privacy of these users, as outlined in a blog post by pseudonymous Bitcoin app developer 0xB10C. This operation has been ongoing since March 2018, with its IP addresses being identified in various public posts from Bitcoin node operators over the years.
0xB10C is known as the creator of multiple Bitcoin analytics websites, such as Mempool.observer and Transactionfee.info, and has previously received a Bitcoin developer grant from Brink.dev.
An entity referred to as LinkingLion, active since 2018 and on a Monero ban list, is establishing connections with numerous clearnet Bitcoin nodes, potentially aiming to connect transactions to node IPs. Could it be a chain analysis company seeking to enhance its product? https://t.co/W4PDoln3p3
— 0xB10C (@0xB10C) March 28, 2023
The entity was dubbed “LinkingLion” by 0xB10C because its IP addresses pass through the LionLink network’s colocation data center. However, according to information from ARIN and RIPE registries, this company is likely not the originator of these messages.
Using a range of 812 different IP addresses, the entity opens connections to Bitcoin full nodes that are visible on the network, also known as “listening nodes.” After connecting, the entity inquires about the version of Bitcoin software the node is using. When the node responds with a version number and an acknowledgment message, the entity closes the connection around 85% of the time without further engagement.
While this behavior may not immediately raise concerns, it is the remaining 15% of actions that may be worrisome. 0xB10C noted that in about 15% of instances, LinkingLion does not promptly disconnect. Instead, it either listens for inventory messages containing transactions or requests an address and listens for both inventory and address messages before closing the connection within 10 minutes.
The post highlighted that this conduct suggests that the entity may be tracking transaction timing to identify which node first receives a transaction, ultimately linking it to the IP address associated with a specific Bitcoin address.
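A node operator can check their own inbound connection records for the pattern described above. The following is an added example, not code from 0xB10C's post: the record format, the 5-second quick-close cutoff, the /24 grouping, the `min_conns` threshold and the sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

QUICK_CLOSE_S = 5      # assumption: cutoff for "closes without further engagement"
MAX_SESSION_S = 600    # article: connection is closed within 10 minutes
PASSIVE_MSGS = {"version", "verack", "getaddr", "ping", "pong"}

# Constructed sample: (peer IPv4, message types the peer sent us, seconds connected).
# Addresses come from documentation ranges, not from the real ban list.
SAMPLE = [
    ("198.51.100.7", ["version"], 0.8),
    ("198.51.100.9", ["version"], 1.1),
    ("198.51.100.23", ["version", "verack"], 412.0),
    ("198.51.100.40", ["version", "verack", "getaddr"], 598.0),
    ("198.51.100.41", ["version"], 0.9),
    ("203.0.113.5", ["version", "verack", "inv", "tx", "getdata"], 86400.0),
    ("203.0.113.77", ["version"], 0.5),  # lone quick close, e.g. a crawler
]

def classify(sent, duration):
    """Label one inbound connection with the behaviour the article describes."""
    if set(sent) - PASSIVE_MSGS or duration > MAX_SESSION_S:
        return "regular"              # peer relays data or stays connected
    if "getaddr" in sent:
        return "getaddr-then-listen"  # asks for addresses, then only listens
    if duration > QUICK_CLOSE_S:
        return "listen-only"          # sends nothing, receives inv messages
    return "version-then-close"       # the ~85% case

def suspect_subnets(records, min_conns=4):
    """Return /24s with >= min_conns connections, none of them 'regular'."""
    by_net = defaultdict(list)
    for ip, sent, duration in records:
        net = ip_network(f"{ip}/24", strict=False)
        by_net[net].append(classify(sent, duration))
    return {
        str(net): sorted(set(labels))
        for net, labels in by_net.items()
        if len(labels) >= min_conns and "regular" not in labels
    }

if __name__ == "__main__":
    for net, labels in suspect_subnets(SAMPLE).items():
        print(net, labels)
```

A single quick disconnect is not evidence on its own, since crawlers and Bitcoin Core's short-lived feeler connections look the same, which is why the check requires repeated passive connections from one subnet before flagging it.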
For community protection against this privacy infringement, 0xB10C has crafted an open-source ban list that nodes can employ to block LinkingLion from establishing connections. Nevertheless, 0xB10C cautioned that the entity could circumvent this ban list by altering the IP addresses it uses for connections. The enduring solution, in 0xB10C’s estimation, lies in altering the transaction logic within Bitcoin Core, a task developers have struggled to accomplish.
The vulnerability discussed in the post primarily impacts users operating their own Bitcoin nodes. It remains unclear whether this also affects regular users reliant on Electrum or other Bitcoin wallets connecting to third-party nodes and whether users can shield themselves using a virtual private network. Efforts to reach out to 0xB10C on LinkedIn for further insights have been unsuccessful at this time.
Privacy remains a prevalent concern for Bitcoin and crypto users. Despite Bitcoin addresses being pseudonymous, their transaction histories are entirely public. Bitcoin advocate Andreas Antonopoulos asserts that Bitcoin will never achieve complete privacy. Nonetheless, Breeze Wallet has endeavored to enhance network privacy by utilizing off-chain transactions and cryptographic puzzles.