Bitcoin Users’ Data Was Stolen By An Entity Using 812 Different IP Addresses

Key Points:

• A mystery entity may be gathering Bitcoin users’ IP addresses and correlating them to their BTC addresses, thereby infringing on their privacy.
• The entity has been active since March 2018, and it connects to Bitcoin full nodes using a variety of 812 distinct IP addresses.
• By altering the IP addresses it uses to connect, the entity might get around list that nodes can use to ban LinkingLion from connecting to them.

An unknown person or group called LinkingLion may be collecting the IP addresses of Bitcoin users and linking them to their BTC addresses, violating the privacy of these users, according to a blog post from pseudonymous Bitcoin app developer 0xB10C.

The entity has purportedly been gathering data since March 2018 and has used a variety of 812 different IP addresses to conceal its identity.

0xB10C calls the entity LinkingLion because the IP addresses from three IPv4/24 ranges and one IPv6/32 range connect to listening nodes on the Bitcoin network, and these IP address ranges are all announced by AS54098, LionLink Networks. However, the ranges belong to different companies based on ARIN and RIPE registry information.

This behavior may indicate that the entity is trying to determine if a particular node can be reached at a particular IP address.

Fork Networking and Castle VPN are US-based companies owned by the same person. Fork Networking offers hosting and colocation services, while Castle VPN is a VPN provider. Linama UAB is a Lithuanian company with no web presence. Data Canopy is a US-based company offering cloud and colocation data centers. Since the connections from these IP ranges share very similar behavior, 0xB10C assume they are controlled or rented by the same entity.

0xB10C stated that about 15% of the time, LinkingLion doesn’t close the connection immediately. Instead, they either listen for inventory messages that contain transactions or send a request for an address and listen for both inventory and address messages. They then close the connection within 10 minutes.

The behaviour indicates that the entity may be recording the timing of transactions to determine which node first received a transaction. This information can then be used to determine the IP address associated with a particular Bitcoin address. According to 0xB10C, the entity can use that information to link broadcast transactions to IP addresses.

0xB10C is the developer of several Bitcoin analytics websites, including Mempool.observer and Transactionfee.info. They have also been awarded a Bitcoin developer grant from Brink.dev in the past.

To help protect the community from this privacy threat, 0xB10C has produced an open-source ban list that nodes can use to ban LinkingLion from connecting to them. However, the entity could circumvent this ban list by changing the IP addresses it uses to connect. In 0xB10C’s view, the only permanent solution to the problem is to change the transaction logic within Bitcoin Core, which developers have so far been unable to do.

DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.

Join us to keep track of news: https://linktr.ee/coincu

Harold

Coincu News