entity links IPs to BTC and XMR transactions, bitcoin developer

Open source bitcoin (BTC) developer Timo P — also known by the pseudonym 0xB10C — recently published a blog post highlighting the activities of an unidentified entity named LinkingLion.

The entity has been connecting to bitcoin nodes and listening to transaction announcements since 2018, potentially allowing it to link transactions to IP addresses. It has also been active on the Monero network using the same IP address ranges.

According to 0xB10C, LinkingLion is suspected to be a blockchain analysis company collecting data to improve its products. The entity uses IP addresses from three IPv4 /24 ranges and one IPv6 /32 range, all of which are announced by server co-location and hosting company LionLink Networks.

A spooky bitcoin eavesdropper

The behavior of LinkingLion involves establishing TCP connections to bitcoin nodes, sending version messages with obscure user agents and using 0 as the nonce for all connections. The entity is observed to have a block height that lags behind the network’s best height, with two different configurations identified as lagging by about 700 and 2100 blocks.

Its height is estimated to have matched the network’s height in late Q4 2022 or early Q1 2023 for the connections lagging by about 700 blocks, and in Q3 2022 for connections lagging by 2100 blocks.

LinkingLion has been observed opening short-lived connections and closing them without sending a verack message, indicating that it may be checking if nodes are reachable on given addresses. The entity learns metadata, such as the version and height of the blockchain, from nodes.

It responds to messages after the handshake but never initiates them and doesn’t request blocks or transactions.

Furthermore, LinkingLion has been flooding bitcoin network nodes with hundreds of connections per minute, leading to the eviction of existing connections to make room for new ones. The entity has also been observed opening connections to nodes on the Monero network.

The nature and purpose of LinkingLion’s activities remain unclear, but the entity may be using VPN services to hide its true location and identity.

Short-term prevention measures include manually banning the IP address ranges used by the entity from making inbound connections to nodes. A banlist has been published for this purpose; however, this banlist is optional and centralized.

0xB10C’s findings underscore the need for changes to the initial transaction broadcast and transaction rebroadcast logic on the bitcoin network and in Bitcoin Core. Possible solutions include implementing Dandelion or broadcasting transactions over privacy networks such as Tor.

While banning or reporting the entity’s behavior may serve as a short-term fix, deeper changes to the P2P logic in bitcoin are necessary to tackle the root problem.

Dandelion is a privacy-enhancement proposal designed to improve transaction confidentiality within the bitcoin network.

The core concept involves a two-phase propagation process: during the initial “stem phase,” transactions are relayed serially from one node to another, followed by a “fluff phase” where transactions are broadcasted from one node to all of its peers.

This unique propagation pattern effectively conceals the originating node of a transaction, making it more challenging to link transactions to specific IP addresses.

To further enhance privacy, nodes participating in the stem phase can employ encryption methods, such as Tor or v2 P2P transport, to secure their Bitcoin protocol traffic. In summary, Dandelion offers a robust solution for maintaining transaction privacy and mitigating the risk of exposing users’ identities on the Bitcoin network.