According to a blog post by a pseudonymous Bitcoin app developer called 0xB10C, a mysterious entity has allegedly been gathering the IP addresses of BTC users since March 2018. The entity has reportedly used 812 different IP addresses to conceal its identity while collecting data. 

This activity violates the users’ privacy as the entity is said to be linking the IP addresses to their BTC addresses. Over the past few years, Bitcoin node operators have reported the entity’s IP addresses in several public posts.

0xB10C, the developer behind Bitcoin analytics websites such as Mempool.observer and Transactionfee.info, has previously received a Bitcoin developer grant from Brink.dev. In a recent blog post, 0xB10C revealed an entity that they have named “LinkingLion,” due to the IP addresses associated with it passing through LionLink network’s colocation data center. However, 0xB10C noted that ARIN and RIPE registry information suggests that LionLink may not be the originator of the messages.

LinkingLion reportedly uses 812 different IP addresses to establish connections with Bitcoin full nodes that are visible on the network, and then asks which version of the Bitcoin software they are using. However, the entity often closes its connection without responding, despite the node’s compliance with the request, occurring approximately 85% of the time.

The recent blog post suggests that the mysterious entity may be attempting to determine if a particular Bitcoin node can be reached at a specific IP address. While this behavior may not be alarming on its own, what the entity does the other 15% of the time is what raises concerns. The post by 0xB10C indicates that during this 15% of the time, the entity does not immediately terminate the connection. Instead, it listens for inventory messages containing transactions or requests for an address and then listens for both inventory and address messages before closing the connection within 10 minutes.

Although this behavior is typical of a node updating its copy of the blockchain, LinkingLion never requests blocks or transactions, suggesting that the entity has an ulterior motive for gathering this information.

Tracking the IP address of a specific Bitcoin address

As per 0xB10C’s blog post, LinkingLion might be keeping track of transaction timing to identify the node that received a transaction first, allowing the entity to associate an IP address with a specific Bitcoin address. The developer explained that nodes that complete the version handshake and remain connected obtain knowledge of the node’s inventory, including blocks and transactions. The timing information of when a node announces new inventory is particularly relevant, as the entity may learn about a new wallet transaction from that node first. Given its connections to several listening nodes, the entity can utilize this information to link broadcast transactions with their corresponding IP addresses.

To counteract the potential invasion of privacy caused by LinkingLion, 0xB10C has created an open-source ban list that nodes can utilize to block connections from the entity. However, the developer cautioned that the entity could bypass this ban list by altering the IP addresses it employs to connect. 0xB10C believes that the only long-term solution to the issue is to change the transaction logic in Bitcoin Core, which developers have struggled to achieve thus far.

During a conversation with Cointelegraph, 0xB10C noted that this vulnerability could impact not just users running their own nodes but also users who depend on a third-party server through a wallet such as Electrum or Mycelium. As a result, the privacy of a large number of BTC users is potentially at risk.

According to 0xB10C, when using an Electrum wallet, users connect to a remote Electrum server and communicate information such as which addresses they are interested in and details of their transactions, all of which can be associated with their IP address if they don’t use Tor or a similar tool to protect their privacy. The developer further explained that LinkingLion could operate public Electrum servers and entice users to connect to them, potentially allowing the entity to obtain users’ IP addresses and associated transaction data. As a result, it has been suggested that running an Electrum server connected to one’s node is a safer option.

The issue of privacy has been a persistent concern among Bitcoin and other cryptocurrency users. While Bitcoin addresses are pseudonymous, the entire transaction history associated with them is publicly available. Notably, Breeze Wallet has sought to enhance privacy on the network by utilizing cryptographic puzzles and off-chain transactions. Despite these efforts, Bitcoin educator Andreas Antonopoulos has argued that Bitcoin may never be fully private.