Someone May Be Deanonymizing Your Bitcoin Transactions

Bitcoin Sybil Attack

Last Updated on

NEW YORK (InsideBitcoins) — One week ago, a thread popped up on bitcointalk that questioned whether someone may be attempting to surveil the bitcoin network by way of a large number of nodes that were owned by the same entity. User Evil-Knieval noted that “it is obvious that one person seems to be running hundreds of bitcoin nodes which aggressively try to connect to everyone.” Bitcoin core developer Greg Maxwell popped in on the thread and requested information related to the “naughty peers” while they were connected to Knieval’s node. After Knieval reported back to Maxwell, the bitcoin wizard admitted that “this is moderately concerning.”

A sybil attack on the bitcoin network

Greg Maxwell Nodes
Greg Maxwell

Maxwell explained, “What it looks like to me is a rather ham-fisted sybil attack trying to trick nodes into leaking private data to them.” He then went on to note that the possible attack could cause issues for certain bitcoin wallets. It’s possible that this unusual node activity could be related to issues that Breadwallet users were dealing with recently. Maxwell also noted that bitcoin does have a “degree of resistance” against sybil attacks, but the reason that these sorts of attacks usually fail is because attackers are required to obtain 100% of a victim node’s connections during more sinister activities. Since this potential sybil attack is about leaking private data, the attacker does not need to worry about gaining every last one of a victim’s connections.

The real issue with this particular attack is that a single entity with control over many nodes is attempting to connect to as many peers as possible. Connecting to a large number of peers gives the attacker a better view of what is actually happening on the network because they can attach IP addresses to more bitcoin addresses.

What can be done about this attack?

Maxwell has pointed out that there has been some slow progress in the prevention of sybil attacks recently, but he seemed more concerns with the general attitude of the bitcoin development community as a whole. He stated that interest in implementing better protections against sybil attacks has been “pretty low” outside of the core developers, and he also described his disappointment with “how few people realize how important privacy and fungibility is for bitcoin’s viability as a currency.”

Madars Virza would go on to echo Maxwell’s stance on the importance of bitcoin privacy at the MIT Bitcoin Expo a day later. It was at the event put together by the MIT Bitcoin Club that Virza was able to explain the privacy issues with bitcoin and how Zerocash could be the “perfect solution.” Maxwell’s final comment on the issue — at least for now — was a reminder that users should always use Tor and a full node whenever possible if they want to maintain bitcoin privacy.

[Read More: MIT’s Madars Virza: Bitcoin Privacy Issues and How Zerocash Can Help]

Regulatory compliance company Chainalysis is the culprit

Last night, another bitcointalk user,, was able to figure out that Chainalysis was the entity behind one of the problematic nodes. On their website, Chainalysis claims that they “offer a service that provides financial institutions with the means to obtain regulatory compliance through real-time analysis of the blockchain . . . Chainalysis achieves this by doing sophisticated in-depth real-time transaction analysis to determine unique entities within the blockchain.”

Individuals who formerly worked at both Kraken and Mycelium are involved with Chainalysis, and I reached out to CEO Michael Grønager to confirm that they are behind the node in question. Grønager responded rather quickly by stating, “Yup — the node mentioned with the http login box is ours.” He then went on to explain that the company is collecting data related to “bitcoin transfer activity between different countries.” They plan to share this data in an upcoming blog post.

I then followed up with Grønager to ask more specifically about whether or not the company was using their nodes to deanonymize transactions for their clients and/or regulatory compliance. This was Grønager’s response:

“We are not trying to reveal peoples IP addresses. In doing the [research on bitcoin transfer activity between countries] we see, however, a lot of ‘strange’ nodes connecting and scanning the network all the time, so don’t expect this activity not to happen at all and bear in mind that if you for whatever reason need to hide, you should only connect to bitcoin through Tor.”

Meanwhile, unregulated bitcoin robot scams such as BitcoinTrader, Bitcoin Profit robot and Bitcoin Future threatening the security of thousands of investors who are vulnerable to these fraud products.

A blessing in disguise

At the end of the day, this event should be viewed as a reminder that bitcoin transactions are not anonymous and far from private by default. The reality is the bitcoin revolution has brought a great need for improvements in privacy regulations. Getting angry at how anyone interacts with the bitcoin network is useless; it’s the base incentive structure that matters. If there are any weak spots in the protocol, it will only be a matter of time before someone tries to exploit them. Instead of yelling at the attackers, it would probably make more sense to build better defenses. When there are weaknesses in a decentralized system, there is no point in hoping that everyone will just play nice.

Correction: An earlier version of this article claimed that two individuals from Kraken and Mycelium are involved with Chainalysis. Jan Moller has not worked at Mycelium since October. Michael Grønager is also no longer affiliated with Kraken.

Update: I seeked further clarification from Grønager one last time on the point of whether or not they collect IP addresses for their regulatory compliance offering. This is what he had to say (formatting my own):

“As for your question – no – the IP info we are collecting is not being used for our compliance offerings, and we have no [intention] of selling IP info. Also, I think it is worth stressing that e.g. for several years has had the practice of listing the IP address where the servers first spotted a transaction (e.g. Enabling anyone to go in there and search for an IP address and thereby assess if that IP address has at some point been running a node (even 2 years ago) – this information could actually endanger people in countries where authorities seek to crack down on bitcoin. Again, Chainalysis will never breach peoples privacy in that way, IP adresses are not to be posted and shared that way.”

I have reached out to Blockchain’s Kristov Atlas for a comment on Grønager’s statement that’s setup could endanger bitcoin users in certain countries with authoritarian regimes.

H/t to Peter Todd for sharing the original bitcointalk thread via Reddit.

You can follow @kyletorpey on Twitter.


Remember, all trading carries risk. Views expressed are those of the writers only. Past performance is no guarantee of future results. The opinions expressed in this Site do not constitute investment advice and independent financial advice should be sought where appropriate. This website is free for you to use but we may receive commission from the companies we feature on this site.

About Kyle Torpey

Comments are closed.