May 6, 2024

0xB10C: Someone is trying to deanonymize all bitcoin wallet addresses


According to the Bitcoin developer known by the pseudonym 0xB10C, the privacy of BTC wallet owners' personal data is under threat.

An individual or group operating under the name LinkingLion has been collecting data on Bitcoin owners since March 2018 and has already used more than 800 different IP addresses to hide its activity, says 0xB10C.

LinkingLion establishes a TCP connection with a Bitcoin node and triggers the version handshake by sending a version message. These version messages carry varying user agents, such as /bitcoinj:0.14.3/Bitcoin Wallet:4.72/, /Classic:1.3.4(EB8)/, or /Satoshi:0.13.2/. In total, LinkingLion has used 118 different user agents. Almost all of them appear in version messages with roughly equal frequency, which suggests the user agents are picked from a list and are likely fake.

"LinkingLion opens connections with many nodes on the Bitcoin network using four ranges of IP addresses, and listens for transaction announcements. Uses IP addresses from three IPv4/24 ranges and one IPv6/32 range to connect to listening nodes on the Bitcoin network. This may allow LinkingLion to associate new broadcast transactions with host IP addresses. This behavior may indicate that an unknown entity(ies) is trying to determine whether a specific host is reachable at a specific IP address. All these IP address ranges are advertised by AS54098, LionLink Networks," writes 0xB10C.

Based on ARIN and RIPE registry information, the ranges belong to different companies: Fork Networking, Castle VPN, Linama UAB and Data Canopy.

Fork Networking and Castle VPN are American companies with the same owner. Fork Networking offers hosting and colocation services, and Castle VPN is a VPN provider. Linama UAB is a Lithuanian company with no Internet presence. Data Canopy is an American company that operates cloud and colocation data centers. Since connections from these IP address ranges behave very similarly, 0xB10C assumed that they are controlled or leased by LinkingLion.

In approximately 15% of cases LinkingLion does not close the connection immediately. Instead, it either listens for inventory messages containing transactions, or sends an address request and listens for both inventory and address messages. It then closes the connection within ten minutes.

The information LinkingLion receives from a node can be divided into metadata, inventory and addresses. Every connection reveals the node's metadata: when the node is reachable or unreachable, which software version it runs and when that version changes, which block height it considers best and when that changes, and which services the node offers.

0xB10C suggested that in this way LinkingLion can record the timing of transaction propagation to determine which node announced a transaction first. This information could then be used to determine the IP address associated with a specific Bitcoin address. According to 0xB10C, LinkingLion can use this information to link broadcast transactions directly to IP addresses.

0xB10C proposes to protect the community from this threat to sensitive data by creating an open-source deny list that nodes can use to refuse connections from LinkingLion. However, 0xB10C warns developers that LinkingLion may attempt to bypass such a list by changing the IP addresses it uses to connect. A short-term preventive measure is to manually ban the IP address ranges used by LinkingLion for inbound connections to nodes. According to 0xB10C, the only permanent solution may be to change the transaction-handling logic in Bitcoin Core.
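The following is an added example, not code from 0xB10C's post or from Bitcoin Core: it runs the indicator the article describes (many distinct, list-picked user agents arriving from a single IP range) over constructed records shaped like `bitcoin-cli getpeerinfo` output and renders `setban` commands for the ranges it flags. The addresses are RFC 5737 documentation ranges used as placeholders; the real LinkingLion ranges are not on this page.

```python
import ipaddress
from collections import defaultdict
from typing import Iterable

# Constructed sample records with the `addr`, `subver` and `inbound` fields of
# `bitcoin-cli getpeerinfo`. Documentation addresses (RFC 5737), not real infrastructure.
SAMPLE_PEERS = [
    {"addr": "203.0.113.10:52110", "subver": "/Satoshi:0.13.2/", "inbound": True},
    {"addr": "203.0.113.11:52111", "subver": "/bitcoinj:0.14.3/Bitcoin Wallet:4.72/", "inbound": True},
    {"addr": "203.0.113.12:52112", "subver": "/Classic:1.3.4(EB8)/", "inbound": True},
    {"addr": "203.0.113.13:52113", "subver": "/Satoshi:0.21.0/", "inbound": True},
    {"addr": "198.51.100.7:8333", "subver": "/Satoshi:25.0.0/", "inbound": False},
    {"addr": "198.51.100.8:41000", "subver": "/Satoshi:25.0.0/", "inbound": True},
]


def prefix_of(addr: str) -> str:
    """Map an 'ip:port' or '[ipv6]:port' peer address to its /24 (IPv4) or /32 (IPv6) network."""
    host, _, _ = addr.rpartition(":")
    ip = ipaddress.ip_address(host.strip("[]"))
    plen = 24 if ip.version == 4 else 32
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def suspicious_prefixes(peers: Iterable[dict], min_agents: int = 3) -> dict[str, set[str]]:
    """Group inbound peers by prefix and return those presenting at least `min_agents`
    distinct user agents: one range rotating through a list of agents is the pattern
    0xB10C attributes to LinkingLion. Normal peers from one /24 share one or two agents."""
    agents: dict[str, set[str]] = defaultdict(set)
    for peer in peers:
        if peer.get("inbound"):
            agents[prefix_of(peer["addr"])].add(peer["subver"])
    return {net: uas for net, uas in agents.items() if len(uas) >= min_agents}


def setban_commands(prefixes: Iterable[str]) -> list[str]:
    """Render `bitcoin-cli setban <subnet> add` lines (default ban duration) for review before use."""
    return [f"bitcoin-cli setban {net} add" for net in sorted(prefixes)]


if __name__ == "__main__":
    flagged = suspicious_prefixes(SAMPLE_PEERS)
    for net, uas in flagged.items():
        print(f"{net}: {len(uas)} distinct user agents -> {sorted(uas)}")
    print("\n".join(setban_commands(flagged)))
```

The threshold is a heuristic, so review the flagged ranges (and their registry owners) before banning; a shared VPN egress could also present several legitimate clients from one /24.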

According to Kaspersky Lab's report for 2022, the company recorded almost 200,000 attempts to steal data from cryptocurrency wallets and crypto investor accounts.