Over the past several years, blockchain-based technologies, particularly cryptocurrencies like Bitcoin, have seen a massive surge in popularity. As with any technology, when its popularity grows, so does its attractiveness to attackers, the surface area for attacks, and the challenges for defenders. Members of the Rapid7 research team found this worthy of further investigation, harnessing some of the tools at their disposal to learn more about the participants in the Bitcoin peer-to-peer network, and to offer possible explanations for what we observed.
By combining intelligence from three sources—Rapid7’s Project Heisenberg and Project Sonar, and Addy Yeow’s Bitnodes—we observed curious scanning and probing behavior in the Bitcoin peer-to-peer network. In the end, we determined that the absolute number of badly behaving nodes is relatively low (in the hundreds, or 0.6% of the total). On a bad day, up to 2% of the total Bitcoin network exhibits suspicious or malicious behavior, as seen below:
While these percentages may seem low, consider that the usual "background noise" of malicious activity we detect across the entire IPv4 internet is sourced from around 0.2% of the total internet population of machines. Therefore, on a typical day, the Bitcoin network is approximately three times more "evil" than the rest of the internet. On particularly active days, we see ten times as many malicious nodes in the Bitcoin network, by volume, as we see on the regular internet.
In this report we analyze what is meant by “the Bitcoin network,” how we detect bad actors on this network, and what we can determine about malicious nodes and their intentions from a honeypot’s perspective.
On a typical day, the Bitcoin network is approximately three times more "evil" than the rest of the internet.
– Off the Chain: Observing Bitcoin Nodes on the Public Internet (May 2018)
Countries with a larger public IP space tend to show up more prominently than those with smaller allocations, and the approximate group of countries that makes up the top 10 or so is not much different from what you see when exploring other internet exposure data like this.
Services with a history of vulnerabilities, misconfiguration, and exploitation show traffic across most of our deployed honeypots, including SMB, SSH, and RDP.
If you are actively participating as a Bitcoin miner, one takeaway is to recognize that there are a small number of participants in the Bitcoin network actively taking hostile action against otherwise innocent nodes on the public internet.