Over the past several years, blockchain-based technologies, particularly cryptocurrencies like Bitcoin, have seen a massive surge in popularity. As with any technology, when its popularity grows, so does its attractiveness to attackers, the surface area for attacks, and the challenges for defenders. Members of the Rapid7 research team found this worthy of further investigation, harnessing some of the tools at their disposal to learn more about the participants in the Bitcoin peer-to-peer network, and to offer possible explanations for what we observed.
By combining intelligence from three sources—Rapid7’s Project Heisenberg and Project Sonar, and Addy Yeow’s Bitnodes—we observed curious scanning and probing behavior in the Bitcoin peer-to-peer network. In the end, we determined that the absolute number of badly behaving nodes is relatively low (in the hundreds, or 0.6% of the total). On a bad day, up to 2% of the total Bitcoin network exhibits suspicious or malicious behavior, as seen below:
While these percentages may seem low, consider that the usual "background noise" of malicious activity we detect across the entire IPv4 internet is sourced from around 0.2% of the total population of internet-connected machines. Therefore, on a typical day, the Bitcoin network is approximately three times more "evil" than the rest of the internet. On particularly active days, we see ten times as many malicious nodes in the Bitcoin network as we see on the regular internet, by volume.
In this report we analyze what is meant by “the Bitcoin network,” how we detect bad actors on this network, and what we can determine about malicious nodes and their intentions from a honeypot’s perspective.