New research reveals that on a bad day, 2% of the total bitcoin network behaves suspiciously or maliciously. In other words, the bitcoin network is three times more “evil” than the rest of the internet most of the time, and 10 times worse on bad days.
Blockchains are off the rails, with all kinds of cool and crazy blockchain-based tech, as well as some pretty weird cryptocurrencies, hitting the market. It seems like everyone wants a piece of the action.
For almost a year, Rapid7 has been investigating malicious activity and security issues related to blockchain technologies, as well as cryptocurrency and participants in the peer-to-peer bitcoin network. Rapid7’s new report, titled “Off the Chain: Observing Bitcoin Nodes on the Public Internet” (PDF), combined intelligence from its global Project Heisenberg honeypot network and Project Sonar Internet scans with “data from the Bitnodes Project, which aims to study members of the Bitcoin peer-to-peer network.”
When bitcoin node operators opt to run “full nodes,” the node defaults to spawning a TCP service on port 8333, a port that Project Sonar scans weekly on the public IPv4 Internet. According to Project Sonar data, the top three countries with open port 8333 / TCP are the United States with 6,682, China with 7,618, and Germany with 3,358.
Bitnodes uses seed peers to connect to the bitcoin network. Ninety-seven percent of Bitnodes’ nodes operate on port 8333 / TCP, but another 600 ports could be used. Bitnodes keeps track of how long a given peer has participated in the bitcoin network.
Monitoring of the bitcoin network began in August 2017; Rapid7 has seen between 11,000 and 15,000 unique nodes in the network per day and over 144,000 unique nodes since the start of the research. According to the Bitcoin nodes discovered by Bitnodes, Germany, China, and the United States are the top three countries in the network. Germany has 13,169, China 12,170, and the United States 10,435.
During the same period, over 900 unique nodes known to be in the bitcoin network have interacted with Rapid7’s honeypots, which are neither announced nor published.
“Investigations of these interactions have shown familiar patterns. Port scans and active reconnaissance with tools like Nmap were commonplace, as were repeated attempts to exploit the MS17-010, largely from China,” wrote Jon Hart of Rapid7.
While some suspicious activity is not necessarily malicious, the report adds that there is no doubt that “17 hosts, mostly from the Chinese IPv4 space, were actively running exploits for MS17-010.”
Top 3 countries with bad actors in the bitcoin network
According to Project Heisenberg’s global honeypots, the top three countries with bad actors in the bitcoin network were the United States with 178, China with 154, and Germany with 132.
The Rapid7 report said:
Ultimately, we determined that the absolute number of misbehaving nodes is relatively low (hundreds), but on a bad day up to 2% of the total Bitcoin network exhibits suspicious or malicious behavior.
While these percentages may seem small, consider that the usual “background noise” of malicious activity that we detect across the IPv4 Internet as a whole comes from around 0.2% of the total Internet machine population. As a result, on a typical day, the Bitcoin network is about three times as “evil” as the rest of the internet. On particularly active days, we see ten times more malicious nodes in the Bitcoin network than we see on the regular internet, in volume.
While there were several observations and takeaways, Rapid7 wrote, “If you are actively participating as a bitcoin miner, one point to remember is to recognize that there are a small number of participants in the bitcoin network actively taking hostile action against otherwise innocent nodes on the public Internet.”