The privacy of Bitcoin users may be at risk as an unknown person or group has reportedly been gathering the IP addresses of BTC users and linking them to their Bitcoin addresses, according to a blog post by 0xB10C, a pseudonymous Bitcoin app developer. The entity has been active since March 2018, and its IP addresses have appeared on various public posts by Bitcoin node operators over the years.

0xB10C is the creator of various Bitcoin analytics websites such as and and has previously received a Bitcoin developer grant from

The anonymous entity, which 0xB10C has dubbed "LinkingLion," is believed to be associated with LionLink network's colocation data center, based on the IP addresses it uses. However, 0xB10C has stated that ARIN and RIPE registry information suggests that this company may not be the source of the messages.

LinkingLion uses a wide range of 812 IP addresses to establish connections with Bitcoin full nodes that are visible on the network. It then queries the node for the version of Bitcoin software it is running. However, in most cases, the entity closes its connection without responding after the node confirms its software version, leading to speculation that it may be attempting to identify which nodes can be reached at specific IP addresses.

Although the entity's behavior of closing connections without responding most of the time is not necessarily alarming, the remaining 15% of the time may raise concerns. 0xB10C notes that during this 15%, LinkingLion neither immediately closes the connection nor requests for blocks or transactions. Instead, it either listens for inventory messages containing transactions or requests for an address and listens for inventory and addresses messages before closing the connection within ten minutes.

Typically, this behavior would suggest that the user is a node attempting to update their copy of the blockchain. However, as LinkingLion never requests blocks or transactions, it implies that they may be pursuing an alternative agenda, according to the blog post.

According to 0xB10C, LinkingLion could be using the timing of transactions to identify which node initially received a transaction. This data can then be utilized to ascertain the IP address linked to a specific Bitcoin address. The developer clarified that when connections are established and stay connected after completing the version handshake, they acquire information on the node's inventory, such as blocks and transactions.

The timing of this information, specifically when a node announces its new inventory, is critical. LinkingLion is most likely obtaining information about new wallet transactions from nodes it is connected to, and due to its numerous connections, it can link the broadcast transactions to IP addresses.

According to a blog post by 0xB10C, an unknown entity may collect Bitcoin users' IP addresses and link them to their BTC addresses, thus violating users' privacy. The entity, named "LinkingLion" by 0xB10C, connects to Bitcoin full nodes using a range of 812 different IP addresses, asking the nodes which version of Bitcoin software they are using.

While the entity closes its connection about 85% of the time, it stays connected for inventory messages that contain transactions or sends a request for an address and then listens for inventory and address messages before closing the connection within 10 minutes. 0xB10C suggests that the entity might be recording the timing of transactions to determine which node first received a transaction, enabling it to link broadcast transactions to IP addresses. To address this privacy threat, 0xB10C has produced an open-source ban list that nodes can use to ban LinkingLion. However, the entity could get around the ban list by changing the IP addresses it uses to connect.

The post did not clarify whether this vulnerability affects users relying on third-party wallets or whether users can use a virtual private network to defend against the attack. Privacy has been a longstanding concern for Bitcoin and crypto users, and while Bitcoin addresses are pseudonymous, their transaction histories are public.

Got something to say about the unknown entity or anything else? Write to us or join the discussion on our Telegram channel.


Mar 30, 2023
Crypto News

More from 

Crypto News


View All

Join Our Newsletter and Get the Latest
Posts to Your Inbox

No spam ever. Read our Privacy Policy
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.