New research reveals that 2 percent of the total bitcoin network has suspicious or malicious behavior on a bad day. Put another way, the bitcoin network is three times more “evil” than the rest of the internet on most days, but that spikes to 10 times eviler on bad days.
For nearly a year, Rapid7 has been investigating malicious activity and security issues with blockchain technologies, as well as cryptocurrency, and participants in the bitcoin peer-to-peer network. Rapid7’s new report titled, “Off the Chain: Observing Bitcoin Nodes on the Public Internet” (pdf), combined intelligence from its global honeypot network Project Heisenberg and its internet scanning Project Sonar with “data from the Bitnodes Project, which aims to study the membership of the Bitcoin peer-to-peer network.”
When bitcoin node operators opt for “full nodes,” by default it spawns a TCP service on port 8333, a port that Project Sonar scans for every week on the public IPv4 internet. According to data from Project Sonar, the top three countries with port 8333/TCP open are the U.S. with 6,682, China with 7,618, and Germany with 3,358.
Bitnodes uses seed peers to connect to the bitcoin network. Ninety-seven percent of the nodes in Bitnodes operate on port 8333/TCP, but there are 600 other ports that could be used. Bitnodes keeps track of how long any given peer has been participating in the bitcoin network.
The monitoring of the bitcoin network started in August 2017; Rapid7 saw between 11,000 to 15,000 unique nodes in the network per day and more than 144,000 unique nodes since starting the research. According to bitcoin nodes discovered by Bitnodes, Germany, China, and the U.S. are the top three counties in the network. Germany has 13,169, China has 12,170, and the U.S. has 10,435.
In the same timeframe, more than 900 unique nodes known to be in the bitcoin network interacted with Rapid7’s honeypots, which are neither advertised nor published.
“Investigations into these interactions showed familiar patterns. Port scans and active reconnaissance with tools like Nmap were rampant, as was repeated attempted exploitation of MS17-010, largely from China,” wrote Rapid7’s Jon Hart.
While some suspicious activity may not necessarily be malicious, the report added there was no mistaking that “17 hosts, mostly from the China IPv4 space, were actively slinging exploits for MS17-010.”
Top 3 countries with bad actors in the bitcoin network
According to Project Heisenberg global honeypots, the top three countries with bad actors in the bitcoin network were the U.S. with 178, China with 154, and Germany with 132.
Rapid7’s report stated:
In the end, we determined that the absolute number of badly behaving nodes is relatively low (in the hundreds), but on a bad day, up to 2% of the total Bitcoin network exhibits suspicious or malicious behavior.
While these percentages may seem low, consider that the usual “background noise” of malicious activity we detect across the entire IPv4 internet is sourced from around 0.2% of total internet population of machines. Therefore, on a typical day, the Bitcoin network is approximately three times more “evil” than the rest of the internet. On particularly active days, we see ten times as many malicious nodes in the Bitcoin network as we see on the regular internet, by volume.
Although there were several observations and takeaways, Rapid7 wrote, “If you are actively participating as a bitcoin miner, one takeaway is to recognize that there are a small number of participants in the bitcoin network actively taking hostile action against otherwise innocent nodes on the public internet.”
This article originally appeared on CSOOnline.com