Rapid7, a security research group, recently published a report on more than a year of research into malicious activity associated with Bitcoin Core (BTC) full nodes. The researchers used data collected by their honeypot network, ‘Project Heisenberg’, and by the internet scanner that accompanies it, ‘Project Sonar’. They combined that data with intelligence from Bitnodes and reached some important conclusions about full blockchain nodes.
By default, Bitcoin full nodes accept peer connections on TCP port 8333, but the study also found nodes on more than 600 other ports. Rapid7’s research shows that the top three countries hosting port 8333 nodes are the U.S., China, and Germany. The research began sometime in August 2017. Researchers found over 11,000 nodes a day and collected data from more than 144,000 unique full nodes over the course of the study.
“In addition to the Project Sonar intelligence, over 900 nodes connected to Rapid7’s honeypot technology, Project Heisenberg, which revealed interesting and some malicious activities, like the distribution of MS17-010, a critical Microsoft operating system vulnerability.”
“Investigations into these interactions showed familiar patterns. Port scans and active reconnaissance with tools like Nmap were rampant, as was repeated attempted exploitation of MS17-010, largely from China,” as Jon Hart, a Rapid7 researcher, explains.
The researchers noted that not everything observed on the full nodes should be considered harmful; some of it they describe as “curious scanning and probing behavior in the Bitcoin peer-to-peer network.” However, almost all of the suspicious activity came from known malicious nodes, with the highest counts in the U.S. (178) and Germany (132).
According to the report’s closing remarks, the number of bad actors found in the cryptocurrency’s network is fairly low, though such nodes can make up to 2 percent of the BTC network. That figure may seem small, but compared with the proportion of malicious activity found across the IPv4 internet, it is cause for concern.
“Therefore, on a typical day, the Bitcoin network is approximately three times more ‘evil’ than the rest of the internet. On particularly active days, we see ten times as many malicious nodes in the Bitcoin network as we see on the regular internet, by volume,” as explained by the Rapid7 report.