
Bitcoin User Data Stolen By Entity Using 812 Different IP Addresses


The entity has allegedly been collecting data since March 2018 and has used 812 different IP addresses to conceal its identity.

0xB10C refers to the entity as LinkingLion because IP addresses from three IPv4 /24 ranges and one IPv6 /32 range connect to listening nodes on the Bitcoin network, and these IP address ranges are all announced by AS54098, LionLink Networks. However, according to ARIN and RIPE registry information, the ranges belong to different companies.

This behavior could indicate that the entity is attempting to determine whether a specific node can be reached at a specific IP address.

Fork Networking and Castle VPN are both based in the United States and are owned by the same person. Castle VPN is a VPN provider, while Fork Networking provides hosting and colocation services. Linama UAB is a Lithuanian company that does not have a website. Data Canopy is a company based in the United States that provides cloud and colocation data centers. Because these IP ranges exhibit very similar behavior, 0xB10C assumes they are controlled or rented by the same entity.

According to 0xB10C, LinkingLion does not close the connection immediately 15% of the time. Instead, it either listens for inventory messages containing transactions, or sends an address request and listens for both inventory and address messages. It then closes the connection after 10 minutes.

The behavior suggests that the entity is tracking transaction timing to determine which node received a transaction first. This data can then be used to find the IP address associated with a specific Bitcoin address. According to 0xB10C, the entity can use that information to link broadcast transactions to IP addresses.

Mempool.observer and Transactionfee.info are two Bitcoin analytics websites developed by 0xB10C. They have also previously received a Bitcoin developer grant from Brink.dev.

0xB10C has created an open-source ban list that nodes can use to prevent LinkingLion from connecting to them. However, by changing the IP addresses it uses to connect, the entity could get around this ban list. As shown by 0xB10C, the only long-term solution is to change the transaction logic within Bitcoin Core, which developers have been unable to do thus far.
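A node operator's view of the ban-list limitation described above, as an added example that is not 0xB10C's code: it checks constructed session records against placeholder ranges and also flags unlisted peers that repeat the same passive pattern. The ranges, thresholds, record format and function names are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Placeholder ranges from documentation address space, NOT the real ban list:
# the article gives the shape (three IPv4 /24s, one IPv6 /32) but not the values.
BANLIST = [ipaddress.ip_network(n) for n in
           ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]
# Assumed thresholds and message set, for illustration only.
SHORT_S = 5             # treated as "closed immediately"
LINGER_S = (540, 660)   # around the 10-minute disconnect described above
PASSIVE = {"version", "verack", "getaddr", "ping", "pong"}  # peer relays nothing

def in_banlist(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BANLIST)

def classify(session):
    """Label one inbound session as 'probe', 'listener' or 'normal'."""
    if not set(session["peer_msgs"]) <= PASSIVE:
        return "normal"          # peer announced inventory or transactions itself
    if session["duration_s"] <= SHORT_S:
        return "probe"
    if LINGER_S[0] <= session["duration_s"] <= LINGER_S[1]:
        return "listener"
    return "normal"

def review(sessions, min_repeats=3):
    """Count labels for ban-listed peers; list unlisted IPs repeating the pattern."""
    banned, lookalikes = Counter(), Counter()
    for s in sessions:
        label = classify(s)
        if in_banlist(s["ip"]):
            banned[label] += 1
        elif label != "normal":
            lookalikes[s["ip"]] += 1
    # One passive session proves nothing, so require repetition before flagging.
    return banned, sorted(ip for ip, n in lookalikes.items() if n >= min_repeats)

# Constructed sample sessions (peer IP, seconds connected, messages the peer sent).
SESSIONS = [
    {"ip": "192.0.2.10", "duration_s": 1, "peer_msgs": ["version", "verack"]},
    {"ip": "192.0.2.11", "duration_s": 2, "peer_msgs": ["version", "verack"]},
    {"ip": "2001:db8::5", "duration_s": 600, "peer_msgs": ["version", "verack", "getaddr"]},
    {"ip": "198.51.100.7", "duration_s": 598, "peer_msgs": ["version", "verack"]},
    {"ip": "10.1.2.3", "duration_s": 7200, "peer_msgs": ["version", "verack", "inv", "tx"]},
] + [{"ip": "10.9.9.9", "duration_s": 601, "peer_msgs": ["version", "verack", "getaddr"]}] * 3

if __name__ == "__main__":
    print(review(SESSIONS))
```

Peers returned in the second list are candidates for manual review rather than confirmed matches, since the behavioural rule is only a heuristic.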
