Using honeypots, internet scanning and connections to active nodes, researchers have estimated that anywhere from 0.6 to two percent of the entire Bitcoin network engages in suspicious or malicious behavior on a given day.
According to a new report and corresponding blog post issued today by Rapid7, these behaviors appear to include searches for open proxies and ports, scanning for default or easily guessed credentials, and attempts to exploit SMB, HTTP and RDP connections.
A two percent share of the Bitcoin network may sound relatively insignificant. However, “consider that the usual ‘background noise’ of malicious activity we detect across the entire IPv4 internet is sourced from around 0.2% of total internet population of machines,” explains the report, authored by Derek Abdine, senior director of Rapid7 Labs; Jon Hart, senior security researcher; and Bob Rudis, chief data scientist.
“Therefore, on a typical day, the Bitcoin network is approximately three times more ‘evil’ than the rest of the internet,” and on active days “we see ten times as many malicious nodes in the Bitcoin network as we see on the regular internet, by volume.”
Rapid7 combined three information sources to arrive at its findings: Project Heisenberg, which consists of globally distributed honeypots; Project Sonar, an internet scanning-based security research project, and Bitnodes, which studies the size of of the Bitcoin peer-to-peer network by by finding all the reachable nodes in the network.
Of the 900-or-so suspicious nodes whose activity was picked up on Rapid7’s honeypots between August 2017 and March 2018, 178 were traced to operators within the U.S. — more than any other country, followed by China (154) and Germany (132). However, Russia’s nodes were by far the most active, generating nearly 11.5 million honeypot connections per node, with more than nine percent of its total node population (33 out of roughly 359) connecting with Rapid7’s honeypots.
According to the report, Russian Bitcoin nodes initiated almost 380 million honeypot connection attempts — far more than the next closest offender, Canada, which launched about 26 million connection attempts from 35 nodes out 398 in total. Additionally, Curacao and Lithuania were two additional sources of highly active nodes.
Rapid7 reports observing nearly three million attempts to exploit the Microsoft Windows Server Message Block vulnerability CVE-2017-0143 — better known as EternalBlue — via Bitcoin node connections primarily from China and Russia. “Despite the volume of connections and exploit attempts, this all came from just 17 source hosts using 13 different exploit variants,” the report states.
Researchers also saw fewer than a half-dozen nodes conducting around 1.5 million probes for the insecure HTTP protocol over port 80/TCP. “Only 17,000 or so of those TCP sessions turned into HTTP, and almost all of those HTTP sessions were blatant attempts at reconnaissance in one form or other (Nmap probes, open proxy checks, and probes for phpMyAdmin),” the report states.
Meanwhile, 582 Bitcoin nodes — including about 100 each from the U.S. and China — sent over 4.5 million probes to port 30303/UDP, which is normally associated with Ethereum transactions.
The Rapid7 reports offers a number of potential explanations for the suspicious behaviors. While in some instances the nodes’ true owners could have initiated these behaviors, it’s also possible that certain nodes were secretly compromised. Indeed, it’s even possible that some of these nodes were never intended to mine Bitcoin in the first place, but were infected with cryptojacking malware. Finally, the report suggests some of the unusual traffic may actually just be the innocent result of a misconfiguration.