Bitcoin, Fake Nodes Surge to 250,000...Warning of Covert Attack Possibility

▲ Bitcoin (BTC)

The number of fake node addresses on the Bitcoin (BTC) P2P network has surged to over 250,000 per day, raising concerns about the possibility of a technical attack. Jameson Lopp, a Bitcoin Core developer and co-founder of Casa, warned of a potential covert Sybil attack, stating that someone is spreading a large number of false addresses across the Bitcoin network's communication channels.

U.Today reported on May 10 (local time) that a large-scale infrastructure anomaly was detected in the Bitcoin P2P network. Since April 9, 2026, a vertical surge has been observed in the ADDR tracking chart for unwanted network messages, and the number of fake or unreachable node addresses has jumped from the previous level of around 50,000 per day to over 250,000.

This anomaly gained attention after Lopp publicly pointed it out. Lopp stated that if the chart is accurate, someone is spreading a large number of fake Bitcoin node addresses on the Bitcoin P2P network, and it could be preparation for a Sybil attack. A Sybil attack is a method where an attacker creates numerous fake identities to disrupt the network's participation structure.

U.Today reported that the attacker appears to have chosen a quiet strategy rather than directly interfering with block validation or transaction processing functions. Bitcoin nodes exchange their addresses via ADDR commands, helping newly joined nodes quickly find peers for synchronization. It is presumed that the attacker aims to flood this address list with hundreds of thousands of fake IP addresses, guiding newly launched or restarted nodes to connect only to non-existent or attacker-controlled 'ghost nodes'.

Theoretically, this method could lead to an eclipse attack. An eclipse attack refers to a situation where legitimate nodes are informationally isolated and only see the blockchain state presented by the attacker. However, U.Today explained that for a node to remain secure and receive accurate blockchain data, it only needs to connect to at least one honest network participant.

Bitcoin client software is also designed to automatically distribute connections across multiple subnets. This makes it difficult for an attacker to monopolize all connection slots with a single pool of IP addresses. Currently, this anomaly is assessed as being closer to creating a parasitic bandwidth burden rather than a direct threat to the consensus structure itself.

Market reaction was limited. U.Today interpreted this as the market not yet pricing in such an attack possibility, or viewing the risk as not significant, considering existing defense mechanisms and actual impact. As of the time of writing, Bitcoin had risen 0.36% since the start of the new trading session and was trading at $81,000.

*Disclaimer: This article is for investment reference only, and we are not responsible for investment losses based on it. The content should be interpreted for informational purposes only.*