Recently, a largely incompetent attacker bumbled their way through a Sybil attack against Monero, trying to correlate transactions to the IP address of the node that broadcast it. Whilst novel in that it is the 1st Sybil attack of this sort, it was also quite ineffective. 1/n
First off, this clumsy attack had no effect on any of Monero's on-chain privacy mechanisms (ring signatures, stealth addresses, confidential transactions). Additionally, it is important to note that this is an attack that you could execute against nearly every cryptocurrency, 2/n
even privacy-focused cryptocurrencies. This makes it of particular interest, not just to Monero, but to all cryptocurrencies. Naturally, as we've all been aware of the possibility there is lots of work that has been done over the years to mitigate it. 3/n
The biggest mitigation is to use Tor or i2p for your node to broadcast its transactions, and this has been easily supported in Monero for 2 years (see:…) and in Bitcoin for over 8 years (see:…) 4/n
Of course, this isn't a silver bullet, and there are a class of attacks that can still be used to correlate a Tor address with a real-world IP address, & so an excellent group of researchers (Brad Denby, @giuliacfanti, @socrates1024, Shaileshh Bojja Venkatakrishnan, & others) 5/n
created Dandelion in 2017 (see:…). In 2018 they followed it up with Dandelion++ (see:…) which fixed many of the weaknesses of the original proposal. 6/n
Dandelion (and, by extension, Dandelion++) has been proposed for Bitcoin as BIP-156 (see:…), but is not yet implemented. Dandelion++ was implemented in Monero in a PR merged in April this year (see…). 7/n
Without getting technical, Dandelion++ works by randomly "diffusing" transaction broadcasts. This means that for a Sybil attack to link a transaction to a node's IP address it has to be intercepted at the very first node in the "stem" phase of a Dandelion++ broadcast. 8/n
This attack, whilst novel in that it is a live Sybil attack against a network, was simply not large enough to be broadly effective against Dandelion++ - the attacker would have had to launch many thousands more nodes. 9/n
Even if they did do this, they would still not have been able to demonstrably prove a link between a node and a transaction, and it would be a "best guess" heuristic. Naturally this attack was entirely useless against anyone using a light node (eg. MyMonero), 10/n
against anyone using Tor / i2p for their node, against anyone who runs their node behind a VPN, or against anyone using pushtx on a Monero block explorer to broadcast their transactions. It was also largely useless for anyone using a node remotely (eg. Monerujo or the GUI). 11/n
Still, it did teach us some valuable lessons as the Sybil nodes also tried to disrupt the flow of transactions (by not rebroadcasting them), and tried to disrupt nodes syncing up by not serving them blocks. 12/n
Thus, the latest Monero release ( has fine-tuned the way a node deals with misbehaving peers. If you are running a Monero or Bitcoin node (or a node for any other currency), it is important to be aware that Sybil attacks can be more subtle & less clumsy than this. 13/n
They can also be much harder to detect in practice if the attacker has enough money to deploy reasonable infrastructure. There has also been purpose-built Sybil node software created for Bitcoin (see:…) that actually behaves pretty well. 14/n
They do this without even requiring much in the way of server resources (eg. by proxying block requests through to another peer), and thus fully support initial sync, transaction broadcasts, and so on. They are a little diabolical in their ability to masquerade as a node. 15/n
If you are truly concerned about the efficacy of a Sybil attack (whether you're a Bitcoin or a Monero user) then I strongly recommend you run your node behind Tor, or at least broadcast your transactions on a block explorer's pushtx functionality (also accessible via Tor). 16/fin
Bootnote: here's a Reddit thread on the attack, which also includes a link to a flat file of the attacker's IP addresses that you can pass to --ban-list if you want to make sure your node doesn't connect to these.…

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Riccardo Spagni

Riccardo Spagni Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @fluffypony

3 Jul
PSA: clever new scam happening on Telegram, here's how it works. Scammer approaches victim (call them A) with an offer to sell some large amount of crypto at a good price - not unbelievably good, but good enough that you can make a bit by flipping it immediately. 1/
Scammer then approaches a friend of A, call them B, asking them to escrow the trade. Scammer then sets up a Telegram group with A and a fake B account, with no username / number visible but with B's username *as the bio* (which would fool most people that don't look closely). 2/
They then set up a *second* Telegram group with B, and a fake A account with the same bio trick. Then they mirror the conversation between the two rooms. A & B can even chat directly without realising that their conversation is being relayed between fake accounts. 3/
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!