Bitcoin network flooded with 200,000 'ghost' nodes; developer warns of covert Sybil attack

币界网

Release Time: 05/10/2026 20:10:46

Share

Copy

$80,706.601.78%

Summary

Bitcoin news reports a surge in suspicious activity on the Bitcoin network, with over 200,000 fake and unreachable node addresses detected daily since April 9, 2026. Jameson Lopp warned of a potential covert Sybil attack, as attackers may be spreading false IP addresses to manipulate new nodes. A network upgrade could help mitigate the risk by improving node validation and network resilience.

CoinDesk reports:

A large-scale infrastructure anomaly has been detected in Bitcoin's P2P network, potentially indicating covert preparation for a technical attack. Starting April 9, 2026, charts tracking unsolicited network messages (ADDR) showed vertical spikes: the number of fake and unreachable node addresses surged from a baseline of 50,000 per day to over 250,000.

The graphical peak was highlighted by renowned developer and Casa co-founder Jameson Lopp. Some believe that false coordinates may have been deliberately spread across communication channels as part of a preparation for a Sybil attack.

Signs of a covert Sybil attack on Bitcoin

Attackers appear to have chosen a stealthy strategy. Rather than directly attacking block validation or transaction processing, they attempted to rewrite Bitcoin’s “address book”—the list of node addresses exchanged via the ADDR command, enabling new participants to quickly discover peers for synchronization.

Popular Stories

Ripple's "Polaris" XRP tokenization breakthrough drives ETF inflows doubling; SHIB and Dogecoin decouple; Bitcoin targets $94,500 as Bollinger Bands signal "May sell-off" — Crypto Morning Report Avalanche founder warns of Bitcoin (BTC) crisis

Attackers sent hundreds of thousands of fake IP addresses to the network, likely to ensure that newly launched or restarted nodes connect only to non-existent or attacker-controlled "ghost nodes."

If this chart is accurate, it suggests someone is attempting to flood Bitcoin’s P2P network with a large number of fake Bitcoin node addresses—possibly preparing for a Sybil attack? pic.twitter.com/IuWkvkUzjm
— Jameson Lopp (@lopp)May 10, 2026

Theoretically, this strategy could lead to an Eclipse attack, in which a legitimate node is isolated in an information vacuum and can only see the blockchain version provided by the attacker. However, to maintain security and obtain accurate information, the following measures must be taken: blockchain for data, a node needs to establish a connection with at least one honest participant in the network.

Bitcoin client software also automatically distributes connections across different subnets, making it difficult for attackers to monopolize all connection slots within a single IP address pool. Currently, this anomaly appears to cause additional bandwidth load rather than pose a direct threat to consensus itself.

Meanwhile, the market has either not yet priced in the potential risks of such attacks or considers them negligible relative to their possible impact and existing countermeasures. As of writing, Bitcoin is up 0.36%, trading at $81,000 since the start of the new trading day.

Source:Show original

Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.