Attack on I2P: Bitcoin nodes not reachable via I2P

Observations
,
1

There’s an Ongoing Attack on I2P Network Causing Degraded Performance that’s also affecting Bitcoin node connectivity via I2P. I run four Bitcoin nodes with I2P connectivity, and all seem to be affected.

My monitoring indicates it started on 2026-02-03 at around 7 am UTC when all my nodes lost its peers that were connected via I2P. Since then, connectivity seems to have been close to non-existent.

image
image1563×312 35.8 KB

Interestingly, the number of total I2P peers I had jumped from 19 to 29 right before connectivity stopped.

image
image1563×312 24.7 KB

Splitting it up by node shows that node kane, which is only connected via Tor and I2P, saw the biggest increase in I2P peers.

image
image1553×419 30.1 KB

2 Likes
2

This is pure speculation. I don’t actually know how I2P works in detail:

One idea I had why kane saw more I2P connections shortly before I saw the attack on my nodes was: Other nodes were affected first. So their I2P connections went down and they started to look for a new connection. Since they could still reach me, my I2P connections increased.

3

I see the same on my Electrum server. No i2p connections anymore.

$ bitcoin-cli -netinfo
 Bitcoin Core client v30.1 - server 70016/Satoshi:30.1.0(@emzy)/ 
           ipv4     ipv6    onion    i2p   total   block  manual

 in        145      38      22       0     205
 out         7       4       1       0      12       2       2
 total     152      42      23       0     217
4

Just curious, and maybe not completely related, do you periodically snapshot addrman for your nodes?

5

I have some for the demo.peer.observer nodes here: Historical Bitcoin Core IP address manager snapshots (via getrawaddrman) (added last week).

Also, in peer-observer, with the rpc-extractor, we query both getaddrmaninfo and getrawaddrman since recently and generate various addrman metrics with the metrics tool.

For example, the I2P addresses in the addrman tried table (we tried this address and there was a reachable node behind it) has been declining slowly since the I2P attack started on 2026-02-03:

image
image1068×315 30.6 KB

(time range is “past 14 days”)

2 Likes
6

Some context here: Kimwolf Botnet Swamps Anonymity Network I2P – Krebs on Security

2 Likes