In March 2023, I published https://b10c.me/observations/06-linkinglion/ about an entity which opens connections to many Bitcoin nodes using four IP address ranges and listens to transaction announcements. This might allow the entity to link newly broadcast transactions to node IP addresses. The entity has been active in some capacity since 2018 and is also active on the Monero network using the same IP address ranges. The entity might be a blockchain analysis company collecting data to improve its products.
The entity uses IP addresses from three IPv4 /24 ranges and one IPv6 /32 range to connect to listening nodes on the Bitcoin network. These IP address ranges are all announced by AS54098, LionLink Networks. However, the ranges belong to different companies based on ARIN and RIPE registry information.
As of today (2025-10-13), LinkingLion is still active on the network and makes up about 1%-2% of inbound bandwidth and 3%-5% of outbound traffic (measured in bytes) of my nodes. Due to frequently being evicted and then reconnecting, they make up for about 5%-10% of inbound messages and 7%-13% of outbound messages (measured in count).
Since LinkingLion is a spy, it’s expected that outbound traffic > inbound traffic. We send the Spy more than it sends us.
LinkingLion connections are (and this has been happening for a while now) gossiping the address 10.1.1.71:8333. The 10.0.0.0/8 network is a private network, so this might be unintentional?
This shows connections from LIONLINK networks and from Digital Ocean (see also DigitalOcean /Satoshi:24.0.1/ spy nodes connected during IBD) next to each other. I found it weird that these seem to rise and fall at the same time. Need to look into it further…
While looking at IP address self-announcements that are rate-limited by Bitcoin Core nodes in https://github.com/bitcoin/bitcoin/pull/33699#issuecomment-3613987461, I stumbled across another LinkingLion IP address range announced by the LionLink Networks AS I previously was unaware about:
I was running this commit 0xB10C@159b6fd and getting the following logs:
# LinkingLion seems to heavily self announce their node IPs and seems to be getting rate limited:
Rate-limited addr 199.116.84.88:8333 SELF-ANNOUNCEMENT!? from peer=7620 addr=199.116.84.88:17165 ua=/btcwire:0.5.0/Satoshi:25.0.0/ processed=0 rate-limited=550 age=798ms type=inbound
Rate-limited addr 199.116.84.173:8333 SELF-ANNOUNCEMENT!? from peer=7624 addr=199.116.84.173:15987 ua=/btcwire:0.5.0/Satoshi:25.0.0/ processed=0 rate-limited=689 age=1223ms type=inbound
Rate-limited addr 199.116.84.7:8333 SELF-ANNOUNCEMENT!? from peer=7854 addr=199.116.84.7:27880 ua=/btcwire:0.5.0/Satoshi:25.0.0/ processed=0 rate-limited=161 age=712ms type=inbound
Rate-limited addr 199.116.84.147:8333 SELF-ANNOUNCEMENT!? from peer=7873 addr=199.116.84.147:4150 ua=/btcwire:0.5.0/Satoshi:25.0.0/ processed=0 rate-limited=176 age=1090ms type=inbound
Rate-limited addr 199.116.84.185:8333 SELF-ANNOUNCEMENT!? from peer=7881 addr=199.116.84.185:20012 ua=/btcwire:0.5.0/Satoshi:25.0.0/ processed=0 rate-limited=674 age=1297ms type=inbound
Rate-limited addr 199.116.84.185:8333 SELF-ANNOUNCEMENT!? from peer=7890 addr=199.116.84.185:37238 ua=/btcwire:0.5.0/Satoshi:25.0.0/ processed=0 rate-limited=693 age=879ms type=inbound
Rate-limited addr 199.116.84.185:8333 SELF-ANNOUNCEMENT!? from peer=7958 addr=199.116.84.185:3673 ua=/btcwire:0.5.0/Satoshi:25.0.0/ processed=0 rate-limited=61 age=707ms type=inbound
Rate-limited addr 199.116.84.185:8333 SELF-ANNOUNCEMENT!? from peer=8159 addr=199.116.84.185:32178 ua=/btcwire:0.5.0/Satoshi:25.0.0/ processed=0 rate-limited=348 age=483ms type=inbound
Rate-limited addr 199.116.84.185:8333 SELF-ANNOUNCEMENT!? from peer=8396 addr=199.116.84.185:10842 ua=/btcwire:0.5.0/Satoshi:25.0.0/ processed=0 rate-limited=669 age=1342ms type=inbound
Rate-limited addr 199.116.84.185:8333 SELF-ANNOUNCEMENT!? from peer=8491 addr=199.116.84.185:34938 ua=/btcwire:0.5.0/Satoshi:25.0.0/ processed=0 rate-limited=331 age=20710ms type=inbound
Rate-limited addr 199.116.84.185:8333 SELF-ANNOUNCEMENT!? from peer=8910 addr=199.116.84.185:54696 ua=/btcwire:0.5.0/Satoshi:25.0.0/ processed=0 rate-limited=567 age=1098ms type=inbound
Rate-limited addr 199.116.84.185:8333 SELF-ANNOUNCEMENT!? from peer=8946 addr=199.116.84.185:6062 ua=/btcwire:0.5.0/Satoshi:25.0.0/ processed=0 rate-limited=605 age=1203ms type=inbound
Rate-limited addr 199.116.84.203:8333 SELF-ANNOUNCEMENT!? from peer=9049 addr=199.116.84.203:19824 ua=/btcwire:0.5.0/Satoshi:25.0.0/ processed=0 rate-limited=517 age=1240ms type=inbound
A custom client with the user agent /btcwire:0.5.0/Satoshi:25.0.0/ seems to be making connections to Bitcoin nodes from the IP range 199.116.84.0/24, and seems to be sending along the IP addresses of reachable nodes such as e.g. 199.116.84.185:8333. According to Bitnodes, this node is reachable and returning a user agent of /Satoshi:30.0.0/.
I guess the user agent is just fake since it makes no sense. btcwire is a Go package that btcd uses, so it’s a bit weird that Satoshi appears in the user agent also.
I’m seeing similar connections now from IPs announced by “AS401476 - Spruce Creek Networks LLC”. Will publish a full list of IPs after further investigation.
I just did a quick search on one of our nodes for networks with many peers who announce a user agent that includes “breadwallet” which is a very simple heuristic for the LinkingLion behavior. The following networks were found:
I assume the user agents they use were common when they started but were never updated. They don’t seem to care too much about being obvious, otherwise they wouldn’t open connections again and again after they were evicted.