Bitcoin Network Sees Surge in Fake Node Addresses: Is a Sybil Attack Underway?

Bitcoin’s peer-to-peer communication layer for full nodes, known as its gossip channel, has experienced a sudden surge in unique IP addresses. The network’s monitoring system recorded a sharp increase to 250,000 unique IP and IP-like addresses per day in early May 2026, up from a consistent range of 30,000–60,000 over the prior eight years.

Security researcher Jameson Lopp highlighted the concerning trend in a post on May 10, 2026, sharing a chart from a live network monitor. The data, sourced from the Karlsruher Institut für Technologie (KIT) in Germany, tracks daily unique addresses via unsolicited ADDR messages.

"If this chart is accurate, somebody's being naughty and trying to spread a bunch of fake bitcoin node addresses around Bitcoin's p2p network. Possibly preparation for a sybil attack?" — Jameson Lopp (@lopp)

ADDR messages are a type of peer-to-peer communication that Bitcoin nodes use to broadcast IP or IP-like addresses of other full nodes. These messages assist new nodes in discovering peers, enabling efficient transaction and block propagation across the network.

Understanding the Sudden Spike in Bitcoin IP Addresses

For over eight years, the KIT monitoring system recorded daily unique IP addresses in unsolicited ADDR messages ranging between 30,000–60,000. However, starting in mid-April 2026, the numbers diverged sharply upward, reaching 250,000 by early May.

Possible Explanations for the Surge

• Legitimate Network Growth: A sudden increase in real Bitcoin nodes could explain the spike.
• Sybil Attack Preparation: An attacker may be flooding the network with fake node addresses to manipulate reputation systems or disrupt peer discovery.
• Eclipse Attack Threat: An attacker could fill a victim’s IP address table with their own addresses, hijacking connections after a network restart and feeding doctored blockchain data. While Bitcoin Core has implemented countermeasures like address-table bucketing and ADDR rate limits, no decentralized network is entirely immune.
• Network Surveillance: An entity called LinkingLion has previously used short connections from 812 IP addresses to track which nodes first relay transactions, potentially for blockchain analytics. A flood of fake peer entries could obscure such mapping efforts.

Why the Concern?

Bitcoin’s peer-to-peer network relies on a robust mesh of nodes to efficiently broadcast transactions and blocks. A sudden influx of fake or malicious addresses could:

• Disrupt peer discovery, slowing down network operations.
• Enable Sybil attacks, where an attacker creates multiple fake identities to gain disproportionate influence.
• Facilitate eclipse attacks, where a victim’s connections are hijacked to feed false information.
• Obscure surveillance activities, such as tracking transaction origins for analytics.

Bitcoin Core’s developers have introduced safeguards, including rate limits and bucketing, to mitigate these risks. However, the permissionless nature of Bitcoin means anyone can run nodes at any time, making it challenging to entirely prevent such activities.