
Key takeaways
- Daily unique IP addresses gossiped on the Bitcoin network have spiked from a range of 30,000 to 60,000 to roughly 250,000 since mid-April 2026
- Karlsruhe Institute of Technology researchers and developer b10c traced early activity to AWS infrastructure and a University of Zurich address
- Jameson Lopp flagged the anomaly on May 10, noting the eight-year baseline had never previously exceeded 65,000
A Quiet But Sudden Departure From Baseline
Bitcoin security researcher Jameson Lopp posted a warning on May 10: somebody was flooding the Bitcoin peer-to-peer network with fake IP addresses. For eight years, the daily count of unique addresses gossiped between nodes via ADDR messages stayed between 30,000 and 60,000. Since mid-April 2026, that number has climbed to roughly 250,000 per day, a four-fold jump with no obvious benign explanation.
ADDR messages are how nodes tell each other about peers. When you spin up a node, you ask your initial contacts who else is on the network, and they respond with batches of IP addresses. The mechanism is foundational to Bitcoin's decentralized peer discovery, and it has a known weakness: if you flood it with bogus entries, you can poison new nodes' address tables and influence which peers they connect to.
Where The Traffic Is Coming From
According to Protos, the spike was confirmed by the Karlsruhe Institute of Technology (KIT) research group, which has monitored the Bitcoin network for years. Independent node operator b10c, posting to the Bitcoin Network Operations Collective, pinpointed the start of the activity to 16:30 UTC on April 10. The sending IPs traced to AWS infrastructure and at least one University of Zurich address.
The behavior pattern is unusual. The sending nodes broadcast addresses but never request transactions, a textbook spy-node signature. They use the older ADDR format rather than the modern ADDRv2. Most of the broadcast addresses are unreachable on inspection, meaning the IPs themselves do not host functioning Bitcoin nodes. Whoever is behind this is gossiping ghosts.
The Plausible Motives
Several theories are circulating. A Sybil attack would let an adversary saturate the address book of victim nodes and increase the odds of eclipse attacks, where a target node is fed a falsified view of the blockchain. Boston University demonstrated the feasibility of this class of attack back in 2015. A surveillance operation could be mapping the network ahead of more targeted intrusion, similar to the 812-IP LinkingLion entity tracked over the past two years. A research project from the University of Zurich is the most innocuous reading, but it would be an unusually noisy one.
'My first impression is that this is a rather unsuccessful research project from someone at uzh.ch.'
Start9 had a similar event last September, when 1,000 of its 4,468 Knots nodes were initially flagged as sockpuppets before the activity turned out to be the vendor's own product launch. The current spike is roughly an order of magnitude larger and has continued for a month with no claimed origin.
Why It Matters
Bitcoin's peer-to-peer layer is the part of the stack most exposed to this class of meddling. The base-layer chain has never been forked by an external attacker, and the hashrate market remains the most expensive thing on earth to compromise. The gossip layer, by contrast, is permissionless by design and gets harder to police as the network grows. Node operators should update to current Bitcoin Core releases, monitor peer connections, and treat unsolicited ADDR floods as a possible precursor to something more targeted. The takeaway is not panic. It is operational hygiene. Bitcoin is antifragile precisely because Bitcoiners notice these things and respond.
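A per-peer check for the signature described above (legacy ADDR gossip in volume from a peer that never sends getdata), added here as an illustration and not taken from Bitcoin Core or from the researchers named in the article. The 100-address threshold, the peer labels and the sample events are constructed assumptions, and "never request transactions" is interpreted as zero getdata messages from that peer.

```python
import ipaddress
import struct
from collections import defaultdict

ADDR_THRESHOLD = 100  # assumed cutoff; tune to your own node's baseline

def read_compact_size(buf, off=0):
    """Decode a Bitcoin CompactSize integer; return (value, next_offset)."""
    first = buf[off]
    if first < 0xFD:
        return first, off + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[off + 1:off + 1 + size], "little"), off + 1 + size

def parse_addr(payload):
    """Parse a legacy `addr` payload: 30-byte entries of time, services, IP, port."""
    count, off = read_compact_size(payload)
    if count > 1000 or len(payload) != off + count * 30:
        raise ValueError("malformed addr payload")
    entries = []
    for _ in range(count):
        ts, services = struct.unpack_from("<IQ", payload, off)
        ip = ipaddress.IPv6Address(payload[off + 12:off + 28])
        port = int.from_bytes(payload[off + 28:off + 30], "big")  # network order
        entries.append((ts, services, str(ip.ipv4_mapped or ip), port))
        off += 30
    return entries

def flag_peers(events, min_unique=ADDR_THRESHOLD):
    """Return peers that gossip many legacy addrs and never send getdata."""
    seen, getdata = defaultdict(set), defaultdict(int)
    for peer, command, payload in events:
        if command == "addr":
            seen[peer].update((ip, port) for _, _, ip, port in parse_addr(payload))
        elif command == "getdata":
            getdata[peer] += 1
    return sorted(p for p, s in seen.items() if len(s) >= min_unique and not getdata[p])

def build_addr(ips, ts=1_700_000_000):
    """Build a legacy addr payload for the constructed sample (fewer than 253 IPs)."""
    return bytes([len(ips)]) + b"".join(
        struct.pack("<IQ", ts, 1) + ipaddress.IPv6Address("::ffff:" + ip).packed
        + (8333).to_bytes(2, "big") for ip in ips)

# Constructed sample: peer-A floods addrs and never sends getdata; peer-B is ordinary.
SAMPLE_EVENTS = [
    ("peer-A", "addr", build_addr([f"198.51.100.{i}" for i in range(1, 201)])),
    ("peer-B", "addr", build_addr(["192.0.2.10", "192.0.2.11"])),
    ("peer-B", "getdata", b""),
]
```

Calling `flag_peers(SAMPLE_EVENTS)` returns only the flooding peer; in practice the events would come from a node's own message log or packet capture.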