protos.com
All of a sudden, Bitcoin’s peer-to-peer communication layer for full nodes, known as its gossip channel, found four times more addresses than it did a month ago. Jameson Lopp has questioned whether somebody might be spinning up nodes for a sybil attack.
Lopp posted a concerning chart from a live network monitor on Sunday, flagging a sharp spike to 250,000 unique IP and IP-like addresses per day, after spending the prior eight years below 65,000.
If this chart is accurate, somebody's being naughty and trying to spread a bunch of fake bitcoin node addresses around Bitcoin's p2p network. Possibly preparation for a sybil attack? pic.twitter.com/IuWkvkUzjm
— Jameson Lopp (@lopp) May 10, 2026
The chart, maintained by a research group of the Karlsruher Institut für Technologie in Germany, tracks daily unique addresses via unsolicited ADDR messages.
ADDR and its variants, short for “address,” is a type of peer-to-peer message that Bitcoin nodes broadcast randomly to gossip about IP or IP-like addresses of full nodes with which they have established contact.
Messages sent via ADDR assist nodes with peer discovery. After connecting to a few initial nodes, new nodes during their early moments of entering the Bitcoin network randomly receive ADDR messages on an unsolicited basis, quickly learning about additional nodes.
Establishing a robust mesh empowers nodes to more efficiently broadcast and receive Bitcoin transactions and blocks.
For over eight years, the German researcher’s monitoring system found daily unique IP addresses in unsolicited ADDR messages ranging between roughly 30,000-60,000. Starting in mid-April 2026, however, it diverged sharply to the upside, reaching roughly 250,000 by early May.
A flood of new Bitcoin IP addresses
Innocuous interpretations of the data involve simple housekeeping or a sudden increase in legitimate network participation.
On the other hand, a hostile interpretation flagged preparation for a communication-based attack on Bitcoin nodes.
Lopp’s framing questioned the latter, naming the famous sybil attack as a possibility, i.e. tricking a reputation system by creating multiple, sockpuppet identities.
An eclipse attack is also a possible threat. Boston University researchers demonstrated in 2015, for example, that a Bitcoin node attacker who fills a victim’s IP address table with their own IP addresses could hijack that victim’s connections after a network restart.
Temporarily, an attacker could then feed the eclipsed node a doctored view of the blockchain.
To discourage this type of attack, Bitcoin Core software has tightened address-table bucketing and added ADDR rate limits. Still, no decentralized network is entirely impervious to all types of sybil attacks.
Sudden growth in Bitcoin ADDRs
Another possible explanation for the sudden spike in unique addresses could be surveillance.
As Protos previously documented, an entity dubbed LinkingLion spent years opening short connections to Bitcoin nodes from 812 IP addresses, possibly to record which IP first relayed each transaction for the purposes of downstream blockchain analytics.
A flood of bogus peer entries could provide useful cover for that kind of mapping work.
Moreover, anyone may start any number of Bitcoin nodes for any reason, at any time, permissionlessly. As a voluntary and open source network, there is no requirement to explain the starting or stopping of nodes, nor ADDR messages.
Nodes may also, without explanation, rotate their IP addresses at any time.
Is this anon identifying Bitcoin wallets through IP addresses?
Using Bitcoin nodes to create media
Another final possibility is preparation for a media campaign.
Bitcoin node operators periodically debate software features or fork proposals. The sudden spike of new IP addresses (and presumably nodes, assuming existing nodes are not simply rotating their IP addresses) might be an effort to signal support for a policy or consensus change.
In September 2025, Bitcoin developer SuperTestnet briefly suggested that 1,758 of 4,468 reachable Knots nodes were sockpuppets performing a coordinated sybil attack.
Hardware vendor Start9 then explained that up to 1,000 of those supposed sybil nodes were, in fact, regular customers purchasing equipment from its storefront. SuperTestnet retracted most of his earlier analysis.
As the educational episode demonstrated, one researcher’s sybil cluster could actually be an unremarkable product launch.
Overnight, debate among Bitcoiners about what was causing the spike remained active and ongoing.