# Fingerprinting Bitcoin Nodes Through Addr Message Patterns

Bitcoin nodes unintentionally leak their identity across networks through the way they construct and forward `addr` messages. Each node maintains a table of known peers and periodically shares a sample of it with the peers it is connected to. But the selection, the ordering, and especially the timestamps embedded in these messages are not uniform across nodes: they reflect what this particular node learned, and when, and those patterns stay consistent over time.

Each entry in an `addr` message carries a timestamp recording when the sending node last believed that address to be alive. Because these timestamps are relayed rather than randomized, and because the address table (AddrMan in Bitcoin Core) selects and updates entries deterministically, the set of (address, timestamp) pairs a node hands out is specific to that node. An observer who receives `addr` messages from a node over Tor and later over clearnet can compare the two samples and, if they share the same address/timestamp pairs, conclude that both sessions came from the same node, even though the IP address and network differ. The node reveals itself without knowing it.

This is not a protocol bug but an emergent privacy weakness in the design of the address relay mechanism. It lets a passive observer fingerprint a node purely from how it gossips addresses, without needing access to its mempool, block data, or outbound connections. It affects all Bitcoin Core nodes and any implementation using similar address handling logic; the cross-network linking described above matters most for nodes that operate on more than one network, such as a node reachable over both Tor and clearnet.

Mitigations under discussion include stripping timestamps from shared addresses, introducing randomization into the address selection process, or limiting the amount of peer data a node shares. Until such changes are widely adopted, the network remains exposed to low-effort, high-precision tracking.
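The linking step described above, and the effect of the first proposed mitigation (dropping timestamps), can be demonstrated with a small simulation. The code below is an added example, not code from the original post and not Bitcoin Core's own logic: it serializes and parses legacy `addr` payloads in the real wire format (varint count, then per entry a 4-byte time, 8-byte services, 16-byte IPv4-mapped address, 2-byte big-endian port), builds an observer-side fingerprint from each session, and scores two sessions by set overlap. The peer addresses, timestamps, and the assumption that a node relays its stored timestamps unchanged are all constructed for the example; `link_score`, `fingerprint` and `sample_sessions` are names chosen here, not Bitcoin Core APIs.

```python
"""Toy model of linking Bitcoin node sessions across networks via addr timestamps."""
import struct

# Constructed sample data: six peers in the documentation range, known to two
# different nodes. Each node learned the same peers at different moments, so
# its address table holds node-specific timestamps (assumption for this model:
# a node relays the timestamps exactly as stored).
PEERS = [f"203.0.113.{i}" for i in range(1, 7)]
PORT = 8333
NODE_NETWORK = 1  # services bit
NODE_A_TIMES = {p: 1_700_000_000 + 600 * i for i, p in enumerate(PEERS)}
NODE_B_TIMES = {p: 1_700_000_000 + 600 * i + 37 * (i + 1) for i, p in enumerate(PEERS)}

V4_PREFIX = b"\x00" * 10 + b"\xff\xff"  # IPv4-mapped IPv6 prefix used on the wire


def encode_varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def decode_varint(buf: bytes, off: int):
    first = buf[off]
    if first < 0xFD:
        return first, off + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, off + 1)[0], off + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, off + 1)[0], off + 5
    return struct.unpack_from("<Q", buf, off + 1)[0], off + 9


def build_addr(entries):
    """Serialize a legacy addr payload: varint count, then per entry
    uint32 LE time, uint64 LE services, 16-byte IP, uint16 BE port."""
    out = bytearray(encode_varint(len(entries)))
    for ts, services, ip, port in entries:
        raw_ip = V4_PREFIX + bytes(int(o) for o in ip.split("."))
        out += struct.pack("<IQ", ts, services) + raw_ip + struct.pack(">H", port)
    return bytes(out)


def parse_addr(payload: bytes):
    """Inverse of build_addr; returns a list of (time, services, ip, port)."""
    count, off = decode_varint(payload, 0)
    entries = []
    for _ in range(count):
        ts, services = struct.unpack_from("<IQ", payload, off)
        raw_ip = payload[off + 12 : off + 28]
        port = struct.unpack_from(">H", payload, off + 28)[0]
        ip = ".".join(str(b) for b in raw_ip[12:]) if raw_ip.startswith(V4_PREFIX) else raw_ip.hex()
        entries.append((ts, services, ip, port))
        off += 30
    return entries


def fingerprint(payload: bytes, keep_timestamps: bool = True):
    """What a passive observer retains from one session's addr traffic."""
    if keep_timestamps:
        return {(ip, port, ts) for ts, _, ip, port in parse_addr(payload)}
    return {(ip, port) for _, _, ip, port in parse_addr(payload)}


def link_score(payload_a: bytes, payload_b: bytes, keep_timestamps: bool = True) -> float:
    """Jaccard overlap of two sessions' fingerprints; 1.0 means identical."""
    fa = fingerprint(payload_a, keep_timestamps)
    fb = fingerprint(payload_b, keep_timestamps)
    return len(fa & fb) / len(fa | fb) if (fa or fb) else 0.0


def sample_sessions():
    """Three observed sessions (constructed): node A over Tor, node A over
    clearnet later, and an unrelated node B that knows the same peers."""
    def msg(times, peers):
        return build_addr([(times[p], NODE_NETWORK, p, PORT) for p in peers])
    a_tor = msg(NODE_A_TIMES, PEERS[0:4])
    a_clearnet = msg(NODE_A_TIMES, PEERS[1:5])
    b_clearnet = msg(NODE_B_TIMES, PEERS[1:5])
    return a_tor, a_clearnet, b_clearnet


if __name__ == "__main__":
    tor, clear, other = sample_sessions()
    for keep in (True, False):
        print(f"timestamps kept={keep}: A(Tor) vs A(clearnet) = {link_score(tor, clear, keep):.2f}, "
              f"A(Tor) vs B(clearnet) = {link_score(tor, other, keep):.2f}")
```

With timestamps kept, the two sessions from node A score 0.60 against each other while node A versus node B scores 0.00, even though B advertises the same addresses: the timestamps turn shared knowledge into a node-specific signature. With timestamps stripped, both pairs score 0.60 and the observer can no longer tell A's second session from B. Two caveats a practitioner should keep in mind: the address sets themselves still overlap, so dropping timestamps alone shrinks the fingerprint rather than removing it, and real nodes relay only a sample of their table per session, so an observer would typically accumulate several `addr` messages per session before scoring.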
