Research

Temporal Correlation Links User IP Addresses to Blockchain Pseudonyms

A passive network attack exploits the time difference between transaction confirmation and RPC query packets to deanonymize over 95% of users.
November 22, 20253 min

The image presents a dynamic abstract structure featuring a central mass of interconnected, reflective blue geometric shards enveloped by a sleek, segmented white band. This visual metaphor illustrates a sophisticated blockchain architecture
The image features a central, vibrant blue cylindrical component intersected by translucent, flowing ribbons of light blue material, adorned with fine bubbles. Behind this intricate interplay, metallic, gear-like structures suggest a complex mechanical system

Briefing

The core research problem is the unexamined privacy risk at the interface between the public network and the blockchain’s application layer, where users rely on Remote Procedure Call (RPC) services under the false premise of pseudonymity. The proposed breakthrough is a passive deanonymization attack that exploits the temporal correlation between a user’s network-layer TCP packet timestamp for a transaction status query and the transaction’s public, on-chain confirmation timestamp. This reveals a fundamental, systemic vulnerability in the standard client-to-node communication model, achieving a high success rate and demonstrating that network-level privacy is a critical, unsolved challenge for all major public ledgers.

The image displays a prominent white, textured component moving across a sophisticated digital architecture. This structure comprises translucent blue segments, resembling data conduits, alongside metallic blocks

Context

Prior to this analysis, the primary focus for blockchain privacy was on cryptographic solutions like zero-knowledge proofs or mixing services, assuming the network layer provided a baseline of anonymity through IP obfuscation or the use of public RPC endpoints. The prevailing theoretical limitation centered on costly, active attacks that required transaction fees or direct man-in-the-middle positioning. The foundational challenge remained → formally quantifying the leakage of user identity when a pseudonym (wallet address) interacts with a public ledger via common, latency-sensitive network infrastructure.

The image displays granular blue and white material flowing through transparent, curved channels, interacting with metallic components and a clear sphere. A mechanical claw-like structure holds a white disc, while a thin rod with a small sphere extends over the white granular substance

Analysis

The core mechanism operates by establishing a cryptographic link between two distinct, time-stamped events. The attacker, positioned as a passive observer on the network backbone, monitors a user’s IP address and records the precise time a TCP packet is sent to an RPC node to check a transaction’s status. Concurrently, the attacker monitors the public blockchain to record the transaction’s final, immutable confirmation timestamp.

The extremely narrow and unique time window, or temporal signature , between the on-chain event and the subsequent off-chain query serves as a unique identifier. This correlation is robust because the latency is a near-constant for a specific user-to-node path, allowing the attacker to link the network-layer source (IP) to the application-layer identity (pseudonym) with high certainty.

A close-up view reveals a sophisticated metallic mechanism, resembling intricate gears and structural components, partially immersed within a dynamic, effervescent blue liquid. The liquid is densely populated with numerous bubbles of varying sizes, appearing to flow and interact with the polished surfaces of the machinery

Parameters

  • Success Rate Against Normal Users → Over 95%. Explanation: The measured efficacy of the attack against typical users on networks like Ethereum, Bitcoin, and Solana.
  • Transaction Fee Requirement → Zero. Explanation: The attack is passive and does not require the adversary to submit or pay for any transactions.
  • Adversary Model → Strong Passive. Explanation: Assumes the attacker has access to network infrastructure like border routers but does not actively interfere with traffic.

A close-up view reveals vibrant blue and silver mechanical components undergoing a thorough wash with foamy water. Intricate parts are visible, with water cascading and bubbling around them, highlighting the precise engineering

Outlook

The immediate strategic outlook requires a fundamental re-evaluation of client-node communication protocols, prioritizing network-layer privacy primitives. Future research must focus on integrating verifiable delay functions or time-randomization techniques into RPC query responses to break the temporal signature correlation. The long-term implication is the necessity of a “Privacy-by-Default” network architecture, potentially utilizing decentralized, zero-knowledge-enabled RPC relays or fully private transaction mempools to decouple the user’s physical location from their on-chain activity.

The image presents a close-up view of polished metallic cylindrical structures, interconnected by a dark blue flexible tube, with translucent, spherical elements visible in the foreground and background. These components are arranged in a complex, high-tech configuration against a muted grey backdrop

Verdict

This research delivers a decisive, empirical demonstration that the fundamental assumption of network-layer privacy for blockchain users is invalid, necessitating a new generation of privacy-preserving communication standards.

Network layer privacy, RPC service vulnerability, Temporal correlation attack, Blockchain deanonymization, Pseudonymity failure, Passive adversary model, Transaction confirmation latency, On-chain privacy challenge, Network traffic analysis, Public ledger forensics, Zero fee attack, Distributed systems security, User anonymity breach, IP address linking, Application layer security, Network border routers, TCP packet timestamp, Wallet address exposure, Cross-layer vulnerability, Transaction status query. Signal Acquired from → arxiv.org

Micro Crypto News Feeds

application layer

Definition ∞ The Application Layer refers to the topmost layer of a network architecture where user-facing applications and services operate.

network infrastructure

Definition ∞ Network infrastructure refers to the underlying architecture and systems that support the operation of a communication network.

confirmation

Definition ∞ A confirmation signifies the validation of a transaction on a blockchain.

on-chain

Definition ∞ On-chain refers to any transaction or data that is recorded and validated directly on a blockchain ledger, making it publicly verifiable and immutable.

users

Definition ∞ Users are individuals or entities that interact with digital assets, blockchain networks, or decentralized applications.

transaction

Definition ∞ A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

network

Definition ∞ A network is a system of interconnected computers or devices capable of communication and resource sharing.

privacy

Definition ∞ In the context of digital assets, privacy refers to the ability to conduct transactions or hold assets without revealing identifying information about participants or transaction details.

blockchain

Definition ∞ A blockchain is a distributed, immutable ledger that records transactions across numerous interconnected computers.

Tags:

Tags: