Cryptocurrency and DPI: Unearthing threats in the blockchain world

By Sebastian Müller
Published on: 15.06.2022

Categories: Network security

Blockchain is a distributed ledger technology that has been disrupting finance over the last several years and may have the potential to upend traditional systems of governance and economics. This is because it eliminates the need for a middle man in validating transactions, guaranteeing that all sorts of interactions can take place and programs can run without central control. Accompanying blockchains and enabling these economic interactions are cryptocurrencies. They are a means of exchanging and storing value digitally, outside the purview of banks or other centralized institutions, and thus provide anonymity and freedom.

With a market cap of USD 556.61 billion as of May 21, 2022, the most common cryptocurrency used is Bitcoin. It is sometimes touted as digital gold and presented as an alternative to national currencies. Beyond transactions of the kind enabled by Bitcoin, blockchains can also be distributed ledgers for code. As modifying a blockchain poses immense mathematical and social challenges, running a program on a blockchain guarantees that various applications run in a way initially specified and cannot be altered by a small group of agents. The biggest blockchain used for these so-called 'smart contracts' is Ethereum, with its corresponding currency Ether, which has a market cap of USD 237.59 billion as of May 21, 2022. It is the second biggest cryptocurrency and is used for a wide range of purposes – from being the basis of decentralized apps (or dApps) to ascribing value and ownership to digital art (through non-fungible tokens or NFTs).

Deep packet inspection for crypto traffic insights

Cryptocurrencies are created through a process known as mining, which involves the use of powerful crypto miners to run intensive computations that are aimed at deriving the correct ‘hash’. Mined currencies are bought and sold on cryptocurrency exchanges. From there, they are stored in cryptocurrency wallets and transferred between them. Cryptocurrency transactions use IP networks and their exponential growth has led to a sharp rise in crypto traffic. Like any other application, traffic flows created by crypto transactions have their own implications on the network, leading to operators seeking means to observe and control these flows.

One of the tools that can be deployed to identify and understand cryptocurrency traffic is deep packet inspection (DPI). The scalar packet processing DPI engine R&S®PACE 2 and its vector packet processing counterpart R&S®vPACE by ipoque, for example, use pattern matching, behavioral analysis, statistical/heuristic analysis as well as machine learning (ML) and deep learning (DL) to classify network traffic by protocols and applications. Cryptocurrency networks essentially run their own peer-to-peer (P2P) communication protocols. The Bitcoin network, for example, uses the Bitcoin P2P protocol and the Lightning Network protocol, while DEVp2p defines the set of network protocols used in the Ethereum network. Many subprotocols are involved in these implementations, and identifying them based on signatures stored in a DPI library enables accurate classification of different crypto networks. Given that encryption is a key feature of the anonymization of crypto traffic, the AI techniques used by R&S®PACE 2 and R&S®vPACE, such as ML and DL, play an important role in identifying these traffic flows. While matching a flow's source and destination against the core nodes and active peers stored in the active node library of a cryptocurrency network can be used to perform some form of initial filtering, R&S®PACE 2 and R&S®vPACE ascertain whether the ensuing flows are actually related to crypto transactions.
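As an added illustration of the signature side of what the paragraph describes (example code written for this page, not ipoque's code and not how R&S®PACE 2 classifies traffic internally), the following Python recognizes the Bitcoin P2P wire message header in a flow's first bytes: network magic, NUL-padded command name, little-endian payload length and a double-SHA256 checksum. The magic values are those of Bitcoin mainnet and testnet3; every sample message is constructed inline by the script itself.

```python
import hashlib
import struct

# Network magic bytes that prefix every Bitcoin P2P message (mainnet / testnet3).
BITCOIN_MAGIC = {
    b"\xf9\xbe\xb4\xd9": "bitcoin-mainnet",
    b"\x0b\x11\x09\x07": "bitcoin-testnet3",
}
HEADER_LEN = 24  # magic(4) + command(12) + payload length(4) + checksum(4)


def payload_checksum(payload: bytes) -> bytes:
    """First 4 bytes of SHA256(SHA256(payload)), as the Bitcoin wire format requires."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def build_message(command: str, payload: bytes, magic: bytes = b"\xf9\xbe\xb4\xd9") -> bytes:
    """Assemble a wire-format message. Used here only to construct sample input."""
    cmd = command.encode("ascii").ljust(12, b"\x00")
    return magic + cmd + struct.pack("<I", len(payload)) + payload_checksum(payload) + payload


def parse_message(data: bytes):
    """Return (network, command, payload) if data starts with a valid message, else None."""
    if len(data) < HEADER_LEN:
        return None                      # too short to hold a header
    network = BITCOIN_MAGIC.get(data[:4])
    if network is None:
        return None                      # not a known Bitcoin network magic
    command = data[4:16].rstrip(b"\x00")
    if not command.isalpha():
        return None                      # command names are plain ASCII letters
    (length,) = struct.unpack("<I", data[16:20])
    payload = data[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length or payload_checksum(payload) != data[20:24]:
        return None                      # truncated payload or checksum mismatch
    return network, command.decode("ascii"), payload


def classify_flow(first_bytes: bytes) -> str:
    """Signature check on a flow's first packet: Bitcoin P2P network name or 'unknown'."""
    parsed = parse_message(first_bytes)
    return parsed[0] if parsed else "unknown"


if __name__ == "__main__":
    # Constructed samples: a verack (empty payload), a testnet ping and a TLS-looking prefix.
    samples = {
        "verack": build_message("verack", b""),
        "testnet ping": build_message("ping", bytes(range(1, 9)), b"\x0b\x11\x09\x07"),
        "not bitcoin": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 40,
    }
    for name, raw in samples.items():
        print(f"{name:12s} -> {classify_flow(raw)}")
```

A tampered checksum or a header cut short by a truncated capture is rejected rather than misclassified, which is what keeps a magic-value match from being the only evidence.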

Lurking dangers: What can cryptocurrency traffic reveal?

There are many reasons why visibility into cryptocurrency traffic is critical. Where crypto mining is illegal due to local laws, DPI can be handy for telco operators, ISPs and enterprise networks in uncovering such activities. DPI software can identify the intensity of these transactions and the platforms that are involved via the protocols and applications used. It can also identify the locations from where the transactions take place and their effect on local networks.

Illicit mining often takes place through cryptojacking, which means hijacking computing resources or networks to perform crypto mining. This can affect any compromised device on a network whose CPU, GPU and memory are manipulated to carry out proof-of-work that earns the perpetrator rewards in the form of cryptocurrencies. In this scenario, DPI software can help ISPs and enterprises to identify internal devices that have been force-converted into a peering point. DPI software does this by detecting the device's traffic to core nodes or other active peer nodes of known cryptocurrency networks. It can correlate this information with overall network and device performance, which typically deteriorates following infection with malware or botnets that run resource-intensive mining software. This information can be delivered to security tools to block such traffic and to pinpoint the possible sources of the attacks.

Moreover, DPI software can identify attacks on the cryptocurrency networks themselves. In 2021, more than 20 hacks on cryptocurrency exchanges took place, with losses of at least $10 million [1]. Then, there are cases of crypto wallets being hacked and drained of their funds. This is what happened in 2021 with the hack of the BadgerDAO platform, with about $120 million stolen [2]. Finally, there are 51% attacks, in which a group of hackers coordinates the 51% majority needed to overwrite a blockchain and conducts fraud simply by erasing or reversing transactions. By classifying cryptocurrency protocols and applications in real time, DPI software can uncover traffic anomalies that can be indicative of DDoS or botnet attacks. These include irregularities in traffic frequency, timing and intensity as well as in source and destination addresses. In the case of 51% attacks, DPI software can alert cryptocurrency wallets and exchanges to incongruities on the network involving specific clusters of active nodes engaging in collusive behavior and targeting specific transaction types.

Unfortunately, cryptocurrency can also be used to fund criminal activity and wars, owing to the anonymity it confers on fund flows. For example, both sides in the current Ukrainian conflict have sought to use crypto as a financial vehicle. Overall, such use of cryptocurrency can negatively impact economies and even destabilize nations as funds move in and out without the authorities having information on their source, destination and purpose. This makes transparency regarding such flows paramount. DPI software can also help with transparency through its capacity to identify surges in cryptocurrency traffic and the ability to trace the networks and parties involved. Such information can be useful for authorities in discovering funding arrangements supporting a range of events that seem to leave no conventional money trail.

The right balance of secrecy and transparency

Cryptocurrencies have introduced a new level of fluidity and transparency across financial and non-financial dealings. However, the lure of crypto has led to manipulation, abuse and attacks by threat actors capitalizing on network loopholes to gain access to valuable resources and assets. By identifying crypto traffic and its attributes in real time and with deep granularity, DPI software provides the insights necessary to safeguard crypto platforms, currencies, networks, and devices involved in delivering the limitless possibilities of the crypto world.

Sources

[1] https://www.nbcnews.com/tech/security/bitcoin-crypto-exchange-hacks-little-anyone-can-do-rcna7870
[2] https://www.theverge.com/2021/12/2/22814849/badgerdao-defi-120-million-hack-bitcoin-ethereum

Sebastian Müller

Sebastian is a passionate DPI thought leader guiding a cross-functional team to build the networks of the future with leading traffic analytics capabilities. He has over ten years of dedicated experience in the telecom and cybersecurity domain, providing him with deep understanding of market requirements and customer needs. When he’s not at work, you can either find him on his road bike or hiking in the mountains.

Email: Seb.Mueller@rohde-schwarz.com