Sybil Attack | Bitcoin Glossary | Mapping Bitcoin

Sybil Attack

Security

Also known as: sybil resistance, identity attack

An attack where a single adversary creates many fake network identities to gain disproportionate influence over a peer-to-peer system like Bitcoin.

Overview

A Sybil attack, named after the subject of the 1973 book about a person with multiple personalities, occurs when a single adversary creates and operates a large number of pseudonymous identities within a peer-to-peer network. The goal is to gain disproportionate influence over the network's operations — whether by controlling routing, manipulating consensus, censoring transactions, or surveilling other participants.

In permissionless networks like Bitcoin, where anyone can join without identity verification, Sybil attacks are a fundamental threat model. Because there is no central authority to verify that each node represents a unique, independent participant, an attacker with sufficient resources can spin up thousands of nodes that all appear to be independent but are secretly coordinated.

How Sybil Attacks Threaten Bitcoin

Honest Network:                    Sybil-Attacked Network:
┌─────┐ ┌─────┐ ┌─────┐           ┌─────┐ ┌─────┐ ┌─────┐
│  A  │ │  B  │ │  C  │           │  A  │ │ S1  │ │ S2  │
└──┬──┘ └──┬──┘ └──┬──┘           └──┬──┘ └──┬──┘ └──┬──┘
   │       │       │                  │       │       │
   └───┬───┘       │               ┌─┴───────┴───────┴─┐
       │           │               │     Attacker       │
   ┌───┴───┐       │               │   Controls S1-S6   │
   │       │       │               └─┬───────┬───────┬─┘
┌──┴──┐ ┌──┴──┐ ┌──┴──┐           ┌──┴──┐ ┌──┴──┐ ┌──┴──┐
│  D  │ │  E  │ │  F  │           │ S3  │ │ S4  │ │  B  │
└─────┘ └─────┘ └─────┘           └─────┘ └─────┘ └─────┘

6 independent nodes               2 honest + 6 Sybil nodes
                                   Attacker has 75% of "peers"

The specific threats posed by Sybil attacks on the Bitcoin network include:

  • Eclipse attacks: If a victim node's peer connections are all Sybil nodes, the attacker can feed it a false view of the blockchain. Sybil attacks are often a prerequisite for eclipse attacks.
  • Transaction surveillance: Sybil nodes can monitor transaction propagation to determine which node first broadcast a transaction, potentially linking transactions to IP addresses.
  • Transaction censorship: Sybil nodes can refuse to relay specific transactions, delaying or preventing their confirmation.
  • Network partitioning: A sufficient number of Sybil nodes can fragment the network, isolating groups of honest nodes from each other.

Bitcoin's Sybil Resistance

Bitcoin's primary defense against Sybil attacks is proof-of-work. While an attacker can create unlimited fake nodes, they cannot create fake computational work. The consensus rules ensure that the valid chain is the one with the most accumulated proof-of-work, not the one supported by the most nodes. This means Sybil nodes cannot forge blocks or rewrite history without also commanding a majority of the network's hash power.

However, proof-of-work only protects consensus — it does not prevent all Sybil-based attacks. Network-layer attacks like transaction surveillance and eclipse attacks operate below the consensus layer and remain viable even with strong proof-of-work protection.
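The chain-selection rule described in this section can be shown with the diagram's 2 honest and 6 Sybil peers. This is an added illustration, not Bitcoin Core's code: the chains, peer names and function names are constructed, and headers are assumed to be already validated.

```python
# Added illustration: fork choice by accumulated work versus by peer count.
from collections import Counter

def compact_to_target(bits: int) -> int:
    """Decode the compact nBits field of a block header into its target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))

def block_work(bits: int) -> int:
    """Expected number of hashes to meet the target: 2**256 // (target + 1)."""
    return (1 << 256) // (compact_to_target(bits) + 1)

def chain_work(header_bits) -> int:
    """Total work of a chain, given the nBits value of each block."""
    return sum(block_work(b) for b in header_bits)

# Constructed sample data. Headers are assumed already validated
# (hash below target, difficulty rules), which this sketch does not do.
CHAINS = {
    "honest": [0x1B0404CB] * 10,   # 10 blocks at a high difficulty
    "sybil":  [0x1D00FFFF] * 12,   # 12 blocks at minimum difficulty
}
# Who announces which tip: the page's 2 honest + 6 Sybil peers.
ANNOUNCED = {"A": "honest", "B": "honest",
             **{f"S{i}": "sybil" for i in range(1, 7)}}

def best_by_work(announced):
    """What the consensus rule does: most accumulated work wins."""
    return max(set(announced.values()), key=lambda c: chain_work(CHAINS[c]))

def best_by_peer_count(announced):
    """A naive vote among peers, shown only for contrast."""
    return Counter(announced.values()).most_common(1)[0][0]

if __name__ == "__main__":
    for name, bits in CHAINS.items():
        print(name, len(bits), "blocks, work =", chain_work(bits))
    print("by work:      ", best_by_work(ANNOUNCED))
    print("by peer count:", best_by_peer_count(ANNOUNCED))
```

The Sybil chain is both longer and announced by 75% of peers, yet it loses because each of its blocks represents far less work.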

Mitigations in Bitcoin Core

Bitcoin Core implements several strategies to limit the effectiveness of Sybil attacks at the networking layer:

  • Diverse peer selection: Outbound connections are chosen from different IP address ranges (/16 subnets) to reduce the probability that all peers belong to one attacker
  • Connection limits: Caps on inbound connections from the same subnet prevent a single operator from monopolizing a node's connection slots
  • Anchor connections: Two block-relay-only connections persist across node restarts, making it harder for Sybil nodes to capture all slots after a restart
  • Tor and I2P support: Running nodes over multiple network transports forces an attacker to maintain Sybil identities across different networks simultaneously
  • Feeler connections: Bitcoin Core periodically probes random addresses to verify peer diversity
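The effect of the /16 rule in the first bullet can be measured on a small address table. This is an added sketch, not Bitcoin Core's implementation: the addresses are constructed, the 8 outbound slots are a sample parameter, and all function names are hypothetical.

```python
# Added illustration: outbound peer selection with and without /16 diversity.
import ipaddress
import random

def netgroup(ip: str) -> str:
    """IPv4 /16 group of an address, e.g. '10.200.0.0/16'."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))

def select_outbound(addresses, slots, rng, diverse=True):
    """Pick `slots` peers at random; if diverse, at most one per /16."""
    pool = list(addresses)
    rng.shuffle(pool)
    chosen, used = [], set()
    for ip in pool:
        group = netgroup(ip)
        if diverse and group in used:
            continue                      # this /16 already holds a slot
        chosen.append(ip)
        used.add(group)
        if len(chosen) == slots:
            break
    return chosen

def build_table():
    """Constructed table: 100 honest addresses spread over 20 /16s,
    600 Sybil addresses packed into only 2 /16s."""
    honest = [f"10.{n}.0.{h}" for n in range(1, 21) for h in range(1, 6)]
    sybil = [f"10.{200 + n}.{s}.{h}"
             for n in range(2) for s in range(10) for h in range(1, 31)]
    return honest, sybil

def sybil_slots(chosen, sybil):
    """How many of the chosen peers belong to the attacker."""
    owned = set(sybil)
    return sum(ip in owned for ip in chosen)

def average_sybil_slots(diverse, slots=8, trials=200, seed=1):
    """Mean number of attacker-held slots over repeated selections."""
    honest, sybil = build_table()
    rng = random.Random(seed)
    total = sum(sybil_slots(select_outbound(honest + sybil, slots, rng, diverse),
                            sybil) for _ in range(trials))
    return total / trials

if __name__ == "__main__":
    print("no diversity rule:", average_sybil_slots(diverse=False))
    print("one peer per /16: ", average_sybil_slots(diverse=True))
```

With the rule applied the attacker can hold at most as many slots as it has distinct /16 ranges, regardless of how many addresses it floods into the table.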

Sybil Attacks Beyond Node Networks

Sybil attacks are not limited to the node network. They can target any Bitcoin-adjacent system that relies on counting participants:

  • Mining pool voting: Creating fake miners to influence pool governance
  • Social consensus: Astroturfing developer mailing lists or forums to manufacture support for controversial protocol changes
  • Lightning Network routing: Operating many Lightning nodes to attract routing traffic for surveillance or fee extraction

Related Terms

  • Eclipse Attack — a targeted attack that often relies on Sybil nodes to isolate a victim
  • Node — the network participant that Sybil attacks impersonate
  • Proof-of-Work — Bitcoin's primary Sybil resistance mechanism for consensus
  • P2P — the network architecture that Sybil attacks exploit
  • Decentralization — the property that Sybil resistance helps preserve