Friend or Foe? Identifying Anomalous Peers in Moneros P2P Network

Monero, the leading privacy-focused cryptocurrency, relies on a peer-to-peer (P2P) network to propagate transactions and blocks. Growing evidence suggests that non-standard nodes exist in the network, posing as honest nodes but are perhaps intended for monitoring the network and spying on other nodes. However, our understanding of the detection and analysis of anomalous peer behavior remains limited. This paper presents a first comprehensive study of anomalous behavior in Monero's P2P network. To this end, we collected and analyzed over 240 hours of network traffic captured from five distinct vantage points worldwide. We further present a formal framework which allows us to analytically define and classify anomalous patterns in P2P cryptocurrency networks. Our detection methodology, implemented as an offline analysis, provides a foundation for real-time monitoring systems. Our analysis reveals the presence of non-standard peers in the network where approximately 14.74% (13.19%) of (reachable) peers in the network exhibit non-standard behavior. These peers exhibit distinct behavioral patterns that might suggest multiple concurrent attacks, pointing to substantial shortcomings in Monero's privacy guarantees and network decentralization. To support reproducibility and enable network operators to protect themselves, we release our examination pipeline to identify and block suspicious peers based on newly captured network traffic.