The reviewed record of science sign in
Pith

arxiv: 2606.12887 · v1 · pith:YTQB3UTR · submitted 2026-06-11 · cs.CR · cs.DC· cs.NI

LNTest: A Testbed for Evaluating Bitcoin Lightning Network-Based Botnets

Reviewed by Pith2026-06-27 06:41 UTCgrok-4.3pith:YTQB3UTRopen to challenge →

classification cs.CR cs.DCcs.NI
keywords lightning networkbotnetcommand and controltestbednetwork topologybitcoinregtesttakdown
0
0 comments X

The pith

LNTest shows Lightning botnets form clustered chains with bridge nodes and spread commands linearly with size.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces LNTest, the first reusable testbed for Lightning Network botnets, built from containerized Core Lightning nodes on a shared regtest chain. It supports experiments with deterministic chains, autonomous peer discovery, and custom graphs to move beyond prior simulations. The testbed reveals that autonomous formation creates cliques connected by bridge nodes instead of the designed uniform chain. Command propagation scales linearly with botnet size and gains nothing from extra neighbors. Different topologies respond differently to node removals, with the clustered chain proving fragile under both targeted and random attacks.

Core claim

Using LNTest, we report three main findings. First, D-LNBot's autonomous formation protocol does not produce the uniform chain from its design; instead, it creates a clustered chain in which cliques are linked by bridge nodes whose removal fragments the network. Second, command propagation scales linearly with botnet size (Θ(n)), not the O(m log n) previously claimed. Third, the overlay topology determines the effectiveness of takedown strategies: uniform-degree chains resist targeted removal but fragment under random failure, scale-free topologies show the opposite pattern, and the autonomous clustered chain is fragile under both.

What carries the argument

LNTest, a testbed of Docker-containerized Core Lightning nodes sharing a Bitcoin Core regtest chain that supports deterministic, autonomous, and user-supplied overlay topologies for botnet experiments.

If this is right

  • Bridge nodes in the clustered chain can be removed to fragment the botnet.
  • Higher neighbor counts per bot do not shorten command propagation time.
  • Uniform chains resist targeted node removal but are vulnerable to random failures.
  • Scale-free topologies are resilient to random failures but weak against targeted removal.
  • The autonomous clustered chain is the most vulnerable to both targeted and random takedowns.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Monitoring for high-betweenness nodes in the Lightning Network could help identify potential botnet structures.
  • The open release of LNTest allows independent teams to test new defense mechanisms against LN-based command channels.
  • Adding real fee market dynamics and node churn to the testbed would test whether the linear scaling holds under more variable conditions.

Load-bearing premise

The experiments rely on a controlled regtest environment with containerized nodes that may not capture real-world Lightning Network dynamics such as node churn, actual fee markets, network latency variation, or adversarial node behavior.

What would settle it

Running the same autonomous formation protocol on the live Lightning Network and observing either a uniform non-clustered chain or command propagation times that scale better than linearly would falsify the reported findings.

Figures

Figures reproduced from arXiv: 2606.12887 by Abdullah Aydeger, Abdul-Salem Beibitkhan, Abraham Watkins, Ahmet Kurt, Estela Rodriguez, Jesus Maria Romo Diaz de Leon, Joshua Kramer, Tag Kalat, Thomas Bakaysa.

Figure 1
Figure 1. Figure 1: Overview of LNTest’s architecture. The botmaster, innocent node, and C&C servers are Core Lightning containers in Docker, while Bitcoin Core, the shared memory, and the orchestrator run on the host. On-chain links to the single regtest Bitcoin Core are omitted for clarity. The example overlay is an autonomous clustered chain (Section 5.2): cliques joined by a bridge node (red) whose removal splits it [PIT… view at source ↗
Figure 2
Figure 2. Figure 2: Propagation delay vs. number of C&C servers (m = 4, D-LNBot chain, mid-chain injection). Markers show the mean of 10 commands with ±1 standard deviation error bars; coverage is 100% at every size. The two regimes are fit separately: t = 0.143n−1.20 (R 2 = 0.993) for n ≤ 100 and t = 0.229n − 11.28 (R 2 = 0.998) for n ≥ 100. The inset zooms into the n ≤ 100 regime. The linear fit is near-perfect through n = … view at source ↗
Figure 3
Figure 3. Figure 3: A representative overlay produced by D-LNBot’s autonomous formation protocol at n = 50, m = 4: a clustered chain of cliques (cores at degree 2m = 8, dark blue; peripheral nodes at degree m = 4, light blue) joined by bridge nodes (red) whose removal splits the overlay; intermediate-degree nodes are gray. Because formation is nondeterministic, the bridge count varies across runs. Why cliques form instead of … view at source ↗
Figure 4
Figure 4. Figure 4: Coverage vs. fraction of nodes removed for three topologies under random and targeted takedown (n = 50, m = 4), with each command injected from the highest￾degree node in the largest surviving component. A drop below 100% means the network has partitioned. For the autonomous topology, the only nondeterministic one, the line is the mean over five runs and the shaded band their min–max range. the four lowest… view at source ↗
read the original abstract

Bitcoin's Lightning Network (LN) can be exploited as a covert, low-cost command-and-control (C&C) channel for botnets, as demonstrated by the LNBot and D-LNBot designs. However, both remain proof-of-concept prototypes evaluated only through simulation, leaving key questions about real-world topology formation, propagation complexity, and resilience to takedowns unanswered. We present LNTest, the first reusable testbed for LN-based botnets, built from Core Lightning nodes containerized with Docker over a shared Bitcoin Core regtest chain. LNTest supports three overlay topology modes (a deterministic chain, autonomous peer discovery, and user-supplied graphs), enabling controlled experiments across different botnet structures. Using LNTest, we report three main findings. First, D-LNBot's autonomous formation protocol does not produce the uniform chain from its design; instead, it creates a clustered chain in which cliques are linked by bridge nodes whose removal fragments the network. Second, command propagation scales linearly with botnet size ($\Theta(n)$), not the $O(m \log n)$ previously claimed, and gains nothing from higher neighbor connectivity. Third, the overlay topology determines the effectiveness of takedown strategies: uniform-degree chains resist targeted removal but fragment under random failure, scale-free topologies show the opposite pattern, and the autonomous clustered chain is fragile under both, making it the most vulnerable of the three. LNTest is released as open source, with a script that reproduces all our experiments, to support reproducible research on LN-based botnet defenses.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper presents LNTest, the first reusable testbed for LN-based botnets, implemented with containerized Core Lightning nodes on a shared Bitcoin Core regtest chain and supporting deterministic chain, autonomous peer-discovery, and user-supplied graph topologies. Using the testbed, the authors report three empirical findings: D-LNBot's autonomous formation produces clustered chains linked by bridge nodes rather than uniform chains; command propagation scales linearly as Θ(n) independent of neighbor count, contradicting prior O(m log n) claims; and overlay topology governs takedown resilience, with the autonomous clustered topology being fragile under both targeted and random removals. The testbed and a reproduction script are released as open source.

Significance. If the reported measurements hold under the testbed conditions, the work supplies the first controlled empirical data on LN botnet topology formation and resilience, directly challenging simulation-derived claims on propagation complexity. The open-source release with a script that reproduces all experiments is a clear strength, enabling future reproducible research on defenses.

major comments (2)
  1. [Section 3] Testbed setup (Section 3): The regtest containerized environment enforces static connectivity, zero churn, uniform low latency, and no fee/routing competition. This idealization is load-bearing for the first finding (bridge-linked cliques in autonomous mode) and the third finding (differential fragility), because real LN node churn, variable channel fees, and geographic latency could alter effective neighbor sets and message paths, potentially changing the observed clustering and scaling exponents.
  2. [Section 5] Propagation results (Section 5): The claim that command propagation scales as Θ(n) rather than O(m log n) and 'gains nothing from higher neighbor connectivity' rests on measurements whose statistical details (number of trials, variance, data exclusion rules) are not reported. Without these, it is not possible to determine whether the linear scaling is robust or an artifact of the idealized testbed conditions.
minor comments (2)
  1. [Abstract] In the abstract, the notation O(m log n) is used without defining m (presumably the number of neighbors per node); this should be clarified on first use.
  2. Figure captions and axis labels for the scaling and fragmentation plots should explicitly state the number of independent runs and any error bars or confidence intervals.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback and for recognizing the significance of LNTest. Below we respond point-by-point to the major comments.

read point-by-point responses
  1. Referee: [Section 3] Testbed setup (Section 3): The regtest containerized environment enforces static connectivity, zero churn, uniform low latency, and no fee/routing competition. This idealization is load-bearing for the first finding (bridge-linked cliques in autonomous mode) and the third finding (differential fragility), because real LN node churn, variable channel fees, and geographic latency could alter effective neighbor sets and message paths, potentially changing the observed clustering and scaling exponents.

    Authors: We agree that the testbed deliberately uses idealized conditions (static connectivity, zero churn, uniform latency) to enable controlled, reproducible experiments that isolate topology effects. This is a standard approach for establishing baseline empirical results. We will add a dedicated limitations paragraph in Section 3 explicitly discussing how real-world factors such as churn, variable fees, and latency could affect clustering and resilience, and we will note that LNTest is designed to be extensible for incorporating such dynamics in follow-on studies. revision: partial

  2. Referee: [Section 5] Propagation results (Section 5): The claim that command propagation scales as Θ(n) rather than O(m log n) and 'gains nothing from higher neighbor connectivity' rests on measurements whose statistical details (number of trials, variance, data exclusion rules) are not reported. Without these, it is not possible to determine whether the linear scaling is robust or an artifact of the idealized testbed conditions.

    Authors: We acknowledge that the statistical details of the propagation experiments were insufficiently reported. In the revised manuscript we will specify the number of independent trials per configuration, report means accompanied by standard deviations or error bars, and clarify any data exclusion or aggregation rules. These additions will allow readers to evaluate the robustness of the observed linear scaling. revision: yes

Circularity Check

0 steps flagged

No circularity; results are direct empirical measurements from new testbed.

full rationale

The paper introduces LNTest as a Dockerized regtest testbed and reports three findings obtained by executing autonomous formation, propagation timing, and takedown simulations inside it. These are measurements of observed behavior under controlled conditions, not derivations, fitted parameters renamed as predictions, or claims whose justification reduces to self-citation chains. The scaling result Θ(n) is measured directly; the topology-formation and fragility observations are likewise outputs of running the supplied graphs and protocols. No equations or self-referential definitions appear in the reported claims. The open-source release and reproduction script further separate the results from any definitional loop.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

No free parameters, axioms, or invented entities are described in the abstract; the contribution is an experimental platform rather than a theoretical derivation.

pith-pipeline@v0.9.1-grok · 5847 in / 1303 out tokens · 21604 ms · 2026-06-27T06:41:32.455492+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

42 extracted references

  1. [1]

    ACINQ: A scala implementation of the Lightning Network.https://github.com /ACINQ/eclair(2015)

  2. [2]

    Nature406(6794), 378–382 (2000)

    Albert, R., Jeong, H., Barabási, A.L.: Error and attack tolerance of complex networks. Nature406(6794), 378–382 (2000)

  3. [3]

    In: Financial Cryptography and Data Security

    Ali, S.T., McCorry, P., Lee, P.H.J., Hao, F.: ZombieCoin: Powering next-generation botnets with Bitcoin. In: Financial Cryptography and Data Security. pp. 34–48. Springer Berlin Heidelberg (2015)

  4. [4]

    International Journal of Information Security 17(4), 411–422 (2018)

    Ali, S.T., McCorry, P., Lee, P.H.J., Hao, F.: ZombieCoin 2.0: managing next- generation botnets using Bitcoin. International Journal of Information Security 17(4), 411–422 (2018)

  5. [5]

    International Journal of Information and Computer Security17(1-2), 147–163 (2022)

    Alibrahim, O., Malaika, M.: Botract: abusing smart contracts and blockchain for botnet command and control. International Journal of Information and Computer Security17(1-2), 147–163 (2022)

  6. [6]

    Blockstream: Core Lightning: Lightning Network implementation focusing on spec compliance and performance.https://github.com/ElementsProject/lightning (2015)

  7. [7]

    In: 2019 APWG Symposium on Electronic Crime Research (eCrime)

    Böck, L., Alexopoulos, N., Saracoglu, E., Mühlhäuser, M., Vasilomanolakis, E.: Assessing the threat of blockchain-based botnets. In: 2019 APWG Symposium on Electronic Crime Research (eCrime). pp. 1–11 (2019)

  8. [8]

    In: Proceedings of the 26th An- nual Computer Security Applications Conference

    Calvet, J., Davis, C.R., Fernandez, J.M., Marion, J.Y., St-Onge, P.L., Guizani, W., Bureau, P.M., Somayaji, A.: The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet. In: Proceedings of the 26th An- nual Computer Security Applications Conference. pp. 141–150. Association for Computing Machinery (2010)

  9. [9]

    IEEE Transactions on Dependable and Secure Computing21(1), 186–203 (2024)

    Sáez-de Cámara, X., Flores, J.L., Arellano, C., Urbieta, A., Zurutuza, U.: Gotham testbed: A reproducible IoT testbed for security experiments and dataset generation. IEEE Transactions on Dependable and Secure Computing21(1), 186–203 (2024)

  10. [10]

    In: 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W)

    De Vivo, S., Obaidat, I., Dai, D., Liguori, P.: DDoShield-IoT: A testbed for sim- ulating and lightweight detection of IoT botnet DDoS attacks. In: 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W). pp. 1–8 (2024)

  11. [11]

    In: Financial Cryptography and Data Security

    Franzoni, F., Abellan, I., Daza, V.: Leveraging Bitcoin testnet for bidirectional botnet command and control systems. In: Financial Cryptography and Data Security. pp. 3–19. Springer International Publishing (2020)

  12. [12]

    Frkat, D., Annessi, R., Zseby, T.: ChainChannels: Private botnet communication over public blockchains. In: 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData). pp. 1244–1252 (2018)

  13. [13]

    Electronics 11(7) (2022)

    Gao, H., Li, L., Chang, X., Wan, J., Li, J., Du, J., Zhang, X.: BlockchainBot: A novel botnet infrastructure enhanced by blockchain technology and IoT. Electronics 11(7) (2022)

  14. [14]

    IEEE Internet of Things Journal11(5), 9107–9126 (2024)

    Gao, H., Li, L., Lei, H., Tian, N., Lin, H., Wan, J.: One IOTA of countless legions: A next-generation botnet premises design substrated on blockchain and internet of things. IEEE Internet of Things Journal11(5), 9107–9126 (2024)

  15. [15]

    Gao, H., Li, L., Lin, H., Chang, X., Wan, J., Li, J., Zhu, F.: ZombieCoin3.0: On the looming of a novel botnet fortified by distributed ledger technology and internet of things. In: 2021 IEEE 23rd Int Conf on High Performance Computing LNTest 21 & Communications; 7th Int Conf on Data Science & Systems; 19th Int Conf on Smart City; 7th Int Conf on Dependab...

  16. [16]

    ACM Computing Surveys55(11), 219:1–219:39 (2023)

    Georgoulias, D., Pedersen, J.M., Falch, M., Vasilomanolakis, E.: Botnet business models, takedown attempts, and the darkweb market: A survey. ACM Computing Surveys55(11), 219:1–219:39 (2023)

  17. [17]

    In: 13th International Conference on Computational Intelligence in Security for Information Systems (CISIS 2020)

    Kamenski, D., Shaghaghi, A., Warren, M., Kanhere, S.S.: Attacking with Bitcoin: Using Bitcoin to build resilient botnet armies. In: 13th International Conference on Computational Intelligence in Security for Information Systems (CISIS 2020). pp. 3–12. Springer International Publishing (2021)

  18. [18]

    In: Iphofen, R., O’Mathúna, D

    Kolstoe, S.E.: A framework for reviewing dual use research. In: Iphofen, R., O’Mathúna, D. (eds.) Ethical Issues in Covert, Security and Surveillance Research. Emerald Publishing Limited (2021)

  19. [19]

    In: Testbeds and Research Infrastructures for the Development of Networks and Communities

    Kumar, A., Lim, T.J.: A secure contained testbed for analyzing IoT botnets. In: Testbeds and Research Infrastructures for the Development of Networks and Communities. pp. 124–137. Springer International Publishing (2019)

  20. [20]

    IEEE Transactions on Dependable and Secure Computing21(4), 2162–2180 (2024)

    Kurt, A., Erdin, E., Akkaya, K., Uluagac, S., Cebe, M.: D-LNBot: A scalable, cost- free and covert hybrid botnet on Bitcoin’s Lightning network. IEEE Transactions on Dependable and Secure Computing21(4), 2162–2180 (2024)

  21. [21]

    In: Computer Security – ESORICS 2020

    Kurt, A., Erdin, E., Cebe, M., Akkaya, K., Uluagac, A.S.: LNBot: A covert hybrid botnet on Bitcoin Lightning network for fun and profit. In: Computer Security – ESORICS 2020. pp. 734–755. Springer International Publishing (2020)

  22. [22]

    It’s rust-lightning, not Rusty’s Lightning!https://github.com/lightningdevkit /rust-lightning(2018)

    Lightning Dev Kit: A highly modular Bitcoin Lightning library written in Rust. It’s rust-lightning, not Rusty’s Lightning!https://github.com/lightningdevkit /rust-lightning(2018)

  23. [23]

    Lightning Labs: Lightning Network Daemon.https://github.com/lightningne twork/lnd(2016)

  24. [24]

    In: ICASSP 2025 - 2025 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP)

    Liu, C., Wang, Z., Yin, J., Liu, Y., Mao, K., Huang, Z., Deng, C.: SCBot: Building lightweight and flexible C&C based on smart contract. In: ICASSP 2025 - 2025 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). pp. 1–5 (2025)

  25. [25]

    Technology in Society63, 101382 (2020)

    Macnish, K., van der Ham, J.: Ethics in cybersecurity research and practice. Technology in Society63, 101382 (2020)

  26. [26]

    Master’s thesis, International Hellenic University (2019),https://repository.i hu.gr/handle/11544/29362

    Mengidis, A.: Blockchain-based command and control for next generation botnets. Master’s thesis, International Hellenic University (2019),https://repository.i hu.gr/handle/11544/29362

  27. [27]

    In: Financial Cryptography and Data Security

    Mizrahi, A., Zohar, A.: Congestion attacks in payment channel networks. In: Financial Cryptography and Data Security. pp. 170–188. Springer Berlin Heidelberg (2021)

  28. [28]

    org/bitcoin.pdf(2008)

    Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system.https://bitcoin. org/bitcoin.pdf(2008)

  29. [29]

    In: 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

    Obaidat, I., Kahn, B., Tavakoli, F., Sridhar, M.: Creating a large-scale memory error IoT botnet using NS3DockerEmulator. In: 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). pp. 470–479 (2023)

  30. [30]

    Bulletin of Electrical Engineering and Informatics 14(3), 2077–2096 (2025) 22 T

    Parthipan, M., Laghari, S.U.A., Jaisan, A., Baig, A., Ali, M.A., Karuppayah, S.: Insights into peer-to-peer botnet dynamics: reviewing emulation testbeds and proposing a conceptual model. Bulletin of Electrical Engineering and Informatics 14(3), 2077–2096 (2025) 22 T. Bakaysa and A. Kurt et al

  31. [31]

    Poon, J., Dryja, T.: The Bitcoin Lightning network: Scalable off-chain instant payments. Tech. rep., Lightning Network (2016),https://lightning.network/li ghtning-network-paper.pdf

  32. [32]

    In: 2019 IEEE Euro- pean Symposium on Security and Privacy Workshops (EuroS&PW)

    Rohrer, E., Malliaris, J., Tschorsch, F.: Discharged payment channels: Quantifying the Lightning network’s resilience to topology-based attacks. In: 2019 IEEE Euro- pean Symposium on Security and Privacy Workshops (EuroS&PW). pp. 347–356. IEEE (2019)

  33. [33]

    In: Mathematical Research for Blockchain Economy

    Seres, I.A., Gulyás, L., Nagy, D.A., Burcsi, P.: Topological analysis of Bitcoin’s Lightning network. In: Mathematical Research for Blockchain Economy. pp. 1–12. Springer International Publishing (2020)

  34. [34]

    Sweeny, J.: Botnet resiliency via private blockchains. Tech. rep., SANS Institute (2017),https://www.sans.org/white-papers/38050

  35. [35]

    In: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

    Taniguchi, T., Griffioen, H., Doerr, C.: Analysis and takeover of the Bitcoin- coordinated Pony malware. In: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. pp. 916–930. Association for Computing Machinery (2021)

  36. [36]

    Future Internet13(8) (2021)

    Thanh Vu, S.N., Stege, M., El-Habr, P.I., Bang, J., Dragoni, N.: A survey on botnets: Incentives, evolution, detection and current trends. Future Internet13(8) (2021)

  37. [37]

    Securelist(Kaspersky) technical blog (Nov 2025),https://securelist.com/tsu ndere-node-js-botnet-uses-ethereum-blockchain/117979/

    Ubiedo, L.: Blockchain and node.js abused by Tsundere: an emerging botnet. Securelist(Kaspersky) technical blog (Nov 2025),https://securelist.com/tsu ndere-node-js-botnet-uses-ethereum-blockchain/117979/

  38. [38]

    In: Information and Communications Security

    Yin, J., Cui, X., Liu, C., Liu, Q., Cui, T., Wang, Z.: CoinBot: A covert botnet in the cryptocurrency network. In: Information and Communications Security. pp. 107–125. Springer International Publishing (2020)

  39. [39]

    Telecommunications Policy48(2), 102696 (2024)

    Zabka, P., Foerster, K.T., Decker, C., Schmid, S.: A centrality analysis of the Lightning network. Telecommunications Policy48(2), 102696 (2024)

  40. [40]

    In: Information Security Theory and Practice

    Zarpelão, B.B., Miani, R.S., Rajarajan, M.: Detection of Bitcoin-based botnets using a one-class classifier. In: Information Security Theory and Practice. pp. 174–189. Springer International Publishing (2019)

  41. [41]

    PLOS ONE14(12), e0226594 (2019)

    Zhong, Y., Zhou, A., Zhang, L., Jing, F., Zuo, Z.: DUSTBot: A duplex and stealthy p2p-based botnet in the Bitcoin network. PLOS ONE14(12), e0226594 (2019)

  42. [42]

    Zohar, O.: Unblockable Chains - a POC on using blockchain as infrastructure for malware operations.https://github.com/platdrag/UnblockableChains(2018)