
arxiv: 2605.19437 · v1 · pith:SXJQ5EPMnew · submitted 2026-05-19 · 💻 cs.NI · cs.CR

Fifty Shades of Darknet

Pith reviewed 2026-05-20 02:44 UTC · model grok-4.3

keywords: I2P · Exclusive Network · NetDB · anonymous networks · floodfill queries · malware · covert networks · overlay networks

The pith

I2P contains an Exclusive Network sublayer where nodes host services without publishing to the NetDB database.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper identifies a previously uncharacterized sublayer in the I2P anonymous network called the Exclusive Network. Nodes in this sublayer host operational services and use the network's routing but do not publish their information to the distributed database. Tests in a small controlled setup show these nodes can withstand repeated queries from other routers without appearing in database results, while still allowing authorized access to their services. This feature can be exploited for hidden command-and-control in malware operations and resembles infrastructure used by nation states. The discovery indicates that current ways of mapping the network miss this layer, calling for mathematical models to analyze such hidden structures instead.

Core claim

The central discovery is the existence and behavior of the Exclusive Network in I2P. This sublayer consists of nodes that provide services using I2P routing resources without registering their RouterInfo in the NetDB. In a three-node testbed, an Exclusive Network node evades detection by surviving sequential floodfill queries from a pool of routers, recording zero NetDB hits, while its hosted service stays accessible to authorized peers. This configuration supports persistent operations by I2P-based malware such as I2PRAT and is structurally similar to Operational Relay Box setups. The paper argues that top-down empirical mapping cannot fully characterize this sublayer, motivating the use of

What carries the argument

The Exclusive Network sublayer, defined as nodes hosting services without publishing RouterInfo records to NetDB, which enables query survival while maintaining peer access.

Load-bearing premise

The small three-node testbed reflects the query survival and NetDB interaction patterns of Exclusive Network nodes in the actual large-scale I2P network.

What would settle it

A measurement study that successfully locates an operational Exclusive Network node via NetDB floodfill queries would falsify the survival property.

Figures

Figures reproduced from arXiv: 2605.19437 by Jacques Bou Abdo, Siddique Abubakr Muntaka.

Figure 1: Three-layer network hierarchy. Layer 1 (…
Figure 2: I2P inbound tunnel. The LeaseSet (LS) publishes only the gateway …
Figure 3: Shade 8 classification output from node-lookup.py. After 500 floodfill probes from a pool of 1,556, router H1 (PB5dY5...) produces zero NetDB hits, confirming Layer 2 exclusive status. 3) Floodfill probe (500 floodfills, batches of 5, re-check after each): no hit at any checkpoint. The Shade 8 criterion is satisfied: $\neg RI_{\mathrm{local}}(H1) \wedge \neg RI_{\mathrm{console}}(H1) \wedge \bigwedge_{f \in F_{500}} \neg RI_f(H1)$ (5)
Figure 4: NetDB hit count vs. cumulative floodfill probes for three router types.
Figure 5: Shade 1 (Beacon) classification output for router …
Figure 7: Shade 2 (Relay) classification for router …
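The Shade 8 criterion from the Figure 3 caption, evaluated over a constructed probe log, as an added example (this is not the paper's node-lookup.py): the ProbeLog layout, the batch bookkeeping and the two sample logs are assumptions.

```python
"""Shade 8 (Exclusive Network) check over a constructed floodfill probe log.
Added example, not the paper's node-lookup.py; layout and samples are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BATCH = 5      # paper: batches of 5 floodfills, re-check after each batch
PROBES = 500   # paper: 500 floodfill probes drawn from the pool

@dataclass
class ProbeLog:
    target: str                  # hash prefix of the router under test
    ri_local: bool               # RI_local: RouterInfo found in the prober's own NetDB
    ri_console: bool             # RI_console: RouterInfo listed in the router console
    floodfill_hits: List[bool]   # RI_f per probed floodfill f: did it return the RouterInfo?

def checkpoints(hits: List[bool], batch: int = BATCH) -> List[Tuple[int, int]]:
    """Cumulative hit count after each batch, i.e. the Figure 4 curve,
    as (cumulative_probes, cumulative_hits) pairs."""
    curve, total = [], 0
    for start in range(0, len(hits), batch):
        chunk = hits[start:start + batch]
        total += sum(chunk)
        curve.append((start + len(chunk), total))
    return curve

def first_hit_checkpoint(hits: List[bool], batch: int = BATCH) -> Optional[int]:
    """Probe count at the first checkpoint where the RouterInfo surfaced, else None."""
    for probes, total in checkpoints(hits, batch):
        if total:
            return probes
    return None

def shade8(log: ProbeLog) -> bool:
    """Equation (5): not RI_local, not RI_console, and not RI_f for every f in F_500.
    A single hit anywhere refutes exclusivity."""
    if log.ri_local or log.ri_console:
        return False
    return not any(log.floodfill_hits)

def classify(log: ProbeLog) -> Dict[str, object]:
    """Verdict plus the evidence a defender would want alongside it."""
    hits = log.floodfill_hits
    return {"target": log.target, "shade8": shade8(log),
            "first_hit_at": first_hit_checkpoint(hits), "final": checkpoints(hits)[-1]}

# Constructed sample logs (not measurements from the paper).
EXCLUSIVE = ProbeLog("H1-constructed", False, False, [False] * PROBES)
# A router that did publish: first floodfill hit on the 12th probe, then about every third.
PUBLISHED = ProbeLog("P1-constructed", False, True,
                     [i >= 11 and i % 3 == 2 for i in range(PROBES)])
```

`classify(PUBLISHED)` reports the first checkpoint at which the RouterInfo surfaced, which is the quantity a measurement study would need to record to falsify the survival claim for a given router.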
Original abstract

The Invisible Internet Project (I2P) is a peer-to-peer anonymous overlay network whose architecture includes a structurally distinct sublayer not characterized in existing security literature. We term this sublayer the Exclusive Network: nodes here host operational services and draw on I2P's routing resources, but publish no RouterInfo record to the network's distributed database (NetDB). In a controlled three-node testbed, we demonstrate that an Exclusive Network node survives sequential floodfill queries from a pool of routers with zero NetDB hits, while its hosted service remains continuously accessible to authorized peers. This property is exploitable by documented I2P-based malware, for example, I2PRAT (RATatouille), for persistent command-and-control operations against national assets or corporate networks. The structure is analogous to nation-state Operational Relay Box (ORB) infrastructure. The existence of this sublayer, together with the inability of top-down empirical mapping to characterize it, motivates a move toward formal analytical methods to understand the emergence and behavior of covert networks within I2P.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims that I2P contains an uncharacterized 'Exclusive Network' sublayer of nodes that host operational services without publishing RouterInfo to NetDB. In a controlled three-node testbed, an unpublished node evades sequential floodfill queries (zero NetDB hits) while its service remains reachable to authorized peers. This property is linked to I2P-based malware (e.g., I2PRAT) for persistent C2 and analogized to nation-state ORB infrastructure, motivating a shift from empirical mapping to formal analytical methods.

Significance. If the testbed behavior generalizes, the work identifies a covert architectural feature in I2P that current top-down measurement techniques cannot capture, with implications for anonymity, malware defense, and overlay-network security. The controlled demonstration of query survival plus authorized reachability is a concrete observation that could stimulate formal modeling of hidden subnetworks.

major comments (2)
  1. [Testbed / Experimental Setup] The central claim rests on the three-node testbed observation of zero NetDB hits and continuous service accessibility. The manuscript sketches the setup but does not specify the size or diversity of the floodfill router pool, the exact query sequence and timing, or controls for indirect discovery paths (tunnel handshakes, lease-set exchanges, or out-of-band peer lists). Without these details, it is unclear whether non-publication alone suffices for undetectability at I2P scale.
  2. [Abstract and Discussion] The generalization from the three-node controlled environment to production I2P behavior is asserted but not demonstrated. At network scale the floodfill set is large and dynamic; nodes learn RouterInfo through multiple channels. The paper does not report measurements or simulations that close this gap, leaving the load-bearing claim of 'survives sequential floodfill queries' vulnerable to scale-related confounds.
minor comments (2)
  1. [Title] The title 'Fifty Shades of Darknet' introduces an informal tone that may not match the formal security-analysis content; consider a more descriptive title.
  2. [Introduction] Terminology for 'Exclusive Network' and 'NetDB hits' should be defined on first use with a brief comparison to standard I2P RouterInfo publication mechanics.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for the constructive comments on our manuscript. We address each major comment below, indicating where we will revise the paper and where we must clarify the scope of our claims.

Point-by-point responses
  1. Referee: [Testbed / Experimental Setup] The central claim rests on the three-node testbed observation of zero NetDB hits and continuous service accessibility. The manuscript sketches the setup but does not specify the size or diversity of the floodfill router pool, the exact query sequence and timing, or controls for indirect discovery paths (tunnel handshakes, lease-set exchanges, or out-of-band peer lists). Without these details, it is unclear whether non-publication alone suffices for undetectability at I2P scale.

    Authors: We agree that the testbed description requires more detail to support reproducibility. In the revised manuscript we will expand the experimental setup section to report the exact number and selection method for the floodfill routers in the query pool, the precise sequence and timing of sequential queries, and the controls implemented to isolate direct NetDB lookups from indirect paths such as tunnel handshakes or lease-set exchanges. These additions will make explicit that the zero-hit result is attributable to non-publication of RouterInfo. revision: yes

  2. Referee: [Abstract and Discussion] The generalization from the three-node controlled environment to production I2P behavior is asserted but not demonstrated. At network scale the floodfill set is large and dynamic; nodes learn RouterInfo through multiple channels. The paper does not report measurements or simulations that close this gap, leaving the load-bearing claim of 'survives sequential floodfill queries' vulnerable to scale-related confounds.

    Authors: The manuscript frames the three-node result as a controlled demonstration of an architectural feature rather than a claim that the same behavior necessarily holds at full production scale. We will revise the abstract and discussion to state the limitations of the testbed more explicitly and to position the observation as motivation for formal modeling instead of an assertion of network-wide undetectability. No new large-scale simulations are added, as the work focuses on identifying the sublayer and its implications. revision: partial

standing simulated objections not resolved
  • Large-scale measurements or simulations on the live I2P network to close the gap between the controlled testbed and production behavior.

Circularity Check

0 steps flagged

No circularity: empirical testbed claim stands independent of inputs

Full rationale

The paper defines the Exclusive Network descriptively from observed non-publication behavior and supports its central claim via direct results from a controlled three-node testbed experiment. No equations, fitted parameters, or self-citations are invoked to derive the survival or reachability properties; the demonstration is presented as an empirical observation rather than a reduction to prior definitions or author-specific theorems. The forward-looking motivation for formal methods does not retroactively load the testbed result. The derivation chain is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 1 invented entity

The central claim rests on introducing a new conceptual entity without upstream independent evidence and on a small-scale empirical demonstration whose assumptions about I2P node behavior are not externally validated.

axioms (1)
  • domain assumption: I2P nodes can host operational services and draw on routing resources while publishing no RouterInfo record to NetDB.
    This premise defines the Exclusive Network and is invoked to explain the testbed results.
invented entities (1)
  • Exclusive Network (no independent evidence)
    purpose: To label the sublayer of I2P nodes that host services without NetDB publication.
    New term coined by the authors to describe observed behavior.

pith-pipeline@v0.9.0 · 5708 in / 1267 out tokens · 42059 ms · 2026-05-20T02:44:42.543176+00:00 · methodology


