LNTest: A Testbed for Evaluating Bitcoin Lightning Network-Based Botnets
Reviewed by Pith2026-06-27 06:41 UTCgrok-4.3pith:YTQB3UTRopen to challenge →
The pith
LNTest shows Lightning botnets form clustered chains with bridge nodes and spread commands linearly with size.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Using LNTest, we report three main findings. First, D-LNBot's autonomous formation protocol does not produce the uniform chain from its design; instead, it creates a clustered chain in which cliques are linked by bridge nodes whose removal fragments the network. Second, command propagation scales linearly with botnet size (Θ(n)), not the O(m log n) previously claimed. Third, the overlay topology determines the effectiveness of takedown strategies: uniform-degree chains resist targeted removal but fragment under random failure, scale-free topologies show the opposite pattern, and the autonomous clustered chain is fragile under both.
What carries the argument
LNTest, a testbed of Docker-containerized Core Lightning nodes sharing a Bitcoin Core regtest chain that supports deterministic, autonomous, and user-supplied overlay topologies for botnet experiments.
If this is right
- Bridge nodes in the clustered chain can be removed to fragment the botnet.
- Higher neighbor counts per bot do not shorten command propagation time.
- Uniform chains resist targeted node removal but are vulnerable to random failures.
- Scale-free topologies are resilient to random failures but weak against targeted removal.
- The autonomous clustered chain is the most vulnerable to both targeted and random takedowns.
Where Pith is reading between the lines
- Monitoring for high-betweenness nodes in the Lightning Network could help identify potential botnet structures.
- The open release of LNTest allows independent teams to test new defense mechanisms against LN-based command channels.
- Adding real fee market dynamics and node churn to the testbed would test whether the linear scaling holds under more variable conditions.
Load-bearing premise
The experiments rely on a controlled regtest environment with containerized nodes that may not capture real-world Lightning Network dynamics such as node churn, actual fee markets, network latency variation, or adversarial node behavior.
What would settle it
Running the same autonomous formation protocol on the live Lightning Network and observing either a uniform non-clustered chain or command propagation times that scale better than linearly would falsify the reported findings.
Figures
read the original abstract
Bitcoin's Lightning Network (LN) can be exploited as a covert, low-cost command-and-control (C&C) channel for botnets, as demonstrated by the LNBot and D-LNBot designs. However, both remain proof-of-concept prototypes evaluated only through simulation, leaving key questions about real-world topology formation, propagation complexity, and resilience to takedowns unanswered. We present LNTest, the first reusable testbed for LN-based botnets, built from Core Lightning nodes containerized with Docker over a shared Bitcoin Core regtest chain. LNTest supports three overlay topology modes (a deterministic chain, autonomous peer discovery, and user-supplied graphs), enabling controlled experiments across different botnet structures. Using LNTest, we report three main findings. First, D-LNBot's autonomous formation protocol does not produce the uniform chain from its design; instead, it creates a clustered chain in which cliques are linked by bridge nodes whose removal fragments the network. Second, command propagation scales linearly with botnet size ($\Theta(n)$), not the $O(m \log n)$ previously claimed, and gains nothing from higher neighbor connectivity. Third, the overlay topology determines the effectiveness of takedown strategies: uniform-degree chains resist targeted removal but fragment under random failure, scale-free topologies show the opposite pattern, and the autonomous clustered chain is fragile under both, making it the most vulnerable of the three. LNTest is released as open source, with a script that reproduces all our experiments, to support reproducible research on LN-based botnet defenses.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper presents LNTest, the first reusable testbed for LN-based botnets, implemented with containerized Core Lightning nodes on a shared Bitcoin Core regtest chain and supporting deterministic chain, autonomous peer-discovery, and user-supplied graph topologies. Using the testbed, the authors report three empirical findings: D-LNBot's autonomous formation produces clustered chains linked by bridge nodes rather than uniform chains; command propagation scales linearly as Θ(n) independent of neighbor count, contradicting prior O(m log n) claims; and overlay topology governs takedown resilience, with the autonomous clustered topology being fragile under both targeted and random removals. The testbed and a reproduction script are released as open source.
Significance. If the reported measurements hold under the testbed conditions, the work supplies the first controlled empirical data on LN botnet topology formation and resilience, directly challenging simulation-derived claims on propagation complexity. The open-source release with a script that reproduces all experiments is a clear strength, enabling future reproducible research on defenses.
major comments (2)
- [Section 3] Testbed setup (Section 3): The regtest containerized environment enforces static connectivity, zero churn, uniform low latency, and no fee/routing competition. This idealization is load-bearing for the first finding (bridge-linked cliques in autonomous mode) and the third finding (differential fragility), because real LN node churn, variable channel fees, and geographic latency could alter effective neighbor sets and message paths, potentially changing the observed clustering and scaling exponents.
- [Section 5] Propagation results (Section 5): The claim that command propagation scales as Θ(n) rather than O(m log n) and 'gains nothing from higher neighbor connectivity' rests on measurements whose statistical details (number of trials, variance, data exclusion rules) are not reported. Without these, it is not possible to determine whether the linear scaling is robust or an artifact of the idealized testbed conditions.
minor comments (2)
- [Abstract] In the abstract, the notation O(m log n) is used without defining m (presumably the number of neighbors per node); this should be clarified on first use.
- Figure captions and axis labels for the scaling and fragmentation plots should explicitly state the number of independent runs and any error bars or confidence intervals.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback and for recognizing the significance of LNTest. Below we respond point-by-point to the major comments.
read point-by-point responses
-
Referee: [Section 3] Testbed setup (Section 3): The regtest containerized environment enforces static connectivity, zero churn, uniform low latency, and no fee/routing competition. This idealization is load-bearing for the first finding (bridge-linked cliques in autonomous mode) and the third finding (differential fragility), because real LN node churn, variable channel fees, and geographic latency could alter effective neighbor sets and message paths, potentially changing the observed clustering and scaling exponents.
Authors: We agree that the testbed deliberately uses idealized conditions (static connectivity, zero churn, uniform latency) to enable controlled, reproducible experiments that isolate topology effects. This is a standard approach for establishing baseline empirical results. We will add a dedicated limitations paragraph in Section 3 explicitly discussing how real-world factors such as churn, variable fees, and latency could affect clustering and resilience, and we will note that LNTest is designed to be extensible for incorporating such dynamics in follow-on studies. revision: partial
-
Referee: [Section 5] Propagation results (Section 5): The claim that command propagation scales as Θ(n) rather than O(m log n) and 'gains nothing from higher neighbor connectivity' rests on measurements whose statistical details (number of trials, variance, data exclusion rules) are not reported. Without these, it is not possible to determine whether the linear scaling is robust or an artifact of the idealized testbed conditions.
Authors: We acknowledge that the statistical details of the propagation experiments were insufficiently reported. In the revised manuscript we will specify the number of independent trials per configuration, report means accompanied by standard deviations or error bars, and clarify any data exclusion or aggregation rules. These additions will allow readers to evaluate the robustness of the observed linear scaling. revision: yes
Circularity Check
No circularity; results are direct empirical measurements from new testbed.
full rationale
The paper introduces LNTest as a Dockerized regtest testbed and reports three findings obtained by executing autonomous formation, propagation timing, and takedown simulations inside it. These are measurements of observed behavior under controlled conditions, not derivations, fitted parameters renamed as predictions, or claims whose justification reduces to self-citation chains. The scaling result Θ(n) is measured directly; the topology-formation and fragility observations are likewise outputs of running the supplied graphs and protocols. No equations or self-referential definitions appear in the reported claims. The open-source release and reproduction script further separate the results from any definitional loop.
Axiom & Free-Parameter Ledger
Reference graph
Works this paper leans on
-
[1]
ACINQ: A scala implementation of the Lightning Network.https://github.com /ACINQ/eclair(2015)
2015
-
[2]
Nature406(6794), 378–382 (2000)
Albert, R., Jeong, H., Barabási, A.L.: Error and attack tolerance of complex networks. Nature406(6794), 378–382 (2000)
2000
-
[3]
In: Financial Cryptography and Data Security
Ali, S.T., McCorry, P., Lee, P.H.J., Hao, F.: ZombieCoin: Powering next-generation botnets with Bitcoin. In: Financial Cryptography and Data Security. pp. 34–48. Springer Berlin Heidelberg (2015)
2015
-
[4]
International Journal of Information Security 17(4), 411–422 (2018)
Ali, S.T., McCorry, P., Lee, P.H.J., Hao, F.: ZombieCoin 2.0: managing next- generation botnets using Bitcoin. International Journal of Information Security 17(4), 411–422 (2018)
2018
-
[5]
International Journal of Information and Computer Security17(1-2), 147–163 (2022)
Alibrahim, O., Malaika, M.: Botract: abusing smart contracts and blockchain for botnet command and control. International Journal of Information and Computer Security17(1-2), 147–163 (2022)
2022
-
[6]
Blockstream: Core Lightning: Lightning Network implementation focusing on spec compliance and performance.https://github.com/ElementsProject/lightning (2015)
2015
-
[7]
In: 2019 APWG Symposium on Electronic Crime Research (eCrime)
Böck, L., Alexopoulos, N., Saracoglu, E., Mühlhäuser, M., Vasilomanolakis, E.: Assessing the threat of blockchain-based botnets. In: 2019 APWG Symposium on Electronic Crime Research (eCrime). pp. 1–11 (2019)
2019
-
[8]
In: Proceedings of the 26th An- nual Computer Security Applications Conference
Calvet, J., Davis, C.R., Fernandez, J.M., Marion, J.Y., St-Onge, P.L., Guizani, W., Bureau, P.M., Somayaji, A.: The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet. In: Proceedings of the 26th An- nual Computer Security Applications Conference. pp. 141–150. Association for Computing Machinery (2010)
2010
-
[9]
IEEE Transactions on Dependable and Secure Computing21(1), 186–203 (2024)
Sáez-de Cámara, X., Flores, J.L., Arellano, C., Urbieta, A., Zurutuza, U.: Gotham testbed: A reproducible IoT testbed for security experiments and dataset generation. IEEE Transactions on Dependable and Secure Computing21(1), 186–203 (2024)
2024
-
[10]
In: 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W)
De Vivo, S., Obaidat, I., Dai, D., Liguori, P.: DDoShield-IoT: A testbed for sim- ulating and lightweight detection of IoT botnet DDoS attacks. In: 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W). pp. 1–8 (2024)
2024
-
[11]
In: Financial Cryptography and Data Security
Franzoni, F., Abellan, I., Daza, V.: Leveraging Bitcoin testnet for bidirectional botnet command and control systems. In: Financial Cryptography and Data Security. pp. 3–19. Springer International Publishing (2020)
2020
-
[12]
Frkat, D., Annessi, R., Zseby, T.: ChainChannels: Private botnet communication over public blockchains. In: 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData). pp. 1244–1252 (2018)
2018
-
[13]
Electronics 11(7) (2022)
Gao, H., Li, L., Chang, X., Wan, J., Li, J., Du, J., Zhang, X.: BlockchainBot: A novel botnet infrastructure enhanced by blockchain technology and IoT. Electronics 11(7) (2022)
2022
-
[14]
IEEE Internet of Things Journal11(5), 9107–9126 (2024)
Gao, H., Li, L., Lei, H., Tian, N., Lin, H., Wan, J.: One IOTA of countless legions: A next-generation botnet premises design substrated on blockchain and internet of things. IEEE Internet of Things Journal11(5), 9107–9126 (2024)
2024
-
[15]
Gao, H., Li, L., Lin, H., Chang, X., Wan, J., Li, J., Zhu, F.: ZombieCoin3.0: On the looming of a novel botnet fortified by distributed ledger technology and internet of things. In: 2021 IEEE 23rd Int Conf on High Performance Computing LNTest 21 & Communications; 7th Int Conf on Data Science & Systems; 19th Int Conf on Smart City; 7th Int Conf on Dependab...
2021
-
[16]
ACM Computing Surveys55(11), 219:1–219:39 (2023)
Georgoulias, D., Pedersen, J.M., Falch, M., Vasilomanolakis, E.: Botnet business models, takedown attempts, and the darkweb market: A survey. ACM Computing Surveys55(11), 219:1–219:39 (2023)
2023
-
[17]
In: 13th International Conference on Computational Intelligence in Security for Information Systems (CISIS 2020)
Kamenski, D., Shaghaghi, A., Warren, M., Kanhere, S.S.: Attacking with Bitcoin: Using Bitcoin to build resilient botnet armies. In: 13th International Conference on Computational Intelligence in Security for Information Systems (CISIS 2020). pp. 3–12. Springer International Publishing (2021)
2020
-
[18]
In: Iphofen, R., O’Mathúna, D
Kolstoe, S.E.: A framework for reviewing dual use research. In: Iphofen, R., O’Mathúna, D. (eds.) Ethical Issues in Covert, Security and Surveillance Research. Emerald Publishing Limited (2021)
2021
-
[19]
In: Testbeds and Research Infrastructures for the Development of Networks and Communities
Kumar, A., Lim, T.J.: A secure contained testbed for analyzing IoT botnets. In: Testbeds and Research Infrastructures for the Development of Networks and Communities. pp. 124–137. Springer International Publishing (2019)
2019
-
[20]
IEEE Transactions on Dependable and Secure Computing21(4), 2162–2180 (2024)
Kurt, A., Erdin, E., Akkaya, K., Uluagac, S., Cebe, M.: D-LNBot: A scalable, cost- free and covert hybrid botnet on Bitcoin’s Lightning network. IEEE Transactions on Dependable and Secure Computing21(4), 2162–2180 (2024)
2024
-
[21]
In: Computer Security – ESORICS 2020
Kurt, A., Erdin, E., Cebe, M., Akkaya, K., Uluagac, A.S.: LNBot: A covert hybrid botnet on Bitcoin Lightning network for fun and profit. In: Computer Security – ESORICS 2020. pp. 734–755. Springer International Publishing (2020)
2020
-
[22]
It’s rust-lightning, not Rusty’s Lightning!https://github.com/lightningdevkit /rust-lightning(2018)
Lightning Dev Kit: A highly modular Bitcoin Lightning library written in Rust. It’s rust-lightning, not Rusty’s Lightning!https://github.com/lightningdevkit /rust-lightning(2018)
2018
-
[23]
Lightning Labs: Lightning Network Daemon.https://github.com/lightningne twork/lnd(2016)
2016
-
[24]
In: ICASSP 2025 - 2025 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP)
Liu, C., Wang, Z., Yin, J., Liu, Y., Mao, K., Huang, Z., Deng, C.: SCBot: Building lightweight and flexible C&C based on smart contract. In: ICASSP 2025 - 2025 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). pp. 1–5 (2025)
2025
-
[25]
Technology in Society63, 101382 (2020)
Macnish, K., van der Ham, J.: Ethics in cybersecurity research and practice. Technology in Society63, 101382 (2020)
2020
-
[26]
Master’s thesis, International Hellenic University (2019),https://repository.i hu.gr/handle/11544/29362
Mengidis, A.: Blockchain-based command and control for next generation botnets. Master’s thesis, International Hellenic University (2019),https://repository.i hu.gr/handle/11544/29362
2019
-
[27]
In: Financial Cryptography and Data Security
Mizrahi, A., Zohar, A.: Congestion attacks in payment channel networks. In: Financial Cryptography and Data Security. pp. 170–188. Springer Berlin Heidelberg (2021)
2021
-
[28]
org/bitcoin.pdf(2008)
Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system.https://bitcoin. org/bitcoin.pdf(2008)
2008
-
[29]
In: 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
Obaidat, I., Kahn, B., Tavakoli, F., Sridhar, M.: Creating a large-scale memory error IoT botnet using NS3DockerEmulator. In: 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). pp. 470–479 (2023)
2023
-
[30]
Bulletin of Electrical Engineering and Informatics 14(3), 2077–2096 (2025) 22 T
Parthipan, M., Laghari, S.U.A., Jaisan, A., Baig, A., Ali, M.A., Karuppayah, S.: Insights into peer-to-peer botnet dynamics: reviewing emulation testbeds and proposing a conceptual model. Bulletin of Electrical Engineering and Informatics 14(3), 2077–2096 (2025) 22 T. Bakaysa and A. Kurt et al
2077
-
[31]
Poon, J., Dryja, T.: The Bitcoin Lightning network: Scalable off-chain instant payments. Tech. rep., Lightning Network (2016),https://lightning.network/li ghtning-network-paper.pdf
2016
-
[32]
In: 2019 IEEE Euro- pean Symposium on Security and Privacy Workshops (EuroS&PW)
Rohrer, E., Malliaris, J., Tschorsch, F.: Discharged payment channels: Quantifying the Lightning network’s resilience to topology-based attacks. In: 2019 IEEE Euro- pean Symposium on Security and Privacy Workshops (EuroS&PW). pp. 347–356. IEEE (2019)
2019
-
[33]
In: Mathematical Research for Blockchain Economy
Seres, I.A., Gulyás, L., Nagy, D.A., Burcsi, P.: Topological analysis of Bitcoin’s Lightning network. In: Mathematical Research for Blockchain Economy. pp. 1–12. Springer International Publishing (2020)
2020
-
[34]
Sweeny, J.: Botnet resiliency via private blockchains. Tech. rep., SANS Institute (2017),https://www.sans.org/white-papers/38050
2017
-
[35]
In: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security
Taniguchi, T., Griffioen, H., Doerr, C.: Analysis and takeover of the Bitcoin- coordinated Pony malware. In: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. pp. 916–930. Association for Computing Machinery (2021)
2021
-
[36]
Future Internet13(8) (2021)
Thanh Vu, S.N., Stege, M., El-Habr, P.I., Bang, J., Dragoni, N.: A survey on botnets: Incentives, evolution, detection and current trends. Future Internet13(8) (2021)
2021
-
[37]
Securelist(Kaspersky) technical blog (Nov 2025),https://securelist.com/tsu ndere-node-js-botnet-uses-ethereum-blockchain/117979/
Ubiedo, L.: Blockchain and node.js abused by Tsundere: an emerging botnet. Securelist(Kaspersky) technical blog (Nov 2025),https://securelist.com/tsu ndere-node-js-botnet-uses-ethereum-blockchain/117979/
2025
-
[38]
In: Information and Communications Security
Yin, J., Cui, X., Liu, C., Liu, Q., Cui, T., Wang, Z.: CoinBot: A covert botnet in the cryptocurrency network. In: Information and Communications Security. pp. 107–125. Springer International Publishing (2020)
2020
-
[39]
Telecommunications Policy48(2), 102696 (2024)
Zabka, P., Foerster, K.T., Decker, C., Schmid, S.: A centrality analysis of the Lightning network. Telecommunications Policy48(2), 102696 (2024)
2024
-
[40]
In: Information Security Theory and Practice
Zarpelão, B.B., Miani, R.S., Rajarajan, M.: Detection of Bitcoin-based botnets using a one-class classifier. In: Information Security Theory and Practice. pp. 174–189. Springer International Publishing (2019)
2019
-
[41]
PLOS ONE14(12), e0226594 (2019)
Zhong, Y., Zhou, A., Zhang, L., Jing, F., Zuo, Z.: DUSTBot: A duplex and stealthy p2p-based botnet in the Bitcoin network. PLOS ONE14(12), e0226594 (2019)
2019
-
[42]
Zohar, O.: Unblockable Chains - a POC on using blockchain as infrastructure for malware operations.https://github.com/platdrag/UnblockableChains(2018)
2018
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.