Many state bodies involved in adversarial action have dedicated budgets for offensive cyber-warfare, credential thefts, supply chain compromises and disinformation. If they haven't used all of their budget by the end of the budget period, they'll be allocated a smaller budget for the next budget period.
I mean this is a common pattern in many large organizations, governmental and non, if you didn't use your budget it means we can save money, yayyyy! I hadn't really considered it would apply to state-backed hacking but makes sense.
Not the attacks themselves, I would expect that kind of sabotage that actively provokes negative outcomes in people’s lives to have more respectful/competent reasoning behind it than “meh there’s a few leftovers and we had to do something”.
> Why does i2p (per the article) expect state sponsored attacks every February?
Because The Invisible Internet Project (I2P) allows government dissidents to communicate without government oversight: censorship-resistant, peer-to-peer communication.
> Where are those forming from, what does the regularity achieve?
At least PR China, Iran, Oman, Qatar, and Kuwait, to censor communication between dissidents.
> How come the operators of giant (I’m assuming illegal) botnets are available to voice their train of thought in discord?
How would you identify someone as 'operators of giant botnets' before they identified themselves as 'operators of giant botnets'?
That’s a great question… Currently we’re in the main Chinese holiday period with the Lunar New Year/Spring Festival/Chinese New Year, so perhaps people traveling back home from foreign lands might use the service more during this time?
Likely it's just a coincidence — there were other Sybil attacks that are not in February too, so the chance that you'd get 3 in Feb isn't all that low.
From the main article, I2P has 55,000 computers, the botnet tried to add 700,000 infected routers to I2P to use it as a backup command-and-control system.
That's an interesting stress test for I2P. They should try to fix that; the protocol should be resilient to such an event. Even if there are 10x more bad nodes than good nodes (assuming they were noncompliant I2P actors based on that thread) the good nodes should still be able to find each other and continue working. To be fair, spam will always be a thorny problem in completely decentralized protocols.
No. They should not try to survive such attacks. The best defense to a temporary attack is often to pull the plug. Better that than potentially exposing users. When there are 10x as many bad nodes as good, the base protection of any anonymity network is likely compromised. Shut down, survive, and return once the attacker has moved on.
This is why Tor is centralized, so that they can take action like cutting out malicious nodes if needed. It’s decentralized in the sense that anyone can participate by default.
While anyone can run a Tor node and register it as available, the tags that Tor relays get assigned and the list of relays is controlled by 9 consensus servers[1] that are run by different members of the Tor project (in different countries). They can thus easily block nodes.
It's 10, not 9. And there are severe problems with having a total of 10 DA be the essential source of truth for the whole network. It would be trivial to DDoS the DAs and bring down the Tor network or at the very least, disrupt it: https://arxiv.org/abs/2509.10755.
It's the only complaint I have of the current state of Tor. Anyone should be able to run a directory authority, regardless of whether you trust the operator or not (same as normal relays).
Anyone can. The DA code is open source and is used whenever you run a testnet. You can also run a DA on the mainnet - how do you think the 10 primary DAs exist? They're not 10 computers owned by a single organization - they're 10 mutually trusting individuals. However, most of the network won't trust you.
That's why the Web of Trust, or classic GNUPG key signing parties, are a forgotten/ignored must-have. Anyone can change and go rogue of course, but it's statistically less likely.
It doesn't work for I2P due to its design, but for things like Nostr, it works well. Essentially, the goal is to build up a list of "known" reliable relays over time, while simultaneously blacklisting anyone who joins and proves to be unreliable, relying on the statistic that collaborative individuals outnumber hostile ones in any sufficiently large cohort.
Of course, it's far from being 100% effective, but it mitigates the issue significantly.
> Even if there are 10x more bad nodes than good nodes [...] the good nodes should still be able to find each other
What network, distributed or decentralized, can survive such an event? Most of the protocols break down once you hit some N% threshold of the network being bad nodes; asking it to survive 1000%+ bad nodes when the usual guarantee is something like "when at least half the nodes are good" is a tall order. Are there existing decentralized/distributed protocols that would survive a 1000% attack of bad nodes?
I guess "predictably" is valid but what actually went wrong? After going through multiple sources I can't tell if the botnet nodes were breaking the protocol on purpose, breaking the protocol by accident, or correct implementations that nevertheless overwhelmed something.
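To make the "known reliable list plus blacklist" idea from the Nostr comment concrete, and to put numbers on the 10x-bad-nodes question, here is an added Python simulation; it is not code from the thread, from I2P or from Nostr, and the honest/Sybil node counts (scaled down from the 55,000 vs 700,000 figures quoted above), the tunnel length and the success probabilities of honest and Sybil peers are constructed assumptions.

```python
import random

# Constructed scenario: a network with a Sybil majority, scaled down from the
# 55,000 honest / 700,000 bot figures quoted in the thread (assumption).
HONEST, SYBIL, HOPS = 55, 700, 3          # every hop must be honest for a safe tunnel
P_HONEST_OK, P_SYBIL_OK = 0.95, 0.20      # assumed noisy observations of peer behaviour

def p_safe_uniform(honest=HONEST, sybil=SYBIL, hops=HOPS):
    """Closed form: chance that a uniformly chosen tunnel contains only honest peers."""
    return (honest / (honest + sybil)) ** hops

class ReputationPicker:
    """Builds a 'known reliable' list over time and blacklists peers that misbehave."""
    def __init__(self, threshold=3):
        self.score, self.blacklist, self.threshold = {}, set(), threshold

    def observe(self, peer, ok):
        if ok:
            self.score[peer] = self.score.get(peer, 0) + 1
        else:
            self.blacklist.add(peer)   # honest peers that glitch are lost too (false positives)

    def known(self):
        return [p for p, s in self.score.items()
                if s >= self.threshold and p not in self.blacklist]

    def pick(self, peers, rng, k):
        pool = self.known()
        if len(pool) < k:              # too little history: fall back to anything not blacklisted
            pool = [p for p in peers if p not in self.blacklist]
        return rng.sample(pool, k)

def simulate(probes=4000, tunnels=5000, seed=7):
    """Returns (safe-tunnel fraction with uniform selection, same with reputation list)."""
    rng = random.Random(seed)
    honest = {f"h{i}" for i in range(HONEST)}
    peers = sorted(honest | {f"s{i}" for i in range(SYBIL)})
    rep = ReputationPicker()
    for _ in range(probes):            # learning phase: probe random peers, record the outcome
        p = rng.choice(peers)
        rep.observe(p, rng.random() < (P_HONEST_OK if p in honest else P_SYBIL_OK))
    safe = lambda hops: all(h in honest for h in hops)
    uni = sum(safe(rng.sample(peers, HOPS)) for _ in range(tunnels)) / tunnels
    rp = sum(safe(rep.pick(peers, rng, HOPS)) for _ in range(tunnels)) / tunnels
    return uni, rp

if __name__ == "__main__":
    u, r = simulate()
    print(f"uniform (closed form {p_safe_uniform():.5f}): {u:.4f}; reputation list: {r:.3f}")
```

Uniform selection almost never yields an all-honest tunnel at this ratio, while the reputation list does, at the cost of also dropping honest peers that happened to fail a probe; a Sybil that behaves correctly during the probes still gets onto the list occasionally, which is the "far from 100% effective" caveat above.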
Discord has a lot of terrible servers. This is one of the reasons they were not trusted when they came out and wanted to do identity verification. They already have a lot of information yet fail to do meaningful enforcement at scale.
Only a couple years ago the outrage was that Discord was too eagerly banning servers and users.
I know several people whose Discord accounts were banned because they participated in a server that later had some talk of illegal activities in one of the channels. There are similar stories all over Reddit.
If a Walmart has ~100 people in it and wants to get rid of 4 shoplifters but really sucks at selecting them well then the likely result is 4 normal people are very upset while all of the shoplifters are still there.
In the same scenario, even if Walmart is right about who they ejected 75% of the time then they still have ~1 shoplifter remaining and ~1 very upset person.
Even in an ideal world where Walmart is right about ejection 100% of the time it doesn't mean they start receiving 0 new shoplifters either, it just means the number of people wrongly made upset is 0.
Discord's problem (on both ends) lies in lack of depth in investigating bans. It takes resources to review when someone shouldn't be banned and it takes resources to make sure you ban everybody. Putting too few resources into banning just means that both sides of the scale manage to get tipped in the wrong direction at the same time.
There are servers where they just hang out, but which themselves are legitimate: cybersecurity-related ones, etc. You can ban them and they'll just switch to another account within a minute. Occasionally Discord or a server owner does, but everyone knows it's pointless. There are probably other servers that are mostly used by cybercriminals, maybe command-and-control backups, and security researchers may stumble upon these when taking some malware apart, join them, and end up getting in contact with the owner.
In general I don't think law enforcement wants Discord to take these down or ban them. These guys would have no problem just making some IRC servers or whatever to hang out on instead, which would be much harder to surveil for law enforcement - compared to Discord just forwarding them everything said by those accounts and on those servers.
Why wouldn't they? There are Discord servers about anything you can imagine and also what you can't or don't want to imagine. As long as they don't start disrupting their infra Discord couldn't care less.
Also, how would you even go about classifying them as botnet operators?
The official router implementation is Java. i2pd is an alternative written in C++.
Once established, communication can transparently be processed through a SOCKS proxy, or via integration with SAM or similar: https://i2p.net/en/docs/api/samv3/
I didn’t really understand the link between Alice and Bob until I saw a green floaty dot go through a pile of spaghetti with the word compromise beneath it.
> The I2P development team responded by shipping version 2.11.0 just six days after the attack began.
Not wanting to be overly critical, but any net-infrastructure project kind of has to keep bot attacks and other attack vectors in mind already in the initial design stage. Any state actor (and other actors, though I would assume it is often a state financing the bot network behind the scenes) can potentially become hostile.
This article (with high slop vibes) and another article on their site (linked in the comments) seem to suggest that post quantum encryption mitigated the Sybil attack, without explanation. I fail to understand how the two are even related.
Is there a shittier summary anywhere, please? Or did the author reach the peak of enshittification?
Honestly, did the bot implementation have bugs or was it a proper implementation that crashed the network due to sheer numbers?
Also, how does changing the encryption standard affect anything if the bots tried to integrate correctly with the network?
Is the problem "fixed" or is it not? Elsewhere I found a large number of botnet devs got pissed off with this botnet operator and 600k nodes went offline. Might this have much more to do with the situation getting better than simply changing encryption?
Also, was there any suggestion a quantum breaking attack was attempted? No. So why put the emphasis on "post quantum" in this article?
kace91 | 19 hours ago
Why does i2p (per the article) expect state sponsored attacks every February? Where are those forming from, what does the regularity achieve?
How come the operators of giant (I’m assuming illegal) botnets are available to voice their train of thought in discord?
WaitWaitWha | 17 hours ago
please read https://en.wikipedia.org/wiki/I2P
jjmarr | 19 hours ago
https://news.ycombinator.com/item?id=46976825
This, predictably, broke I2P.
xmcp123 | 17 hours ago
Either way, it’s opportunity cost.
notpushkin | 13 hours ago
How does that work?
cyphar | 13 hours ago
[1]: https://consensus-health.torproject.org/
xmcp123 | 17 hours ago
It’s basically impossible. They have money, IPs, identities, anything you could possibly want to evade.
Aurornis | 15 hours ago
They aren’t requiring age verification for everyone to join servers and chat. The headlines and panic really got away from the actual story.
fuzzfactor | 8 hours ago
More people than just myself might want one.
charcircuit | 15 hours ago
>they accidentally disrupted I2P while attempting to use the network as backup command-and-control infrastructure
So were they hostile or were they using it normally?
Bad. Very bad.