
The Curious Case of Bitcoin’s “Moby Dick” Spam and the Miners That Confirmed It

“Six or seven [mining] pools have played a major role in stuffing blocks with spam transactions,” analytics developer LaurentMT said.

The scaling debate has dominated the Bitcoin space for well over two years now. At its center, Bitcoin’s one-megabyte block size limit was often insufficient to include all transactions on the network. This ultimately led to the replacement of the block size limit with a block weight limit through Segregated Witness, allowing for up to four megabytes of transaction data. And a group of Bitcoin companies plans to deploy a hard fork to double this by November.

But there is reason to believe the “crisis” may have been fabricated, at least partly. A recent analysis by “LaurentMT,” the developer of blockchain analytics tool OXT, in cooperation with Antoine Le Calvez, creator of Bitcoin statistics resource, shows that the Bitcoin network has had to deal with a load of spam transactions throughout the past two years. Now, in a three-part blog post series dubbing the spam attacks “Moby Dick,” their findings suggest that several major Bitcoin mining pools may have had a hand in this.

“Six or seven pools have played a major role in stuffing blocks with spam transactions,” LaurentMT said. “And charts display what looks like a coordination between these pools.”

The Spam Situation

The very concept of “spam” in the context of Bitcoin is sometimes disputed. Differentiating between “good” and “bad” transactions can be controversial on a network designed for permissionless innovation and censorship-resistant payments.

But there is little doubt that certain transactions serve no other purpose than to stuff the Bitcoin network and blockchain. LaurentMT and Le Calvez more specifically define spam as transactions that send lots of tiny fractions of bitcoins to lots of different outputs (“addresses”). These kinds of transactions can’t feasibly have been used to make actual payments, while they do present a significant burden on the Bitcoin network: all nodes need to receive, validate, transmit and (at least temporarily) store all this data.

The analysts found that the Bitcoin network has seen many transactions that fit this category: almost three gigabytes worth of data within a two-year span, adding up to more than 2 percent of the total size of the blockchain, or the equivalent of about a month’s worth of normal Bitcoin use.

“We found that there were four waves of ‘fan-out transactions’ during summer 2015,” LaurentMT told Bitcoin Magazine, referring to the transactions that create lots of outputs. “We think that the first two waves were spamming users and services. The third and fourth waves instead mostly sent the fractions of bitcoins to addresses controlled by the attackers themselves.”

These four waves of spam have been relatively easy to notice, as sudden bursts of transactions clogged up the Bitcoin network for brief periods of time. In some cases these spam attacks were even announced as “stress tests” or “bitcoin giveaways.”

What’s more interesting about LaurentMT and Le Calvez’s analysis is that the two focused on the second half of the puzzle. Almost all the fractions of bitcoins that were sent to all these different addresses have slowly been re-spent back into circulation since. These “fan-in” transactions were not as obvious as the initial waves of spam — but were similarly burdensome.

And, LaurentMT explained, blockchain analysis suggests that most of this spam can be tracked down to one or two entities:

“We’ve identified two wallets that seem to have played a central role in the attacks. They’ve funded long chains of fan-out transactions during summer 2015, and they later aggregated the dust outputs.”

The analysts also suggest that the perpetrator(s) of the spam may have been customers of the Canadian exchange QuadrigaCX. But that’s where their analysis stops.

The Mining Pools

Perhaps what is more interesting is who used this spam to fill up Bitcoin blocks: Bitcoin mining pools.

The spam outputs, generated by the first four waves of fan-out transactions, had been starting to move since autumn of 2015 — sort of. Whoever controlled these addresses had been broadcasting transactions to spend these outputs over the network. However, for a long time, miners did not include these “spam broadcasts” in their blocks; the transactions were ignored.

Up until the second half of 2016, that is. At a very specific point in time, a group of seven mining pools started to suddenly accept these spam broadcasts and include them in the blocks they mined: 1-Hash, Antpool, BitClub Network,, HaoBTC, KanoCKPool and ViaBTC.

“So, either these seven pools had an ‘aha moment,’ and suddenly discovered that Bitcoin is about censorship resistance. Or, they had another motivation to fill up blocks with these transactions — perhaps related to the block size debate,” LaurentMT suggested.
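As an added illustration (not code from OXT or from the analysts), the fan-out and fan-in definitions given earlier can be written as a heuristic and applied per mining pool to measure how much confirmed block space went to fan-in transactions. The thresholds, the `Tx` structure, the pool names and the sample data are assumptions constructed for this example; the article gives no numeric cut-offs.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds for illustration; the article gives no numeric cut-offs.
DUST_SATS = 10_000   # an input/output at or below this value counts as "tiny"
MIN_COUNT = 50       # how many inputs or outputs count as "lots"
DUST_RATIO = 0.9     # share of those inputs/outputs that must be tiny

@dataclass
class Tx:
    txid: str
    inputs: list     # value in satoshis of each output being spent
    outputs: list    # value in satoshis of each output being created
    size: int        # serialized size in bytes

def _mostly_dust(values):
    """True when there are many values and nearly all of them are tiny."""
    if len(values) < MIN_COUNT:
        return False
    dust = sum(1 for v in values if v <= DUST_SATS)
    return dust / len(values) >= DUST_RATIO

def classify(tx):
    """Return 'fan-out', 'fan-in' or 'normal' for one transaction."""
    if _mostly_dust(tx.outputs):
        return "fan-out"            # one funder spraying dust to many outputs
    if _mostly_dust(tx.inputs) and len(tx.outputs) <= 2:
        return "fan-in"             # many dust outputs swept back together
    return "normal"

def fan_in_share_by_pool(blocks):
    """blocks: iterable of (pool_name, [Tx, ...]).
    Returns {pool: fraction of confirmed bytes that were fan-in}."""
    total, flagged = defaultdict(int), defaultdict(int)
    for pool, txs in blocks:
        for tx in txs:
            total[pool] += tx.size
            if classify(tx) == "fan-in":
                flagged[pool] += tx.size
    return {p: flagged[p] / total[p] for p in total if total[p]}

# Constructed sample data (not real chain data); pool names are placeholders.
PAYMENT = Tx("pay", [5_000_000], [4_000_000, 990_000], 226)
FAN_OUT = Tx("out", [10_000_000], [1_000] * 100 + [9_890_000], 3_600)
FAN_IN = Tx("in", [1_000] * 100, [90_000], 14_900)
SAMPLE_BLOCKS = [("pool-a", [PAYMENT, FAN_IN]), ("pool-b", [PAYMENT, FAN_OUT])]
```

Tracking the per-pool share over time, rather than in a single snapshot, is what would reveal a sudden policy change of the kind described above.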

For more clues, LaurentMT and Le Calvez looked for notable events that happened around the time of the mining pools’ sudden change of heart. In their research, they did find some correlation with “strange” occurrences. The first is an open letter from HaoBTC (now rebranded as Bixin) to the Bitcoin Core development team. The second was a rumor about a group of Chinese pools planning to end their cooperation with Bitcoin Core: the Terminator Plan.

Of course, something notable happens in Bitcoin just about every week. These events may well be coincidences and, therefore, there could be a very different explanation for the mining pools’ behavior, LaurentMT acknowledged:

“An alternative explanation could be that the different mining pools adopted new mining policies for completely different reasons. I tend to think political motivations are more likely … but that’s just a personal opinion.”

Bitcoin Magazine reached out to the seven mining pools in question. The only mining pool willing to comment on the issue was KanoCKPool, which denied being involved with any sort of manipulation or coordination, stating it just confirms “any and all transactions available.”

UPDATE: After publication of this article (and on reading the comment from Kano CK Pool), LaurentMT pointed out that Kano CK Pool, along with 1Hash and Bitclub Network, are the only pools that had been confirming some of the spam transactions even before the second half of 2016, indicating that the pool could be telling the truth.

UPDATE (2): A representative for Bixin reached out to Bitcoin Magazine to point out that the HaoBTC mining pool had only just started operations at the time when the different mining pools started including spam transactions in their blocks. He said the pool has always confirmed any paying transaction, and denies that HaoBTC (or Bixin) has taken part in any coordination across mining pools.

For a full analysis of the “Moby Dick” spam, read LaurentMT and Le Calvez’s three-part blog post series or watch Le Calvez’s presentation at Breaking Bitcoin in Paris earlier this month.