LNBot: A Covert Hybrid Botnet on Bitcoin Lightning Network for Fun and Profit

TL;DR

LNBot is a novel covert hybrid botnet that leverages Bitcoin Lightning Network's anonymity and speed for efficient command and control, enabling scalable and low-cost malicious activities with potential detection strategies.

Contribution

The paper introduces LNBot, a scalable and fully anonymized hybrid botnet utilizing LN for covert communication, with a proof-of-concept and performance analysis.

Findings

LNBot achieves better scalability than similar blockchain botnets.

The communication delay and cost are negligible for LNBot.

Potential countermeasures for detection are discussed.

Abstract

While various covert botnets were proposed in the past, they still lack complete anonymization for their servers/botmasters or suffer from slow communication between the botmaster and the bots. In this paper, we propose a new generation hybrid botnet that covertly and efficiently communicates over Bitcoin Lightning Network (LN), called LNBot. LN is a payment channel network operating on top of Bitcoin network for faster Bitcoin transactions with negligible fees. Exploiting various anonymity features of LN, we designed a scalable two-layer botnet which completely anonymize the identity of the botmaster. In the first layer, the botmaster sends commands anonymously to the C&C servers through LN transactions. Specifically, LNBot allows botmaster's commands to be sent in the form of surreptitious multihop LN payments, where the commands are encoded with ASCII or Huffman encoding to provide covert communications. In the second layer, C&C servers further relay those commands to the bots they control in their mini-botnets to launch any type of attacks to victim machines. We implemented a proof-of-concept on the actual LN and extensively analyzed the delay and cost performance of LNBot. Our analysis show that LNBot achieves better scalibility compared to the other similar blockchain botnets with negligible costs. Finally, we also provide and discuss a list of potential countermeasures to detect LNBot activities and minimize its impacts.