Fifty Shades of Darknet
Siddique Abubakr Muntaka, Jacques Bou Abdo

TL;DR
This paper identifies a covert sublayer within the I2P network, demonstrating its persistence and potential for malicious use, and advocates for formal methods to analyze such hidden structures.
Contribution
It introduces the concept of the Exclusive Network sublayer in I2P and shows its resilience and exploitation potential through experimental validation.
Findings
Exclusive Network nodes survive floodfill queries without revealing their presence.
Hosted services remain accessible to authorized peers despite the sublayer's stealth.
The sublayer's structure complicates empirical mapping, indicating a need for formal analysis.
Abstract
The Invisible Internet Project (I2P) is a peer-to-peer anonymous overlay network whose architecture includes a structurally distinct sublayer not characterized in existing security literature. We term this sublayer the Exclusive Network: nodes here host operational services and draw on I2P's routing resources, but publish no RouterInfo record to the network's distributed database (NetDB). In a controlled three-node testbed, we demonstrate that an Exclusive Network node survives sequential floodfill queries from a pool of routers with zero NetDB hits, while its hosted service remains continuously accessible to authorized peers. This property is exploitable by documented I2P-based malware, for example, I2PRAT (RATatouille), for persistent command-and-control operations against national assets or corporate networks. The structure is analogous to nation-state Operational Relay Box (ORB)…
