BA logo

FAQs: July 2021 block withholding/re-organisation attack on the BSV network

Last updated: July 27 – 7pm (UKT)

In response to the block withholding/re-organisation attack on the Bitcoin SV network, Bitcoin Association has prepared answers to the most frequently asked questions that we and our representatives are receiving.

What has happened?

On June 24, 2021 and then again on July 1, 6 and 9, an unknown miner operating (as an apparent impersonator) under the ‘Zulupool’ moniker engaged in malicious block re-organisation attacks on the Bitcoin SV (BSV) network. This type of attack, known as a ‘block withholding’ attack, involves a malicious actor creating a chain of competing
blocks – re-written to the benefit of the attacker, i.e., containing double spends – in parallel with the correct chain. These malicious blocks are created in secret then released all at once to orphan the correct blocks from honest nodes.

The malicious nature of the attack was not initially clear from the first sets of block reorganisations on June 24 and July 1. Block reorganisations are a feature of the Bitcoin system when they occur organically and are used to align participants and nodes on the network; therefore, not all block re-organisations should be treated as problematic and analysis must be done to assess the nature of each situation.

However, using block reorganisations for double-spend attacks is highly illegal. The Bitcoin SV Infrastructure Team began extensively investigating the block re-organisations after learning of them. Further investigation after the July 6 block re-organisation revealed the deliberate and malicious nature of the activity, and then prompted immediate action by the Bitcoin SV Infrastructure Team to mitigate and respond.

Are the attacks ongoing?

The last re-organisation attack by the impersonating ‘Zulupool’ miner occurred on Friday, July 9. Protective measures have been implemented for the BSV network and there have been no further attacks since then. However, at this stage Bitcoin Association and the Bitcoin SV Infrastructure Team continue to treat this as an active situation, and we have a global team closely monitoring the network at all hours.

Update 27/7: Bitcoin Association is not aware of any further block withholding or re-organisation attacks on the BSV network following the last known attack on July 9, 2021. Bitcoin Association and the Bitcoin SV Infrastructure Team both continue to actively monitor the situation.

Who is behind the attack?

At this stage, neither Bitcoin Association nor the Bitcoin SV Infrastructure Team can confirm the exact identity or identities of the attackers. The malicious party is carrying out their attacks under the ‘Zulupool’ moniker. We do not believe that the malicious actor is the same ‘Zulupool’ that has long been associated with the Hathor miner of the same name. Instead, we believe the attacker is impersonating ‘Zulupool’.

Just a few months ago, an actor also using the same ‘Zulupool’ moniker carried out a deep block reorganisation of the Bitcoin ABC (BCHA) chain. While we cannot independently confirm that it is the same party who is behind the recent attacks on BSV, the BCHA chain incident had similarities in methodologies and characteristics with the reorganization attacks on BSV, and also used the same Zulupool name; these factors strongly suggest it is the same actor.

Why would a malicious party attack the BSV blockchain in this way?

There are several reasons why a malicious party may attempt to attack the BSV blockchain (or any blockchain for that matter) in such a fashion. At this stage, however, in the absence of further information, we cannot conclusively determine the motives of the attacker.

Possible motives are:

– The most obvious reason to attempt a block withholding or re-organisation attack would be as part of an effort to double-spend and defraud – that is, spend the same BSV tokens several times by manipulating the records of the blockchain. When these types of attacks occur, it is generally exchanges – which tend to hold significant token liquidity – that are targeted. However, it is important to note that to date, neither Bitcoin Association, nor the Bitcoin SV Infrastructure Team, nor any exchanges with whom we are in contact, have received any reports of anyone claiming to be a victim of a double spend.

– Given that the Bitcoin ABC (BCHA) chain experienced a reorganisation incident with similar characteristics just a few months ago, it is possible that this is a coordinated campaign against competing implementations and chains of Bitcoin. While no direct losses or thefts have yet been attributed to the attack on the BSV blockchain, the response by exchanges to restrict BSV deposit and withdrawals and/or trading activities and the attending reputational harm caused by the attacks could indicate that the detrimental intangible impact was the primary goal, not a secondary repercussion.

– Another possibility is that the malicious actor is undertaking these block re-organisations to move coins around in an effort to obfuscate the history of certain coins and make them harder to track. If this is what is motivating the attacks, however, it has been entirely unsuccessful, as the heightened awareness and forensic tools being used to track and document the attacks have only served to draw attention to these transactions, in addition to providing the impetus to collect comprehensive evidence for all connected transactions.

Has there been a successful double-spend on the BSV network as a result of the re-organisation attacks?

BSV transactions have been double spent, but at this stage, there is no evidence that these fraudulent activities have been carried out to the detriment of another (innocent) party. It is possible that the malicious ‘Zulupool’ has been double-spending their own transactions.

Update 27/7: Bitcoin Association has been made aware that digital asset exchange Bitmart has claimed that the attacker has used its exchange to deposit ‘fake’ BSV from the double-spend attack and trade them for other coins; the attacker was then able to move some of these fraudulently acquired to other exchanges.  On July 23, Bitmart filed a legal action for injunctive relief in the U.S. District Court for the Southern District of New York seeking to prevent the attacker(s) from further transferring traded coins from Bitmart’s exchange accounts and asking for third-party exchanges to freeze traded coins they received from the attacker.

Bitmart’s legal action is being taken independent of Bitcoin Association; however, Bitcoin Association intends to offer its assistance to Bitmart.  Bitcoin Association also continues to regularly update law enforcement authorities in relevant jurisdictions concerning the attacks.

How is Bitcoin Association responding from a technical perspective?

Bitcoin Association, together with its development arm, the Bitcoin SV Infrastructure Team, have undertaken certain technical measures to respond to the malicious actions of the ‘Zulupool’ impersonating-miner and to mitigate the impact of any potential future attacks. This includes coordinating with miners and transaction processors on the Bitcoin SV network to implement both reactive and preventative measures – including fork detection tools that enable ecosystem participants and partners to move expeditiously in the face of attacks. Since these measures have been initiated, there have so far been no further attacks on the network.

Is Bitcoin Association invoking legal mechanisms to respond?

Since the malicious nature of the re-orgs on the Bitcoin SV network were identified following the July 6 attacks, the Bitcoin SV Infrastructure Team have taken action to both help protect the network and collect evidence of the illegal activity. This information is being collated and shared at regular intervals with Bitcoin Association’s legal team. Bitcoin Association’s representatives have already started to contact relevant law enforcement authorities. Bitcoin Association is also preparing to submit criminal complaints in one or more relevant jurisdictions; its affected constituents may also initiate proceedings independently.

Update 27/7: Bitcoin Association has been made aware that digital asset exchange Bitmart has claimed that the attacker has used its exchange to deposit ‘fake’ BSV from the double-spend attack and trade them for other coins; the attacker was then able to move some of these fraudulently acquired to other exchanges.  On July 23, Bitmart filed a legal action for injunctive relief in the U.S. District Court for the Southern District of New York seeking to prevent the attacker(s) from further transferring traded coins from Bitmart’s exchange accounts and asking for third-party exchanges to freeze traded coins they received from the attacker.

Bitmart’s legal action is being taken independent of Bitcoin Association; however, Bitcoin Association intends to offer its assistance to Bitmart.  Bitcoin Association also continues to regularly update law enforcement authorities in relevant jurisdictions concerning the attacks.

Why have some exchanges suspended deposits, withdrawals or trading of BSV?

Bitcoin Association representatives have been in contact with BSV-supporting exchanges since the malicious activity was first identified. The Association also released a public statement about the situation on July 8, 2021.

It has been – and continues to be – our view that the primary response from exchanges should be to freeze deposits of any coins associated with the double-spend addresses.

In addition, Bitcoin Association believes an exchange will be adequately insulated from any negative impact of attacks if it: 1) actively monitors the blockchain for block re-orgs; and 2) as an interim protective measure, maintains or extends to at least 20 the number of block confirmations required before BSV deposits are considered valid. We believe this provides sufficient protection against the block reorg attacks. We do not believe exchanges need to completely halt all deposit, withdrawal and trading activity associated with BSV coins. However, Bitcoin Association can only act in an advisory capacity in this instance, as exchanges are independent and will act according to their own procedures and tolerances in such events.

Bitcoin Association continues to actively communicate with exchanges throughout this process, and are doing all that we can to support the reinstatement of BSV deposit, withdrawal and trading services as soon as possible.

Update 27/7: Bitcoin Association can report that several digital asset exchanges have implemented the recommended preventative security measures and re-activated BSV deposit and withdrawal facilities, as well as trading functionality.

For an up-to-date list of exchanges that have restored BSV services, visit the Bitcoin Association Twitter @BitcoinAssn.

When will I be able to deposit, withdraw or trade BSV from exchanges?

Each exchange will make its own decisions about when and how to re-enable BSV services. At this stage, we cannot provide exact timings for when BSV deposit, withdrawal or trading facilities will be active at your chosen exchange. Bitcoin Association and its representatives remain in contact with exchanges and will share any news and updates on this front, as and when it becomes available.

Is my BSV safe on exchanges?

Any BSV kept at exchanges or that isn’t being actively transacted with an untrusted party remains unaffected by the attacks.

Is the Bitcoin SV network safe to use?

Yes. The Bitcoin SV network remains safe to use and is operating as it usually would. However, in the short term, Bitcoin Association recommends only sending and receiving BSV between identified parties where possible. When transacting with unknown or untrusted parties, for an interim period, we advise waiting for at least 20 block confirmations before considering the transaction safe and settled.

Will my favourite BSV app continue to work?

Yes. So long as the BSV app in question isn’t involved in illegal double-spending, the app will continue to operate unimpeded and unaffected.

Should you have any further inquiries, please direct them to:

Alex Speirs
Head of Communications
[email protected]

New to blockchain? Check out CoinGeek’s Blockchain for Beginners section, the ultimate resource guide to learn more about blockchain technology.