An eclipse attack is a cyberattack that targets peer-to-peer networks, particularly in blockchain technology. In this attack, a malicious actor isolates a victim node from the rest of the network, effectively "eclipsing" it. This allows the attacker to control the information the victim node receives and sends, potentially leading to the manipulation of transactions, double spending, or other malicious activity. It can produce several harmful outcomes:
- Isolation: The attacker manipulates the target node's network connections, cutting it off from other legitimate peers.
- Control of Information: Once isolated, the attacker can feed false or misleading data to the victim node, influencing its decision-making and transactions.
- Double Spending: The attacker can create fraudulent transactions that the isolated node may accept as valid.
- Transaction Manipulation: The attacker can prevent the victim from seeing legitimate transactions, potentially leading to financial losses.
- Network Disruption: Eclipse attacks can undermine the overall trust and stability of the network.
Working of Eclipse Attack
An eclipse attack occurs in peer-to-peer networks when a malicious actor isolates a target node from the rest of the network. Here’s a concise overview of the process:
- Target Identification: The attacker selects a vulnerable node within the network. A weak node means a device, such as a Bitcoin wallet, mining rig, or crypto exchange server, that is easy to trick. Attackers look for nodes with outdated software, poor network security, or limited connections, like picking the weakest lock in a vault.
- Network Positioning: The attacker establishes multiple connections to the target node, often using techniques like creating fake nodes (Sybil attack) to gain control over its connections. Eclipse Attacks rely on Sybil Attacks to generate fake nodes, each with a unique IP address (often via VPNs or cloud servers). These fakes mimic real Bitcoin or Ethereum nodes, sending valid-looking data. Hackers use fake nodes to reject or ignore requests from honest nodes, ensuring the target can’t reconnect. They might also send fake “peer lists” to trick the node into avoiding real peers.
- Isolation: The attacker severs the target node's connections to other legitimate peers, effectively isolating it. The node is now “eclipsed,” seeing only the hacker’s version of the blockchain.
- Information Manipulation: The attacker controls the data that the isolated node receives and sends, feeding it false information and preventing it from seeing legitimate transactions. For example, the attacker sends fake blockchain blocks claiming "You received 10 Bitcoin!" or "This transaction is valid." The node, cut off from honest peers, accepts these as true.
- Exploitation: This manipulation can lead to outcomes such as double spending or acceptance of fraudulent transactions, undermining the integrity of the network: the node approves fake transactions, sending Bitcoin or Ethereum to the attacker's wallet. For example, a 2018 Bitcoin Gold eclipse attack enabled $18 million in double spending. The node might also broadcast fake blocks, confusing other nodes and slowing the blockchain, as in a 2020 Ethereum Classic attack that delayed transactions for hours.
By executing these steps, the attacker can significantly disrupt the target node's operation and compromise its transactions.
Types of Eclipse Attacks
Here are some types of Eclipse Attacks:
- Simple Eclipse Attack: The attacker isolates a single target node by connecting to it with multiple fake nodes while disconnecting it from legitimate peers. The goal is to control the victim’s transactions and manipulate its view of the network.
- Sybil Attack: The attacker creates numerous identities (or nodes) in the network to gain a majority presence and isolate specific nodes. This allows the attacker to exert control over the network, making it easier to conduct eclipse attacks.
- Network Partitioning: The attacker disrupts the network's topology, separating the victim node from others by manipulating routing. This method can create isolated segments in the network, making it difficult for the victim to access accurate information.
- Double-Spending Eclipse Attack: A specialized form of the simple eclipse attack where the attacker isolates a node to make it accept fraudulent transactions. The attacker can successfully double spend by convincing the isolated node that the fraudulent transaction is legitimate.
- Race Condition Eclipse Attack: The attacker exploits the timing of transaction submissions to confuse the victim node during transaction processing. By manipulating the order in which transactions are seen, the attacker can make the victim accept incorrect transaction histories.
- Self-Eclipse Attack: The attacker can intentionally eclipse their own node to manipulate information being processed. This can be used to create advantages in a competitive environment, such as claiming rewards for processing transactions.
Impact of Eclipse Attacks
During an eclipse attack, the attacker hides the actual current state of the blockchain ledger from the target. By doing so, the attacker can carry out:
- Double spending through Eclipse attack: Attackers can exploit isolated nodes to execute double spending, leading to direct financial losses for users and undermining trust in the network.
- Miner Power Disruption: The attacker can hide from the target the information that a block has been mined, misleading the victim into wasting computing power mining orphaned blocks. An orphaned block is a block that has been solved within the blockchain network but was not accepted by the network. In this way, the attacker increases their relative hash rate within the network and biases the block mining race in their favor. Another approach, seen in the double-spending case, is to harness the target's mining capacity so that its hashing power is effectively combined with the attacker's own.
- Transaction Censorship: The attacker can censor transactions from the target by preventing them from being included in the blockchain. This can lead to delays in transactions or even the failure of transactions, which can harm the network's usability and reputation.
- Sybil Attacks: In an Eclipse attack, the attacker may use Sybil attacks to create fake identities and nodes to manipulate the target. By creating a large number of fake nodes, the attacker can increase their influence in the network and undermine the target's ability to verify the authenticity of the network.
- Centralization: An Eclipse attack can lead to centralization of the network, where a few nodes or a single entity gains control over the network. This can undermine the decentralization and security features of the network, leading to a loss of trust in the network by users and stakeholders.
- Network Instability: An Eclipse attack can cause network instability, as the target node may be overwhelmed with traffic or disrupted from the rest of the network. This can lead to a breakdown in communication between nodes, making it difficult to maintain consensus and verify transactions.
- Financial Loss: An Eclipse attack can lead to financial loss for the victims, as the attacker may be able to carry out fraudulent transactions, double-spending, and other malicious activities. This can lead to a loss of trust in the network and a decline in its overall value.
Common Targets in 2025
Eclipse attacks target particular users within the cryptocurrency space, where compromising a single node can yield substantial profits:
- Miners: These are machines that solve proof-of-work puzzles to add blocks to the blockchain and receive rewards such as 6.25 Bitcoin per block (~$500,000 in 2025). An eclipsed miner could mine a fraudulent block, losing millions in electricity and hardware.
- Crypto Exchanges: Services such as Coinbase or Binance operate nodes to execute trades. An Eclipse Attack might dupe an exchange into paying out double crypto, at a cost of millions, such as happened in a 2020 Bitcoin Gold attack.
- Wallet Apps: Smartphone or desktop wallets (e.g., MetaMask, Electrum) are a soft target, particularly if old. A compromised wallet might send Bitcoin to a hacker rather than a friend.
- Full Nodes: Individuals operating full Bitcoin nodes (hosting the entire blockchain) to authenticate transactions are vulnerable if not protected, affecting network integrity.
- IoT Devices: New blockchain-enabled smart devices (such as supply chain monitors) are vulnerable because hackers exploit weak IoT security.
Preventive Measures
- Increased Node Connections: If each node in the network gets connected to a large number of nodes, it will get difficult for the attacker to isolate the target in the network, thereby reducing the possibility of an Eclipse attack.
- Random Node Selection: The network should be designed in such a way, that each node connects to a random set of nodes when it comes in sync with the network.
- Secure Communication: The nodes in the network should use secure communication protocols such as SSL/TLS to encrypt the data transmitted between them. This prevents attackers from eavesdropping on the communication and gaining information that can be used to launch an Eclipse attack.
- Regular Updates: The software running on each node should be updated regularly to ensure that it is free from known vulnerabilities that can be exploited by attackers.
- Diverse Implementation: The network should encourage the use of diverse implementation of the software running on each node. This makes it difficult for attackers to exploit a common vulnerability across all nodes in the network.
- Use of Firewalls: Firewalls can be used to filter traffic to and from each node in the network. This helps to prevent attackers from sending malicious traffic to the target node and also helps to prevent the target node from sending malicious traffic to other nodes in the network.
- Monitoring: The network should be monitored for any unusual activity or traffic patterns. This can help to identify and mitigate an Eclipse attack before it causes significant damage to the network.
- Redundancy: The network should be designed with redundancy in mind. This means that there should be multiple nodes providing the same service, so if one node is compromised, the network can still function without disruption.
- Peer Review: The code of the software running on each node should be reviewed by peers to ensure that it is free from any vulnerabilities that can be exploited by attackers.
- Education: Users of the network should be educated on how to identify and prevent Eclipse attacks. This can help to prevent attackers from gaining access to the network through social engineering techniques such as phishing.
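As an added illustration of the monitoring and connection-diversity measures listed above (this is not code from the original article), the following Python check inspects a node's current peer set for the symptoms an eclipse attack produces: too few outbound connections, peers concentrated in a single /16 IP block, and a peer set that was replaced all at once. The peer snapshots and the thresholds are constructed assumptions, not any client's defaults.

```python
"""Peer-table health check for a P2P node.  Flags the symptoms of an eclipse
attack: few outbound peers, peers clustered in one IP block, and a peer set
replaced all at once.  Sample data and thresholds are constructed assumptions."""
import ipaddress
from collections import Counter

def netgroup(ip: str) -> str:
    """Group an address by /16 (IPv4) or /32 (IPv6), as Bitcoin Core buckets peers."""
    addr = ipaddress.ip_address(ip)
    prefix = 16 if addr.version == 4 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def peer_table_health(peers, now, min_outbound=8, max_group_share=0.5,
                      min_groups=4, churn_window=300):
    """Return (finding, detail) tuples; an empty list means no symptom seen."""
    findings = []
    outbound = [p for p in peers if p["direction"] == "out"]
    if len(outbound) < min_outbound:
        findings.append(("low_outbound", f"{len(outbound)} < {min_outbound}"))
    groups = Counter(netgroup(p["ip"]) for p in peers)
    if peers:
        top_group, top_n = groups.most_common(1)[0]
        share = top_n / len(peers)
        if share > max_group_share:
            findings.append(("netgroup_concentration", f"{top_group} holds {share:.0%}"))
    if len(groups) < min_groups:
        findings.append(("low_netgroup_diversity", f"{len(groups)} groups < {min_groups}"))
    # Reboot trick: every connection younger than the window means the whole
    # peer set was swapped at once, which honest churn rarely does.
    if peers and all(now - p["connected_since"] < churn_window for p in peers):
        findings.append(("full_peer_churn", f"all {len(peers)} peers < {churn_window}s old"))
    return findings

# Constructed snapshot: 8 outbound peers, 6 in one /16, all connected in the
# last two minutes (as after a forced restart into attacker-controlled peers).
NOW = 1_700_000_000
SUSPECT_PEERS = [
    {"ip": f"203.0.113.{i}", "direction": "out", "connected_since": NOW - 60 - i}
    for i in range(1, 7)
] + [
    {"ip": "198.51.100.7", "direction": "out", "connected_since": NOW - 90},
    {"ip": "192.0.2.9", "direction": "out", "connected_since": NOW - 100},
]
# Constructed healthy snapshot: 8 outbound peers in 8 distinct groups, long-lived.
HEALTHY_PEERS = [
    {"ip": ip, "direction": "out", "connected_since": NOW - 3600 * (i + 1)}
    for i, ip in enumerate(["203.0.113.1", "198.51.100.2", "192.0.2.3", "10.1.0.4",
                            "10.2.0.5", "172.16.0.6", "172.17.0.7", "2001:db8::8"])
]

if __name__ == "__main__":
    for name, peers in (("suspect", SUSPECT_PEERS), ("healthy", HEALTHY_PEERS)):
        print(name, peer_table_health(peers, NOW) or "no findings")
```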
Case Studies on Eclipse Attack
These attacks threaten cryptocurrency networks like Bitcoin, Ethereum, and Ripple, risking millions in theft or market chaos. Here are real-life attacks that have happened:
Ethereum Classic (ETC) Eclipse Attack (2019)
Ethereum Classic (ETC), a smaller blockchain that forked from Ethereum, was hit in January 2019 with a debilitating eclipse attack that exposed clear vulnerabilities in its node software. Hackers isolated ETC nodes, caused them to perceive the blockchain differently, and performed double-spending attacks that stole millions.
Hackers targeted ETC nodes (possibly miners or full nodes) with an eclipse attack, flooding them with fake nodes via a Sybil attack. By commanding the nodes' connections (ETC nodes have 8-13 peers), they blocked legitimate blockchain updates and sent forged transaction details instead. Double spending became possible, with hackers spending the same ETC coins multiple times and tricking nodes into accepting scam transfers.
The attackers caused over $1.1 million in damage, double-spending ~88,500 ETC (~$4-5 per coin in 2019). They attacked crypto exchanges like Gate.io, which lost $200,000 after fake deposits. There were at least seven double-spend attacks within days, exploiting the low mining power of ETC (~5% of Ethereum's hash rate).
The hackers likely used a botnet or cloud servers to create hundreds of fake nodes, filling the target nodes’ peer slots. Isolated nodes accepted fake blocks showing valid transactions (e.g., “User A sent 10,000 ETC”), while hackers spent the same coins elsewhere on the real blockchain. Exchanges credited funds based on fake confirmations, unaware of the eclipsed nodes.
ETC node software (versions of Geth or Parity from before 2019) had weak peer selection that bound to predictable peers, so the fake nodes could easily take over. The low hash power (mining power) also made blockchain forks easy, making the attack more severe.
ETC developers issued security advisories, urging node operators to update to patched Geth releases (post-v5.0) with enhanced peer randomization. Exchanges increased confirmation requirements (e.g., 400 blocks vs. 10) to avoid double spends. Post-2019, ETC introduced random node selection and IP filtering to limit imposter nodes, following the Bitcoin countermeasures from a 2015 USENIX paper. They also tested checkpointing (freezing older blocks) to avoid blockchain rewrites.
The attack triggered blockchain security discussions, with Bitcoin and Ethereum teams doubling down on node software hardening. ETC's low hash rate resulted in calls for a Proof-of-Stake (PoS) migration, though ETC stuck with Proof-of-Work (PoW).
Note: ETC now runs Geth v6.0+ with enhanced Kademlia protocols, reducing Eclipse Attack risks.
Bitcoin Network Simulation
Researchers at Boston University and Hebrew University simulated eclipse attacks on the peer-to-peer Bitcoin network in 2015, demonstrating that a small number of fake nodes could isolate a target node. The work appeared in a USENIX Security paper and showed that attackers could cheat transactions or mining, demonstrating that tighter peer selection and network monitoring were essential.
Led by Ethan Heilman and Sharon Goldberg, the researchers attacked live Bitcoin nodes with 400 spoofed IP addresses in a controlled test, according to the 2015 USENIX paper. They hit nodes with half-full peer tables (7% valid addresses), modeling a one-hour eclipse attack. The attack populated ~57% of the attempted bucket (a node's trusted peer list) with spoofed addresses, with an 84% success rate.
How It Worked
Bitcoin nodes hold peer IPs in buckets (256 for attempted, 1,024 for new). Hackers took advantage of weaknesses:
- Timestamp Bias: Nodes preferred recent IPs, so spurious nodes sent repeated pings to remain "fresh."
- Random Eviction: Full buckets removed random IPs, allowing hackers to replace legitimate ones over time.
- Reboot Trick: Once the peer table was filled, a node reboot caused it to connect to spurious nodes, isolating it.
With just 400 IPs (~$100 worth of cloud servers), hackers could overpower a node and control its blockchain view. Scaled up to 4,000 IPs, the attack would threaten many nodes at once and destabilize the network, although the size of Bitcoin made this costly.
Many fixes followed. Bitcoin was upgraded post-2015, and Bitcoin Core (v0.12+) adopted:
- Random Peer Selection: Nodes connect to randomly chosen IPs rather than the most recent ones, following the USENIX recommendations.
- More Buckets: Increased peer table size to hold 2,000+ IPs, dispersing spurious nodes.
- IP Filtering: Restricted connections per IP block to stop botnets.
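The following Python simulation, added here and taken neither from the USENIX paper nor from Bitcoin Core, compares the pre-2015 timestamp-biased peer choice with uniform random selection and with random selection capped per /16 IP block, over an address table that an attacker has flooded with fresh addresses from a few blocks. The table sizes, timestamps and attacker share are constructed assumptions, and the model is a simplification of Bitcoin Core's addrman rather than a reproduction of it.

```python
"""Monte Carlo comparison of outbound-peer selection policies against an
address table flooded with fresh attacker addresses from a few IP blocks.
Simplified model, not Bitcoin Core's addrman; all sizes are constructed."""
import random
from collections import Counter

def netgroup(ip: str) -> str:
    """/16 group of an IPv4 address, the granularity Bitcoin Core uses."""
    return ".".join(ip.split(".")[:2])

def build_table(now, n_honest=400, honest_groups=100,
                n_attacker=1600, attacker_groups=4, seed=0):
    """Entries are (ip, last_seen, owner).  Honest addresses are older and
    spread over many /16s; attacker addresses are fresh and concentrated."""
    rng = random.Random(seed)
    table = []
    for i in range(n_honest):
        ip = f"10.{i % honest_groups}.{i // honest_groups}.1"
        table.append((ip, now - rng.randint(3600, 48 * 3600), "honest"))
    for i in range(n_attacker):
        host = i // attacker_groups
        ip = f"203.{i % attacker_groups}.{host // 256}.{host % 256}"
        table.append((ip, now - rng.randint(1, 60), "attacker"))
    return table

def select_peers(table, k, policy, rng, max_per_group=1):
    """Choose k outbound peers.  'freshest': timestamp bias (pre-2015);
    'random': uniform choice; 'netgroup': uniform choice capped per /16."""
    if policy == "freshest":
        ranked = sorted(table, key=lambda e: e[1], reverse=True)
    else:
        ranked = table[:]
        rng.shuffle(ranked)
    chosen, per_group = [], Counter()
    for ip, _, owner in ranked:
        if policy == "netgroup" and per_group[netgroup(ip)] >= max_per_group:
            continue
        chosen.append(owner)
        per_group[netgroup(ip)] += 1
        if len(chosen) == k:
            break
    return chosen

def eclipse_probability(table, k, policy, trials=1000, seed=1):
    """Fraction of trials in which every outbound slot went to the attacker."""
    rng = random.Random(seed)
    hits = sum(all(o == "attacker" for o in select_peers(table, k, policy, rng))
               for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    table = build_table(now=1_700_000_000)
    for policy in ("freshest", "random", "netgroup"):
        print(f"{policy:9s} P(all 8 outbound peers hostile) = "
              f"{eclipse_probability(table, 8, policy):.3f}")
```

With the attacker confined to four /16 blocks, the per-block cap makes a full eclipse of eight outbound slots impossible, whereas timestamp bias hands every slot to the attacker and uniform random choice still loses roughly one run in six.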
Conclusion
In conclusion, an eclipse attack is a type of cyber attack that targets a peer-to-peer network, particularly in blockchain and cryptocurrency systems. In this attack, a malicious actor isolates a specific node from the rest of the network, effectively controlling its view of the network and its transactions. By doing so, the attacker can manipulate the information the isolated node receives, potentially leading to double-spending, misinformation, or denial of service. To mitigate eclipse attacks, users can implement measures such as using multiple connections to different peers, regularly updating software, and employing network monitoring tools.