Bitcoin's Lightning Network (LN) can be exploited as a covert, low-cost command-and-control (C&C) channel for botnets, as demonstrated by the LNBot and D-LNBot designs. However, both remain proof-of-concept prototypes evaluated only through simulation, leaving key questions about real-world topology formation, propagation complexity, and resilience to takedowns unanswered. We present LNTest, the first reusable testbed for LN-based botnets, built from Core Lightning nodes containerized with Docker over a shared Bitcoin Core regtest chain. LNTest supports three overlay topology modes (a deterministic chain, autonomous peer discovery, and user-supplied graphs), enabling controlled experiments across different botnet structures. Using LNTest, we report three main findings. First, D-LNBot's autonomous formation protocol does not produce the uniform chain from its design; instead, it creates a clustered chain in which cliques are linked by bridge nodes whose removal fragments the network. Second, command propagation scales linearly with botnet size ($\Theta(n)$), not the $O(m \log n)$ previously claimed, and gains nothing from higher neighbor connectivity. Third, the overlay topology determines the effectiveness of takedown strategies: uniform-degree chains resist targeted removal but fragment under random failure, scale-free topologies show the opposite pattern, and the autonomous clustered chain is fragile under both, making it the most vulnerable of the three. LNTest is released as open source, with a script that reproduces all our experiments, to support reproducible research on LN-based botnet defenses.
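The first finding can be pictured from the defender's side with a small graph analysis. This is an added example, not code from LNTest or the paper: it builds a constructed clustered chain and locates the cut vertices whose removal fragments it. The clique count and size, the wiring of each bridge node to two members of both neighbouring cliques, and all function names are assumptions made for illustration.

```python
def clustered_chain(cliques=4, size=4):
    # Constructed (assumed) topology: cliques chained by single bridge nodes.
    adj, prev = {}, []
    for c in range(cliques):
        members = [f"c{c}n{i}" for i in range(size)]
        edges = [(a, b) for a in members for b in members if a < b]
        edges += [(f"bridge{c-1}", m) for m in prev[-2:] + members[:2] if prev]
        for a, b in edges:
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
        prev = members
    return adj

def articulation_points(adj):
    # Tarjan DFS: u is a cut vertex when a child subtree cannot reach above u.
    disc, low, cut = {}, {}, set()
    def dfs(u, parent):
        disc[u] = low[u] = len(disc)
        children = 0
        for v in adj[u]:
            if v in disc:  # back edge (the parent edge is harmless here)
                low[u] = min(low[u], disc[v])
                continue
            children += 1
            dfs(v, u)
            low[u] = min(low[u], low[v])
            if parent is not None and low[v] >= disc[u]:
                cut.add(u)
        if parent is None and children > 1:
            cut.add(u)
    for n in adj:
        if n not in disc:
            dfs(n, None)
    return cut

def largest_component(adj, removed=()):
    # Size of the biggest connected piece once `removed` nodes are gone.
    seen, best = set(removed), 0
    for start in adj:
        if start not in seen:
            seen.add(start)
            stack, count = [start], 0
            while stack:
                count += 1
                for v in adj[stack.pop()] - seen:
                    seen.add(v)
                    stack.append(v)
            best = max(best, count)
    return best
```

On this constructed graph only the bridge nodes are cut vertices: removing one clique member leaves the overlay connected, while removing the middle bridge halves it.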