TL;DR: If you operate a node (locally for your own use or as a public service), you can add the Monero Research Lab’s spy node ban list to improve your privacy.
About a year ago, the Monero Research Lab (MRL) released a recommended ban list of suspected spy nodes. The spy nodes stayed at the same IP addresses for about a year. Last month (December 2025), the vast majority of spy nodes switched to new IP address ranges. The Monero Research Lab is releasing version 2 of the spy node ban list to help users protect their privacy. The list has been cryptographically signed by several Monero developers and researchers: boog900, hinto-janai, jeffro256, SyntheticBird, and Rucknium.
The ban list isn’t activated automatically. Node operators must download the list and tell their nodes to use it:
How do I enable the ban list?
Download the ban list from https://raw.githubusercontent.com/Boog900/monero-ban-list/refs/heads/main/ban_list.txt and note the directory where you saved it. In the instructions below, replace <file-path-to-ban-list> with the full path to the file. For example, if you saved the file in /home/user/Downloads, then you would replace <file-path-to-ban-list> with /home/user/Downloads/ban_list.txt.
Running monerod from the terminal
If you run the node from the terminal, add --ban-list <file-path-to-ban-list> when you start up monerod, i.e.
./monerod --ban-list <file-path-to-ban-list>
If you use a config file instead of command line flags, add this line to the config file:
ban-list=<file-path-to-ban-list>
Monero GUI wallet
If you use a remote node, whoever operates the remote node will decide if the ban list is enabled. If you run your own local node through the GUI wallet, go to Settings. In the “Daemon startup flags” box, input “--ban-list <file-path-to-ban-list>”. Then click the orange “Stop daemon” button. It will take a few seconds for the daemon to shut down. Then click the orange “Start daemon” button.
Docker
If you use SethForPrivacy’s monerod Docker file, update to the latest version, which has the ban list: https://github.com/sethforprivacy/simple-monerod-docker
If you run the Docker Monero node with any custom flags or a custom config file, you need to add --ban-list=/home/monero/ban_list.txt to the set of flags or ban-list=/home/monero/ban_list.txt to the config file.
FAQs
1) What has happened since the first version of the MRL ban list was released?
- In June 2025, the method used to detect the spy nodes was published: https://github.com/Boog900/p2p-proxy-checker
- July: A daily network scanner and webapp data visualizer was deployed: MoneroNet.info. Network scans suggest that about 8 percent of honest nodes were using the MRL ban list.
- Early October: New version of the Monero node software included the “subnet deduplication” countermeasure. Spy node adversaries rent contiguous ranges of IP addresses called “subnets” in bulk to minimize their costs. Subnet deduplication is a peer choice rule that lowers the probability of connecting to a node in a densely-populated IP address subnet. According to simulations, subnet deduplication reduces the number of connections to spy nodes by 70 percent for node operators who do not use the MRL ban list. (Operators who do use the MRL ban list would not try to connect to the spy nodes in the first place.) The subnet deduplication code was written by rbrunner7 and reviewed by vtnerd, jeffro256, and Rucknium.
- Late October: Spy nodes using IP addresses belonging to the Digital Ocean and Hetzner server rental companies begin hiding their spy node “fingerprint”. These spy nodes are still operating but no longer respond to ping requests with the telltale spy node behavior.
- Early December: Almost all spy nodes on the LionLink Autonomous System (AS) shut down. The LionLink spy nodes were the most numerous spy nodes on the Monero network. A few days later, a roughly equal number of spy nodes appear on IP addresses within the Spruce Creek AS. The Spruce Creek AS was registered in November 2024 by an unknown party. The migration of these spy nodes to new IP addresses triggered the release of this new MRL ban list.
- Mid-January: The DNS-disseminated ban list, managed by Monero contributors, is updated to include the MRL version 2 ban list. The DNS ban list can be enabled by adding the --enable-dns-blocklist startup flag to the Monero node. According to network scans, about 50 percent of honest reachable nodes do enable the DNS ban list.
2) What is the evidence that spy nodes run at these IP addresses?
The numerous spy node IP addresses are pretending to be distinct nodes, but the spying adversary is proxying a few nodes through a large number of IP addresses. That way, the spying adversary can spy on the node network, but does not have to pay the full cost of running one node per IP address.
The spy nodes are incorrectly reporting (“spoofing”) their peer IDs. A full explanation and code to run the spy node checker is here: https://github.com/Boog900/p2p-proxy-checker
A large number of the suspected spy IP addresses were the same IP addresses implicated in “LinkingLion” spying on the BTC node network as far back as 2020. The spying adversary is likely using the same IP addresses to spy on BTC and Monero.
Furthermore, most of the spying IP addresses are in a few “subnets”, which are basically consecutive IP address numbers that can be purchased at a bulk price rate from IP address providers. Almost every IP address in the subnets has a suspected spy node, a status MRL is calling “subnet saturation”. More details are in the MRL GitHub issue.
3) Can I tell how many spy nodes my node is connected to?
Yes. You can run the peers.ip.collect() function in the xmrpeers R package. See the “Examples” in the documentation here. The function will also start to show the subnet saturation after running for about 24 hours.
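The same kind of check can be sketched offline in Python. This is an added example, not the xmrpeers code or anything from MRL: it matches a list of peer addresses against a ban list and counts peers per /24 subnet. It assumes the ban list holds one IPv4 address or CIDR subnet per line and that the peer addresses have already been collected from your node; the sample data and the density threshold are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample data (documentation-only address ranges, not real nodes).
BAN_LIST_TEXT = "192.0.2.0/24\n198.51.100.77\nnot-an-ip\n"
PEERS = ["192.0.2.5", "192.0.2.6", "192.0.2.7",
         "198.51.100.77", "198.51.100.10", "203.0.113.9"]

def load_ban_list(text):
    """Parse ban list text, assuming one IPv4 address or CIDR subnet per line."""
    nets, rejected = [], []
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)  # surface bad lines instead of silently skipping
    return nets, rejected

def banned_peers(peers, nets):
    """Peers whose address is a banned IP or lies inside a banned subnet."""
    return [p for p in peers
            if any(ipaddress.ip_address(p) in net for net in nets)]

def dense_subnets(peers, prefix=24, threshold=3):
    """Subnets holding at least `threshold` distinct IPv4 peers (hypothetical cutoff)."""
    counts = Counter()
    for p in set(peers):
        if ipaddress.ip_address(p).version == 4:
            counts[ipaddress.ip_network(f"{p}/{prefix}", strict=False)] += 1
    return {str(net): n for net, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    nets, rejected = load_ban_list(BAN_LIST_TEXT)
    print("unparseable ban list lines:", rejected)
    print("peers on the ban list:", banned_peers(PEERS, nets))
    print("densely populated /24s:", dense_subnets(PEERS))
```

A non-empty list of unparseable lines after downloading the real file suggests a truncated or altered download and is worth resolving before pointing the node at it.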
4) What is the privacy issue?
Monero uses Dandelion++ for privacy of transactions relayed on its peer-to-peer node network. Dandelion++ provides strong privacy, but even its privacy can be weakened if there are too many spy nodes on the network. An adversary who controls a lot of spy nodes may be able to guess which user’s IP address was the original sender of a Monero transaction.
5) Are more universal fixes possible so that a specific ban list doesn’t have to be used?
In October 2025, a method to reduce the probability of connecting to a spy node was implemented in the Monero node software. “Subnet deduplication” prevents a node from establishing a connection with too many peers that are concentrated in IP address ranges, a technique that spy nodes have used.
In the long term, there may be ways for nodes to verify that their peers are truly running a node instead of just proxying one node through many IP addresses.
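Why a subnet-aware peer choice hurts an adversary who saturates a few subnets can be shown with exact probabilities. The following is an added example using a simplified model (draw a /24 subnet uniformly, then one peer inside it); it is not monerod's actual selection code, and the peer list and resulting figures are constructed, so they do not reproduce the 70 percent result from the MRL simulations.

```python
import ipaddress
from collections import defaultdict
from fractions import Fraction

def subnet_of(ip, prefix=24):
    """Network that contains `ip` at the given prefix length."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def p_spy_uniform(candidates, spies):
    """Chance that one candidate drawn uniformly from the whole list is a spy."""
    return Fraction(sum(c in spies for c in candidates), len(candidates))

def p_spy_dedup(candidates, spies, prefix=24):
    """Chance of a spy when a subnet is drawn first, then one peer inside it."""
    groups = defaultdict(list)
    for c in candidates:
        groups[subnet_of(c, prefix)].append(c)
    total = Fraction(0)
    for members in groups.values():
        spy_share = Fraction(sum(m in spies for m in members), len(members))
        total += Fraction(1, len(groups)) * spy_share
    return total

def sample_peer_list():
    """Constructed list: two saturated spy /24s plus 100 honest peers, one per /24."""
    spies = {f"192.0.2.{i}" for i in range(1, 201)}
    spies |= {f"198.51.100.{i}" for i in range(1, 201)}
    honest = {f"10.{i}.0.1" for i in range(100)}
    return sorted(spies | honest), spies

if __name__ == "__main__":
    candidates, spies = sample_peer_list()
    print("uniform choice :", p_spy_uniform(candidates, spies))
    print("subnet-aware   :", p_spy_dedup(candidates, spies))
```

In this model the adversary's 400 addresses count as only 2 of 102 subnets, so adding more addresses inside the same ranges no longer buys more connections.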
6) Why not block these IP addresses by default in the Monero node software?
Blocking the IP addresses by default is technically possible, but it would set a precedent of blocking IP addresses by a decision making process that is semi-centralized. MRL has decided to ask node operators to block these IP addresses voluntarily instead of by default.
Oh, I didn’t realize there was an update. Good post. I block the entire list in my firewall.


