Time will Tell: Large-scale De-anonymization of Hidden I2P Services via Live Behavior Alignment
Hongze Wang
Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Web Security
The **Invisible Internet Project (I2P)** is an anonymous communication network that protects the identity of both clients and servers through multi-layered encryption and tunnel-based routing. Hidden services hosted on I2P are designed to be unreachable by anyone who does not know their destination address, and even those who access a service should not be able to determine the IP address of the hosting router. This talk presents **I2Perception**, an attack that shatters this anonymity guarantee by exploiting a fundamental side channel: **user behavior patterns**. Because I2P routers go online and offline as users start and stop their software, the on/off pattern of a hidden service inherently correlates with the on/off pattern of its hosting router. By deploying just **15 floodfill routers** to passively collect router information and actively probing target services, the researchers can **uniquely identify the IP address of any hidden I2P service** within days. The attack was validated on a live I2P deployment, and the I2P project has adopted the researchers' proposed mitigations.
AI review
A devastating de-anonymization attack against I2P hidden services that exploits user behavior as a side channel. With just 15 floodfill routers, the attack passively identifies the real IP address of any hidden service by correlating on/off patterns. Elegant, practical, low-footprint, and already extended to Tor. This is top-tier anonymity research.