If you have any Bitcoin locked on Lightning, it’s worth considering taking it out, with researchers demonstrating funds are at risk.

Researchers at Florida International University have demonstrated how Bitcoin’s Lightning Network is the perfect breeding ground for malware botnets – leaving the $6.3 million of Bitcoin currently locked on the network vulnerable.

A worrying paper released by the researchers on Christmas Eve maps out exactly how the attack could occur – essentially providing detailed instructions for would-be malicious actors to follow.

The researchers have even built their own covert hybrid botnet called LNBot to demonstrate how easy and cheap it is to do.

Botnets are large numbers of malware-infected computers that a botmaster controls using Command and Control (C&C) servers.

LNBot’s 100 C&C servers are running on the Bitcoin testnet right now. That’s enough to control a couple of million infected computers.

It’s not expensive to do either, with the cost of running 100 C&C Servers around $400.

What does this mean for the Lightning Network?

Malicious botmasters would be able to make Bitcoin payments from any Lightning nodes under their control which, if it happened, could lead to a collapse in user trust in the network.

With the attack vectors laid out, the race is now on for the Bitcoin community and developers working on the Lightning Network to come up with countermeasures to thwart the attack.

We’ve seen similar occurrences in the past few weeks.

It took just two weeks after Blockonomics identified a simple Bitcoin double spend exploit using the Electrum wallet in early December for Bitcoin Cash proponent Hayden Otto to use the attack against payment network rival TravelByBit.

But the very strengths of Bitcoin’s Lightning Network – anonymous transactions that are censorship-resistant – mean that effective countermeasures are extremely difficult to implement.

What makes Lightning so susceptible for botnet armies then?

In their research paper, the researchers note that it’s difficult for hackers to maintain control over centralised C&C servers without getting caught, due to security measures.

They also detailed other research that attempted to use the Bitcoin or Ethereum networks for botnets however both of these proved to be impractical.

In the case of Bitcoin it was because transactions are exposed on the blockchain making it difficult for botmasters to operate in secret and with Ethereum, a botnet could easily be shut down.

Bitcoin’s Lightning Network however offers mostly anonymous transactions that are not available on a ledger – the transactions are faster and are at low cost.

What the researchers concluded

“In addition to anonymity, LN reduce the fees by performing off-chain transactions,” the paper notes.

“This provides a perfect opportunity for covert communications as no transactions are recorded in the blockchain.

“The idea was to control the C&C servers through messages that are sent in the form of payments through the LN.

“Furthermore, we designed a novel one-to-many architecture for communication. The proof-of-concept implementation of this architecture indicated that LNBot can be successfully created and commands for attacks can be sent to C&C servers through LN with very high anonymity.

“We have also shown that LNBot is resilient to the attacks (countermeasures) assumed in our threat model.”

The researchers said that the decentralised architecture of Lightning means that communications from the C&C server to the botnet army cannot be censored because there’s no one in charge to shut them down.

While its likely the C&C servers on LN will be detected at some point, even if the C&C server is seized it would not reveal the location of/IP address of the botmaster or reveal the other C&C servers (unlike on centralised systems).

All of which makes Lightning the perfect place to build a botnet army.

“For 100 servers, this cost is equal to 0.060462 Bitcoin (around $400 at current Bitcoin price of $6700).

“This is a one-time non-recurring investment cost of forming LNBot with 100 C&C servers which is a very small amount considering the fact that each C&C server can control tens of thousands of bots.”

That’s $436 at today’s Bitcoin price.

‘Don’t put more money on Lightning than you’re willing to lose’

This is not the first time the trouble-plagued Lightning Network has had security issues.

Back in September Lightning Labs told users ‘don’t put more money on Lightning than you’re willing to lose’ after a vulnerability was exploited by hackers.

This is also a great time to remind folks that we have limits in place to mitigate widespread funds loss at this early stage. There will be bugs. Don't put more money on Lightning than you're willing to lose! — Lightning Labs⚡️ (@lightning) September 10, 2019