
How to Detect Monero Spy Nodes in 2026

MoneroSwapper · 11 min read

In 2020 the IRS quietly offered up to $625,000 to anyone who could build a working Monero-tracing tool, and awarded contracts to Chainalysis and Integra FEC that September. Six years later the chain itself still hasn't been cracked — RingCT hides amounts, stealth address technology hides recipients, and ring signatures (soon FCMP++) muddy the sender. So surveillance firms changed targets. Instead of breaking the cryptography, they attack the network layer, and the easiest way in is a "spy node": a public remote node that quietly logs every wallet that connects to it.

If you swap into Monero through a privacy-first service like MoneroSwapper, your on-chain privacy is genuinely strong. But the moment your wallet talks to the wrong remote node, that node can record your IP address, the exact second you broadcast a transaction, and which decoy outputs you requested. None of that breaks Monero's math — it just sidesteps it. This guide shows you how to recognise spy nodes in 2026 and shut the leak down.

What a Monero Spy Node Can Actually See

A remote node is just someone else's copy of the blockchain that your lightweight wallet queries instead of syncing 200+ GB yourself. Convenient — but you are trusting a stranger with your network traffic. The good news is what they cannot see; the bad news is what they can.

  • Cannot see: transaction amounts (hidden by RingCT and Bulletproofs+), your spend key, your real recipient (stealth address), or which ring member is the true input — the key image alone doesn't reveal it.
  • Can see: your IP address, the timestamp you submit a transaction, your wallet's restore height and refresh pattern, and the `get_outs` decoy set your wallet pulls.
  • Can infer: that a given IP is "a Monero user," roughly how many wallets sit behind it, and — by correlating broadcast timing across many nodes — a probabilistic guess at which IP originated a transaction.

That last point is the whole game. A single spy node is mildly nosy. A coordinated cluster of dozens, planted across cheap cloud providers, can build a timing graph that links transactions to IPs with uncomfortable accuracy. This is the metadata that exchanges, chain-analysis vendors, and the occasional academic actually collect.

How Spy Nodes Operate in 2026

The economics are brutal in the surveillance firm's favour. Spinning up 50 monerod instances on Hetzner or OVH costs a few hundred dollars a month. Each one advertises itself on the peer-to-peer layer and on public node lists, waits for wallets to connect, and logs everything to a central database. There is no exploit involved — the protocol is working exactly as designed; the node operator is simply hostile.

The Dandelion++ speed bump

Monero deployed Dandelion++ back in version 0.15 (late 2019) specifically to blunt this. When your wallet broadcasts, the transaction first travels a randomised "stem" path through several peers before "fluffing" out to the whole network. A node that receives your transaction in the stem phase can't be sure you originated it versus relayed it. Dandelion++ is real protection, but it is probabilistic — against an adversary running a large share of the nodes you might connect to, the odds shift back toward them.

Why running many nodes pays off

The more of the public node population an adversary controls, the better their timing correlation works. Community researchers have repeatedly flagged clusters where 30–40% of reachable public nodes traced back to a handful of operators. After Binance delisted Monero on 20 February 2024 and Kraken pulled XMR for EEA users the same year, fewer "honest" exchange-run nodes remained — which, perversely, raises the relative weight of suspicious clusters on the public list.

The cryptography protects what's in your transaction. Node hygiene protects the fact that you sent it. You need both.

Telltale Signs of a Spy Node

You can't read a node's logging config from the outside, so detection is about heuristics and reputation rather than proof. The following signals, especially in combination, mark a node as untrustworthy.

  • Datacenter clustering: many nodes appearing simultaneously inside the same ASN (Hetzner AS24940, OVH AS16276, AWS, DigitalOcean) with near-identical uptime and version strings.
  • Suspiciously permissive RPC: open restricted RPC on port 18089 with wide-open CORS, accepting connections from ancient wallet versions no honest hobbyist would bother supporting.
  • No onion, no I2P: a node that is only reachable on a clearnet IP and discourages Tor connections is a node that wants to see your real address.
  • Aggressive availability: nodes that never seem to ban, never go down, and answer every height — uptime that costs money someone is happy to spend.
  • Inconsistent `get_info`: a reported height or hardfork flag that doesn't match an independent block explorer is a red flag the node is misrepresenting state.

None of these is a smoking gun on its own. A legitimate community node might live in a datacenter too. But when you cross-reference against a maintained ban list and the pattern lines up, treat the node as compromised.

How to Detect and Avoid Spy Nodes: Step by Step

Here is the practical workflow, from the highest-leverage move to the quick checks you can run in five minutes with the standard CLI tools.

  1. Run your own node. This eliminates the problem entirely — no third party sees your traffic because there is no third party. A full monerod node needs ~210 GB and an initial sync, but afterward your wallet only ever talks to localhost.
  2. If you must use a remote node, force it over Tor. Start monerod or your wallet with a `--proxy 127.0.0.1:9050` setting and connect to a `.onion` node. The spy node then logs a Tor exit, not your IP — the single most valuable piece of metadata is gone.
  3. Apply a community ban list. monerod accepts `--ban-list <file>`, a plain text file with one IP address or CIDR block per line. Maintainers like Boog900 publish curated lists of suspected malicious node IPs; load one so your node refuses those peers outright.
  4. Inspect your peers. In the monerod console, run `print_cn` and `print_pl` to dump current connections and the peer list. Check the IPs against their ASNs — a wall of identical Hetzner addresses is a tell.
  5. Cross-check the node isn't lying. Query the node's reported height and compare it to a public block explorer. A mismatch means it is feeding you stale or fabricated chain state.
  6. Prefer nodes with history and onion reachability. Aggregators such as monero.fail rank public nodes; favour ones with long uptime records, Tor/I2P availability, and SSL, and rotate rather than pinning a single stranger.

Comparing Your Connection Options

Most of the spy-node risk comes down to one decision: whose copy of the blockchain does your wallet trust? The table below weighs the three realistic choices.

Option | Pros | Cons
Run your own node | Zero metadata leak; full validation; supports network decentralisation alongside P2Pool | ~210 GB storage; multi-hour initial sync; you maintain it
Trusted remote node over Tor | No storage cost; IP hidden behind Tor; fast to set up | You still trust the operator for chain state; slightly slower; must pick wisely
Random public clearnet node | Instant, zero effort | Leaks your IP and timing; highest chance of hitting a spy node; no accountability

The pattern is simple: convenience and privacy trade off directly. Running your own node is the gold standard; a Tor-fronted trusted remote is the pragmatic middle ground; a random clearnet node is the one surveillance firms are counting on you to pick.

A Real-World Detection Walkthrough

Say you've been handed a public node address — `nodexyz.example:18089` — and you want to vet it before pointing your wallet at it. First you resolve the IP and look up its ASN; it comes back as a Hetzner data-center block. Not damning by itself, but worth noting.

Next you load a community ban list and the IP is already on it, flagged months ago as part of a 20-node cluster with synchronized uptime. You query its `get_info` and the reported height trails a public explorer by several blocks — it is serving slightly stale state. Finally you check for an onion address; there isn't one, and the operator's docs nudge you toward clearnet "for speed." Three independent signals now agree.

The verdict writes itself: don't connect, or if you already have, assume your IP and recent broadcast times were logged. The fix going forward is the same regardless of one node's status — route through Tor and lean on your own node when funds matter. When you bring fresh XMR in through MoneroSwapper, this is exactly the discipline that keeps the swap's privacy from leaking at the network edge.
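The walkthrough above, the telltale-signs list and steps 3 to 6 of the workflow all reduce to the same cross-checks, so here they are as one vetting script. This is an added example, not code from MoneroSwapper or the Monero project: the prefix-to-ASN table, the ban list contents and the `get_info` reply are constructed (RFC 5737 documentation addresses), and a real run would replace the table with a whois/RDAP lookup and fetch `get_info` from the node and the height from an explorer.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed prefix -> ASN table (real vetting would use an RDAP/whois lookup).
# The Hetzner and OVH AS numbers are the ones named in the article; the
# prefixes are RFC 5737 documentation ranges, not real node addresses.
ASN_OF_PREFIX: Dict[str, Tuple[str, str]] = {
    "203.0.113.0/24": ("AS24940", "Hetzner"),
    "198.51.100.0/24": ("AS16276", "OVH"),
    "192.0.2.0/24": ("AS64496", "example residential ISP"),
}
DATACENTER_ASNS = {"AS24940", "AS16276"}

# Constructed ban list in the layout monerod's --ban-list expects:
# one IP address or CIDR block per line; '#' comments are ignored here.
BAN_LIST_TEXT = """# constructed sample, not a published list
203.0.113.0/24
198.51.100.77
"""


def parse_ban_list(text: str) -> list:
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def asn_lookup(ip: str) -> Tuple[Optional[str], Optional[str]]:
    addr = ipaddress.ip_address(ip)
    for prefix, (asn, org) in ASN_OF_PREFIX.items():
        if addr in ipaddress.ip_network(prefix):
            return asn, org
    return None, None


def vet_node(ip: str, get_info: dict, explorer_height: int,
             has_onion: bool, ban_nets: list, max_lag: int = 2) -> dict:
    """Apply the article's independent signals and return them with a verdict."""
    signals = []
    asn, org = asn_lookup(ip)
    if asn in DATACENTER_ASNS:
        signals.append(f"hosted in datacenter ASN {asn} ({org})")
    if any(ipaddress.ip_address(ip) in net for net in ban_nets):
        signals.append("listed on community ban list")
    lag = explorer_height - get_info.get("height", 0)
    if lag > max_lag:  # tolerance of a couple of blocks is an assumption
        signals.append(f"get_info height trails explorer by {lag} blocks")
    if not has_onion:
        signals.append("clearnet only, no onion address advertised")
    # Threshold is an assumption: three agreeing signals, as in the walkthrough.
    verdict = "avoid" if len(signals) >= 3 else "caution" if signals else "no red flags"
    return {"asn": asn, "signals": signals, "verdict": verdict}


if __name__ == "__main__":
    bans = parse_ban_list(BAN_LIST_TEXT)
    # Constructed get_info reply for nodexyz.example; explorer is at 3420000.
    report = vet_node("203.0.113.10", {"height": 3419994}, 3420000, False, bans)
    print(report["verdict"], report["signals"])
```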

Spy Nodes Versus Other Network Attacks

It's worth separating spy nodes from the other network-layer threats they get confused with, because the defences differ. A spy node is passive: it logs and reports, but it plays by the rules. The more aggressive attacks try to manipulate what your node sees.

  • Eclipse attack: an adversary surrounds your node with peers they control, so you only see the chain they choose to show you. A loaded ban list and a healthy, diverse peer set are the main mitigations.
  • Sybil attack: flooding the peer-to-peer network with many fake identities to dominate connections — the same cluster behaviour that powers large-scale spy operations.
  • Hashrate/consensus pressure: distinct from nodes entirely, but relevant to trust. In August 2025 the Qubic pool briefly approached a dangerous share of Monero's RandomX hashrate, reviving fears of selfish-mining and reorgs. P2Pool exists precisely to keep mining decentralised and reduce that risk.

Spy nodes are the most common and most underestimated of these because they require no skill — just a budget and patience. That's also what makes them easy to neutralise once you know the signals.

FAQ

Can a Monero spy node steal my coins?

No. A remote node never touches your spend key, which stays in your wallet, so it cannot move or sign for your funds. The risk is purely metadata — your IP address and transaction timing — not theft. Always combine a trusted node with a wallet you control.

Does using a remote node deanonymise my transactions on-chain?

Not the on-chain part. RingCT, stealth addresses, and ring signatures still hide amounts, recipients, and the true sender from anyone reading the blockchain. A spy node only learns network-layer facts: that your IP is a Monero user and roughly when you transacted. That metadata is the leak, and Tor closes it.

Is running my own node really necessary in 2026?

It is the only option that leaks nothing, so for serious privacy it is strongly recommended. If storage or bandwidth makes that impractical, connecting to a reputable remote node over Tor gets you most of the protection. The setup most adversaries exploit is a casual user on a random clearnet node.

Will FCMP++ or Seraphis fix the spy node problem?

Not directly. FCMP++ and the Seraphis/Jamtis next-generation address scheme strengthen on-chain privacy — they replace ring signatures with full-chain membership proofs and improve the wallet model. Spy nodes attack the network layer, which those upgrades don't touch, so Dandelion++, Tor, and your own node remain the relevant defences.

How do I know if a public node list is trustworthy?

Prefer aggregators that show node history, onion reachability, and uptime rather than a bare IP dump. Cross-reference any candidate against a community-maintained ban list before connecting. When in doubt, rotate between several onion nodes instead of pinning one stranger indefinitely.

Conclusion

Monero's cryptography has held up against a six-figure government bounty and years of chain-analysis effort. That is precisely why the surveillance pressure moved to the network layer, where a cheap fleet of spy nodes can harvest IPs and timing without breaking a single proof. Detecting them is less about clever forensics and more about hygiene: know what a node can see, watch for datacenter clustering and clearnet-only operators, apply a ban list, and verify rather than trust.

The strongest move is still the simplest — run your own node, or front a trusted remote with Tor so your IP never leaves your machine. Do that, and the metadata leak that spy nodes depend on simply isn't there to collect. Whether you're consolidating outputs or bringing new XMR in through MoneroSwapper, pair strong on-chain privacy with disciplined node selection, and the whole picture stays private from the cryptography down to the packets.
