Fifty Shades of Darknet
For security researchers and defenders, this paper reveals a previously uncharacterized attack surface in I2P that malware can exploit for stealthy command-and-control.
The paper identifies a covert sublayer within I2P, called the Exclusive Network, where nodes host services without publishing to the network database. In a testbed, such nodes survived floodfill queries with zero database hits while remaining accessible, enabling persistent malware C2 operations.
The Invisible Internet Project (I2P) is a peer-to-peer anonymous overlay network whose architecture includes a structurally distinct sublayer not characterized in existing security literature. We term this sublayer the Exclusive Network: nodes here host operational services and draw on I2P's routing resources, but publish no RouterInfo record to the network's distributed database (NetDB). In a controlled three-node testbed, we demonstrate that an Exclusive Network node survives sequential floodfill queries from a pool of routers with zero NetDB hits, while its hosted service remains continuously accessible to authorized peers. This property is exploitable by documented I2P-based malware, for example, I2PRAT (RATatouille), for persistent command-and-control operations against national assets or corporate networks. The structure is analogous to nation-state Operational Relay Box (ORB) infrastructure. The existence of this sublayer, together with the inability of top-down empirical mapping to characterize it, motivates a move toward formal analytical methods to understand the emergence and behavior of covert networks within I2P.