Monero Isn’t Bulletproof: Meet XMRPot - The Honeypot Proxy for Passive Surveillance

May 18, 2025 - By Cristian Sindile

Most people treat Monero like it’s a black box. They assume once they hit "send", it’s all invisible. Anonymous. Untouchable.

But Monero’s privacy guarantees start at the protocol level - not the network level. And that’s where most people get exposed.

We built a tool to show how.

🔥 Enter XMRPot - a honeypot proxy designed to look like a public Monero remote node.

Except it’s not.

  • It doesn’t mine.
  • It doesn’t broadcast honestly.
  • It doesn’t care about helping the network.

What it does do is log every connection that comes through:

  • IP address
  • Endpoint requested
  • Raw POST data
  • Response returned
  • Timestamps

All of it - Base64-encoded and archived.
In short: it’s a silent observer.

🎯 What Does It Do?

XMRPot acts as a fake Monero node that forwards requests to a real upstream node while recording everything in the middle.

It exposes two hidden routes (secured via UUID):

  1. /monitor/ - dumps all logged request data
  2. /statistics/ - returns summarized analytics:
    • Total requests.
    • Unique IPs.
    • Per-route usage breakdown.

No authentication. No complexity. Just spin it up and watch.

🧠 How It Works (Technical Breakdown)

1. Proxy Handling

    • It proxies any whitelisted Monero RPC endpoint to an upstream node.
    • It supports both GET and POST methods.
    • Unsupported routes return 404.

2. Logging

Each proxied request is recorded with:

    • IP (via X-Forwarded-For or remote address).
    • Requested endpoint.
    • Sent data.
    • Received data.
    • Status code.
    • Timestamp.

Logs are stored in a flat "request_log.json" file (JSON array of entries).
All data is Base64 encoded to preserve binary payload integrity.

3. Monitoring and Statistics

    • /monitor/ - Dumps full log of actions.
    • /statistics/ - Returns a summary:
      • Unique IP count.
      • Request counts per route.
      • Total request volume.
      • Deployment.

4. Running the Tool

    • Run with: "python3 xmrpot.py" and that's it.
    • Listens on 0.0.0.0:18081 by default.
    • You get a randomized UUID for accessing sensitive routes on startup.
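
To make the exposure concrete, here is an added example (not code from the XMRPot repository) that decodes a log of the shape described under "Logging" and rebuilds the kind of summary listed for /statistics/, plus a per-IP timeline. The field names, the timestamp format, which fields are Base64-encoded, and the sample entries are all assumptions constructed for illustration.

```python
import base64
import json
from collections import Counter, defaultdict

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample log. Field names, timestamp format and which fields are
# Base64-encoded are assumptions; the article only says the file is a JSON
# array of entries and that the data is Base64-encoded.
ROWS = [
    ("203.0.113.7", "/get_info", "", "2025-05-18T10:00:01Z"),
    ("203.0.113.7", "/getblocks.bin", "\x01binary", "2025-05-18T10:00:02Z"),
    ("198.51.100.23", "/get_info", "", "2025-05-18T10:03:40Z"),
    ("203.0.113.7", "/sendrawtransaction", '{"tx_as_hex":"(placeholder)"}',
     "2025-05-18T10:05:13Z"),
]
SAMPLE_LOG = json.dumps([
    {"ip": b64(ip), "endpoint": b64(ep), "sent": b64(body),
     "received": b64("{}"), "status": 200, "timestamp": b64(ts)}
    for ip, ep, body, ts in ROWS
])

def decode_entry(entry):
    """Base64-decode every string field; payloads may be binary, so keep bytes."""
    out = {}
    for key, value in entry.items():
        if isinstance(value, str):
            raw = base64.b64decode(value)
            out[key] = raw if key in ("sent", "received") else raw.decode()
        else:
            out[key] = value
    return out

def summarize(log_json):
    """Totals of the kind the article lists for /statistics/."""
    entries = [decode_entry(e) for e in json.loads(log_json)]
    return {
        "total_requests": len(entries),
        "unique_ips": len({e["ip"] for e in entries}),
        "per_route": dict(Counter(e["endpoint"] for e in entries)),
    }

def timeline_by_ip(log_json):
    """Per-IP ordered (timestamp, endpoint) pairs: the metadata a client leaks."""
    seen = defaultdict(list)
    for e in map(decode_entry, json.loads(log_json)):
        seen[e["ip"]].append((e["timestamp"], e["endpoint"]))
    return {ip: sorted(events) for ip, events in seen.items()}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(timeline_by_ip(SAMPLE_LOG))
```

Even with every payload ignored, the timeline alone ties one address to a sequence of wallet actions and the moments they happened, which is the exposure that running your own node removes.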

🧨 Why This Matters

Monero’s protocol is strong - no question.

But the network layer is full of holes.
If you connect to a malicious remote node (like this one), your metadata is exposed:

  • Home IPs.
  • Timing correlation.
  • Potential to fingerprint wallet behavior.

Most users never verify what node they’re talking to. They trust random ones. And trust, in a privacy system, is the biggest vulnerability.

🔗 Source

Tool source code:
👉 github.com/covertsecurity/xmrpot

If you care about privacy, run your own node.
If you're curious what people leak when they don’t pay attention - now you can watch.