A routing attack is a network-level exploit where an adversary manipulates the paths data travels across the internet, redirecting, intercepting, or delaying traffic without the parties' knowledge. In blockchain and cryptocurrency systems, routing attacks pose a serious infrastructure threat because they operate below the application layer, so smart contract auditing or wallet security alone cannot fully neutralize them.
The internet does not move data along fixed lines. Instead, it relies on dynamic routing protocols that continuously announce and update paths between networks. The dominant protocol is the Border Gateway Protocol (BGP), which acts as the internet's global postal sorting system. Networks, called Autonomous Systems (ASes), use BGP to broadcast the IP address ranges they control and learn how to reach other networks.
BGP was designed when trust between network operators was taken for granted and has no native way to verify if a route announcement is legitimate. Any AS can announce it "owns" IP address space it does not control. When other routers receive and propagate this false announcement, large volumes of internet traffic redirect to the attacker's infrastructure. This is the core mechanism behind a BGP hijack, the most common routing attack.
Researchers at ETH Zurich identified two primary categories of routing attacks that bear directly on blockchain networks, both demonstrated against Bitcoin in a landmark 2017 study.
A partition attack splits a blockchain network into two or more isolated parts by hijacking the IP prefixes used by targeted nodes. Once isolated, each side mines its own chain in parallel. When the attack ends and the network reconnects, the shorter chain and its transactions are discarded, and any mining rewards earned during the split are erased. ETH Zurich research showed that hijacking fewer than 100 BGP prefixes could isolate about 50% of Bitcoin's mining power, highlighting how centralized the network's routing footprint is.
A delay attack is subtler. An on-path attacker, whose network naturally carries traffic to or from a Bitcoin node, can interfere with specific protocol messages to slow block propagation by up to 20 minutes while remaining undetected. The delay creates windows for double-spending and causes honest miners to waste resources on blocks that will be orphaned.
Beyond disrupting network topology, routing attacks have been used as direct theft tools against cryptocurrency users. In these cases, attackers do not just observe or delay traffic; they redirect users to fraudulent infrastructure designed to drain funds.
In April 2018, attackers hijacked a portion of Amazon's Route 53 DNS infrastructure via a BGP hijack and used it to serve a forged version of MyEtherWallet.com. Users who logged into what appeared to be a legitimate website had their Ethereum drained from their wallets. The attack resulted in approximately $150,000 in losses.
In August 2022, the Celer Bridge suffered a similarly structured attack. The attacker prepared by deploying malicious smart contracts on Ethereum, Binance Smart Chain, and Polygon several days in advance. They then created a fraudulent entry in an Internet Routing Registry, announced a more specific IP route that routers naturally preferred over the legitimate one, and obtained a valid TLS certificate for the Celer Bridge subdomain by temporarily controlling the corresponding IP address. Users who visited the bridge were served a manipulated frontend that redirected their funds to the attacker's contracts. Losses reached approximately $235,000. Shortly before this incident, attackers had used a similar BGP hijack against the KLAYswap exchange in South Korea, making off with over $2 million.
In a separate, widely documented case from 2014, attackers used BGP hijacking to redirect cryptocurrency miners away from their legitimate mining pools. The redirected miners continued receiving work assignments and expending hashing power, but all block rewards flowed to the attacker. Researchers traced the malicious announcements to a single router at a Canadian ISP and documented 51 compromised networks across 19 service providers, including major hosting platforms.
Blockchain networks are attractive targets for routing attacks for several structural reasons. First, the routing footprint of major networks like Bitcoin is highly concentrated. A large share of nodes and mining infrastructure sits within a few ASes, so a modest BGP hijack can affect much of the network. Second, blockchain transactions are irreversible. Unlike bank transfers that can be reversed after fraud, confirmed cryptocurrency transactions cannot be recalled, making manipulation especially consequential. Third, the peer-to-peer architecture means no central operator can detect anomalous routing behavior in real time.
Defending against routing attacks requires action at multiple network layers. At the routing protocol level, Resource Public Key Infrastructure (RPKI) is a cryptographic framework that lets IP address holders publish signed certificates, called Route Origin Authorizations (ROAs), stating which ASes can announce their prefixes. Routers performing RPKI Route Origin Validation (ROV) can reject announcements lacking a valid ROA or conflicting with one. The Celer Bridge attack showed both the value and limits of RPKI: the attacker bypassed it by appending a legitimate Amazon ASN to the spoofed route's path, making the announcement appear valid.
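The ROV decision described above, written out as an added example (not code from the page or from any RPKI validator project). It assumes constructed ROAs using documentation prefixes and private-use ASNs, with AS 64496 as the legitimate holder and AS 64511 as the hijacker, and shows why a forged path that ends in the legitimate origin ASN passes origin validation while a tighter maxLength still rejects the more-specific prefix:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # prefix the holder authorises, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the origin AS may announce
    origin_asn: int  # AS authorised to originate the prefix


def rov_state(announced_prefix: str, as_path: list, roas: list) -> str:
    """Route Origin Validation as in RFC 6811: 'valid', 'invalid' or 'not-found'.

    Only the origin AS (rightmost element of the AS path) is checked against the
    ROAs covering the announced prefix; the rest of the path is never validated.
    """
    net = ipaddress.ip_network(announced_prefix)
    origin = as_path[-1]
    covering = [
        r for r in roas
        if ipaddress.ip_network(r.prefix).version == net.version
        and net.subnet_of(ipaddress.ip_network(r.prefix))
    ]
    if not covering:
        return "not-found"
    for r in covering:
        if r.origin_asn == origin and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


# Constructed ROAs (assumption): same holder, loose vs tight maxLength.
ROAS_LOOSE = [ROA("192.0.2.0/24", 25, 64496)]
ROAS_TIGHT = [ROA("192.0.2.0/24", 24, 64496)]


def scenarios() -> dict:
    """Legitimate route, naive hijack, forged-path hijack, and the tight-ROA variant."""
    return {
        "legit":        rov_state("192.0.2.0/24", [64500, 64496], ROAS_LOOSE),
        "naive_hijack": rov_state("192.0.2.0/25", [64500, 64511], ROAS_LOOSE),
        # hijacker announces a more-specific and puts the holder's ASN at the origin
        "forged_path":  rov_state("192.0.2.0/25", [64500, 64511, 64496], ROAS_LOOSE),
        "forged_tight": rov_state("192.0.2.0/25", [64500, 64511, 64496], ROAS_TIGHT),
        "unrelated":    rov_state("198.51.100.0/24", [64511], ROAS_LOOSE),
    }
```

The "forged_path" case is the weakness the Celer incident exploited: ROV cannot tell that AS 64511 has no business sitting next to AS 64496, which is what path validation schemes (BGPsec, ASPA) aim to add.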
At the network monitoring level, continuous observation of BGP routing tables can surface anomalies such as unexpected new announcements for known IP ranges, sudden changes in AS path length, or the appearance of more-specific prefix announcements that displace established routes. Tools and initiatives such as MANRS (Mutually Agreed Norms for Routing Security) provide a community framework for network operators and Internet Exchange Points to implement filtering, anti-spoofing, and global route validation practices that reduce the propagation of malicious announcements.
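The anomaly checks listed above, as an added example run over a constructed feed of BGP updates (this is illustrative code, not the page's or any monitoring tool's own logic). The baseline, prefixes, ASNs and update records are all assumptions; the checks flag a more-specific announcement, an origin change, an unexpected upstream next to a legitimate origin, and an abrupt change in AS-path length:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple  # ASNs as seen by the collector; the origin AS is last


# Constructed baseline (assumption) for prefixes we operate: expected origin,
# the transit ASes that normally sit directly in front of it, and the usual
# AS-path length seen from this vantage point.
BASELINE = {
    "192.0.2.0/24":     {"origin": 64496, "upstreams": {64498, 64499}, "path_len": 3},
    "198.51.100.0/24":  {"origin": 64496, "upstreams": {64498, 64499}, "path_len": 3},
}


def check_announcement(ann, baseline=BASELINE, max_len_delta=2):
    """Compare one BGP update with the baseline and return a list of alert tags."""
    alerts = []
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    for known, expect in baseline.items():
        known_net = ipaddress.ip_network(known)
        if net.version != known_net.version or not net.subnet_of(known_net):
            continue  # this update does not touch the monitored prefix
        if net.prefixlen > known_net.prefixlen:
            alerts.append("more_specific")      # wins best-path over our own route
        if origin != expect["origin"]:
            alerts.append("origin_change")
        elif len(ann.as_path) >= 2 and ann.as_path[-2] not in expect["upstreams"]:
            alerts.append("unexpected_upstream")  # legit origin reached via a stranger
        if abs(len(ann.as_path) - expect["path_len"]) >= max_len_delta:
            alerts.append("path_length")
    return alerts


def scan(updates, baseline=BASELINE):
    """Run every update through the checks; keep only those that raised alerts."""
    flagged = []
    for u in updates:
        alerts = check_announcement(u, baseline)
        if alerts:
            flagged.append((u.prefix, alerts))
    return flagged


# Constructed sample feed (assumption): normal update, classic hijack,
# forged-path hijack with the real origin ASN, and an unrelated prefix.
UPDATES = [
    Announcement("192.0.2.0/24", (64500, 64499, 64496)),
    Announcement("192.0.2.0/25", (64500, 64511)),
    Announcement("198.51.100.0/24", (64500, 64511, 64496)),
    Announcement("203.0.113.0/24", (64500, 64511)),
]
```

The "unexpected_upstream" check is what catches a route whose origin ASN looks correct but whose path was forged; it only works if the baseline of legitimate upstreams is kept current.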
At the application layer, blockchain clients can adopt encrypted transport protocols such as TLS and QUIC to make traffic interception less useful even when routing is compromised. Randomizing peer connections and using relay infrastructure hosted in networks with strong routing security properties, an approach demonstrated by the SABRE relay system from ETH Zurich, further reduces the leverage an attacker gains from any single BGP manipulation.