Abstract
Blockchain technologies are widely promoted as enabling privacy and censorship resistance through decentralization. In practice, however, these properties are shaped not only by the underlying cryptographic protocols, but also by the network-facing behavior of the client software through which users access blockchain networks. We present the first systematic study of DNS resolution behavior in cryptocurrency client software, showing that this behavior produces application-specific fingerprints observable by passive network intermediaries. We characterize these fingerprints across 303 versions of 40 applications and validate their real-world observability using global passive DNS records and enterprise URL filtering logs from a major network security provider.
Our results show that DNS resolutions during routine cryptocurrency application use exhibit application-specific patterns that allow intermediaries to identify the application in use and infer sensitive user behavior. These findings reveal a gap between the privacy expectations commonly associated with blockchain-based applications and the passive visibility they afford to network operators.