I think there are some nodes, which IPs are tagged as malicious by MalewareBytes. This message pops up many times, when using Torrent, too.
I think you are right:
The Malwarebytes Anti-Malware web protection is typically activated when a website loads your browser and links embedded attempt to access an IP range which our research has found to deliver malicious content to users when they access a website which is on the IP range indicated. If the alerts only appear when you are surfing with a browser open then the possible trigger is a banner ad.
Users who run peer-to-peer(P2P) programs will see these alerts frequently. Due to the heavy amount of malicious content on these networks we block most by default, until cleaned of all threats.
The explanation above about P2P is BS though, P2P comes from primarily end-user IP space, and ad content from content delivery networks.
Just looking at the forum where they completely ignore the actual issue, and as a hurdle to providing support cut-and-paste instructions to run (registry-hosing) ccleaner and publicly posting an intrusive system scan dump, makes me very wary of their software. I have previously used this software as one of many to detect malware, but like just about every AV, they've turned to bloated crap.
If an AV company actually set up a honeypot and characterized malicious Bitcoin port traffic sources, and based per-app blocking rules on this, it could be a useful service, but this looks like they are messing with your internet just so they can pop up a window to remind you that their software is doing something for your annual credit card charge.
