What risks come with using a public Bitcoin node for handling your transactions?

[darkwebdeveloper]

What are the significant privacy and security risks associated with using a public Bitcoin node for processing transactions, and how might these risks impact user anonymity and transaction security?

[Charles-Tim]

You mean wallets that are depending on central servers to synchronize. Your IP addresses and wallet addresses can be known by the central servers. Although, if you use Tor with the wallet, the IP address is not known but still your bitcoin addresses would be known. That is why people that wants privacy are advised to run their own node with Tor instead.

[Zaguru12]

If what you mean by public node is actually those SPV clients like electrum the major danger is privacy which the fact that while connected to a third party server your IP will be exposed although you can hide by using Tor but also all your address will be collected and could be accessed if a large number of funds are on it then you’re at risk of been monitored or targeted by bad people. This is only for most open source wallets. Closed source are even worse off as they can collect more.

Another security challenge is, if the node you connect is a single node and not multiple nodes that SPV clients connect to then it can pose risk of feeding you with wrong information or data when you sync if it is broken.

[satscraper]

Public nodes may be run by surveillance agencies ( and I’m sure most of them are already run by bodies subjected to government). Thus, by connecting your SPV client to such nodes you in fact  sacrifice the sensitive data (like balances, active addresses,  history of transactions which may be easily reconstructed, end even personally identifiable information if some of those addresses where previously involved into routines that requiered KYC ).

Thus I would advocate the connection to  own bitcoin node rather than to public one.

[Findingnemo]

What are the significant privacy and security risks associated with using a public Bitcoin node for processing transactions, and how might these risks impact user anonymity and transaction security?

Connecting to the third-party node will not compromise the security of the transaction in any way, so you no need to worry about the funds you are sending to someone who will be at any risk if the transaction has been confirmed already.

But the privacy part which has been explained already, your IP will be exposed which can be avoided by connecting via TOR and all the addresses will be known to the node that you connect.

What else it will cause is, you always have to rely on someone to validate your transactions that is why it is advised to run your own node.

[Charles-Tim]

Another security challenge is, if the node you connect is a single node and not multiple nodes that SPV clients connect to then it can pose risk of feeding you with wrong information or data when you sync if it is broken.

Connecting to a single server manually or setting it as automatic to connect to any available servers has no security challenges. Nodes information are valid. The only problem I have noticed if you connect to a single server is that the server may not be available and that will not make your wallet synchronized with the blockchain. If that is what you meant, you will know on your wallet that the wallet is not synchronizing with the blockchain.

[o_e_l_e_o]

Connecting to a single server manually or setting it as automatic to connect to any available servers has no security challenges. Nodes information are valid.

And how do you verify that without running your own node?

If I connect to a single third party node, that node can feed me fake transactions and fake balances and I have no way of validating that information and discovering it is fake. Connecting to multiple nodes lessens this risk, but you still cannot completely verify that all these nodes aren't malicious and aren't all sending you fake data. Only by running your own node and validating everything yourself can you be certain.

[Pmalek]

If I connect to a single third party node, that node can feed me fake transactions and fake balances and I have no way of validating that information and discovering it is fake. Connecting to multiple nodes lessens this risk, but you still cannot completely verify that all these nodes aren't malicious and aren't all sending you fake data. Only by running your own node and validating everything yourself can you be certain.

I have heard about this several times before, but I don't remember a case where this was used to scam someone and make them think, for example, that a transaction was made, when it wasn't. How big of a threat is this realistically, not just in theory? In other words, do you know of any cases where someone was scammed by node operators feeding them wrong data, which they trusted and couldn't/didn't verify otherwise? 

[o_e_l_e_o]

How big of a threat is this realistically, not just in theory?

For SPV wallets like Electrum or Sparrow, the risk is very small. This is because an SPV wallet still downloads headers, so an attacker would still have to have the ability to fake a valid header which involves mining a fake block (and therefore losing the block reward), as well as have the ability to control the multiple nodes these wallets connect to. I'm also not aware of any such attacks on such wallets.

For wallets which depend entirely on one company's servers or nodes though, or closed source wallets that could be doing anything at all, like Trust wallet, Coinomi, Atomic, and so on, then the risk is significant. We have seen endless numbers of users losing coins from using these wallets, and it would be near impossible to prove that such an attack was responsible for any of these losses.