Researchers at the University of California San Diego and the University of Maryland have revealed a concerning vulnerability: a significant portion, approximately half, of data transmissions from GEO satellites are unencrypted.

Furthermore, their findings indicate that intercepting this unencrypted data is surprisingly affordable, requiring only around $800 worth of commercially available hardware.

As reported by WIRED, the research team successfully captured various types of data, including telecommunications backhaul, industrial control system communications, and even law enforcement transmissions. Where possible, they informed the affected service providers about the security flaws.

UCSD’s Systems and Networking research group is presenting its findings in a paper titled “Don’t Look Up” at the CCS 2025 conference in Taipei. This highlights that the issue is a verified and peer-reviewed security concern, not merely an academic curiosity. The exploitation method targets older satellite backhaul systems and is not specific to any single application layer.

Importantly, the study was limited to satellites visible from San Diego, suggesting that the problem could be much more widespread globally.

Bitcoin in space: Emerging Risks from Affordable Technology

For Bitcoin mining operations and pools located in remote areas, this vulnerability directly impacts the security of their Stratum protocol communications.

Stratum serves as the communication bridge between miners and mining pools, facilitating the distribution of work, collection of mining results, direction of computational power, and allocation of rewards.

Historically, Stratum V1 deployments often relied on unencrypted TCP connections. Unless operators actively enabled TLS encryption, pool endpoints, miner identifiers, and job templates were transmitted in the clear, making them vulnerable during satellite communication backhaul.
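To make the exposure concrete, the following added example (not from the article or the study) inventories what a plaintext Stratum V1 session discloses, so an operator can run it over a capture of their own miner traffic. It assumes the standard newline-delimited JSON-RPC framing of Stratum V1; the sample session, worker name and job values are constructed.

```python
import json

def _line(method, params, msg_id=None):
    """Serialize one Stratum V1 JSON-RPC message as it appears on the wire."""
    return json.dumps({"id": msg_id, "method": method, "params": params})

# Constructed session; every name and value below is invented.
SAMPLE = [
    _line("mining.subscribe", ["examplefw/1.0"], 1),
    _line("mining.authorize", ["site7.rig042", "x"], 2),
    _line("mining.set_difficulty", [65536]),
    _line("mining.notify", ["job51", "00" * 32, "01", "02", [],
                            "20000000", "1703ffff", "68f0a000", True]),
    _line("mining.submit", ["site7.rig042", "job51", "0000002a",
                            "68f0a000", "1b2c3d4e"], 3),
    '{"id": 4, "method": "mining.sub',  # truncated frame, as a lossy link produces
]

def exposure_report(lines):
    """Summarize what plaintext Stratum V1 lines disclose to anyone on the path."""
    seen = {"client_software": set(), "miner_identifiers": set(), "job_ids": set()}
    difficulty, shares, unparsed = [], 0, 0
    for raw in lines:
        try:
            msg = json.loads(raw)
            method, params = msg.get("method"), msg.get("params")
        except (ValueError, AttributeError):
            unparsed += 1  # malformed or non-object line; count it, keep going
            continue
        if not isinstance(params, list) or not params:
            continue  # responses carry no method/params to classify
        if method == "mining.subscribe":
            seen["client_software"].add(str(params[0]))
        elif method == "mining.authorize":
            seen["miner_identifiers"].add(str(params[0]))
        elif method == "mining.set_difficulty":
            difficulty.append(params[0])
        elif method == "mining.notify":
            seen["job_ids"].add(str(params[0]))
        elif method == "mining.submit" and len(params) >= 2:
            seen["miner_identifiers"].add(str(params[0]))
            seen["job_ids"].add(str(params[1]))
            shares += 1
    report = {key: sorted(values) for key, values in seen.items()}
    report.update(difficulty=difficulty, shares_submitted=shares, unparsed=unparsed)
    return report
```

If the same capture taken after enabling TLS or Stratum V2 yields only unparsed lines, the link no longer carries readable Stratum messages.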

The newer Stratum V2 specification addresses this issue by incorporating authenticated encryption by default, using a Noise handshake and AEAD ciphers. This approach prevents passive interception and strengthens integrity against malicious share hijacking attempts that rely on upstream traffic manipulation.

According to the Stratum V2 security spec, operators can utilize a translation proxy to connect older mining equipment, eliminating the need for firmware upgrades on ASICs to enable encryption.

It is important to note that this satellite vulnerability does not affect every system that uses “Bitcoin over space.”

Blockstream Satellite, which broadcasts public Bitcoin block data as a one-way downlink, and its Satellite API, which supports encrypted messages from senders, operate differently. They are not the same as GEO backhaul, which transmits private control traffic.

According to Blockstream, their service aims to improve network resilience for receiving blocks in areas with limited internet access and is not designed to transmit pool credentials or miner control sessions. Blockstream’s May network update confirms ongoing operations, including frequency changes. The update does not change the threat model for Stratum connections that miners control.

Cost considerations are a factor in security upgrades. The total Bitcoin hashrate is near 1.22 exahashes per second (EH/s), and recent miner economics placed hashprice around $51 per petahash per day in late September, with the forward curve projecting figures in the high-forties to low-fifties for the first half of 2026.

According to Hashrate Index, the updated Q4 2025 heatmap details country shares, which can help infer where satellite backhaul is more prevalent due to limitations with terrestrial infrastructure. In the current revenue environment, operators closely manage operating costs. However, the primary expense associated with transport encryption is engineering effort, not new hardware, which makes near-term security hardening more achievable.

A basic sensitivity model helps illustrate the potential risks if parts of the network still use unencrypted Stratum V1 connections via satellite.

Security Modeling

Let H represent the total hashrate, approximately 1,223 EH/s. We define p_sat as the percentage of hashrate using satellite backhaul, p_geo as the percentage using GEO satellites rather than encrypted LEO satellites or terrestrial connections, and p_v1 as the percentage still using Stratum V1 without TLS.

The hashrate at risk can be calculated as: H × p_sat × p_geo × p_v1. The scenarios below demonstrate the magnitude of the potential exposure and the value of migrating to TLS or Stratum V2.

| Scenario | Assumptions (p_sat / p_geo / p_v1) | EH/s at confidentiality risk |
| --- | --- | --- |
| Low | 0.5% / 30% / 20% | 0.37 |
| Base | 1% / 50% / 40% | 2.45 |
| High | 3% / 60% / 50% | 11.01 |
| Worst-case | 5% / 60% / 60% | 22.01 |

The operational recommendations are straightforward, based on the protocol stack.

First, enforce TLS encryption across all Stratum V1 endpoints and the routers that front them. Then, prioritize Stratum V2 for new connections and implement an SV1→SV2 translation proxy where hardware limitations exist.
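One way to check a site against this recommendation is to audit the miner's pool list, including failover entries, which are easy to overlook. This is an added example, not code from the article: it assumes a cgminer-style JSON config with a `pools` array, and the URL scheme names are conventions used by common miner software rather than anything the article specifies. Hostnames and worker names are constructed.

```python
import json

# Assumed scheme conventions (not from the article): plain TCP, TLS-wrapped V1,
# and a Stratum V2 scheme whose channel is encrypted by the Noise handshake.
TRANSPORT = {
    "stratum+tcp": "plaintext-v1",
    "stratum+ssl": "tls-v1",
    "stratum+tls": "tls-v1",
    "stratum2+tcp": "sv2-noise",
}
ALLOWED = {"tls-v1", "sv2-noise"}

# Constructed config: TLS primary, plaintext failover, and a scheme-less entry.
SAMPLE_CONFIG = json.dumps({"pools": [
    {"url": "stratum+ssl://pool.example.net:3334", "user": "site7.rig042", "pass": "x"},
    {"url": "stratum+tcp://backup.example.net:3333", "user": "site7.rig042", "pass": "x"},
    {"url": "pool.example.org:3333", "user": "site7.rig042", "pass": "x"},
]})

def audit_pools(config_text):
    """Classify the transport of every configured pool, primary and failover."""
    findings = []
    for index, pool in enumerate(json.loads(config_text).get("pools", [])):
        url = pool.get("url", "")
        if "://" in url:
            scheme = url.split("://", 1)[0].lower()
            transport = TRANSPORT.get(scheme, "unknown")
        else:
            transport = "unspecified"  # no scheme: cannot be assumed encrypted
        findings.append({"index": index, "url": url, "transport": transport,
                         "role": "primary" if index == 0 else "failover"})
    return findings

def policy_violations(findings):
    """Allowlist policy: anything not known to be encrypted is a violation."""
    return [f for f in findings if f["transport"] not in ALLOWED]

if __name__ == "__main__":
    for finding in policy_violations(audit_pools(SAMPLE_CONFIG)):
        print(finding["role"], finding["url"], finding["transport"])
```

The plaintext failover is the case to watch: the primary passes the check, but a link outage would move the miner onto the unencrypted entry without any change to the config.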

TLS 1.3 handshakes are completed in a single round trip, and real-world measurements have shown minimal CPU and network overhead on modern systems.

The performance cost is limited in most situations, addressing a common concern for remote sites that monitor latency and resource utilization. According to the Stratum V2 specification, authenticated encryption protects both the confidentiality and integrity of channel messages, eliminating the easy opportunity for passive eavesdroppers that the satellite study uncovered.

Backhaul Choices Extend Beyond Header Encryption

When possible, operators should avoid using older GEO satellites. Switching to an encrypted LEO service or a terrestrial connection will lower the risk of interception, though these transport methods do not replace sound endpoint security practices.

If using GEO remains necessary, enforce encryption at every stage of communication, disable insecure management interfaces on satellite modems, and actively monitor for anomalies in share patterns and endpoint behavior that could indicate interference.

The research from UCSD and UMD demonstrates that intercepting downlink data is cheap and easily achievable using common hardware, challenging the assumption that radio links are secure due to physical distance from potential attackers.

Following the disclosure, providers, including T-Mobile, have addressed specific findings, demonstrating that remediation is feasible once the vulnerabilities are identified.

Can This Be Fixed?

The coming year will reveal how quickly mining pools and miners adopt encrypted transport. A “secure by default” approach, where pools only accept V1 connections over TLS and broadly promote V2 adoption, represents one solution. Translation proxies can facilitate the transition for older equipment, shrinking the window of opportunity for interception.

A slower approach would leave a long tail of unencrypted or partially encrypted sites, presenting ongoing opportunities for malicious actors with uplink interference capabilities.

A third approach might involve resisting change and relying on obscurity, a strategy that becomes increasingly difficult to defend as the tools and techniques from the study become more widely available in hobbyist communities and beyond.

None of these scenarios require developing new protocols; they simply require making deployment choices that align with established security principles.

Confusion around Blockstream Satellite should not distract from the actionable solutions. Pool credentials are not included in the broadcast of public block data, and its API supports encrypted payloads for user messages. This separates network resilience from the privacy of control-plane communications.

The service enhances the receive-side redundancy of the Bitcoin network in areas with poor connectivity and is not a replacement for secure transport on miner-to-pool connections.

The study makes one thing clear for operators working from remote locations with radio backhaul: plaintext control traffic is now easily observed, and encrypting Stratum is a simple, low-cost solution.

The recommended path forward is TLS for V1 today, followed by Stratum V2.

Noderunner Risk

Node operators, often called “noderunners,” face a different risk profile compared to miners because Bitcoin nodes primarily receive and relay public blockchain data instead of private credentials or payment instructions.

Running a full node typically does not require transmitting sensitive authentication information over a satellite link. The data exchanged – blocks and transactions – is inherently public.

However, if a node relies on GEO satellite backhaul for bidirectional internet access, the same vulnerabilities affecting any unencrypted TCP traffic apply. Peers, IP addresses, and message metadata could be observed or spoofed if transport encryption is absent.

Using Tor, VPNs, or encrypted overlay networks like I2P can minimize this risk.

Unlike miners using Stratum V1, node operators are not leaking value-bearing control traffic. However, they should still encrypt management interfaces and network tunnels to prevent deanonymization or routing interference.
