This study presents the first identification of an undocumented covert substructure within the I2P anonymous network—termed the Exclusive Network—whose nodes can persistently provide services and evade conventional probing despite lacking entries in the distributed network database (NetDB). Through a controlled three-node testbed, the authors empirically validate the service reachability and stealth characteristics of this structure by analyzing NetDB queries, observing routing behaviors, and contrasting these against known malware such as I2PRAT. The research highlights architectural parallels between the Exclusive Network and state-sponsored ORB infrastructures, demonstrating the inadequacy of traditional network mapping techniques in detecting such hidden channels. The findings underscore the urgent need for formal security analyses of these covert communication pathways within I2P.

The Invisible Internet Project (I2P) is a peer-to-peer anonymous overlay network whose architecture includes a structurally distinct sublayer not characterized in existing security literature. We term this sublayer the Exclusive Network: nodes here host operational services and draw on I2P's routing resources, but publish no RouterInfo record to the network's distributed database (NetDB). In a controlled three-node testbed, we demonstrate that an Exclusive Network node survives sequential floodfill queries from a pool of routers with zero NetDB hits, while its hosted service remains continuously accessible to authorized peers. This property is exploitable by documented I2P-based malware, for example, I2PRAT (RATatouille), for persistent command-and-control operations against national assets or corporate networks. The structure is analogous to nation-state Operational Relay Box (ORB) infrastructure. The existence of this sublayer, together with the inability of top-down empirical mapping to characterize it, motivates a move toward formal analytical methods to understand the emergence and behavior of covert networks within I2P.