Blockchain RPC services, while enabling convenient public-chain access, introduce severe privacy risks: existing deanonymization techniques either incur transaction fees or require active network eavesdropping. This paper presents the first zero-cost, purely passive deanonymization attack. It establishes cross-domain temporal correlations by synchronizing TCP acknowledgment timestamps from users’ IP traffic with on-chain transaction broadcast/confirmation timestamps. Our method requires no traffic injection—only passive network monitoring and publicly available blockchain data—leveraging time-series alignment and empirical measurements to construct an end-to-end deanonymization framework. Evaluated on Ethereum, Bitcoin, and Solana, the attack achieves >95% success rate in linking users’ real-world IP addresses to their on-chain pseudonyms. This is the first empirical demonstration of high-precision, systematic linkage between RPC clients’ network identities and blockchain identities, exposing a fundamental privacy vulnerability inherent in current RPC architectures.

Remote Procedure Call (RPC) services have become a primary gateway for users to access public blockchains. While they offer significant convenience, RPC services also introduce critical privacy challenges that remain insufficiently examined. Existing deanonymization attacks either do not apply to blockchain RPC users or incur costs like transaction fees assuming an active network eavesdropper. In this paper, we propose a novel deanonymization attack that can link an IP address of a RPC user to this user's blockchain pseudonym. Our analysis reveals a temporal correlation between the timestamps of transaction confirmations recorded on the public ledger and those of TCP packets sent by the victim when querying transaction status. We assume a strong passive adversary with access to network infrastructure, capable of monitoring traffic at network border routers or Internet exchange points. By monitoring network traffic and analyzing public ledgers, the attacker can link the IP address of the TCP packet to the pseudonym of the transaction initiator by exploiting the temporal correlation. This deanonymization attack incurs zero transaction fee. We mathematically model and analyze the attack method, perform large-scale measurements of blockchain ledgers, and conduct real-world attacks to validate the attack. Our attack achieves a high success rate of over 95% against normal RPC users on various blockchain networks, including Ethereum, Bitcoin and Solana.