The 2015 Spam Attacks: How $10,000 Impacted the Bitcoin Network?

In the Bitcoin Core software repository, a recent proposal suggested removing the policy limit on OP_Return output size. We have already shared our views on this matter. The proposal sparked controversy and reignited debates about what constitutes spam on the Bitcoin blockchain and how to handle it. Here, we revisit the spam attacks that targeted the Bitcoin network a decade ago, in the summer of 2015. Our goal is to compare past events with the present and reflect on the lessons learned.

The 2015 spam attacks were an early skirmish in the block size debate. The attackers were "big-block proponents" who sought to increase the block size limit. At the time, a key argument from this camp was that the 1MB limit was too small, making it easy and relatively inexpensive to fill blocks with spam transactions. This scenario, where blocks became saturated, was framed by big-block advocates as a catastrophic outcome—a victory for spammers. They argued that full blocks would render Bitcoin payments unreliable. Their proposed solution was to raise the block size limit, thereby increasing the cost for spammers to fill blocks. The logic was simple: at a fixed fee rate, filling an 8MB block would cost more than filling a 1MB block.

"Small-block proponents" countered this argument by asserting that the big-block approach was backward. If spam existed, allowing it to flood the chain quickly and cheaply would not deter spammers but instead hand them a victory. Moreover, increasing the block size limit would reduce fees, making spam even cheaper. For big-block advocates, however, the critical metric was the cost to fill a block. They believed this figure was too low for Bitcoin’s security and that raising the block size limit would help increase it, making the network more resilient.

The Spam Attacks

Round 1
On June 20, 2015, a little-known self-proclaimed London-based Bitcoin wallet provider and exchange, CoinWallet.eu, announced on BitcoinTalk and Reddit that it was conducting a "Bitcoin stress test." We found scant information about this entity, such as its management team or shareholders. No meaningful WHOIS records or corporate filings were available, and its listed London address (78 York Street) appeared to be virtual.

78 York Street in London (Google Street View)

The attacker, CoinWallet.EU, made their motive clear: to demonstrate the need for a larger block size limit.

"Bitcoin is on the brink of collapse, yet Core developers are bogged down in trivial debates, failing to make necessary changes for long-term sustainability. Without action, Bitcoin will remain nothing more than an expensive scientific experiment. By stress-testing the system, we aim to provide a clear case for increasing the block size by showing how easily the network can be overwhelmed with spam transactions."

The attacker stated they would "generate 1MB of transaction data every 5 minutes," with the attack scheduled for June 22, 2015. The plan was to create a backlog of "approximately 241 blocks, or 1.67 days"—over 241MB of unconfirmed transactions.

At the time, Luke-Jr responded on Reddit:
"Bitcoin has miners and a block size limit precisely to mitigate such attacks."
Source: https://www.reddit.com/r/Bitcoin/comments/3agk61/comment/cscgipz/

On June 24, the attacker admitted the attack had failed as intended because their servers crashed after about two hours when the mempool reached ~12MB. They noted, "Bitcoind isn’t well-suited to handle this volume of transactions," and revealed they had spent ~2 BTC (€434) in fees for the failed attempt.

Round 2
Later that same day (June 24), CoinWallet.EU announced a second spam attack for June 29, 2015, again aiming to clog the mempool with 241MB of backlog.

As the chart above shows, this attack was more effective, with some users echoing big-block proponents’ claims that it rendered Bitcoin unusable.

"Can someone explain what’s going on? I bought 0.05 BTC via a local exchange, and they sent it to my wallet with a 0.0001 fee (226 bytes). After 7 hours without confirmation, it was dropped by blockchain.info. The exchange resent it with a 0.0002 fee, marked 'very fast' (high priority), but it’s now been 6 hours! What have you done to BTC? Is this normal? BTC can’t function like this for everyday payments. Is 0.0002 too low for a 226-byte tx?"
Source: https://bitcointalk.org/index.php?topic=1098263.msg11847265#msg11847265

Luke-Jr’s mining pool, Eligius, appeared to successfully filter out spam transactions during the attack. Eligius produced smaller blocks (~250KB) compared to other pools (often 1MB or 750KB), regardless of the limit in place.

Luke’s earlier prediction proved correct: the block size limit and miners helped mitigate the attack’s impact—though only his pool acted. In our view, the block size limit played a stronger role in preventing spam from entering the chain. Luke’s filtering policy was controversial, with critics arguing it harmed Bitcoin’s fungibility and prolonged the attack by keeping the mempool inflated. For example, the operator of Kano Pool argued on BitcoinTalk:

"The simple fact is, these are valid transactions with fees."

Another forum member, wizkid057 (Luke’s colleague at Eligius, now working with him at Ocean Pool), defended the filtering:

"The only reason the attack persisted was that other miners/pools refused to filter the spam. They prioritized earning an extra 0.1 BTC in fees over protecting Bitcoin… or maybe they were just lazy. With a few major pools cooperating, the attack’s harm could have been entirely neutralized."
Source: https://bitcointalk.org/index.php?topic=1098263.msg11760038#msg11760038

User "spartacusrex" sided with Kano:
"Valid transactions are valid. Period. No politics. Allowing ‘editing’ of which transactions get through sets a dangerous precedent."

Round 3
On July 7, 2015, a third attack occurred. Though CoinWallet.EU didn’t formally announce it, they remained the prime suspect due to their prior actions. Over the following days, users reported mempools clogged with 27,000 to 80,000 transactions. This was the most severe and multifaceted attack yet, causing significant network disruption.

Motherboard reported that this round cost over $8,000 (30 BTC) in fees—far exceeding the previous €434. The attackers employed diverse tactics, including dust transactions sent to public wallets (e.g., WikiLeaks and Voat) and addresses with publicly known private keys (e.g., brainwallets like "cat" or "dog"). This allowed others to create additional spam by attempting to claim the funds, reducing the attacker’s workload. For instance:

• The "cat" address (uncompressed key) saw over 41,000 transactions in July 2015, receiving thousands of 0.00001 BTC outputs.

• The "password" address had 45,000 transactions.

• The "dog" address had over 43,000 transactions.

The spammers demonstrated remarkable ingenuity.

During the attack’s peak, big-block advocate Mike Hearn argued:
"The best defense is to raise the block size limit, making spam as costly as possible. This is what I’m working toward."
Source: https://www.reddit.com/r/Bitcoin/comments/3ck5z9/comment/cswda6x/

Mining pool F2Pool helped clean up the mess by consolidating spam outputs into a single 1MB transaction with over 5,000 inputs. Due to Bitcoin’s then-quadratic sighash scaling, nodes took up to 20 seconds to verify it. Later, developer Gregory Maxwell reportedly assisted F2Pool by using identical signatures for all inputs (except one), simplifying verification. Another 1MB transaction with 7,000+ inputs followed. Gregory’s optimization used SIGHASH_SINGLE (blue key on mempool.space) instead of SIGHASH_ALL (green key), a distinction now clearly displayed on the site.

Round 4
CoinWallet launched a fourth and final "stress test" in September 2015.

"Opinions are divided about tomorrow’s announced test. Some call it an attack, but we see it as no different from buying all train tickets to have a private ride. Legal counsel confirms this violates no EU laws."

A "James Wilson," claiming to be CoinWallet’s COO/CCO, emailed media:
"Our goal is to force the community to fix Bitcoin. It’s broken. A small wallet startup shouldn’t be able to cripple the network."

This time, CoinWallet distributed 200 BTC by posting private keys on BitcoinTalk. The initial post contained five keys (0.53918 BTC each), followed by thousands more. This generated 90,000+ transactions, many conflicting and discarded under the "First Seen Safe" rule, making Round 4 less disruptive than Round 3.

After this attempt, CoinWallet declared their "stress test campaign over," and many Bitcoiners claimed victory.

Who Was Behind CoinWallet.EU?
The mastermind remains a mystery. Theories include:

1. Gerald Cotten (QuadrigaCX CEO): Payments to CoinWallet listed "1009926 B.C. LTD," matching Quadriga’s corporate name. However, this may simply indicate Quadriga was their payment processor.

2. "James Wilson": Possibly Jamie Wilson (a Craig Wright associate) or Phil James Wilson (aka Scronty, a fake Satoshi who said his family called him "James").
   We find these theories too speculative to draw conclusions.

Academic Analysis
A published study analyzed the 2015 attacks. Data showed two mempool spikes (~175,000 transactions each), aligning with Rounds 3 and 4.

The paper concluded:
"During 10 peak days of spam, 385,256 of 1,645,667 transactions (23.41%) were spam. The attack raised average fees by 51% (45 to 68 sat/vB) and processing delays by 7x (0.33 to 2.67 hours). This shows adversaries willing to spend modest sums (e.g., $49,000) can launch effective DoS attacks."

Conclusion
The 2015 spam attacks significantly impacted Bitcoin, influencing technical relay policies and shaping perceptions of spam. Key outcomes included:

1. Miners raised policy block size limits from 250KB/750KB to 1MB (matching consensus rules).

2. Bitcoin Core’s minimum relay fee increased 5x to 5,000 satoshis (October 2015).

3. Default mempool limits (e.g., 300MB) were introduced, likely in response.

4. The attacks intensified block size debate polarization. Big-blockers cited degraded UX as proof limits needed raising, while small-blockers held firm.

Ultimately, small-blockers won. Full blocks are now the norm, and increasing limits to accommodate spam is widely seen as a bad idea. Yet, debates over defining and handling spam persist. For those who didn’t experience 2015, this article’s key takeaway is that spam attacks aren’t new. If anything, the 2015 attackers’ motives were clearer (if not more legitimate) than today’s JPEG-peddlers. Another striking contrast is cost: ~$10,000 caused notable disruption in 2015, whereas post-2023, hundreds of millions have been spent on "spam" fees.

The 2015 Spam Attacks: How $10,000 Impacted the Bitcoin Network?

In the Bitcoin Core software repository, a recent proposal suggested removing the policy limit on OP_Return output size. We have already shared our views on this matter. The proposal sparked controversy and reignited debates about what constitutes spam on the Bitcoin blockchain and how to handle it. Here, we revisit the spam attacks that targeted the Bitcoin network a decade ago, in the summer of 2015. Our goal is to compare past events with the present and reflect on the lessons learned.

The 2015 spam attacks were an early skirmish in the block size debate. The attackers were "big-block proponents" who sought to increase the block size limit. At the time, a key argument from this camp was that the 1MB limit was too small, making it easy and relatively inexpensive to fill blocks with spam transactions. This scenario, where blocks became saturated, was framed by big-block advocates as a catastrophic outcome—a victory for spammers. They argued that full blocks would render Bitcoin payments unreliable. Their proposed solution was to raise the block size limit, thereby increasing the cost for spammers to fill blocks. The logic was simple: at a fixed fee rate, filling an 8MB block would cost more than filling a 1MB block.

"Small-block proponents" countered this argument by asserting that the big-block approach was backward. If spam existed, allowing it to flood the chain quickly and cheaply would not deter spammers but instead hand them a victory. Moreover, increasing the block size limit would reduce fees, making spam even cheaper. For big-block advocates, however, the critical metric was the cost to fill a block. They believed this figure was too low for Bitcoin’s security and that raising the block size limit would help increase it, making the network more resilient.

The Spam Attacks

Round 1
On June 20, 2015, a little-known self-proclaimed London-based Bitcoin wallet provider and exchange, CoinWallet.eu, announced on BitcoinTalk and Reddit that it was conducting a "Bitcoin stress test." We found scant information about this entity, such as its management team or shareholders. No meaningful WHOIS records or corporate filings were available, and its listed London address (78 York Street) appeared to be virtual.

78 York Street in London (Google Street View)

The attacker, CoinWallet.EU, made their motive clear: to demonstrate the need for a larger block size limit.

"Bitcoin is on the brink of collapse, yet Core developers are bogged down in trivial debates, failing to make necessary changes for long-term sustainability. Without action, Bitcoin will remain nothing more than an expensive scientific experiment. By stress-testing the system, we aim to provide a clear case for increasing the block size by showing how easily the network can be overwhelmed with spam transactions."

The attacker stated they would "generate 1MB of transaction data every 5 minutes," with the attack scheduled for June 22, 2015. The plan was to create a backlog of "approximately 241 blocks, or 1.67 days"—over 241MB of unconfirmed transactions.

At the time, Luke-Jr responded on Reddit:
"Bitcoin has miners and a block size limit precisely to mitigate such attacks."
Source: https://www.reddit.com/r/Bitcoin/comments/3agk61/comment/cscgipz/

On June 24, the attacker admitted the attack had failed as intended because their servers crashed after about two hours when the mempool reached ~12MB. They noted, "Bitcoind isn’t well-suited to handle this volume of transactions," and revealed they had spent ~2 BTC (€434) in fees for the failed attempt.

Round 2
Later that same day (June 24), CoinWallet.EU announced a second spam attack for June 29, 2015, again aiming to clog the mempool with 241MB of backlog.

As the chart above shows, this attack was more effective, with some users echoing big-block proponents’ claims that it rendered Bitcoin unusable.

"Can someone explain what’s going on? I bought 0.05 BTC via a local exchange, and they sent it to my wallet with a 0.0001 fee (226 bytes). After 7 hours without confirmation, it was dropped by blockchain.info. The exchange resent it with a 0.0002 fee, marked 'very fast' (high priority), but it’s now been 6 hours! What have you done to BTC? Is this normal? BTC can’t function like this for everyday payments. Is 0.0002 too low for a 226-byte tx?"
Source: https://bitcointalk.org/index.php?topic=1098263.msg11847265#msg11847265

Luke-Jr’s mining pool, Eligius, appeared to successfully filter out spam transactions during the attack. Eligius produced smaller blocks (~250KB) compared to other pools (often 1MB or 750KB), regardless of the limit in place.

Luke’s earlier prediction proved correct: the block size limit and miners helped mitigate the attack’s impact—though only his pool acted. In our view, the block size limit played a stronger role in preventing spam from entering the chain. Luke’s filtering policy was controversial, with critics arguing it harmed Bitcoin’s fungibility and prolonged the attack by keeping the mempool inflated. For example, the operator of Kano Pool argued on BitcoinTalk:

"The simple fact is, these are valid transactions with fees."

Another forum member, wizkid057 (Luke’s colleague at Eligius, now working with him at Ocean Pool), defended the filtering:

"The only reason the attack persisted was that other miners/pools refused to filter the spam. They prioritized earning an extra 0.1 BTC in fees over protecting Bitcoin… or maybe they were just lazy. With a few major pools cooperating, the attack’s harm could have been entirely neutralized."
Source: https://bitcointalk.org/index.php?topic=1098263.msg11760038#msg11760038

User "spartacusrex" sided with Kano:
"Valid transactions are valid. Period. No politics. Allowing ‘editing’ of which transactions get through sets a dangerous precedent."

Round 3
On July 7, 2015, a third attack occurred. Though CoinWallet.EU didn’t formally announce it, they remained the prime suspect due to their prior actions. Over the following days, users reported mempools clogged with 27,000 to 80,000 transactions. This was the most severe and multifaceted attack yet, causing significant network disruption.

Motherboard reported that this round cost over $8,000 (30 BTC) in fees—far exceeding the previous €434. The attackers employed diverse tactics, including dust transactions sent to public wallets (e.g., WikiLeaks and Voat) and addresses with publicly known private keys (e.g., brainwallets like "cat" or "dog"). This allowed others to create additional spam by attempting to claim the funds, reducing the attacker’s workload. For instance:

• The "cat" address (uncompressed key) saw over 41,000 transactions in July 2015, receiving thousands of 0.00001 BTC outputs.

• The "password" address had 45,000 transactions.

• The "dog" address had over 43,000 transactions.

The spammers demonstrated remarkable ingenuity.

During the attack’s peak, big-block advocate Mike Hearn argued:
"The best defense is to raise the block size limit, making spam as costly as possible. This is what I’m working toward."
Source: https://www.reddit.com/r/Bitcoin/comments/3ck5z9/comment/cswda6x/

Mining pool F2Pool helped clean up the mess by consolidating spam outputs into a single 1MB transaction with over 5,000 inputs. Due to Bitcoin’s then-quadratic sighash scaling, nodes took up to 20 seconds to verify it. Later, developer Gregory Maxwell reportedly assisted F2Pool by using identical signatures for all inputs (except one), simplifying verification. Another 1MB transaction with 7,000+ inputs followed. Gregory’s optimization used SIGHASH_SINGLE (blue key on mempool.space) instead of SIGHASH_ALL (green key), a distinction now clearly displayed on the site.

Round 4
CoinWallet launched a fourth and final "stress test" in September 2015.

"Opinions are divided about tomorrow’s announced test. Some call it an attack, but we see it as no different from buying all train tickets to have a private ride. Legal counsel confirms this violates no EU laws."

A "James Wilson," claiming to be CoinWallet’s COO/CCO, emailed media:
"Our goal is to force the community to fix Bitcoin. It’s broken. A small wallet startup shouldn’t be able to cripple the network."

This time, CoinWallet distributed 200 BTC by posting private keys on BitcoinTalk. The initial post contained five keys (0.53918 BTC each), followed by thousands more. This generated 90,000+ transactions, many conflicting and discarded under the "First Seen Safe" rule, making Round 4 less disruptive than Round 3.

After this attempt, CoinWallet declared their "stress test campaign over," and many Bitcoiners claimed victory.

Who Was Behind CoinWallet.EU?
The mastermind remains a mystery. Theories include:

1. Gerald Cotten (QuadrigaCX CEO): Payments to CoinWallet listed "1009926 B.C. LTD," matching Quadriga’s corporate name. However, this may simply indicate Quadriga was their payment processor.

2. "James Wilson": Possibly Jamie Wilson (a Craig Wright associate) or Phil James Wilson (aka Scronty, a fake Satoshi who said his family called him "James").
   We find these theories too speculative to draw conclusions.

Academic Analysis
A published study analyzed the 2015 attacks. Data showed two mempool spikes (~175,000 transactions each), aligning with Rounds 3 and 4.

The paper concluded:
"During 10 peak days of spam, 385,256 of 1,645,667 transactions (23.41%) were spam. The attack raised average fees by 51% (45 to 68 sat/vB) and processing delays by 7x (0.33 to 2.67 hours). This shows adversaries willing to spend modest sums (e.g., $49,000) can launch effective DoS attacks."

Conclusion
The 2015 spam attacks significantly impacted Bitcoin, influencing technical relay policies and shaping perceptions of spam. Key outcomes included:

1. Miners raised policy block size limits from 250KB/750KB to 1MB (matching consensus rules).

2. Bitcoin Core’s minimum relay fee increased 5x to 5,000 satoshis (October 2015).

3. Default mempool limits (e.g., 300MB) were introduced, likely in response.

4. The attacks intensified block size debate polarization. Big-blockers cited degraded UX as proof limits needed raising, while small-blockers held firm.

Ultimately, small-blockers won. Full blocks are now the norm, and increasing limits to accommodate spam is widely seen as a bad idea. Yet, debates over defining and handling spam persist. For those who didn’t experience 2015, this article’s key takeaway is that spam attacks aren’t new. If anything, the 2015 attackers’ motives were clearer (if not more legitimate) than today’s JPEG-peddlers. Another striking contrast is cost: ~$10,000 caused notable disruption in 2015, whereas post-2023, hundreds of millions have been spent on "spam" fees.