External wallet connections on my node

Today I noticed two wallet connections on my node with external IPs, one of them looks like this in chia show -s -c:

WALLET    41.X.X.X                            29314/8449  9d6aef56... May 08 19:55:15     28.3|0.0

I find this very concerning. I definitely only forwarded 8444 to the node, the wallet port is NOT reachable, not even in my local network.

Is this to be expected? I found one post and one GitHub discussion about this, both with no answers:


I’m glad other people are raising this too as I didn’t get an answer in my thread.

I have 2 theories: 1 innocuous and 1 evil.

Innocuous theory: I migrated my full node to another machine the other day. I copied the SQLite DB for the blockchain to speed up the sync. Even though it synced very quickly and started farming, the wallet also had to sync separately. So while my wallet was syncing, maybe I was connected to another node as “wallet”. Not sure why a separate sync for the wallet is needed when the blockchain is already there, but I hope it’s the reason we see wallets.

Evil theory: Somebody discovered a bug such as if a block is won it’s sent to all the connected wallets, or one at random or something like that. So by connecting to other people’s full nodes they are trying to siphon their XCH as they are won.

Like I said, these are just theories. If somebody has knowledge about it, I’d highly appreciate it if they could clarify.


Had the same issue pop up with IP address
IP search yielded:

Continent: asia
Country: china
Country Code: cn
Region: unknown
State: guangdong
State Code:
City: xinhengzhen
Postal Code: 515548
Timezone: GMT 8:00
Area Code:
Latitude: 23.624
Longitude: 116.289
Carrier: chinanet
Organization: chinanet guangdong province network