The behavior described most closely matches an Eclipse attack. In an eclipse attack, an adversary isolates a victim node by controlling its peer connections so that the node communicates only with attacker-controlled (or attacker-influenced) peers. Once isolated, the attacker can feed the victim a manipulated view of the blockchain—such as withholding blocks, delaying transactions, or presenting an alternative chain history. This can enable downstream impacts like double-spending against merchants who rely on that node’s view for confirmation.
The scenario’s strongest indicators are:
The node “received blocks only from a small, fixed set of peers for several hours,” suggesting abnormal peer diversity and potential isolation.
The attacker “controlled which peers that node communicated with,” which is essentially the definition of eclipsing a node.
The node “accepted a conflicting history” and the attacker supplied “a private chain until they were ready to reveal it,” consistent with feeding the victim a tailored chain view and then releasing/realigning it to profit from reversed payments.
Why the other options are less fitting:
A Finney attack (A) involves a miner pre-mining a block containing a spend, making a payment to a merchant, and then releasing the pre-mined block to invalidate the merchant’s transaction—this doesn’t require isolating a specific node’s peers for hours.
A DeFi sandwich attack (B) is a mempool/MEV tactic on decentralized exchanges involving front-running and back-running, unrelated to isolating node peer connections or feeding a private chain.
A 51% attack (C) involves controlling a majority of network hash power/stake to rewrite history at network scale. The scenario emphasizes isolation of a particular merchant-related node via peer control rather than majority network control.
Therefore, the attack is best identified as D. Eclipse Attack.
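The first indicator above, blocks arriving only from a small, fixed set of peers for several hours, is something a node operator can check from the node's own block-arrival records. The following Python check is an added example, not part of the original answer; the thresholds, the /16 network grouping and the sample events are assumptions constructed for illustration.

```python
from collections import Counter
from ipaddress import ip_address

WINDOW_SECS = 3 * 3600  # "several hours" (assumed value)
MIN_BLOCKS = 6          # skip windows with too few blocks to judge
MIN_PEERS = 4           # assumed floor for distinct block sources
MIN_NETGROUPS = 3       # assumed floor for distinct network groups

def netgroup(ip):
    """Coarse network group: /16 for IPv4, /32 for IPv6 (assumed grouping)."""
    addr = ip_address(ip)
    return (addr.version, int(addr) >> (16 if addr.version == 4 else 96))

def _drop(counter, key):
    counter[key] -= 1
    if counter[key] == 0:
        del counter[key]

def low_diversity_windows(events, window=WINDOW_SECS):
    """events: (unix_time, peer_ip) per block received, sorted by time.
    Returns (start, end, blocks, peers, netgroups) for every sliding window
    in which the block sources are too concentrated."""
    alerts, peers, groups, lo = [], Counter(), Counter(), 0
    for hi, (t, ip) in enumerate(events):
        peers[ip] += 1
        groups[netgroup(ip)] += 1
        while events[lo][0] < t - window:  # evict events older than the window
            _drop(peers, events[lo][1])
            _drop(groups, netgroup(events[lo][1]))
            lo += 1
        n = hi - lo + 1
        if n >= MIN_BLOCKS and (len(peers) < MIN_PEERS or len(groups) < MIN_NETGROUPS):
            alerts.append((events[lo][0], t, n, len(peers), len(groups)))
    return alerts

# Constructed sample data: one block every 600 s.
HEALTHY = [(i * 600, f"10.{i % 8 + 1}.0.1") for i in range(12)]        # 8 peers, 8 groups
ECLIPSED = [(i * 600, f"198.51.100.{i % 3 + 1}") for i in range(12)]   # 3 peers, 1 group

if __name__ == "__main__":
    print("healthy :", low_diversity_windows(HEALTHY))
    for a in low_diversity_windows(ECLIPSED):
        print("eclipsed: start=%d end=%d blocks=%d peers=%d netgroups=%d" % a)
```

Low source diversity alone does not prove an eclipse; it is the signal to compare the node's chain tip against an independent source before trusting its confirmations.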