Monero's cryptographic privacy is well-established but its P2P layer is a different story.

Using Nebula, ProbeLab's open-source network crawler, we conducted the first large-scale topological crawl of the Monero network, discovering over 29,000 nodes and successfully handshaking with more than 16,000.

The findings are stark: over 81% of reachable nodes exhibit the peer ID mismatch pattern the Monero Research Lab associates with surveillance infrastructure while every flagged node tracing back to a single provider: Spruce Creek Networks LLC. Force-directed graph analysis reveals a bifurcated overlay: a dense spy node core surrounding unprotected peers, and a self-segregated cluster of ban-list-enforcing nodes.

We present the methodology, the topology, ban list adoption rates, and outline next steps: measuring how this surveillance density impacts Dandelion++ propagation and transaction origin anonymity in practice.