
‘Sybil attackers’ raid airdrops for millions with bogus wallet addresses and cunning

  • ‘Sybil hunters’ ramp up to defend protocols from new breed of crypto pirates.
  • One attacker marshalled 1,000 wallet addresses to pillage Arbitrum airdrop in March.
  • ‘I’m here to play and win zero sum games and make money’ says Sybil attacker.

For many, crypto airdrops are life changing.

Designed to reward early users of DeFi applications, airdrops shower recipients with instant five-figure paydays. Windfalls from Ethereum Name Service, dYdX, and more recently Arbitrum have been juicy jackpots in the otherwise volatile crypto market.

But there’s an ever-present threat to one of the most popular practices in crypto: Sybil attackers.

These buccaneering DeFi players create multiple wallet addresses to spoof airdrops by pretending to execute legitimate activity. Also known as airdrop farming, this legerdemain sets them up to rake in millions in free tokens, as long as they are not caught.

Farming airdrops

“I am here to play and win zero sum games and make money,” CapitalGrug, who claims to have made over $10 million through Sybil attacks, told DL News in an interview.

Grug, who often works with a team of Sybil attackers, said he started farming airdrops after Uniswap released its UNI governance token to early users in September 2020. At its peak value, recipients could have sold the UNI airdrop for over $17,000.

“I’d estimate Sybil farms have taken in hundreds of millions of dollars at this point,” Hop Protocol co-founder Christopher Whinfrey told DL News.

Hop Protocol, a crypto bridge which lets users send tokens between different blockchains, is fighting back against Sybil attackers. During its airdrop last year, the project deployed what it called “Sybil hunters” to detect and filter out attackers.

Other crypto projects like Arbitrum and Safe have followed Hop Protocol’s lead in fending off Sybil attackers from their airdrop distributions.

Despite some progress, crypto projects are no closer to eliminating the practice. Arbitrum’s $1 billion March airdrop still suffered from thousands of Sybil attackers bypassing preventative measures and pocketing millions. This type of cyberattack takes its name from a 1973 book called Sybil that chronicled a woman’s multiple personality disorder.

For Sybil attackers, the allure of lucrative earnings from airdrops means they are ready to dedicate hundreds of hours and deploy complex strategies to mask their airdrop farming activities and hit gold.

According to LlamaRisk, one attacker used a wallet to fund over 1,000 accounts, many of which were eligible to receive more than 428,000 airdropped Arbitrum tokens. The windfall was worth a cool $531,000 on Friday.

PR shitstorm

Meanwhile, crypto project defenders and Sybil attackers struggle to gain the advantage as they tussle in the airdrop space.

“Airdrop farming and Sybil protection is an iterative game,” Whinfrey said. “Every time an airdrop is ‘Sybilled’ or ‘Sybils’ are filtered out, it escalates.”

According to Grug, it’s becoming increasingly difficult for protocols to effectively exclude attackers.

“Arbitrum took measures to try and exclude Sybil attackers but the data shows they were not very effective,” he said. “They don’t want to risk excluding actual users like ParaSwap and generating a PR shitstorm.”

After its November 2021 airdrop, ParaSwap was criticised for excluding 98.5% of its active users when distributing its tokens. Although this helped filter out almost all Sybil attackers, many real users also missed out on the airdrop.

“Protocols walk a fine line between excluding Sybil attackers and legitimate users,” Grug said. “If you do things correctly, you look just like a legitimate user.”

But, Grug said, it has also gotten more difficult for Sybil attackers due to protocols looking for connected wallets with similar transaction activity and balances and excluding them from airdrops.

“At one point this didn’t happen at all, you could just fund wallets all at once from the same centralised exchange with identical deposit amounts,” Grug said.
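The check described above, grouping airdrop-eligible wallets by the address that first funded them, can be sketched as follows. This is an added example, not code from DL News or any protocol named in the article; the addresses, amounts, exchange label set, and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (funder, recipient, amount in milli-ETH, unix time).
TRANSFERS = [
    ("0xfarm", "0xa1", 50, 1000), ("0xfarm", "0xa2", 50, 1010),
    ("0xfarm", "0xa3", 70, 1020), ("0xfarm", "0xa4", 50, 1030),
    ("0xcex", "0xb1", 200, 2000), ("0xcex", "0xb2", 200, 2030),
    ("0xcex", "0xb3", 200, 2060), ("0xcex", "0xc1", 1350, 2100),
    ("0xcex", "0xc2", 200, 90000), ("0xfriend", "0xd1", 500, 5000),
    ("0xcex", "0xa1", 300, 7000),  # later top-up, not a first funding
]
EXCHANGES = {"0xcex"}  # assumed labels for exchange hot wallets
ELIGIBLE = {r for _, r, _, _ in TRANSFERS}  # assumed airdrop list

def first_funding(transfers):
    """Map each recipient to its earliest inbound transfer."""
    first = {}
    for funder, rcpt, amount, ts in sorted(transfers, key=lambda t: t[3]):
        first.setdefault(rcpt, (funder, amount, ts))
    return first

def densest_burst(members, window):
    """Largest run of (ts, addr) pairs that fits inside `window` seconds."""
    best, start = [], 0
    for end in range(len(members)):
        while members[end][0] - members[start][0] > window:
            start += 1
        if end - start + 1 > len(best):
            best = members[start:end + 1]
    return best

def flag_clusters(transfers, eligible, exchanges, min_size=3, window=600):
    """Return {(funder, amount or None): [addresses]} for suspect clusters."""
    groups = defaultdict(list)
    for addr, (funder, amount, ts) in first_funding(transfers).items():
        if addr in eligible:
            # An exchange funds many unrelated users, so sharing one is only
            # suspicious with an identical amount inside a short time window.
            key = (funder, amount if funder in exchanges else None)
            groups[key].append((ts, addr))
    flagged = {}
    for key, members in groups.items():
        members.sort()
        if key[1] is not None:
            members = densest_burst(members, window)
        if len(members) >= min_size:
            flagged[key] = [addr for _, addr in members]
    return flagged
```

Without the exchange label set, every wallet first funded from the exchange lands in one cluster, which is the over-exclusion of legitimate users the article describes.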

Why airdrop?

Many projects feel the rewards of airdrops are worth the risks. Hinting at or telling users they will receive valuable tokens for using a DeFi protocol is an effective way to attract users and liquidity. In May, for instance, DeFi users poured more than $35 million into Swell, the newly launched Ether liquid staking protocol. The venture, which quickly leapfrogged many of its competitors, promised to reward early users with a token airdrop later in the year.

Another reason DeFi protocols may want to airdrop tokens to users is to help them decentralise their governance. Popular DeFi protocols, such as Ethereum Name Service and Uniswap, airdropped tokens to bestow voting rights on early users.

One reason Sybil attacks remain commonplace is the difficulty of ensuring that DeFi users stay anonymous yet receive an airdrop only once.

Anonymity plays a crucial role in the crypto industry. The decentralised nature of blockchain technology allows many DeFi users and developers to conceal their identities. They often do so to protect their financial privacy, and to avoid disclosing their race, sex, or nationality, which may influence how people perceive them.

As a result, crypto projects have refrained from implementing know-your-customer procedures to help filter out Sybil attackers because doing so would force users to reveal their identities.

David Schwed, chief operating officer of blockchain security firm Halborn, told DL News that unless protocols put in measures to enforce a “one-to-one” between wallets and individuals, Sybil attackers will continue to exploit airdrops.

“Unfortunately, I think it’s a losing battle and Sybil farms are likely beyond detection,” Whinfrey said. “DAOs don’t have a clear way to achieve a broad distribution without doing something antithetical like KYC.”

‘I’m not a thief’

There are some DeFi folk who identify with the cunning of Sybil attackers. In the freewheeling world of crypto, spoofing airdrops is seen by some as fair game.

Dybsy, a pseudonymous Hop DAO delegate, told DL News that he doesn’t think what Sybil attackers do is “bad,” but that their actions are “clearly contrary to the intent and spirit of engagement and adoption.”

But the moral implications of Sybil attacking aren’t just on the minds of those trying to prevent the practice.

“I don’t think it is about being good or bad actors,” said Nico, a self-proclaimed airdrop farmer.

Nico argued that Sybil attackers are different from hackers or exploiters, who steal user funds from DeFi protocols. “I’m not a thief,” Nico said. “I simply use my time and money to transact on these networks and if there is a reward, then I should receive it too.”

Grug made no bones about the purity of his motives. “I think [Sybil attacking] is fine, but I also think sandwich attacks are fine,” he said. “I don’t buy into decentralisation myths or fantasies about solving global coordination problems with blockchains. Ultimately, in my view, crypto is the greatest casino ever built.”
