Sybil Millionaires: How Airdrop Hunters Trick Projects and Snatch Fortunes

They maintain multiple accounts for the same project, stay undetectable and maximize profits from airdrops like those of Arbitrum, Aptos, Sui and others.

Apr 10, 2023 at 4:23 p.m. UTC
Updated Apr 10, 2023 at 6:35 p.m. UTC

“In one evening, you could make up to 10 quality accounts. It’s not rocket science, it’s just everyday work. That’s why so many people are FOMOing over it,” said Ilya, a 33-year-old Ukrainian whose main source of income comes from airdrops.

Ilya (he asked CoinDesk to change his name) is also trading crypto for profit, but airdrops have taken up most of his time the past couple of months, he told me over Zoom, speaking from a “Southern European country.”

Ilya is one of the many crypto traders who make money from Sybil attacks on token airdrops. In other words, they spin up multiple accounts on a blockchain project that is expected to airdrop its token, then they snap as many tokens as they can. (A “Sybil” attack gets its name from a 1973 book about a woman with dissociative identity disorder.)

The attacks exploit the projects’ weak ability to identify and weed out fake accounts, and pull tens or hundreds of thousands of dollars out of each airdrop. Once the attackers get their tokens, they immediately sell.

Free money race

Decentralized finance (DeFi) projects use airdrops – giveaways of free tokens to the wallets of active members of a project’s blockchain community – to attract more users and encourage activity on the project’s blockchain, such as providing liquidity to decentralized exchanges, interacting with smart contracts and other transactions.

With airdrops, projects try to identify and reward active users without dropping tokens to people who have created accounts at the last minute before the airdrop to snatch tokens without actually engaging with the project. After they get the tokens, these people sell immediately, which drags down the price of the token.

Sybil attackers keep trying to fool the system, imitating healthy blockchain activity from multiple accounts belonging to one person or team. Thus, organizing an airdrop becomes an endless whack-a-mole game for projects – and they are far from winning.

For example, during the recent airdrop for the Ethereum scaling protocol Arbitrum, users and entities controlling multiple addresses received almost 48% of all tokens distributed, according to researchers.

Sybil millionaires

Ilya is 33, and crypto speculation has been his primary job for the last six years. “I got into it in late 2016, before the ICO hype,” he said. He used to be a small business owner, trading grain in Ukraine, before going into online marketing. When he learned about crypto, everything changed. He invested in several initial coin offerings and his returns were tenfold.

After the ICO hype cooled down, initial exchange offerings (IEO) came along, then the 2020 DeFi craze, then the non-fungible token (NFT) obsession. If you get ahead of a trend, Ilya said, it’s just a free-money giveaway, with airdrops being just the latest hot opportunity.

“Airdrops are a legally safer way to distribute a project’s tokens than ICOs,” said Igor Pertsiya, founder of the Hypra venture fund. He said especially deft Sybil attackers can get away with up to several million dollars in crypto from a single airdrop, targeting projects such as Ethereum Name Service (ENS), Sui, Aptos and others.

“I know people who made $1 million to $2 million only from Arbitrum,” Pertsiya told CoinDesk. “Unlike in ICOs, many of which worked more like Ponzis [schemes], participants in airdrops don’t talk about them much because the more people want to join, the less each one will get.”

The evidence is not just anecdotal. Blockchain researchers have spotted crypto wallets that accumulated more than $1 million worth of the Arbitrum ARB tokens from various other wallets, suggesting they belong to the same person. In some cases, those wallets turned out to belong to phishing scammers, who just sucked the funds out of multiple victims’ wallets, it was later found.

Some multi-account users accumulated more modest token totals. Researchers found at least 198 addresses that gathered funds together from multiple other addresses after the snapshot of balances was taken and the list of eligible wallets was confirmed.

‘Not rocket science’

Ilya was not one of those Arbitrum millionaires, he said. Several of his accounts were detected as part of a Sybil attack and excluded from the airdrop. But five of the accounts he set up did manage to receive 20,000 ARB tokens – almost twice the maximum amount one account could get during the airdrop (10,250 tokens).

Ilya did not hesitate to sell the tokens for $1.40 each, for a profit far exceeding his expenses: to maintain one quality account that won’t get slashed, he would need to pay around $50 in gas fees for transactions on the network, he said.

“One person I know got 200,000 tokens from several thousand accounts. He had a team of people each running 500 accounts,” Ilya said.

Ilya has only one employee helping him manage accounts, who is paid with a regular paycheck and a share of profits from airdrops. Ilya said technical expertise is not necessary to recognize a profitable airdrop. If you can analyze social dynamics and sense what the next trend will be, that’s enough.

Keeping those accounts alive is “not rocket science,” and even high school kids can maintain a bunch of viable blockchain wallets to make money off airdrops. “I know some guys who aren’t even 18 yet, running 150 accounts each, and one of them recently made $500,000 on airdrops,” he said.

“20-year-olds missed the ICO boom, and now it’s a new wave of the young and hungry,” Pertsiya said.

Risking it

You never know what project will drop tokens one day, so airdrop hunters are monitoring multiple projects that seem promising. Criteria?

“It should be well known, with a lot of funds raised, a lot of developers and reputable investors, a lot of hype around it and relevant to what’s happening in crypto at the moment,” Ilya said. Projects satisfying these criteria right now include zkSync, StarkNet and LayerZero, and everything related to scaling Ethereum, he believes.

While waiting for an airdrop, such hunters risk losing their money if the project gets hacked and all the liquidity drained out of it. DeFi protocols have become hackers’ favorite target and lost $2 billion in 2022 alone, according to the blockchain analytics firm Chainalysis. Cross-chain bridges in particular appeared to be one of the most attractive targets for attacks.

“People would pour in liquidity hoping for an airdrop [in the future], and then that bridge gets hacked and some hacker gets away with your $5,000,” Ilya said. He does not recall losing a lot in such attacks, Ilya said, but people he knows had up to $10,000 worth of tokens in the recently exploited Euler lending protocol. At least the attacker volunteered to return the funds.

Hunting the hunters

Alex Momot, CEO of crypto startup Peanut Trade, said his team has been monitoring the Sybil attacks on airdrops closely. One of the services Peanut provides is helping DeFi projects avoid such abuses. Usually, the tactics of airdrop hunters are pretty simple, he said: Do a bare minimum of transactions with minimal amounts of tokens just to pass the threshold of eligibility.

Hunters often fund their wallets by withdrawing money from a centralized exchange. Because all such withdrawals are processed from an exchange’s hot wallet, which aggregates coins of many users in one place, it’s impossible to see who exactly withdrew tokens. This makes it harder to identify wallets that received funding from the same wallet and thus, apparently, belong to the same owner.

However, there are still ways to exclude the airdrop hunters with multiple accounts from the distribution. For example, projects may slash all wallets that barely pass the threshold.
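The signals described in this article (wallets that barely pass the eligibility threshold, wallets funded from a common non-exchange address, and eligible wallets that send funds to one address after the snapshot) can be combined into a review list. The sketch below is an added example, not code from the article or from Peanut Trade; all addresses, timestamps and the threshold are constructed, and because researchers found that some consolidation wallets belonged to phishing scammers draining victims, the output is a list for manual review rather than an exclusion list.

```python
from collections import defaultdict

# Constructed sample data: addresses, timestamps and threshold are illustrative.
SNAPSHOT_TS = 1_000
MIN_TX = 4                               # hypothetical eligibility threshold
EXCHANGE_HOT_WALLETS = {"cex_hot"}       # funding from here hides the real owner
ACTIVITY = {"a1": 4, "a2": 4, "a3": 5, "b1": 37, "c1": 4, "d1": 12}  # tx counts
TRANSFERS = [                            # (timestamp, sender, receiver)
    (100, "funder_x", "a1"), (101, "funder_x", "a2"), (102, "funder_x", "a3"),
    (110, "cex_hot", "b1"), (111, "cex_hot", "c1"), (112, "cex_hot", "d1"),
    (1200, "a1", "sink"), (1201, "a2", "sink"), (1202, "a3", "sink"),
    (1203, "c1", "sink"), (1300, "b1", "elsewhere"),
]

def shared_funder_clusters(transfers, eligible, hot_wallets, min_size=2):
    """Eligible wallets funded by the same address, ignoring exchange hot wallets."""
    groups = defaultdict(set)
    for _, src, dst in transfers:
        if dst in eligible and src not in eligible and src not in hot_wallets:
            groups[src].add(dst)
    return {f: sorted(w) for f, w in groups.items() if len(w) >= min_size}

def consolidation_clusters(transfers, eligible, snapshot_ts, min_size=2):
    """Destinations that receive from several eligible wallets after the snapshot."""
    groups = defaultdict(set)
    for ts, src, dst in transfers:
        if ts > snapshot_ts and src in eligible:
            groups[dst].add(src)
    return {d: sorted(s) for d, s in groups.items() if len(s) >= min_size}

def near_threshold(activity, min_tx, margin=1):
    """Wallets whose activity sits at or just above the eligibility threshold."""
    return sorted(w for w, n in activity.items() if min_tx <= n <= min_tx + margin)

def review_list(activity, transfers, snapshot_ts, min_tx, hot_wallets):
    """Map each flagged wallet to the signals it triggered, for manual review."""
    eligible, signals = set(activity), defaultdict(set)
    for members in consolidation_clusters(transfers, eligible, snapshot_ts).values():
        for w in members:
            signals[w].add("consolidation")
    for w in near_threshold(activity, min_tx):
        signals[w].add("near_threshold")
    for members in shared_funder_clusters(transfers, eligible, hot_wallets).values():
        for w in members:
            signals[w].add("shared_funder")
    return {w: sorted(s) for w, s in signals.items()}

if __name__ == "__main__":
    for wallet, why in sorted(review_list(ACTIVITY, TRANSFERS, SNAPSHOT_TS,
                                          MIN_TX, EXCHANGE_HOT_WALLETS).items()):
        print(wallet, why)
```

In the sample, wallet `c1` was funded through the exchange hot wallet and so escapes the funding heuristic, but it still surfaces through the other two signals.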

“On one hand, it’s not bad projects get some traction, even this way, but they are interested in creating real communities and having real traction,” Momot said. “The worst thing is, projects lose millions in market capitalization at the moment of exchange listing [because] such users immediately sell.”

Anna Baydakova

Anna Baydakova was CoinDesk's investigative reporter with a special focus on Eastern Europe and Russia. Anna owns BTC and an NFT.
