Crypto traders exploit Airdrops with Sybil attacks for massive profits

“In one evening you can create up to 10 quality accounts. It’s not rocket science, it’s just everyday work. That’s why so many people FOMO about it,” said Ilya, a 33-year-old Ukrainian whose main source of income comes from airdrops.

Ilya (he asked CoinDesk to change his name) also trades crypto for profit, but airdrops have taken up most of his time in the last couple of months, he told me over Zoom, speaking from a “southern European country.”

Ilya is one of the many crypto traders who make money from Sybil attacks on token airdrops. In other words, they spin up multiple accounts on a blockchain project that is expected to release its token, then they grab as many tokens as they can. (A “Sybil” attack takes its name from a 1973 book about a woman with dissociative identity disorder.)

The attacks take advantage of the projects’ weak ability to identify and weed out fake accounts, and they extract tens and hundreds of thousands of dollars from each airdrop. After the attackers get the tokens, they sell immediately.

Decentralized finance (DeFi) projects use airdrops – a distribution of free tokens to the wallets of active members of the blockchain community – to attract more users and encourage activity on the project’s blockchain, such as providing liquidity to decentralized exchanges, interacting with smart contracts and other transactions.

With airdrops, projects try to identify and reward active users without releasing tokens to people who created accounts at the last minute before the airdrop to grab tokens without actually committing to the project. After they get the tokens, these people immediately sell, which depresses the price of the token.

Sybil attackers constantly try to trick the system, impersonating healthy blockchain activity from multiple accounts belonging to one person or team. Thus, organizing an airdrop becomes an endless back-and-forth for projects – and they are far from winning.

For example, during the recent airdrop for the Ethereum scaling protocol Arbitrum, users and entities controlling multiple addresses received nearly 48% of all tokens distributed, according to researchers.

Ilya is 33, and crypto speculation has been his primary job for the past six years. “I got into it in late 2016, before the ICO hype,” he said. He used to be a small business owner, trading grain in Ukraine, before he got into online marketing. When he learned about crypto, everything changed. He invested in several initial coin offerings and the return was tenfold.

After the ICO hype cooled, initial exchange offerings (IEOs) came, then the 2020 DeFi craze, then the non-fungible token (NFT) obsession. If you get ahead of a trend, Ilya said, it’s just a free-money giveaway, with airdrops just the latest hot option.

“Airdrops are a legally safer way to distribute a project’s tokens than ICOs,” said Igor Pertsia, founder of the Hypra venture fund. He said that particularly skilled Sybil attackers can get away with up to several million dollars in crypto from a single airdrop, targeting projects such as Ethereum Name Service (ENS), Sui, Aptos and others.

“I know people who made $1 million to $2 million just from Arbitrum,” Pertsia told CoinDesk. “Unlike ICOs, many of which functioned more like Ponzis [schemes], participants in airdrops don’t talk about them much because the more people who want to participate, the less each person will get.”

The evidence is not just anecdotal. Blockchain researchers have spotted crypto wallets that accumulated more than $1 million of Arbitrum ARB tokens from various other wallets, suggesting that they belong to the same person. In some cases, these wallets turned out to belong to phishing scammers, who simply siphoned the money out of multiple victims’ wallets, it was later found.

Some multi-account users accumulated more modest token totals. Researchers found at least 198 addresses that collected money from multiple other addresses after the snapshot of the balances was taken and the list of eligible wallets was verified.

Ilya was not one of those Arbitrum millionaires, he said. Several of his accounts were discovered as part of a Sybil attack and excluded from the airdrop. But five of the accounts he created managed to receive 20,000 ARB tokens – almost double the maximum amount an account could receive during the airdrop (10,250 tokens).

Ilya did not hesitate to sell the tokens for $1.40 each, for a profit that far exceeded his expenses: to maintain a quality account that will not be cut, he had to pay about $50 in gas fees for transactions on the network, he said.

“One person I know got 200,000 tokens from several thousand accounts. He had a team of people who each ran 500 accounts,” Ilya said.

Ilya has only one employee who helps him manage accounts, who is paid with a regular paycheck and a share of the profits from airdrops. Ilya said that technical expertise is not necessary to recognize a profitable airdrop. If you can analyze social dynamics and sense what the next trend will be, that’s enough.

Keeping these accounts alive is “not rocket science” and even high school kids can maintain a bunch of viable blockchain wallets to monetize airdrops. “I know some guys who aren’t even 18 yet who have 150 accounts each, and one of them recently made $500,000 from airdrops,” he said.

“20-year-olds missed the ICO boom, and now there’s a new wave of young and hungry,” Pertsia said.

You never know which project will drop tokens one day, so airdrop hunters monitor several projects that seem promising. Criteria?

“It should be well known, with a lot of funds raised, a lot of developers and reputable investors, a lot of hype around it and relevant to what’s happening in crypto at the moment,” Ilya said. Projects that meet these criteria right now include zkSync, StarkNet and LayerZero, and anything related to scaling Ethereum, he believes.

While waiting for an airdrop, such hunters risk losing their money if the project is hacked and all liquidity drained from it. DeFi protocols have become hackers’ favorite targets, losing $2 billion in 2022 alone, according to blockchain analytics firm Chainalysis. Cross-chain bridges in particular appeared to be one of the most attractive targets for attack.

“People would pour in liquidity hoping for an airfall [in the future], and then that bridge gets hacked and a hacker gets away with $5,000,” Ilya said. He doesn’t recall losing much in such attacks, Ilya said, but people he knows had tokens worth up to $10,000 in the recently exploited Euler lending protocol. At least the attacker volunteered to return the funds.

Alex Momot, CEO of a crypto startup Peanut Trade, said his team has been closely monitoring the Sybil attacks on airdrops. One of the services Peanut provides is helping DeFi projects avoid such abuses. Usually, the tactics of airdrop hunters are pretty simple, he said: Make a minimum of transactions with minimal amounts of tokens just to pass the threshold for eligibility.

Hunters often fund their wallets by withdrawing money from a centralized exchange. Because all such withdrawals are processed from the exchange’s hot wallet, which collects coins from many users in one place, it is impossible to see who exactly withdrew tokens. This makes it more difficult to identify wallets that received funding from the same wallet and thus apparently belong to the same owner.

However, there are still ways to exclude airdrop hunters with multiple accounts from the distribution. For example, projects can cut all wallets that barely pass the threshold.
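The detection signals mentioned in this article (a shared funding wallet, consolidation into one address after the snapshot, and activity that barely clears the eligibility threshold), combined in an added Python example. It is not code from CoinDesk, Peanut Trade or any project named here; the wallet names, the threshold and the transfer records are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: wallet names, threshold and transfers are hypothetical.
EXCHANGE_HOT_WALLETS = {"cex_hot"}   # one hot wallet serves many unrelated users
MIN_TX = 4                           # assumed eligibility threshold (tx count)
# (sender, receiver, phase): "fund" = initial funding, "sweep" = post-snapshot transfer
TRANSFERS = [
    ("funder_a", "w1", "fund"), ("funder_a", "w2", "fund"), ("funder_a", "w3", "fund"),
    ("cex_hot", "w4", "fund"), ("cex_hot", "w5", "fund"), ("cex_hot", "w6", "fund"),
    ("w4", "collector_x", "sweep"), ("w5", "collector_x", "sweep"),
    ("w6", "own_cold_wallet", "sweep"),
]
TX_COUNT = {"w1": 4, "w2": 4, "w3": 5, "w4": 4, "w5": 31, "w6": 57}


def clusters(transfers, phase, ignore=frozenset(), min_size=2):
    """Group airdrop wallets that share a counterparty in the given phase."""
    groups = defaultdict(set)
    for sender, receiver, p in transfers:
        if p != phase:
            continue
        # Funding: the wallet is the receiver. Sweep: the wallet is the sender.
        wallet, other = (receiver, sender) if phase == "fund" else (sender, receiver)
        if other not in ignore:
            groups[other].add(wallet)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


def barely_eligible(tx_count, min_tx, margin=1):
    """Wallets whose activity sits at or just above the eligibility threshold."""
    return sorted(w for w, n in tx_count.items() if min_tx <= n <= min_tx + margin)


def sybil_signals(transfers, tx_count):
    """Map each wallet to the list of independent signals that flag it."""
    flags = defaultdict(list)
    for funder, wallets in clusters(transfers, "fund", EXCHANGE_HOT_WALLETS).items():
        for w in wallets:
            flags[w].append("shared funder " + funder)
    for dest, wallets in clusters(transfers, "sweep").items():
        for w in wallets:
            flags[w].append("swept to " + dest)
    for w in barely_eligible(tx_count, MIN_TX):
        flags[w].append("barely eligible")
    return dict(flags)


if __name__ == "__main__":
    for wallet, why in sorted(sybil_signals(TRANSFERS, TX_COUNT).items()):
        print(wallet, len(why), why)
```

In this sample `w5` is flagged by one signal only and `w6` by none. Dropping the hot-wallet exclusion would wrongly group `w4`, `w5` and `w6` under the exchange, which is why a single signal is weak evidence on its own.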

“On the one hand, it’s not bad for projects to get some traction, even in this way, but they’re interested in creating real community and having real traction,” Momot said. “The worst thing is that projects lose millions in market value when listed on the stock exchange [because] such users sell immediately.”
