SuperEx Educational Series: Understanding Sybil Attack, the Most Hidden Yet Most Common Systemic Threat in the Crypto World

Guides 2025-11-21 19:09

Since the birth of BTC, hacking incidents and theft cases in the crypto industry have never really stopped. From 2012 to 2024, there have been 1,740 publicly known security incidents across the blockchain ecosystem, resulting in approximately 33.744 billion USD in losses. If we narrow the timeframe down to recent years, we can see that the amount involved in crypto security incidents has shown an upward trend: the loss from crypto security incidents totaled 1.8 billion USD in 2023, and by 2024 this number had risen to 2.308 billion USD.

In other words, hackers have not slowed down at all; instead, they are constantly probing the industry’s defenses. At the end of the day, while the decentralization and anonymity of crypto assets bring tremendous convenience, they also make these assets an extremely tempting “prize” in the eyes of hackers. Every single attack is like a warning bell on the path of healthy industry development, reminding us that security is something we can never afford to relax on.

Therefore, crypto participants must strengthen their security awareness in order to effectively protect their funds. In the next few educational articles, we will launch a “Security Awareness Educational Series.” The topic of the first lesson is: Sybil Attack.

What Is a Sybil Attack? Why Is It Called “Sybil”?

If we had to use a few phrases to describe Sybil attacks, I think they would be:

  • The weapon airdrop hunters are best at using;

  • The biggest source of vulnerabilities in governance voting;

  • The cheapest means of manipulating on-chain data;

  • The root cause behind many project failures, data inflation, ecosystem collapse, and liquidity pools being drained.

More realistically: even if you feel very far removed from this concept right now, your assets, the DApps you have used, and the airdrop programs you have participated in may already have been “quietly affected” by Sybil attacks.

Back to the topic itself: a Sybil attack refers to an attacker creating a large number of fake identities (fake wallet addresses, fake nodes, fake accounts) in order to influence how power, resources, or incentives are allocated in a system.

The word “Sybil” comes from a case study of dissociative identity disorder titled Sybil, which tells the story of a person with 16 independent personalities. Doesn’t that look very similar to how Sybil attacks behave? So, in the blockchain context, this word is used to describe: one real-world controller disguising themselves as many independent participants.

In the centralized world, this type of attack is relatively easy to detect: the same IP, the same device, multi-account operations—these are all things that systems can track. But in Web3, attackers are naturally given a perfect camouflage:

  • Addresses can be generated infinitely;

  • No phone number is required;

  • No ID documents are required;

  • No real-world identity binding is required;

  • Wallets are costless to create;

  • Nodes can be faked;

  • Behavior can be scripted.

This makes the cost of launching a Sybil attack extremely low and identification extremely difficult.

Therefore: among all Web3 security threats, Sybil attacks are the most widespread and the most hidden.

Why Are Sybil Attacks a Form of “Structural Damage” to Blockchain Systems?

The danger of Sybil attacks does not come from how “strong” the attacker is, but from this fact: blockchain systems are inherently based on the assumption of “a majority of honest participants.”

Once attackers, through massive identity forgery, become the “majority,” the system loses its balance.

1. Damage to Consensus Mechanisms (Especially PoA, DAG, DPoS)

In some consensus mechanisms, the number of identities influences the level of trust the system assigns to nodes.

Creating a large number of nodes = having majority voting power = controlling system decisions.

Although PoW and PoS are not easily broken directly by Sybil attacks (because there is a real cost), light-client networks, DAGs, sidechains, and certain L2 schemes have all faced such risks.

2. Damage to Governance Systems (DAOs, Voting, Proposals)

In governance frameworks, the most common issues include:

  • Using a large number of identities to farm voting power;

  • Masquerading as community members to influence proposals;

  • Using multiple identities to create a “fake appearance of community consensus.”

Once the governance system is manipulated, a DAO can easily become an empty shell.

3. Shock to Airdrop Models

Airdrops are originally meant to reward real early users, but once a large number of Sybil users appear:

  • One person can pretend to be 1,000 people with 1,000 addresses;

  • They can batch-interact, batch-complete tasks, and ultimately take away 30–60% of the airdrop allocation.

This is one of the reasons many projects fail: the airdrop ends up going mostly to script farms, leaving real users without incentives.

4. Pollution of Data Metrics (On-Chain Data No Longer Reliable)

When projects look at TVL, address count, and transaction volume, Sybil attacks can severely distort the data:

  • A single person running scripts can create thousands of active addresses;

  • TVL can be faked through recursive collateral loops;

  • Interaction volume can be endlessly “farmed” via scripts.

This creates a major industry dilemma: more data does not necessarily mean more truth; it might just mean more “fake prosperity.”

5. Threats to Fund Security

In some DeFi protocols, attackers use a large number of identities to:

  • Apply for loans;

  • Exploit incentive loopholes;

  • Manipulate reward pools;

and even drain protocol liquidity pools. I believe you’ve seen such cases in the industry.

How Are Sybil Attacks Carried Out? (Attack Path Analysis)

Although each project is different, the generic steps of a Sybil attack are very clear.

Step 1: Mass Creation of Wallet Addresses

For example:

  • 1,000 addresses;

  • 5,000 addresses;

  • Professional script farms can even go beyond 20,000;

  • Cost of creating addresses = 0.

This is one of the greatest risk sources in Web3.

Step 2: Disguising as Real Users (Constructing Behavioral Footprints)

Attackers will:

  • Batch-interact;

  • Batch-mint;

  • Batch-swap;

  • Hop across multiple chains;

  • Disperse gas across multiple accounts;

  • Use behavior paths with different “styles”;

to mimic “real usage behavior.”

The effect is stronger than you might imagine: one Sybil farmer can pose as 2,000 “real users.”

Step 3: Evading Anti-Sybil Detection

Right now, projects usually detect Sybil behavior using:

  • IP addresses;

  • Shared interaction patterns across addresses;

  • Similar time patterns;

  • Identical device fingerprints;

  • Similar gas usage patterns;

  • Frequent transfers between addresses.

But script farms will evade these through:

  • Bulk VPN switching;

  • Mixers;

  • Proxy pools;

  • Randomized delays;

  • Batched intent-based transactions;

  • Multi-region nodes;

  • Randomized breakpoint logging;

to avoid being identified.

This makes defense extremely difficult.

Step 4: Launching the Attack at the Critical Moment

Sybil attacks typically involve long-term preparation, with attackers continuously forging a large number of behavioral footprints just to strike at the key moment—for example:

  • Right before a major airdrop distribution;

  • Before governance voting;

  • When incentive distribution starts;

  • During node elections;

  • During DEX liquidity incentive periods;

  • During NFT whitelist minting phases.

Attackers will unleash the fake identities all at once to participate in decisions or grab resources.

The Most Common Sybil Attack Scenarios in Crypto (You’ve Definitely Seen These)

1. Airdrop Sybils (Most Common, Most Widespread, Biggest Impact)

Typical cases:

  • 2,000 interactions;

  • 3,000 wallets doing the same quests;

  • 6 months of sustained behavior to pose as “long-term users.”

The project believes it has 100,000 users, but in reality maybe 80,000 are script farms.

2. DAO Governance Attacks

Attackers use multiple identities to influence:

  • On-chain rules;

  • Treasury usage;

  • The project’s future roadmap;

  • Critical votes.

Some DAOs end up being completely controlled.

3. DEX Liquidity Incentive Wash-Farming

Attackers use multiple identities to:

  • Rotate LP positions;

  • Wash-trade volume;

  • Farm transaction volume;

  • Farm fee rewards;

  • Loop-arbitrage.

In the end, they take most of the incentives, while real users get little or nothing.

4. NFT Whitelist Sybils

Some popular projects see their whitelist spots snatched entirely by bots and scripts, with hundreds of WL spots ending up in the hands of a single real operator.

This leads to:

  • The project failing to build a real community;

  • The floor price being unsustainable;

  • Misaligned interests between minters and the project;

  • A rapidly decaying ecosystem.

5. Node Forgery Attacks (Extremely Dangerous to Chain Security)

In some light-client networks, DAG-based structures, etc., attackers can create a large number of nodes and pretend to be the network majority.

This is the most dangerous type of Sybil attack.

Six Mainstream Anti-Sybil Mechanisms

Even though the industry has developed a complete Anti-Sybil toolkit, none of the methods are perfect.

1. Behavior Analysis

This is the most common method, for example:

  • Are interaction windows the same?

  • Are time intervals too regular?

  • Do multiple addresses share identical usage patterns?

The downside is obvious: once scripts add random parameters, they become nearly undetectable.
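
The three checks above can be sketched as detection logic. This is an added example, not code from the original article or from any project it mentions; the event format, the sample data, the thresholds, and the names `interval_cv` and `analyze` are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def _scripted(addr, start):
    # Constructed: fixed action order with a constant 600 s gap
    steps = ["bridge", "swap", "mint", "stake"]
    return [(addr, start + i * 600, act) for i, act in enumerate(steps)]

# Constructed sample events (address, unix_time, action); not real chain data.
EVENTS = (
    _scripted("0xA1", 1000) + _scripted("0xA2", 1030) + _scripted("0xA3", 1075)
    + [("0xB1", 500, "swap"), ("0xB1", 9100, "swap"),
       ("0xB1", 9400, "mint"), ("0xB1", 86000, "bridge")]
    + [("0xB2", 700, "stake"), ("0xB2", 4000, "swap"),
       ("0xB2", 52000, "bridge"), ("0xB2", 53000, "mint")]
)

def interval_cv(times):
    """Coefficient of variation of gaps between actions (0 = perfectly regular)."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None  # too little history to judge regularity
    return pstdev(gaps) / mean(gaps)

def analyze(events, cv_threshold=0.1, min_cluster=3):
    """Return addresses with too-regular timing, shared action patterns, and both."""
    history = defaultdict(list)
    for addr, ts, action in sorted(events, key=lambda e: e[1]):
        history[addr].append((ts, action))
    regular, by_pattern = set(), defaultdict(set)
    for addr, hist in history.items():
        cv = interval_cv([ts for ts, _ in hist])
        if cv is not None and cv < cv_threshold:
            regular.add(addr)  # "are time intervals too regular?"
        by_pattern[tuple(act for _, act in hist)].add(addr)
    # "do multiple addresses share identical usage patterns?"
    shared = {p: a for p, a in by_pattern.items() if len(a) >= min_cluster}
    # Require both signals before flagging, to limit false positives
    flagged = {a for addrs in shared.values() for a in addrs if a in regular}
    return {"regular": regular, "shared_patterns": shared, "flagged": flagged}

if __name__ == "__main__":
    print(sorted(analyze(EVENTS)["flagged"]))
```
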

2. Graph Analysis

Graph analysis is mainly used to analyze:

  • Transfer network graphs;

  • Address interconnections;

  • Similarity between on-chain paths.

The weakness is again obvious: attackers only need to “cross-mix” paths to evade detection.
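
A minimal version of the transfer-graph clustering described above, as an added example that is not part of the original article: it groups airdrop claimants that are connected through transfers, using union-find. The transfer list, the `SERVICES` label set, the `CLAIMANTS` set, and the function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed transfers (sender, receiver); not real chain data.
TRANSFERS = [
    ("0xF0", "0xA1"), ("0xF0", "0xA2"), ("0xF0", "0xA3"),  # one funder seeds three wallets
    ("0xA3", "0xA4"),                                       # chained funding
    ("0xA1", "0xD0"), ("0xA2", "0xD0"), ("0xA4", "0xD0"),  # proceeds swept to one address
    ("0xEX", "0xB1"), ("0xEX", "0xB2"),                     # exchange withdrawals, unrelated users
    ("0xB1", "0xB3"),
]
SERVICES = {"0xEX"}  # assumed label list of shared services (exchanges, bridges)
CLAIMANTS = {"0xA1", "0xA2", "0xA3", "0xA4", "0xB1", "0xB2", "0xB3"}

def find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def cluster_claimants(transfers, claimants, services, min_size=3):
    """Group claimant addresses that are connected through the transfer graph."""
    parent = {}
    for a, b in transfers:
        if a in services or b in services:
            continue  # a shared service would otherwise link unrelated users
        for node in (a, b):
            parent.setdefault(node, node)
        ra, rb = find(parent, a), find(parent, b)
        if ra != rb:
            parent[ra] = rb
    groups = defaultdict(set)
    for addr in claimants:
        if addr in parent:
            groups[find(parent, addr)].add(addr)
    clusters = [sorted(g) for g in groups.values() if len(g) >= min_size]
    return sorted(clusters, key=len, reverse=True)

if __name__ == "__main__":
    print(cluster_claimants(TRANSFERS, CLAIMANTS, SERVICES))
```

Passing an empty `services` set links the three unrelated exchange customers into a second cluster, which is the false-positive case the label list exists to prevent.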

3. Device Fingerprints + IP Identification

This is the most intuitive method, but VPNs, multiple devices, scripts, and proxy pools can bypass it completely.

4. Economic Cost Models (On-chain Actions Have a Cost)

For example: airdrops requiring high gas, high frequency, and heavy interactions.

Script farms can still do it—it’s just slightly more expensive.

5. KYC (Most Effective but Least Decentralized)

It is indeed effective, but it damages:

  • Privacy;

  • Permissionless access;

  • The trustless, permissionless nature of DeFi.

Therefore, most projects cannot adopt it extensively.

6. Trusted Execution Environments (TEE)

Examples include SGX and privacy-preserving proofs, but these are still immature for large-scale use.

Three Fundamental Web3 Properties That Make Sybil Attacks Eternal

  1. Address creation is costless: you can never stop someone from creating 100,000 addresses.

  2. User identities are inherently anonymous: blockchains are designed not to require real-world identity.

  3. On-chain behavior can be disguised:

    • Scripts = infinite users;

    • Paths = can be mimicked;

    • Interactions = can be copied;

    • “Smell” = can be hidden.

  4. Incentive mechanisms will always attract script farms: wherever there is money, there will be Sybil attacks.

Future Anti-Sybil Trends in Web3

  • ZK-based identity (ZK-ID): ensuring users are real humans without knowing who they are.

  • Soulbound Identity systems: enhancing “non-transferability of accounts.”

  • DPR (Dynamic Participation Rating): giving higher weight to truly engaged participants.

  • Cross-Chain Identity: evaluating real users based on combined behavior across multiple chains.

  • High-frequency behavioral graphing (with AI): AI will play a central role in future Anti-Sybil systems.

Conclusion: Sybil Attacks Will Never Disappear, but They Can Be Managed

Sybil attacks will always exist — this is a structural feature of Web3. But we must:

  • Understand them;

  • Identify them;

  • Manage them;

  • Build Sybil-resistant systems;

  • Design incentive models robust enough to withstand them.

This is not only the responsibility of project teams, but also the key to the industry’s sustainable and healthy development.

  • When you understand Sybil attacks, you understand Web3’s “real world.”

  • When you understand how to defend against them, you understand the future direction of Web3.
