Sybil Defense for Multi-Wallet Airdrop Farming (2026)
LayerZero filtered 803,000 wallets. zkSync Era dropped 60 percent of eligible addresses. Starknet cut 27,000 before distribution. This is how Trusta Labs, Nansen, Bubblemaps, and Chaos Labs actually find Sybils, and how serious farmers build opsec that survives the filter.
Major Sybil Filters of 2024
Four airdrops that publicly filtered hundreds of thousands of Sybil wallets, and what the numbers actually mean for farmers building opsec today.
LayerZero ZRO (June 2024)
The landmark Sybil filter of the cycle
The numbers
- Initial eligible snapshot: ~2.1M wallets
- Full Sybils excluded: 803,093 wallets (~38 percent)
- Self-reported Sybils: ~1.3M wallets accepted at 15 percent allocation
- Final qualified non-Sybil wallets: ~1.28M
Detection stack
- Trusta Labs: primary ML clustering vendor
- Nansen: wallet labeling, smart money exclusion
- Chaos Labs: behavioral simulation
- Internal LayerZero heuristics on bridge patterns
Key lesson: LayerZero published its criteria openly. Sybil cluster indicators included wallets funded from the same source within 30 days, wallets transacting through the same bridges with similar amounts, and wallets with overlapping transaction timing windows. Every one of these is a defeatable signal with proper opsec.
zkSync Era ZK (June 2024)
The most aggressive Sybil filter to date
The numbers
- Initial interaction snapshot: ~6.9M wallets
- Roughly 60 percent excluded as low-effort or Sybil
- Final eligible: ~695K wallets received tokens
- Community pushback was immediate and loud
Detection stack
- Trusta Labs MEDIA algorithm
- Activity duration thresholds (30+ days)
- Minimum USD volume requirements
- Unique dApp interactions (10+ protocols)
Key lesson: zkSync did not publish full per-wallet Sybil scores. Instead they combined explicit Sybil detection with quality thresholds: a wallet could be excluded for being a Sybil OR for being a genuine low-effort farmer. This dual filter is now standard.
Starknet STRK (February 2024)
Pre-distribution Sybil cut and retroactive adjustment
The numbers
- Initial eligible wallets: ~1.3M
- Pre-distribution Sybil cut: 27,000 wallets
- Average allocation per eligible: ~1,800 STRK
Detection stack
- Trusta Labs clustering
- GitHub developer weighting
- Bridge volume thresholds
Blast BLAST (June 2024)
Point-based airdrop with Sybil-weighted distribution
Blast took a different approach: instead of binary exclusion, they reduced allocations for wallets flagged as suspicious. Users with clear Sybil indicators received 50 percent or less of their point-accrued share, while obvious farmers (batch-created wallets, identical funding patterns) were zeroed out entirely.
Key lesson: The trend in 2025-2026 is toward graduated penalties rather than binary cuts. A wallet can be partially flagged and receive a reduced allocation, which makes appeals harder and maximizes retained value for the project.
How Detection Actually Works
Five core techniques that modern Sybil detection firms combine. Understanding each one is the prerequisite to designing opsec that defeats them.
IP Correlation
Projects correlate wallet addresses with IPs logged by dApp frontends, centralized bridges, and RPC providers. If 200 wallets connected from the same IP or the same /24 subnet, they cluster as one operator.
Wallet Graph Analysis
Trace funds backward 3-5 hops from airdrop wallets to identify common funding sources. If 40 wallets all trace back to the same Binance withdrawal within 72 hours, they are a cluster.
Timing Correlation
Flag wallets that repeatedly transact within the same narrow time window. A 5-minute correlation across 20 actions is a near-zero probability event for independent users.
Gas Fingerprinting
Wallet software personalizes gas prices and limits based on user history. Scripts often override with identical values, creating a gas fingerprint that links wallets.
Bridging Pattern Analysis
Projects map bridge flows: which source chain, which destination chain, which amounts, which bridge providers. Wallets that all bridge the exact same amount from the exact same chain using the exact same bridge in the same week are obvious clusters.
Tools Projects Actually Use
Five firms dominate Sybil detection services in 2026. Knowing their methodology is essential to defending against it.
Trusta Labs
The dominant airdrop Sybil detection firm. Served LayerZero, zkSync Era, Starknet, Blast, and dozens more. Their MEDIA algorithm combines ML clustering with on-chain identity signals (TrustScore). Proprietary methodology but published whitepapers confirm funding graph analysis, timing correlation, gas fingerprinting, and behavioral clustering are all components.
Nansen
The wallet analytics standard. Nansen labels 300M+ addresses (CEX hot wallets, whales, smart money, MEV bots, smart contracts, exploited contracts). Projects feed their airdrop candidate list to Nansen and receive cluster reports based on transaction patterns, counterparty overlap, and funding flows. Nansen does not sell Sybil scores per se, but its cluster exports are a core input to many project-side filters.
Bubblemaps
Bubblemaps renders wallet relationships as literal bubble graphs. Each wallet is a bubble sized by balance, and fund flows between wallets draw connecting lines. Clusters that look like a star with 50 satellites orbiting a single hub are instant Sybil flags. Projects use Bubblemaps both for automated filtering and for manual review of edge cases.
Chaos Labs
Chaos Labs focuses on smart contract and airdrop simulation. They simulate how an airdrop distribution would play out under different Sybil thresholds, showing projects what percentage of TVL retention they can expect at each filter strength. Used by LayerZero and others for pre-launch distribution modeling.
ScopeScan
ScopeScan provides forensic-grade wallet tracing used increasingly in 2025-2026 for airdrop Sybil review and post-launch dump analysis. Specialty is tracing mixer-obscured flows and identifying clusters that evade simpler graph analysis by using Tornado Cash or cross-chain bridges as intermediaries.
IP Correlation: The Biggest Sybil Signal
Every detection vendor starts with IP clustering. Understanding how they get the data and how CGNAT mobile IPs defeat it is the single most important opsec concept for farmers.
How projects get your IP
Every dApp (Uniswap, Stargate, Arbitrum Bridge) logs IP + connected wallet address in its analytics pipeline.
Stargate, Hop, Across, deBridge log source IP of every bridge request for fraud prevention and regulatory compliance.
Infura, Alchemy, Ankr, QuickNode log API key + IP + every wallet address signed. Some sell anonymized logs.
Starknet, zkSync, Scroll all run their own RPC endpoints as default. If you used the default endpoint, they have your IP.
MetaMask telemetry (on by default) sends IP + wallet data to Consensys infrastructure.
Why mobile CGNAT defeats it
A single AT&T mobile IP is shared by 500-5,000 real subscribers via Carrier-Grade NAT. Any flag would hit thousands of genuine users.
Detection vendors whitelist AS7018 (AT&T), AS21928 (T-Mobile), AS22394 (Verizon Wireless) because blocking them blocks millions of real users.
Mobile proxies rotate IPs on airplane mode cycles. Each wallet can have a fresh IP when it matters (bridge activity, LP, etc.).
Mobile traffic dominantly is genuine humans browsing. Your farming activity is buried in the background noise.
Different mobile proxies in different cities (NYC, LA, Miami, Chicago) create geographic spread that mirrors a genuine global user base.
The one-IP-per-wallet rule
The non-negotiable foundation of airdrop opsec: every wallet gets its own dedicated mobile proxy with its own carrier ASN and its own rotation cycle. No exceptions. No sharing. No using the same proxy for wallet A one day and wallet B the next.
At scale this means you are running 20, 50, or 200 dedicated mobile proxies. The cost is real, but the math works: even a single successful airdrop (LayerZero at $3.77 per token launch, zkSync at $0.20, Starknet at $2+) covers years of proxy infrastructure for a well-run farm.
Wallet Graph Analysis: Funding Source Tracing
Every wallet that exists was funded from somewhere. Detection firms trace that funding back 3-5 hops looking for common sources.
The naive pattern (gets flagged)
โ Single withdrawal 5 ETH
โ Farmer master wallet
โ 0.05 ETH to wallet 1
โ 0.05 ETH to wallet 2
โ 0.05 ETH to wallet 3
โ ... (100 identical sends)
Every wallet traces back to one master in one hop, with identical amounts and near-simultaneous timestamps. Bubblemaps draws a star. Trusta Labs flags the cluster in 10 minutes.
The safe pattern (survives graph analysis)
Coinbase w/ KYC2 โ wallet B
OKX w/ KYC3 โ wallet C
Kraken w/ KYC4 โ wallet D
P2P Bisq/LocalCoinSwap โ wallet E
DEX swap from pre-existing โ wallet F
(different amounts, different weeks,
intermediate dApp activity before farming)
Each wallet traces to a distinct funding source. Amounts vary. Time gaps between funding and farming are weeks not minutes. No master wallet exists to cluster on.
Funding diversity checklist
- Use 4+ different exchanges for funding. Binance, Coinbase, Kraken, OKX, Bybit, Bitstamp, Gemini each have different hot wallet infrastructure.
- Mix funding methods: some wallets from CEX withdrawals, some from P2P trades (Bisq, LocalCoinSwap, HodlHodl), some from DEX swaps from pre-existing on-chain balances.
- Randomize funding amounts: instead of 100 wallets each with 0.05 ETH, use 100 wallets with amounts from 0.02 to 0.15 ETH spread naturally.
- Insert time gaps: fund a wallet, let it sit 2-4 weeks, do some unrelated activity (a swap, a mint), then begin airdrop farming.
- Never fund through a master wallet: the single most toxic pattern. If you must consolidate, use mixers (where legal) or CEX round-trips to break the graph.
- Use chain-native funding where possible: buy USDC on Coinbase, send directly to Base. Buy on OKX, withdraw directly to zkSync. This avoids bridge-based funding graphs.
Timing and Gas Fingerprints
The two signals that catch scripted farming operations regardless of IP and funding opsec. Randomization is non-optional.
Timing randomization
A 5-minute window correlation across 20 actions makes your cluster statistically obvious. Defeat it with layered randomization.
Gas fingerprint defenses
Clusters where 300 wallets all used 25 gwei priority fees have been flagged in published reports. Variation is required.
Bridging Pattern Defense
For bridge-dependent airdrops (LayerZero, Hop, Across), bridge pattern diversity is critical. This is a separate signal from wallet graph and timing.
What projects map
Bridge diversification template
A defensible bridge history for a single wallet across a farming season might look like:
- Stargate: 3 bridges, varied amounts, varied chains (Arb, Optimism, Base)
- Hop: 2 bridges, small amounts, Arbitrum only
- Across: 4 bridges across Ethereum, Optimism, Polygon
- Native L2 bridge (zkSync portal, Starknet bridge): 2 bridges each
- deBridge or Connext: 1-2 exotic bridges for variety
- Total over 6+ months, not 6 weeks
The Complete Defense Stack
Five layers. Missing any one is a correlation vector that survives everything else. This is what a 2026-grade farm actually runs.
Layer 1: Network Isolation
One dedicated mobile 4G/5G proxy per wallet. Unique ASN (mix AT&T, T-Mobile, Verizon). Unique carrier. Rotation on demand for IP refresh. Never reuse an IP across wallets. Prefer US mobile carriers for US-facing projects, EU mobile for EU projects.
Layer 2: Browser Identity
Antidetect browser with unique fingerprint per wallet profile. Options: Multilogin ($99/month), GoLogin ($24/month entry), AdsPower (free tier available), Dolphin Anty ($89/month). Each profile ships a unique Canvas, WebGL, audio, and font fingerprint and ties it to the profile's proxy.
Layer 3: Funding Diversity
Fund each wallet from a different source. 4+ CEXs in rotation. Mix of P2P trades (Bisq, LocalCoinSwap), DEX swaps from pre-existing balances, and occasional intermediate wallet trips to break graphs. Time gaps of 2-4 weeks between funding and first airdrop-targeted activity.
Layer 4: Behavioral Randomization
Randomized timing at micro, meso, and macro scales. Varied gas prices (mix of market, slow, aggressive). Different wallet clients (MetaMask, Rabby, Frame). Different bridging patterns (Stargate + Hop + Across + native). Different amounts. Different dApps visited beyond just airdrop farming.
Layer 5: Long-Tail Activity
Wallets that only interact with airdrop-eligible protocols look like farmers. Defensive wallets have genuine-looking holding periods, occasional losses, NFT mints, governance votes, Lens/Farcaster activity, random Uniswap trades. Multi-chain presence (Ethereum, Solana, Cosmos) strengthens legitimacy.
The compounding rule
A single correlation vector exposes the whole farm. If your 50 wallets pass IP, pass funding graph, pass timing, pass gas, but all bridge through Stargate on the same day with the same amount, that single signal kills everything. Every layer must hold.
The Self-Reporting Option
LayerZero pioneered it: self-report as a Sybil for a guaranteed 15 percent allocation instead of gambling on 100 percent or 0 percent. The math is non-trivial.
The LayerZero program (May 2024)
Farmers who self-identified as Sybils before the snapshot received 15 percent of their initial allocation. The remaining 85 percent was redistributed to non-Sybil users. Approximately 1.3 million wallets self-reported and were accepted at reduced allocation. An additional 803K were flagged post-snapshot by detection and zeroed.
Stay silent if:
- Each wallet has unique dedicated mobile proxy
- Funding graph has no common parent within 5 hops
- Antidetect browser profiles are unique per wallet
- Timing and gas are randomized
- Bridging patterns are diversified
- Wallets have long-tail legitimate activity
Expected value of staying silent: 85 percent pass rate ร 100 percent = 85 percent. Versus self-report at 15 percent. Silent wins ~6ร.
Self-report if:
- Wallets share a single residential or datacenter IP
- Funded from single CEX withdrawal to master wallet
- Copy-paste transaction patterns across wallets
- Batch-created wallets with identical timestamps
- Same gas price used across all wallets
- Zero long-tail activity (airdrop protocols only)
Expected value of staying silent: 10 percent pass rate ร 100 percent = 10 percent. Versus self-report at 15 percent. Self-report wins.
Why projects include self-report
Self-report is economically rational for projects. It pulls farmers off the 0 percent boundary at 15 percent cost, but in exchange the project gets a clean training set for its detection models. Every self-reported wallet is a labeled positive example that improves Sybil detection for the next airdrop.
This is why self-report is increasingly common in 2025-2026. Expect LayerZero-style programs to become standard. Decide your threshold in advance.
// Premium Mobile Proxy Pricing
Configure & Buy Mobile Proxies
Select from 10+ countries with real mobile carrier IPs and flexible billing options
// billing-period
Select the billing cycle that works best for you
Available regions:
selected config
ONLINE๐บ๐ธUSA Configuration
AT&T โข Florida โข Monthly Plan
Your price:
No commitment โข Cancel anytime โข Purchase guide
Popular Proxy Locations
Secure payment methods accepted: Credit Card, PayPal, Bitcoin, and more. 2 free modem replacements per 24h.
One Wallet. One Mobile IP. Zero Correlation.
Dedicated 4G/5G mobile proxies across AT&T, T-Mobile, and Verizon. Unique carrier ASN per proxy. CGNAT shielding that defeats IP correlation. Built specifically for the opsec requirements of modern airdrop farming.
- Q01What is a Sybil attack in airdrop farming and why do projects care?
- A Sybil attack is when a single operator controls dozens, hundreds, or thousands of wallets to inflate their share of an airdrop at the expense of genuine users. Projects care because Sybils destroy tokenomics: a single farmer capturing 5 percent of a $1B airdrop extracts $50M that was supposed to bootstrap a real community. Post-launch, Sybils dump their allocation immediately, crashing the price for everyone who received tokens legitimately. LayerZero, zkSync, Starknet, and Blast all ran aggressive Sybil filters in 2024 precisely because every previous airdrop had been gutted by farmers. In June 2024, LayerZero publicly excluded 803K wallets (~38 percent of its initial snapshot) and zkSync Era excluded roughly 60 percent of eligible addresses, showing how central Sybil defense has become to airdrop design.
- Q02Who are Trusta Labs, Nansen, and Bubblemaps and what do they actually do?
- These are the three most important firms in Sybil detection as of 2026. Trusta Labs provides machine-learning Sybil clustering and on-chain identity scoring; they served LayerZero, zkSync Era, Starknet, and Blast directly. Nansen is wallet analytics that labels addresses (CEX, whale, smart money, smart contract) and identifies clusters by transaction patterns, timing, and funding flows. Bubblemaps is visualization software that renders wallet relationships as literal bubble graphs based on fund flows; if 50 wallets all trace back to the same Binance withdrawal two hops deep, Bubblemaps shows a single giant bubble with 50 satellites, which is an instant Sybil flag. Projects combine outputs from all three plus internal heuristics before finalizing allocations.
- Q03How does IP correlation actually expose Sybil wallets?
- Projects do not see your IP directly from on-chain data, but they see it through the frontends and RPC endpoints you use. dApp frontends log IP plus connected wallet address, centralized bridges record the IP of every bridge request, and many RPC providers (Infura, Alchemy, Ankr) log wallet address plus IP per request. When a project purchases detection services, those vendors can be given access to frontend analytics or can correlate RPC logs they sell themselves. If 200 wallets all connected from the same residential IP or the same datacenter range, or all used the same RPC API key, that is a smoking gun. Mobile CGNAT IPs defeat this because a single mobile IP is naturally shared by thousands of real users, so a handful of wallets behind one CGNAT endpoint looks normal.
- Q04What is wallet graph analysis and how many hops do projects trace?
- Wallet graph analysis (also called funding graph analysis) traces the flow of funds backward from airdrop-eligible wallets to identify common sources. If wallets A through Z were all funded by wallet X in the last 90 days, either directly or through 2-3 intermediary hops, they likely belong to the same operator. Projects typically trace 3-5 hops backward, weighting recent transfers heavier and ignoring flows through known CEX hot wallets since those mix funds across millions of users. The Trusta Labs methodology published in their 2024 LayerZero report traced up to 5 hops with time-decay weighting. Farmers defeat this by funding wallets from diverse sources (different CEXs, different P2P trades, different DEX swaps) and by introducing genuine time gaps and intermediate activity between funding and farming.
- Q05Why are mobile 4G/5G proxies preferred over residential proxies for airdrop farming?
- Three reasons. First, trust score: mobile IPs score 0.90-0.95 on typical fingerprinting services while residential IPs score 0.70-0.80, because residential pools have been saturated by scraping and have accumulated bot flags. Second, CGNAT shielding: mobile carriers share IPs across thousands of subscribers via Carrier-Grade NAT, so your farming activity is hidden among genuine traffic from real users on the same IP, whereas residential IPs are 1:1 to a home and any flag sticks. Third, ASN reputation: mobile carrier ASNs (AT&T Mobility, T-Mobile USA, Verizon Wireless) are whitelisted by most anti-bot vendors because blocking them would block millions of real users. For airdrop farming where each wallet needs a unique identity and where vendors like Trusta Labs actively look for IP clustering, mobile proxies offer the best cover.
- Q06What is the LayerZero self-report program and should farmers use it?
- In May 2024 LayerZero announced a self-report program: farmers who identified themselves as Sybils before the snapshot would receive 15 percent of their initial allocation instead of 0 percent from a full Sybil flag, and the remaining 85 percent was redistributed to non-Sybil users. Approximately 803K wallets were ultimately flagged. The self-report calculus is genuinely difficult: if your operation has strong opsec (unique mobile IPs, randomized timing, diverse funding, unique browser fingerprints) you are probably better off staying silent and hoping to pass the filter at 100 percent. If your opsec is weak (shared residential IP, batch-funded from one CEX, copy-paste transaction patterns) you are better off self-reporting for guaranteed 15 percent than getting zero after detection. Most sophisticated farmers chose to stay silent; those who self-reported were typically smaller operators hedging their bets.
- Q07How do timing and gas fingerprints expose multi-wallet operations?
- Detection firms look for suspicious correlations in transaction timing and gas usage. Timing correlation flags wallets that broadcast transactions within tight windows (commonly 5 minutes or less) repeatedly across many actions; a genuine user is unlikely to mirror another user 20 times in a row, but 50 farmed wallets running a script will. Gas fingerprinting flags wallets that consistently use identical gas prices, identical gas limits, or identical priority fees across unrelated transactions, because wallet software personalizes these values slightly based on user history and local mempool data. Farmers defend by introducing randomized delays (anywhere from 10 minutes to 48 hours between wallets), using different wallet clients (MetaMask, Rabby, Frame, Keplr) with different default gas strategies, and occasionally overriding gas manually with varied values. The goal is statistical noise that breaks the correlation.
- Q08What does a complete Sybil defense stack look like for 2026 airdrop farming?
- A production-grade stack has five layers. Layer 1 network: one dedicated mobile 4G/5G proxy per wallet with a unique ASN, unique carrier, and rotating IP on request. Layer 2 browser identity: antidetect browser (Multilogin, GoLogin, AdsPower, or Dolphin Anty) with a unique Canvas, WebGL, audio, and font fingerprint per profile. Layer 3 funding diversity: fund each wallet from a different source (CEX1, CEX2, P2P, DEX swap, over-the-counter) with time gaps and intermediate activity between funding and farming. Layer 4 behavioral randomization: randomized timing (no scripted batches), varied gas prices, different bridging routes, different amounts, different dApps visited. Layer 5 long-tail activity: genuine-looking holding periods, occasional losses, participation in governance or NFT mints, activity on multiple chains. Skipping any layer creates a correlation vector that modern detection will find.
Related
Launch Playbook
/blog/start-mobile-proxy-reseller-business-2026
Bulk Pricing Math
/blog/mobile-proxy-bulk-pricing-volume-tiers
MobileProxy.space
/blog/mobileproxy-space-alternative
Localtonet
/blog/localtonet-alternative
LuxSocks (closed)
/blog/luxsocks-alternative
Pingproxies
/blog/pingproxies-alternative