Airdrop Hunter Reportedly Fakes On-Chain Activity with Over 21,000 Sybil Wallets

An unidentified individual has been discovered to have generated an entire eco, including 21,877 Sybil wallets, its own token, and even a decentralized exchange (DEX), to falsify on-chain activity.

DeFi Analyst Exposes Fake On-Chain Activity Scheme

According to DeFi analyst @lingland09, the individual funded each of his wallets with small amounts of ether (ETH), then deployed a smart contract for a non-open sourced token referred to as gemstone (GEM).

🚨Warning: 21877 sybil wallets by one person #zkSync

Let’s disclosure this individuals sybil tactics, he funded all of his wallets with very small amounts of ether, then he deployed Gemstone ( $GEM ) token that wasn’t open source. (

++ pic.twitter.com/firJbfcdfL

— Lingland 09. ∎ (@lingland09) September 10, 2023

After the token was launched, the schemer developed a personal DEX, slowly carrying out transactions between his wallets to create the illusion of actual activity. The transactions were cleverly spread out over different months, weeks, and days to mimic the behavior of other L2 projects.

Once operational, the DEX was used to add liquidity to the GEM tokens with a fund of 80 ETH, artificially inflating the token’s value.

“Then he swapped $gem tokens that he claimed from 21877 wallets at gem/eth pair and gained 0.6- 0.7 eth value of profit.” @lingland09 revealed.

This person also used the same liquidity repeatedly, avoiding any negative effects from price slippage. As a result, they managed to ute transactions on the zkSync Era network with minimal expenses.

The individual also created a trading bot to automate the process, generating ten transactions with a total volume of $10,000 on the zkSync Era network. Notably, the analyst could only trace some of the fake wallets.

“Zkscan Explorer only supports 1k pages of history for each contract. Thus, I’ve only been able to trace 10k wallets tied to this individual’s operation,” @lingland09 stated.

However, @the_matter_labs was able to identify all 21,877 fake Sybil wallets linked to the $gem token contract.

Suspicious Activity Linked to Alleged Fake Airdrop

The motive behind the actions remains unclear. However, the analyst speculates that the individual is a “professional airdrop hunter,” possibly preparing for a fake airdrop by creating activity on the zkSync Era network.

Airdrops, a common marketing tactic in the cryptocurrency world, are exploited by Sybil attackers to defraud users. Airdrops involve distributing free tokens or coins to create interest. In a Sybil attack, the attacker creates multiple fake accounts posing as real users with the aim of taking advantage of other users.

A recent such example is the March ARB governance token airdrop by Arbitrum, which encountered issues due to an increase in Sybil activity caused by ineffective detection rules. According to crypto security researcher X-explore, over 279,328 same-person and 148,595 Sybil addresses exploited these flaws.