Sybil attack in blockchain and airdrops: mechanisms, examples, and protection
Distributed blockchain networks do not have a single central node managing the system. This means that a decentralized network of nodes maintains control over the blockchain through a consensus algorithm. However, this approach introduces new threats, including the Sybil attack.
What is a Sybil attack and what are its consequences?
A Sybil attack is a type of cybersecurity threat in which attackers create multiple fake nodes or accounts to manipulate a blockchain network. Attackers themselves are often called "Sybils" by the crypto community.
The term "Sybil attack" was first introduced in 2002 by Microsoft Research scientist John R. Douceur in his foundational paper "The Sybil Attack." Douceur described a threat where a single attacker creates and controls many fake identities (nodes) in a peer-to-peer (P2P) network to gain unfair advantages and destabilize the system.
The name originates from the popular 1973 book "Sybil", which dealt with dissociative identity disorder (then called multiple personality disorder). The metaphor fit perfectly into the concept of Sybil attacks and was later adopted to describe blockchain-related threats.
A Sybil attack is not merely a threat — it's a fundamental challenge to the very concept of decentralized systems. The primary goal of such attacks is to gain control over a decentralized network, enabling a 51% attack that allows double-spending*.
* Double-spending — the act of spending the same digital asset twice, a result of a successful hacking attack.
Sybil attack in airdrops
Although the term "Sybil attack" was initially used in the crypto industry to describe cyber threats within blockchain systems, it was later adopted by airdrop* hunters, also known as drophunters.
* Airdrop — a free distribution of cryptocurrency to active users of a project in exchange for their contribution to the ecosystem.
In the context of airdrops and their variations (retro-drops, bounties, etc.), "Sybils" are users who create multiple accounts or wallets to receive additional rewards during token distributions. Advanced drophunters run entire bot farms with hundreds, or even thousands, of fake accounts that simulate real user behavior.
The Sybil attack leads to an unequal and unfair distribution of tokens during airdrops, affecting major projects such as Starknet, zkSync, and LayerZero. To mitigate or prevent such attacks, project teams deploy various anti-Sybil filtering mechanisms.
For example, LayerZero partnered with the analytics platform Nansen to detect clusters of fraudulent wallets. In 2024, the LayerZero team identified over 800,000 addresses potentially linked to Sybils.
Despite the efforts of Web3 projects, some users still manage to bypass filters and claim extra rewards. According to Dragonfly's 2025 estimates, billions of dollars in airdrops either end up in the hands of Sybils or remain undistributed due to inefficient Sybil prevention mechanisms.
Types of Sybil attacks
Sybil attacks are generally divided into two types: direct and indirect.
Direct Sybil attack
In a direct Sybil attack, attackers interact directly with honest nodes in a blockchain network to gain control over a decentralized protocol.
If successful, they can gain control over network traffic, allowing them to:
- Reject or modify participants' transactions;
- Isolate honest nodes, controlling their inbound and outbound data;
- Distort voting results in Proof-of-Stake (PoS) blockchains and DAO systems.
Most recorded Sybil attacks are direct, as they are easier and cheaper to execute.
Indirect Sybil attack
In an indirect Sybil attack, attackers do not directly contact network nodes. Instead, they exploit hidden resources and indirect methods to influence network governance.
This approach allows them to remain undetected. For instance, they may:
- Spread false information through intermediary nodes;
- Create fake connections between participants, affecting their reputation and decision-making.
Although indirect attacks are rarer, they are more dangerous because they are harder to detect and prevent.
Examples of Sybil attacks
Sybil attacks have targeted well-known networks such as Monero and Ethereum Classic.
In 2020, an attacker attempted a Sybil attack on the Monero network for 10 days by mapping node IP addresses to transactions — but it failed and did not affect network security.
Ethereum Classic has been attacked multiple times. In 2020, attackers gained control of the blockchain three times, successfully executing double-spending attacks that resulted in losses of over $7 million.
In 2018, attackers launched a direct Sybil attack on the Verge network, creating many fake nodes and gaining control over timestamps*. They manipulated blockchain time and mined blocks at extremely low difficulty, stealing about $1.6 million worth of XVG tokens — another example of a 51% attack.
* Timestamp — a time marker recording the exact moment an event occurred. In blockchain, timestamps help order transactions and prevent tampering with data.
How real are the Sybil attack threats to blockchains?
While drophunters can still exploit Web3 airdrop systems, Sybil attacks do not pose an economic threat to established blockchain ecosystems themselves.
In Proof-of-Work (PoW) or Proof-of-Stake (PoS) blockchains like Bitcoin, Ethereum, BNB Chain, Dogecoin, and Cardano, executing a successful Sybil attack would require millions or even billions of dollars in either computing power or staked tokens.
Moreover, attackers have no guarantee of success. For example, in PoS networks, malicious actors' assets may be slashed (partially or fully confiscated) as a penalty.
Modern blockchains also employ advanced Sybil defense mechanisms, such as Zero-Knowledge (ZK) proofs, which verify node legitimacy without revealing identity, and social graphs, which visually map network relationships.
A well-known example is Worldcoin, which uses ZK technology to prove the "humanness" of nodes. Its consensus mechanism, Proof-of-Humanity (PoH), verifies users and validators through biometric data without revealing identities, storing the proof immutably in a smart contract.
Additional defenses include reputation systems and node-scoring models, in which node credibility is tied to its contributions to its ecosystem.
Blockchain protocols can also combine multiple layers of protection. For example, social graphs can highlight malicious nodes — "honest" nodes tend to have diverse connections, while Sybil clusters are isolated and interconnected mainly among themselves.
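The social-graph signal described above can be measured directly. The following is an added example, not code from any project named in this article: it scores each node by how many of its neighbourhood's edges lead outside that neighbourhood and groups the low-scoring nodes into clusters. The edge list, node names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed interaction graph (not real data): h* nodes have varied
# counterparties; s* nodes are connected almost only to one another.
HONEST = [(f"h{i}", f"h{(i + 1) % 8}") for i in range(8)] + [("h0", "h4"), ("h2", "h6")]
SYBIL = [(f"s{i}", f"s{j}") for i in range(5) for j in range(i + 1, 5)]
EDGES = HONEST + SYBIL + [("s0", "h3")]  # single link from the cluster to the honest graph


def build_graph(edges):
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def ego_conductance(adj, node):
    """Share of edge endpoints in node's neighbourhood that lead outside it."""
    group = adj[node] | {node}
    internal = boundary = 0
    for member in group:
        for peer in adj[member]:
            if peer in group:
                internal += 1  # each internal edge is counted from both ends
            else:
                boundary += 1
    return boundary / (internal + boundary)


def suspicious_clusters(adj, max_conductance=0.2, min_size=4):
    """Flag nodes in isolated, interconnected neighbourhoods and group them."""
    flagged = {n for n in adj
               if len(adj[n]) + 1 >= min_size and ego_conductance(adj, n) <= max_conductance}
    clusters, seen = [], set()
    for start in sorted(flagged):
        if start in seen:
            continue
        stack, cluster = [start], {start}
        while stack:  # walk flagged nodes reachable through flagged neighbours
            for peer in (adj[stack.pop()] & flagged) - cluster:
                cluster.add(peer)
                stack.append(peer)
        seen |= cluster
        clusters.append(sorted(cluster))
    return clusters

if __name__ == "__main__":
    print(suspicious_clusters(build_graph(EDGES)))
```

The thresholds are illustrative only. A small, tightly knit group of honest nodes produces the same low score, so the output is a list of candidates for review rather than a verdict.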
Alternative consensus models, such as Proof-of-Social-Capital (PoSC), assess node reputation based on social and ecosystem activity.
KYC (Know Your Customer) verification can also help prevent Sybil attacks, though it contradicts blockchain's principles of anonymity. Still, it can enhance network trust.
Another alternative is token gating, where governance access is granted only to holders of specific tokens or NFTs — forming an additional barrier against Sybil attacks.
