Sybil Defense for Multi-Wallet Airdrop Farming (2026)
LayerZero filtered 803,000 wallets. zkSync Era dropped 60 percent of eligible addresses. Starknet cut 27,000 before distribution. This is how Trusta Labs, Nansen, Bubblemaps, and Chaos Labs actually find Sybils, and how serious farmers build opsec that survives the filter.
Major Sybil Filters of 2024
Four airdrops that publicly filtered hundreds of thousands of Sybil wallets, and what the numbers actually mean for farmers building opsec today.
LayerZero ZRO (June 2024)
The landmark Sybil filter of the cycle
The numbers
- Initial eligible snapshot: ~2.1M wallets
- Full Sybils excluded: 803,093 wallets (~38 percent)
- Self-reported Sybils: ~1.3M wallets accepted at 15 percent allocation
- Final qualified non-Sybil wallets: ~1.28M
Detection stack
- Trusta Labs: primary ML clustering vendor
- Nansen: wallet labeling, smart money exclusion
- Chaos Labs: behavioral simulation
- Internal LayerZero heuristics on bridge patterns
Key lesson: LayerZero published its criteria openly. Sybil cluster indicators included wallets funded from the same source within 30 days, wallets transacting through the same bridges with similar amounts, and wallets with overlapping transaction timing windows. Every one of these is a defeatable signal with proper opsec.
zkSync Era ZK (June 2024)
The most aggressive Sybil filter to date
The numbers
- Initial interaction snapshot: ~6.9M wallets
- Roughly 60 percent excluded as low-effort or Sybil
- Final eligible: ~695K wallets received tokens
- Community pushback was immediate and loud
Detection stack
- Trusta Labs MEDIA algorithm
- Activity duration thresholds (30+ days)
- Minimum USD volume requirements
- Unique dApp interactions (10+ protocols)
Key lesson: zkSync did not publish full per-wallet Sybil scores. Instead they combined explicit Sybil detection with quality thresholds: a wallet could be excluded for being a Sybil OR for being a genuine low-effort farmer. This dual filter is now standard.
Starknet STRK (February 2024)
Pre-distribution Sybil cut and retroactive adjustment
The numbers
- Initial eligible wallets: ~1.3M
- Pre-distribution Sybil cut: 27,000 wallets
- Average allocation per eligible: ~1,800 STRK
Detection stack
- Trusta Labs clustering
- GitHub developer weighting
- Bridge volume thresholds
Blast BLAST (June 2024)
Point-based airdrop with Sybil-weighted distribution
Blast took a different approach: instead of binary exclusion, they reduced allocations for wallets flagged as suspicious. Users with clear Sybil indicators received 50 percent or less of their point-accrued share, while obvious farmers (batch-created wallets, identical funding patterns) were zeroed out entirely.
Key lesson: The trend in 2025-2026 is toward graduated penalties rather than binary cuts. A wallet can be partially flagged and receive a reduced allocation, which makes appeals harder and maximizes retained value for the project.
How Detection Actually Works
Five core techniques that modern Sybil detection firms combine. Understanding each one is the prerequisite to designing opsec that defeats them.
IP Correlation
Projects correlate wallet addresses with IPs logged by dApp frontends, centralized bridges, and RPC providers. If 200 wallets connected from the same IP or the same /24 subnet, they cluster as one operator.
Wallet Graph Analysis
Trace funds backward 3-5 hops from airdrop wallets to identify common funding sources. If 40 wallets all trace back to the same Binance withdrawal within 72 hours, they are a cluster.
Timing Correlation
Flag wallets that repeatedly transact within the same narrow time window. A 5-minute correlation across 20 actions is a near-zero probability event for independent users.
Gas Fingerprinting
Wallet software personalizes gas prices and limits based on user history. Scripts often override with identical values, creating a gas fingerprint that links wallets.
Bridging Pattern Analysis
Projects map bridge flows: which source chain, which destination chain, which amounts, which bridge providers. Wallets that all bridge the exact same amount from the exact same chain using the exact same bridge in the same week are obvious clusters.
Tools Projects Actually Use
Five firms dominate Sybil detection services in 2026. Knowing their methodology is essential to defending against it.
Trusta Labs
The dominant airdrop Sybil detection firm. Served LayerZero, zkSync Era, Starknet, Blast, and dozens more. Their MEDIA algorithm combines ML clustering with on-chain identity signals (TrustScore). Proprietary methodology but published whitepapers confirm funding graph analysis, timing correlation, gas fingerprinting, and behavioral clustering are all components.
Nansen
The wallet analytics standard. Nansen labels 300M+ addresses (CEX hot wallets, whales, smart money, MEV bots, smart contracts, exploited contracts). Projects feed their airdrop candidate list to Nansen and receive cluster reports based on transaction patterns, counterparty overlap, and funding flows. Nansen does not sell Sybil scores per se, but its cluster exports are a core input to many project-side filters.
Bubblemaps
Bubblemaps renders wallet relationships as literal bubble graphs. Each wallet is a bubble sized by balance, and fund flows between wallets draw connecting lines. Clusters that look like a star with 50 satellites orbiting a single hub are instant Sybil flags. Projects use Bubblemaps both for automated filtering and for manual review of edge cases.
Chaos Labs
Chaos Labs focuses on smart contract and airdrop simulation. They simulate how an airdrop distribution would play out under different Sybil thresholds, showing projects what percentage of TVL retention they can expect at each filter strength. Used by LayerZero and others for pre-launch distribution modeling.
ScopeScan
ScopeScan provides forensic-grade wallet tracing used increasingly in 2025-2026 for airdrop Sybil review and post-launch dump analysis. Specialty is tracing mixer-obscured flows and identifying clusters that evade simpler graph analysis by using Tornado Cash or cross-chain bridges as intermediaries.
IP Correlation: The Biggest Sybil Signal
Every detection vendor starts with IP clustering. Understanding how they get the data and how CGNAT mobile IPs defeat it is the single most important opsec concept for farmers.
How projects get your IP
Every dApp (Uniswap, Stargate, Arbitrum Bridge) logs IP + connected wallet address in its analytics pipeline.
Stargate, Hop, Across, deBridge log source IP of every bridge request for fraud prevention and regulatory compliance.
Infura, Alchemy, Ankr, QuickNode log API key + IP + every wallet address signed. Some sell anonymized logs.
Starknet, zkSync, Scroll all run their own RPC endpoints as default. If you used the default endpoint, they have your IP.
MetaMask telemetry (on by default) sends IP + wallet data to Consensys infrastructure.
Why mobile CGNAT defeats it
A single AT&T mobile IP is shared by 500-5,000 real subscribers via Carrier-Grade NAT. Any flag would hit thousands of genuine users.
Detection vendors whitelist AS7018 (AT&T), AS21928 (T-Mobile), AS22394 (Verizon Wireless) because blocking them blocks millions of real users.
Mobile proxies rotate IPs on airplane mode cycles. Each wallet can have a fresh IP when it matters (bridge activity, LP, etc.).
Mobile traffic dominantly is genuine humans browsing. Your farming activity is buried in the background noise.
Different mobile proxies in different cities (NYC, LA, Miami, Chicago) create geographic spread that mirrors a genuine global user base.
The one-IP-per-wallet rule
The non-negotiable foundation of airdrop opsec: every wallet gets its own dedicated mobile proxy with its own carrier ASN and its own rotation cycle. No exceptions. No sharing. No using the same proxy for wallet A one day and wallet B the next.
At scale this means you are running 20, 50, or 200 dedicated mobile proxies. The cost is real, but the math works: even a single successful airdrop (LayerZero at $3.77 per token launch, zkSync at $0.20, Starknet at $2+) covers years of proxy infrastructure for a well-run farm.
Wallet Graph Analysis: Funding Source Tracing
Every wallet that exists was funded from somewhere. Detection firms trace that funding back 3-5 hops looking for common sources.
The naive pattern (gets flagged)
ย ย โ Single withdrawal 5 ETH
ย ย ย ย โ Farmer master wallet
ย ย ย ย ย ย โ 0.05 ETH to wallet 1
ย ย ย ย ย ย โ 0.05 ETH to wallet 2
ย ย ย ย ย ย โ 0.05 ETH to wallet 3
ย ย ย ย ย ย โ ... (100 identical sends)
Every wallet traces back to one master in one hop, with identical amounts and near-simultaneous timestamps. Bubblemaps draws a star. Trusta Labs flags the cluster in 10 minutes.
The safe pattern (survives graph analysis)
Coinbase w/ KYC2 โ wallet B
OKX w/ KYC3 โ wallet C
Kraken w/ KYC4 โ wallet D
P2P Bisq/LocalCoinSwap โ wallet E
DEX swap from pre-existing โ wallet F
(different amounts, different weeks,
ย intermediate dApp activity before farming)
Each wallet traces to a distinct funding source. Amounts vary. Time gaps between funding and farming are weeks not minutes. No master wallet exists to cluster on.
Funding diversity checklist
- Use 4+ different exchanges for funding. Binance, Coinbase, Kraken, OKX, Bybit, Bitstamp, Gemini each have different hot wallet infrastructure.
- Mix funding methods: some wallets from CEX withdrawals, some from P2P trades (Bisq, LocalCoinSwap, HodlHodl), some from DEX swaps from pre-existing on-chain balances.
- Randomize funding amounts: instead of 100 wallets each with 0.05 ETH, use 100 wallets with amounts from 0.02 to 0.15 ETH spread naturally.
- Insert time gaps: fund a wallet, let it sit 2-4 weeks, do some unrelated activity (a swap, a mint), then begin airdrop farming.
- Never fund through a master wallet: the single most toxic pattern. If you must consolidate, use mixers (where legal) or CEX round-trips to break the graph.
- Use chain-native funding where possible: buy USDC on Coinbase, send directly to Base. Buy on OKX, withdraw directly to zkSync. This avoids bridge-based funding graphs.
Timing and Gas Fingerprints
The two signals that catch scripted farming operations regardless of IP and funding opsec. Randomization is non-optional.
Timing randomization
A 5-minute window correlation across 20 actions makes your cluster statistically obvious. Defeat it with layered randomization.
Gas fingerprint defenses
Clusters where 300 wallets all used 25 gwei priority fees have been flagged in published reports. Variation is required.
Bridging Pattern Defense
For bridge-dependent airdrops (LayerZero, Hop, Across), bridge pattern diversity is critical. This is a separate signal from wallet graph and timing.
What projects map
Bridge diversification template
A defensible bridge history for a single wallet across a farming season might look like:
- Stargate: 3 bridges, varied amounts, varied chains (Arb, Optimism, Base)
- Hop: 2 bridges, small amounts, Arbitrum only
- Across: 4 bridges across Ethereum, Optimism, Polygon
- Native L2 bridge (zkSync portal, Starknet bridge): 2 bridges each
- deBridge or Connext: 1-2 exotic bridges for variety
- Total over 6+ months, not 6 weeks
The Complete Defense Stack
Five layers. Missing any one is a correlation vector that survives everything else. This is what a 2026-grade farm actually runs.
Layer 1: Network Isolation
One dedicated mobile 4G/5G proxy per wallet. Unique ASN (mix AT&T, T-Mobile, Verizon). Unique carrier. Rotation on demand for IP refresh. Never reuse an IP across wallets. Prefer US mobile carriers for US-facing projects, EU mobile for EU projects.
Layer 2: Browser Identity
Antidetect browser with unique fingerprint per wallet profile. Options: Multilogin ($99/month), GoLogin ($24/month entry), AdsPower (free tier available), Dolphin Anty ($89/month). Each profile ships a unique Canvas, WebGL, audio, and font fingerprint and ties it to the profile's proxy.
Layer 3: Funding Diversity
Fund each wallet from a different source. 4+ CEXs in rotation. Mix of P2P trades (Bisq, LocalCoinSwap), DEX swaps from pre-existing balances, and occasional intermediate wallet trips to break graphs. Time gaps of 2-4 weeks between funding and first airdrop-targeted activity.
Layer 4: Behavioral Randomization
Randomized timing at micro, meso, and macro scales. Varied gas prices (mix of market, slow, aggressive). Different wallet clients (MetaMask, Rabby, Frame). Different bridging patterns (Stargate + Hop + Across + native). Different amounts. Different dApps visited beyond just airdrop farming.
Layer 5: Long-Tail Activity
Wallets that only interact with airdrop-eligible protocols look like farmers. Defensive wallets have genuine-looking holding periods, occasional losses, NFT mints, governance votes, Lens/Farcaster activity, random Uniswap trades. Multi-chain presence (Ethereum, Solana, Cosmos) strengthens legitimacy.
The compounding rule
A single correlation vector exposes the whole farm. If your 50 wallets pass IP, pass funding graph, pass timing, pass gas, but all bridge through Stargate on the same day with the same amount, that single signal kills everything. Every layer must hold.
The Self-Reporting Option
LayerZero pioneered it: self-report as a Sybil for a guaranteed 15 percent allocation instead of gambling on 100 percent or 0 percent. The math is non-trivial.
The LayerZero program (May 2024)
Farmers who self-identified as Sybils before the snapshot received 15 percent of their initial allocation. The remaining 85 percent was redistributed to non-Sybil users. Approximately 1.3 million wallets self-reported and were accepted at reduced allocation. An additional 803K were flagged post-snapshot by detection and zeroed.
Stay silent if:
- Each wallet has unique dedicated mobile proxy
- Funding graph has no common parent within 5 hops
- Antidetect browser profiles are unique per wallet
- Timing and gas are randomized
- Bridging patterns are diversified
- Wallets have long-tail legitimate activity
Expected value of staying silent: 85 percent pass rate ร 100 percent = 85 percent. Versus self-report at 15 percent. Silent wins ~6ร.
Self-report if:
- Wallets share a single residential or datacenter IP
- Funded from single CEX withdrawal to master wallet
- Copy-paste transaction patterns across wallets
- Batch-created wallets with identical timestamps
- Same gas price used across all wallets
- Zero long-tail activity (airdrop protocols only)
Expected value of staying silent: 10 percent pass rate ร 100 percent = 10 percent. Versus self-report at 15 percent. Self-report wins.
Why projects include self-report
Self-report is economically rational for projects. It pulls farmers off the 0 percent boundary at 15 percent cost, but in exchange the project gets a clean training set for its detection models. Every self-reported wallet is a labeled positive example that improves Sybil detection for the next airdrop.
This is why self-report is increasingly common in 2025-2026. Expect LayerZero-style programs to become standard. Decide your threshold in advance.
Configure & Buy Mobile Proxies
Select from 10+ countries with real mobile carrier IPs and flexible billing options
Choose Billing Period
Select the billing cycle that works best for you
SELECT LOCATION
when you order 5+ proxy ports
Carrier & Region
Available regions:
Included Features
๐บ๐ธUSA Configuration
AT&T โข Florida โข Monthly Plan
Your price:
$129
/month
Unlimited Bandwidth
No commitment โข Cancel anytime โข Purchase guide
Perfect For
Popular Proxy Locations
Secure payment methods accepted: Credit Card, PayPal, Bitcoin, and more. 2 free modem replacements per 24h.
Frequently Asked Questions
Straight answers on Sybil detection, opsec economics, and 2026 best practices.
One Wallet. One Mobile IP. Zero Correlation.
Dedicated 4G/5G mobile proxies across AT&T, T-Mobile, and Verizon. Unique carrier ASN per proxy. CGNAT shielding that defeats IP correlation. Built specifically for the opsec requirements of modern airdrop farming.