How CoinList Fights Sybil Attacks

Since CoinList’s inception, our team has removed approximately 2.4 million bots and fraudulent accounts from our platform. For any business, removing accounts of this nature would have negative impacts on revenue, as sybils are great for pumping numbers and boosting profits.

But this is not the type of business we aim to run. Our goal is to be here for the long run and onboard real, high-quality users to interact with the builders we support.

Below, we’ll explain what a sybil attack is, our process for offboarding sybils, sybil case studies, and what we achieved by offboarding these 2.4 million accounts.

What is a Sybil Attack?

A sybil attack is a security threat in which a single malicious actor creates multiple fake identities to try to gain disproportionate influence in a network. The actor often achieves this by creating numerous accounts or wallets that appear to belong to different individuals or by purchasing real people’s identities.

In the context of token launches via airdrops and fixed-price sales, sybils can distort the allocation of resources and rewards, and manipulate token voting. Sybils take up valuable spots in token launches, preventing legitimate users from engaging and contributing.

Our Process of Offboarding Sybils

At CoinList, we prioritize comprehensive sybil prevention to ensure the integrity and fairness of our platform. While many on-chain platforms and airdrops rely solely on on-chain data to mitigate sybil attacks, our approach is more robust.

We verify the legitimacy of devices and browsers, analyze IP addresses, screen for bot-like and unusual activities, assess email addresses for legitimacy, and ensure each participant is a unique and verified individual.

The below image is an example of someone who tried to use a fake ID to bypass identity verification protocols.


Sybils are often able to exploit on-chain airdrops by faking transaction activity and cutting connections with other wallets they control. CoinList users must pass additional verification steps to ensure account security, and even a single suspicious action may result in the loss of their account.

All accounts flagged for review are asked to re-verify their identities with a simple selfie and ID process. Re-verifications may also be requested for regulatory reasons.

Sybil Case Studies

Example 1: Account farming

In one instance, we identified a sybil who controlled 1,373 accounts, which they acquired through social engineering. Our FIU and Trust & Safety teams then initiated an investigation, leading to the discovery of all the connected accounts, illustrated in the graph below. Following the investigation, we requested that these accounts prove their identities — but none of the 1,373 accounts succeeded.

While identity verification is one line of defense, a holistic approach is essential to prevent such extensive account manipulation from the outset.

Example 2: Combining on-chain and off-chain data

Experienced sybils may attempt to obfuscate their on-chain tracks by using exchange addresses. In the below example, we used off-chain data that included IP, device, and behavioral intelligence models to fill the gaps that on-chain data alone did not reveal. By combining both data sources, we were able to trace activity to “safe” wallets and uncover more farming accounts.
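The following added example (not CoinList's code or tooling) illustrates why combining the two data sources matters: accounts are clustered with union-find on shared signals, and an exchange funding address is ignored as a link because unrelated users share it. The record fields, account names, addresses and IPs are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records; every account, address and IP here is made up.
# "funder" is the on-chain address that first funded the account's wallet.
EXCHANGE_ADDRS = {"0xEXCHANGE_HOT"}  # shared by unrelated users, so not a link
RECORDS = [
    {"account": "a1", "funder": "0xF1", "device": "d1", "ip": "198.51.100.7"},
    {"account": "a2", "funder": "0xF1", "device": "d2", "ip": "198.51.100.8"},
    {"account": "a3", "funder": "0xEXCHANGE_HOT", "device": "d1", "ip": "198.51.100.9"},
    {"account": "a4", "funder": "0xEXCHANGE_HOT", "device": "d3", "ip": "198.51.100.9"},
    {"account": "a5", "funder": "0xEXCHANGE_HOT", "device": "d9", "ip": "192.0.2.44"},
    {"account": "a6", "funder": "0xF2", "device": "d8", "ip": "192.0.2.45"},
]


def cluster(records, signals):
    """Group accounts that share any value of the given signals (union-find)."""
    parent = {r["account"]: r["account"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (signal, value) -> first account observed with it
    for r in records:
        for sig in signals:
            if sig == "funder" and r[sig] in EXCHANGE_ADDRS:
                continue  # exchange funding hides the on-chain trail
            key = (sig, r[sig])
            if key in first_seen:
                parent[find(r["account"])] = find(first_seen[key])
            else:
                first_seen[key] = r["account"]

    groups = defaultdict(set)
    for acct in parent:
        groups[find(acct)].add(acct)
    # Only groups of two or more accounts are candidates for review.
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    print("on-chain only :", cluster(RECORDS, ["funder"]))
    print("off-chain only:", cluster(RECORDS, ["device", "ip"]))
    print("combined      :", cluster(RECORDS, ["funder", "device", "ip"]))
```

A shared IP can also be a household, office or VPN exit, so the resulting clusters are candidates for the re-verification step described above rather than verdicts.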

Example 3: Industrial level airdrop farmers

Airdrop farming has become an activity that many protocols either do not actively combat or lack the data and tools to combat. These environments unfortunately lead to thousands of sybils temporarily joining communities in the run-up to airdrops. After airdrops take place, these organized sybils disappear, causing token selling pressure and leaving behind only a few active users, who often receive significantly smaller airdrop allocations.

The below cluster, detected by our friends at Nansen, shows 60,995 wallet addresses confirmed as sybils.

What We Achieved by Offboarding 2.4M Accounts

How Builders Benefit

Stronger Communities:

  • No one wants a ghost community. Eliminating sybil and fraudulent actors creates a community of real users and provides longer-term stability for the project.
  • Malicious actors are more likely to quickly dump tokens, whereas legitimate users who are early contributors, who bought their tokens at a fair price, or who are forced into vesting are more likely to hold tokens for the long term.

Accurate Metrics and Analytics:

  • With fewer fraudulent accounts skewing data, projects can gather more accurate information about user behavior and engagement.
  • No one wants to include 100 accounts of Ruslan.eth within their metrics if there is an important decision to be made with this data.

Improved Security:

  • When everything is on-chain, it is impossible to ascertain who is receiving airdrops and whether they are located in specific regions.
  • Removing potential malicious actors helps boost project security.

How Adopters Benefit

More Opportunities to Participate:

  • When sybils are offboarded, legitimate participants have more opportunities to engage and contribute, as the removal of fraudulent entities frees up valuable spots.

Greater Trust in Communities:

  • Early adopters can interact with token communities with confidence, without wondering whether other participants are genuine users or bots.

Legal Notice

This blog post is being distributed by CoinList Global Services Ltd., dba “CoinList,” or one of its subsidiaries.  CoinList does not provide—and this post shall not be construed as—investment, legal or tax advice. This blog post and use of the CoinList website is subject to certain disclosures, restrictions and risks, available here.