Solana’s WET Presale Returns Following Bot Farm Supply Attacks

A Solana presale event faced distribution problems after a bot farm allegedly utilized over 1,000 wallets to snipe nearly the entire Wet (WET) token sale within seconds.

Conducted via the decentralized exchange aggregator Jupiter, the presale sold out almost immediately. However, authentic buyers had virtually no opportunity to participate due to a single actor’s dominance, as reported by the organizers.

The Solana automated market maker (AMM) HumidiFi, which managed the presale, confirmed the breach and canceled the launch entirely. The team announced plans to create a new token and conduct an airdrop for legitimate participants while specifically excluding the sniper.

“We are creating a new token. All Wetlist and JUP staker buyers will receive a pro-rata airdrop. The sniper is not getting anything,” HumidiFi stated. “We will hold a new public sale on Monday.”

Bubblemaps identifies alleged sniper after tracing over 1,000 wallets

On Friday, blockchain analytics platform Bubblemaps declared that it had identified the entity responsible for the presale attack, after noticing unusual wallet clustering during the token sale.

In an X thread, the company reported that at least 1,100 of the 1,530 participating wallets exhibited identical funding and activity patterns, indicating a single actor’s control.

Bubblemaps CEO Nick Vaiman informed Cointelegraph that their team scrutinized presale participants using their platform, observing patterns including new wallets with no previous on-chain activity, all funded by a limited number of wallets.

These also received funding within a narrow time frame with similar Solana (SOL) token amounts.

“Although some of the clusters were not interconnected on-chain, the behavioral similarities in size, timing, and funding all point to a unified entity,” Vaiman told Cointelegraph.

Bubblemaps reported that the sniper financed thousands of new wallets from exchanges, each having received 1,000 USDC (USDC) prior to the sale.

The analytics firm added that one of the clusters “slipped,” allowing them to connect the attack to a Twitter handle, “Ramarxyz,” who subsequently went on X to request a refund.

Related: Pepe memecoin website exploited, redirecting users to malware: Blockaid

Sybil attacks must be viewed as a “critical” security threat

This attack follows other Sybil attack incidents in November, where clusters controlled by individual entities sniped token supplies.

On Nov. 18, a single entity acquired 60% of aPriori’s APR token airdrop. On Nov. 26, Edel Finance-associated wallets reportedly sniped 30% of their own EDEL tokens. The team’s co-founder denied involvement in sniping and claimed they had allocated the tokens to a vesting contract.

Vaiman mentioned to Cointelegraph that Sybil attacks are increasingly frequent in token presales and airdrops. However, he noted that the patterns differ each time. He advocated that, for safety, teams should implement Know Your Customer (KYC) measures or utilize algorithms to detect Sybils.

He added that they could also manually review presale or airdrop participants prior to token allocation.

“Sybil activity should be regarded as a critical security threat to token launches,” Vaiman advised Cointelegraph. “Projects ought to have dedicated teams or outsource Sybil detection to professionals for assistance.”