Solana’s WET Presale Returns Following Bot Farm Supply Attacks

A Solana presale event faced significant distribution problems after a bot farm allegedly utilized over 1,000 wallets to snatch up nearly the entire Wet (WET) token sale within seconds.

Conducted through the decentralized exchange aggregator Jupiter, the presale sold out almost immediately. However, genuine buyers effectively had no opportunity to participate, as one actor dominated the presale, according to the organizers.

Solana automated market maker (AMM) HumidiFi, the team managing the presale, confirmed the attack and canceled the launch entirely. The team stated they would create a new token and conduct an airdrop for legitimate participants, explicitly excluding the sniper.

“We are creating a new token. All Wetlist and JUP staker buyers will receive a pro-rata airdrop. The sniper is not getting anything,” HumidiFi wrote. “We will organize a new public sale on Monday.”

Bubblemaps identifies alleged sniper after tracing over 1,000 wallets

On Friday, the blockchain analytics platform Bubblemaps announced that it had pinpointed the entity responsible for the presale attack, having observed unusual wallet clustering during the token sale.

In a thread on X, the company reported that at least 1,100 out of the 1,530 participating wallets showed identical funding and activity patterns, indicating control by a single actor.

Bubblemaps CEO Nick Vaiman told Cointelegraph that their team analyzed presale participants via their platform and observed patterns, including new wallets with no prior onchain activity, all funded by a limited number of wallets.

These also received funding within a narrow time frame with similar Solana (SOL) token amounts.

“Despite some clusters not being interconnected onchain, the behavioral similarities in size, timing, and funding clearly indicate a single entity,” Vaiman explained to Cointelegraph.

Bubblemaps stated that the sniper funded thousands of new wallets from exchanges, which received 1,000 USDC (USDC) prior to the sale.

The analytics firm noted that one of the clusters “slipped,” enabling them to link the attack to a Twitter handle, “Ramarxyz,” who subsequently went on X to request a refund.

Related: Pepe memecoin website exploited, redirecting users to malware: Blockaid

Sybil attacks must be treated as a “critical” security threat

This attack follows other Sybil attack incidents in November, where clusters controlled by single entities seized token supplies.

On Nov. 18, a single entity acquired 60% of aPriori’s APR token airdrop. On Nov. 26, wallets linked to Edel Finance allegedly obtained 30% of their own EDEL tokens. The team’s co-founder denied involvement in the sniping, claiming the tokens were allocated to a vesting contract.

Vaiman told Cointelegraph that Sybil attacks are increasingly prevalent in token presales and airdrops, though he noted that each instance presents “different patterns.” He advised that for enhanced security, teams should implement Know Your Customer (KYC) protocols or employ algorithms to detect Sybils.

He also suggested that they could manually review presale or airdrop participants before assigning tokens.

“Sybil activity should be treated as a critical security threat to token launches,” Vaiman stated. “Projects ought to have dedicated teams or consider outsourcing Sybil detection to professionals for assistance.”