A Solana presale event faced significant distribution challenges after a bot farm allegedly exploited over 1,000 wallets to rapidly acquire almost the entire Wet (WET) token sale within seconds.
Conducted via the decentralized exchange aggregator Jupiter, the presale sold out in the blink of an eye. However, genuine buyers found themselves effectively locked out as a single entity monopolized the sale, according to the event organizers.
Solana automated market maker (AMM) HumidiFi, the team behind the presale, confirmed the attack and decided to cancel the launch entirely. The team announced plans to create a new token and execute an airdrop for legitimate participants while explicitly excluding the sniper.
“We are in the process of creating a new token. All Wetlist and JUP stakers will receive a pro-rata airdrop. The sniper will not benefit,” HumidiFi stated. “We plan to hold a new public sale on Monday.”
Bubblemaps identifies alleged sniper after tracing over 1,000 wallets
On Friday, blockchain analytics platform Bubblemaps announced that it had pinpointed the entity responsible for the presale attack after observing unusual wallet clustering during the token sale.
In a thread on X, the company reported that at least 1,100 out of the 1,530 participating wallets exhibited similar funding and activity patterns, indicating that a single actor was behind them.
Bubblemaps CEO Nick Vaiman told Cointelegraph that their team analyzed the presale participants through their platform and identified patterns, such as new wallets devoid of previous onchain activity, all financed by a select few wallets.
These wallets were also funded within a narrow time frame with matching amounts of Solana (SOL) tokens.
“Although some of the clusters were not interconnected onchain, the behavioral similarities in size, timing, and funding strongly indicate a singular entity,” Vaiman explained to Cointelegraph.
Bubblemaps stated that the sniper financed thousands of new wallets from exchanges, which had received 1,000 USDC (USDC) prior to the sale.
The analytics company discovered that one of the clusters “slipped,” enabling them to connect the attack to a Twitter handle, “Ramarxyz,” who subsequently went on X to request a refund.
Related: Pepe memecoin website exploited, redirecting users to malware: Blockaid
Sybil attacks must be treated as a “critical” security threat
This attack adds to a list of Sybil attack incidents reported in November, where clusters under single control sniped token distributions.
On Nov. 18, a single actor captured 60% of aPriori’s APR token airdrop, while on Nov. 26, wallets linked to Edel Finance allegedly sniped 30% of their own EDEL tokens. The co-founder of Edel Finance denied accusations of sniping their supply, asserting they had placed the tokens in a vesting contract.
Vaiman shared with Cointelegraph that Sybil attacks are increasingly common during token presales and airdrops, yet each incident demonstrates different patterns. He recommended that to enhance security, project teams should implement Know Your Customer (KYC) protocols or utilize algorithms to detect Sybil activities.
Additionally, he advised they manually review presale or airdrop participants prior to token distribution.
“Sybil activity should be regarded as a critical security threat to token launches,” Vaiman emphasized to Cointelegraph. “Projects need dedicated teams or should outsource Sybil detection to experts who can provide assistance.”
Magazine: Inside a 30,000 phone bot farm stealing crypto airdrops from real users
