A Solana presale event encountered distribution issues after a bot farm reportedly used over 1,000 wallets to snipe nearly the entire Wet (WET) token sale in seconds.
Hosted through the decentralized exchange aggregator Jupiter, the presale sold out almost instantly. But genuine buyers effectively had no chance to participate because a single actor dominated the presale, according to organizers.
Solana automated market maker (AMM) HumidiFi, the team behind the presale, confirmed the attack and scrapped the launch entirely. The team said it would create a new token and hold an airdrop to legitimate participants while explicitly excluding the sniper.
“We are creating a new token. All Wetlist and JUP staker buyers will receive a pro-rata airdrop. The sniper is not getting shit,” HumidiFi wrote. “We will do a new public sale on Monday.”
Bubblemaps identifies alleged sniper after tracing over 1,000 wallets
On Friday, the blockchain analytics platform Bubblemaps announced that it had identified the entity behind the presale attack, having observed unusual wallet clustering during the token sale.
In an X thread, the company reported that at least 1,100 out of the 1,530 participating wallets displayed identical funding and activity patterns, suggesting that a single actor controlled them.
Bubblemaps CEO Nick Vaiman told Cointelegraph that their team analyzed presale participants using their platform and saw patterns, including new wallets with no prior onchain activity, all being funded by a handful of wallets.
These also received funding in a tight time window with similar Solana (SOL) token amounts.
“Despite some of the clusters not connected together onchain, the behavioral similarities in size, time, and funding all point to a single entity,” Vaiman told Cointelegraph.
Bubblemaps said that the sniper funded thousands of new wallets from exchanges, which had received 1,000 USDC (USDC) before the sale.
The analytics company said one of the clusters “slipped,” allowing them to link the attack to a Twitter handle, “Ramarxyz,” who also went on X to ask for a refund.
Related: Pepe memecoin website exploited, redirecting users to malware: Blockaid
Sybil attacks must be treated as a “critical” security threat
The attack follows other Sybil attack incidents in November, where clusters controlled by single entities sniped token supplies.
On Nov. 18, a single entity claimed 60% of aPriori’s APR token airdrop. On Nov. 26, Edel Finance-linked wallets allegedly sniped 30% of their own EDEL tokens. The team’s co-founder denied that they had sniped the supply and claimed they had put the tokens in a vesting contract.
Vaiman told Cointelegraph that Sybil attacks are becoming more common in token presales and airdrops. Still, he said the patterns are “different every time.” He said that for safety, teams should implement Know Your Customer (KYC) measures or use algorithms to detect sybils.
He said they could also manually review presale or airdrop participants before allocating tokens.
“Sybil activity needs to be treated as a critical security threat to token launches,” Vaiman told Cointelegraph. “Projects should have dedicated teams or outsource Sybil detection to professionals who can assist.”
Magazine: Inside a 30,000 phone bot farm stealing crypto airdrops from real users
