Sybil Defender: Tackling Identity Challenges via Forta’s Latest Premium API Feed

Article by Forta Network Jan. 18, 2024

Forta is the largest network of security intel in web3. The decentralized Forta Network leverages machine learning and a community of security researchers to detect exploits, scams and other threats.    

"An important and general problem seems to be that of tagging a negative behavior source for future recognition." - Nick Szabo, 1996.

Sybil attacks represent a persistent and all-too-often overlooked threat in the crypto ecosystem. These attacks are generally characterized by a single attacker attempting to gain an outsized and illegitimate influence over a peer-to-peer network by creating multiple fake identities. Crypto protocols and projects are often aware that their ecosystems are under threat of sybil attacks, but there is usually a dilemma about how to address them. To combat this threat, Frwd Labs has recently launched Sybil Defender, the latest Forta Premium API Feed.

Privacy and censorship resistance are core values in crypto, and solutions that require users to link their real-world identities to their on-chain activities are generally considered to be at odds with those core values. Tools like the Sybil Defender, however, focus on labeling sybil attacks as negative behavior to enable the community to make informed decisions about whether or not to interact with the flagged addresses. 

Leaving the issue of sybil attacks unaddressed arguably presents one of the most significant obstacles to the long-term sustainability and credibility of crypto. Most on-chain sybil attacks fall into four distinct categories:

1. Airdrop farming distorts actual adoption metrics of a project and deprives legitimate users of funding meant to incentivize adoption and build network effects. This often leads to another attack vector.
2. Governance manipulation occurs when a single user, controlling multiple wallets, gains disproportionate influence over voting and decision-making processes. Such attacks significantly threaten the principle of decentralization.
3. Market manipulation and wash trading involve a sybil attacker trading an asset between multiple wallets under their control to artificially inflate the price, which distorts the real value of on-chain assets and misleads investors about the market value and demand of an asset.
4. Money laundering and the obfuscation of funds obtained from exploits, including major hacks and security incidents, also represent a serious concern.

Sybil attacks on networks can be massive, and their impact on the integrity of an ecosystem is significant. Below is a graphical representation of historical analysis using Sybil Defender, showing a sampling of wallet clusters acting as sybils on Arbitrum during a 12-hour window. Each cluster represents airdrop farming, wash trading, and/or governance manipulation.

Sybil attacks are a huge problem in web3, and everyone knows it. The often criticized and unpopular solution is to link real-world identities to on-chain addresses to prevent this behavior. A more amicable option is now available via the Sybil Defender: using the transparency of the blockchain to label the behavior itself. Because the label attaches to the activity of users rather than to their identity, other users and protocols can make informed decisions about whether or not to interact with the potentially malicious addresses. For example, a project planning an airdrop could use data from Sybil Defender to omit potentially malicious addresses from their whitelist to better balance their airdrop distribution. An investor considering the value of a token or an NFT can use Sybil Defender’s data to decide whether or not that asset has been wash-traded (by a sybil attacker trading between their own wallets to inflate the price) before purchasing the asset.

The Sybil Defender is a tool built and maintained by frwd labs within the decentralized ecosystem of the Forta Network. It uses advanced heuristics and clustering algorithms to identify addresses that are under the control of sybil attackers and flag them in real time. These addresses are labeled and added to a database that can be readily queried to allow projects, protocols, and investors to make more informed decisions about who they are interacting with. For more information, refer to the Sybil Defender documentation here, or reach out to frwd labs at