A Sybil attack is one of the key risks inherent to decentralized networks. It is based on an attacker creating numerous fake network nodes or accounts, allowing them to influence blockchain operation, reward distribution in airdrops*, and voting outcomes in DAOs*.
*Airdrop — a free distribution of tokens to users for their activity, participation in a crypto project, or completing tasks aimed at ecosystem development.
*DAO (Decentralized Autonomous Organization) — a decentralized autonomous organization in which the crypto project is governed not by a central team but by the crypto community through smart-contract–based voting.
Why a Sybil attack is possible in blockchains
A blockchain is a network of nodes with no centralized governing body. Control over the blockchain is distributed among all participants and maintained by a consensus algorithm*. It is decentralization — the very feature that ensures the resilience and independence of blockchain networks — that also creates conditions for new threats, including Sybil attacks.
*Consensus algorithm — a mechanism that enables independent nodes of a decentralized network to agree on a shared state of data and determine which transactions are valid. It ensures information reliability, synchronized operation of all nodes, and protection against tampering. Although different blockchains use different consensus mechanisms — such as Proof-of-Work or Proof-of-Stake — their common goal is to maintain honest and stable blockchain operation without a central authority.
What is a Sybil attack
A Sybil attack is a type of cyber threat in which a single attacker artificially creates a large number of fake identities — for example, network nodes or user accounts. These fake entities appear to be independent blockchain participants but are actually controlled by one person. By leveraging this disguise, the attacker can influence the decentralized system: distort voting results, intercept network traffic, interfere with resource or reward distribution, and disrupt consensus mechanisms. The more fake identities the attacker can create and embed, the stronger their influence on the network becomes.
The term "Sybil attack" first appeared in a 2002 study by John R. Douceur from Microsoft Research. He described a scenario in which an attacker creates numerous false identities in a peer-to-peer network, gaining an advantage and undermining system stability.
The name "Sybil" comes from the 1973 book Sybil, about a patient with multiple personality disorder — a fitting metaphor for the multiplicity of fake "personalities" within a network.
The goal of a Sybil attack is to seize control over the blockchain, which can lead to a 51% attack* and, consequently, double-spending*.
*51% attack — a scenario where one attacker or group gains control over most critical blockchain resources — computational power in PoW or staked tokens in PoS. With such dominance, attackers can dictate the rules: select which blocks are valid, modify or reverse recent transactions, and effectively control the network.
*Double spending — a type of fraud in which the same crypto assets are spent twice. An attacker sends a transaction, receives goods or services, and then uses their control over the network to reverse or alter history, returning the funds while effectively "spending" them again.
Sybil attacks in airdrops
Over time, the term Sybil attack expanded into the realm of Web3 rewards, particularly airdrops. Drop hunters* use the term "Sybils" for users who create many accounts or wallets to receive more tokens during distributions.
*Drop hunters — members of the crypto community who systematically seek to maximize airdrop and token-distribution profits.
Advanced Sybils create entire bot farms that imitate the activity of real users. This undermines fairness in token allocation. Projects such as Starknet, zkSync, LayerZero, and others have already been affected by these attacks.
According to Dragonfly (2025), billions of dollars are lost or misallocated each year during airdrops due to Sybil attacks.
Main types of Sybil attacks
Direct Sybil attack
In this scenario, attackers interact directly with honest nodes, trying to take control of the network. Once they gain control over traffic, they can:
- reject or replace transactions,
- isolate specific nodes and control their data,
- distort voting in PoS networks and DAOs.
Direct attacks are the most common — they are simpler and require fewer resources.
Indirect Sybil attack
In indirect Sybil attacks, the attacker operates covertly using indirect methods of influence:
- spreading false information through intermediary nodes,
- forming fake connections between participants.
These attacks are more complex to detect and prevent, making them more dangerous.
Real examples of Sybil attacks
Monero (2020)
An attacker attempted to correlate node IP addresses with transactions over a 10-day period. The attempt did not affect network security.
Ethereum Classic (2020)
The project faced several Sybil attacks accompanied by double-spending incidents. More than $7 million was stolen.
Verge (2018)
Attackers created many fake nodes and gained control over timestamps*. This allowed them to mine blocks at minimal difficulty and steal around $1.6 million in XVG tokens. This incident is also an example of a 51% attack.
*Timestamp — a precise time record of an event. In blockchains, timestamps determine transaction order and prevent tampering or backdating.
How dangerous are Sybil attacks for blockchains
Despite ongoing Sybil activity, modern blockchains such as Bitcoin, Ethereum, Cardano, BNB Chain, and others have significantly higher protection levels. Executing a successful Sybil attack in PoW or PoS networks requires enormous financial and technical resources.
In PoW networks, an attacker would need to invest substantial funds in specialized mining hardware, such as ASICs. These devices are expensive, energy-intensive, and require cooling, maintenance, and stable infrastructure. Gaining control over most of the network's hashrate would require tens of thousands of such machines, making the attack nearly impossible.
In PoS networks, the challenge shifts to acquiring a considerable number of staking tokens. To gain control, an attacker would need to own most of the staked supply, which would require hundreds of millions or even billions of dollars. Even if they managed to buy such an amount, they would risk losing their assets: many PoS protocols employ slashing*, which can destroy part or all of a malicious validator's stake.
*Slashing — a punishment mechanism in PoS blockchains where a validator loses part or all of their staked tokens for violating network rules, such as creating conflicting blocks, participating in attacks, prolonged inactivity, or other harmful behavior.
Thus, economic and technical infeasibility make Sybil attacks on large blockchain networks complicated and unlikely.
Modern methods of protection against Sybil attacks
Zero-Knowledge (ZK) verification
This technology allows verifying the authenticity or uniqueness of a user without revealing personal data. With ZK proofs, a participant can prove their identity and uniqueness without sharing identifiers, documents, or confidential information. This keeps verification private and secure while protecting against Sybil attacks.
Social graphs
Social graphs visualize connections between network participants. Real users have diverse links — with different projects, people, and activities. Sybil nodes, by contrast, usually form isolated clusters with most interactions occurring only between fake addresses. Analyzing graph structure helps algorithms distinguish between real and suspicious accounts.
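The cluster analysis described above, as an added example that is not part of the original article: the transfer list, the service names (dex_a, nft_market, and so on) and the flagging thresholds are constructed assumptions. The code builds a wallet-to-wallet graph (ignoring shared service contracts, which every wallet touches), finds its connected components, and flags a component when most of its activity stays inside the cluster and its members share very few distinct outside counterparties, which is the "isolated cluster" pattern the text describes.

```python
"""Sybil-cluster detection over a wallet interaction graph (added example).

Constructed data: organic users (alice, bob, carol, dave) transact with each
other and with several unrelated services; a Sybil farm (s1..s6) is seeded by
one funding wallet, then mostly transacts among its own members and makes one
swap each to qualify for an airdrop. None of this is real chain data.
"""
from collections import defaultdict

# Constructed sample transfers: (sender, receiver).
TRANSFERS = [
    # organic users: diverse links to people and to several dApps
    ("alice", "dex_a"), ("alice", "bob"), ("alice", "nft_market"),
    ("bob", "dex_b"), ("bob", "carol"), ("bob", "lending"),
    ("carol", "dex_a"), ("carol", "bridge"), ("carol", "dave"),
    ("dave", "nft_market"), ("dave", "dex_b"),
    # sybil farm: one funder seeds six wallets, which then trade among themselves
    ("funder", "s1"), ("funder", "s2"), ("funder", "s3"),
    ("funder", "s4"), ("funder", "s5"), ("funder", "s6"),
    ("s1", "s2"), ("s2", "s3"), ("s3", "s4"), ("s4", "s5"), ("s5", "s6"), ("s6", "s1"),
    ("s1", "s3"), ("s2", "s4"), ("s3", "s5"), ("s4", "s6"),
    # each sybil wallet makes a single swap to look "active"
    ("s1", "dex_a"), ("s2", "dex_a"), ("s3", "dex_a"),
    ("s4", "dex_a"), ("s5", "dex_a"), ("s6", "dex_a"),
]

# Shared service contracts (assumed names). Edges to these are excluded when
# building clusters; otherwise every wallet using the same DEX would merge
# into one giant component and the clustering signal would be lost.
KNOWN_SERVICES = {"dex_a", "dex_b", "nft_market", "lending", "bridge"}


def build_components(transfers, hubs):
    """Connected components of the wallet-to-wallet graph (hub edges dropped)."""
    adj = defaultdict(set)
    for a, b in transfers:
        if a in hubs or b in hubs:
            continue
        adj[a].add(b)
        adj[b].add(a)
    seen, components = set(), []
    for start in list(adj):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:                      # iterative DFS
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(adj.get(node, set()) - comp)
        seen |= comp
        components.append(frozenset(comp))
    return components


def cluster_stats(component, transfers):
    """Share of the cluster's activity that stays inside the cluster, and the
    number of distinct outside counterparties per member (link diversity)."""
    internal = external = 0
    outside_parties = set()
    for a, b in transfers:
        a_in, b_in = a in component, b in component
        if a_in and b_in:
            internal += 2                 # both endpoints belong to the cluster
        elif a_in or b_in:
            external += 1
            outside_parties.add(b if a_in else a)
    total = internal + external
    return {
        "size": len(component),
        "internal_ratio": internal / total if total else 0.0,
        "external_diversity": len(outside_parties) / len(component),
    }


def find_sybil_clusters(transfers, hubs, min_size=3,
                        internal_threshold=0.7, diversity_threshold=0.5):
    """Flag clusters that are mostly self-referential and share few outside
    links. Threshold values are assumptions for this example, not a standard."""
    flagged = []
    for comp in build_components(transfers, hubs):
        if len(comp) < min_size:
            continue
        stats = cluster_stats(comp, transfers)
        if (stats["internal_ratio"] >= internal_threshold
                and stats["external_diversity"] < diversity_threshold):
            flagged.append((comp, stats))
    return flagged


if __name__ == "__main__":
    for comp, stats in find_sybil_clusters(TRANSFERS, KNOWN_SERVICES):
        print(sorted(comp), stats)
```

On the constructed data the organic group scores an internal ratio of about 0.43 with five distinct outside services, while the farm scores about 0.84 with only one, so only the farm (together with the wallet that funded it) is flagged. In practice the funding-source edge is one of the strongest signals, which is why the funder is kept in the graph rather than treated as a hub.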
Proof-of-Humanity and biometrics
Proof-of-Humanity (PoH) methods verify that a network participant is a real human, not a bot. An example is Worldcoin, which uses biometric data and Zero-Knowledge proofs: users undergo biometric verification, but the data remains encrypted and private. This ensures user uniqueness while preserving anonymity.
Reputation systems
Reputation mechanisms evaluate nodes or users based on behavior, activity, and history. Models like Proof-of-Social-Capital (PoSC) account for a participant's contribution to the network — the more meaningful actions, the higher the reputation. Sybil accounts generally cannot reproduce consistent long-term behavioral patterns.
KYC
Know Your Customer (KYC) requires identity verification — often via ID documents, selfies, and other methods. This almost eliminates the creation of massive fake accounts and provides strong Sybil protection. However, KYC contradicts the principles of decentralization and anonymity central to Web3, so many projects avoid it.
Token gating
This method grants access to governance or core protocol functions only to users holding specific tokens or NFTs. Since a Sybil attack would require buying a large number of such assets, the cost of attacking increases dramatically.