Initial Report For The 10.6K Botnet

In conjunction with Allium labs, we have done a preliminary analysis on the 10.6K botnet that claimed nearly 2M JUP.

  1. This is the distribution of swaps by the largest sybil attacker, claiming for 10,613 wallets
  2. The first swap dates of these wallets on jupiter were scatter across time, beginning as early as May 2023
  3. The inital timestamps of the swap were varied, scattered throughout the day
  4. These wallets also had unpredicted swap patterns, with varying swap counts and token pairs they swap to

The swaps were extremely tiny, making < 1cent in volume.

In essence, due to the randomness in their transaction patterns, this looks like an sophisticated farming attempt by a professional that predicted a likely Jupiter airdrop earlier in the year.

We will be collaborating with Allium Labs to have a full report on this to benefit future attempts and any other teams doing large scale airdrops.

In addition, for future airdrops, we will publish all available data and work closely with the community and data experts to to prevent this from happening again.


  • TIL: There are institutional airdrop farmers:
  • We included all 955K wallets in an attempt to be as egalitarian as possible, but it looks like this would include too many botnets
  • We decided the criteria only in nov 23 after the breakpoint announcement and in conjunction with the community.
  • We erroneously hypothesized about the botnet being done a few days before the announcement based on speculation before doing a deeper dive on the data. We apologize for this and will do better in the future

Is there a way to identify this pattern during farming, where individuals farm specifically for an airdrop? Alternatively, should there be a cap or set limit on these airdrops?


For future distributions, it is relevant to work with analytics companies such as Nansen, Dune, the Footprint network etc in order to connect the dots and index clusters. There is a significant difference between “workers” who has few accounts and provide productive work for the product with their manual testing and feedback for dapps/protocols and large clusters that made mostly by the software and few beneficiaries and ofc they have larger negative impact for fair distribution.