A Sybil attack is a type of threat that poses potential dangers to any peer-to-peer network, including blockchain systems. This attack involves creating a large number of fake identities or accounts to gain control over a protocol. Such an approach allows attackers to manipulate voting systems, consensus mechanisms, or other governance-related processes.
The tools for this attack can include blockchain nodes, social media accounts, wallet addresses, and any other entities that allow impersonating multiple participants. In the cryptocurrency industry, a Sybil attack aims to take control of a significant number of network nodes. If an attacker is successful, they can alter data in the distributed ledger, violating the principle of transaction irreversibility. This jeopardizes the reliability of information in the blockchain.
Such attacks also enable the interception of user data, such as IP addresses, which threatens their privacy and security.
The term was first proposed in 2002 by Brian Zydeco from Microsoft Research. The name is borrowed from the bestseller “Sybil” by Flora Rheta Schreiber about a woman with dissociative identity disorder. The term 'Sybil' symbolizes the creation of multiple identities by malicious actors, drawing a parallel to the psychological condition known as multiple personality disorder. In the Russian translation of the book, the variant “Sybil” is used, although “Sibyl” is also encountered.
A Sybil attack is a type of security threat that occurs when a single entity creates multiple fake identities to manipulate a peer-to-peer network. In the context of blockchain networks, this can be particularly challenging as the attacker can use these multiple fake identities to gain control over the network and compromise its integrity. By presenting multiple identities, the attacker can influence voting systems, consensus mechanisms, and other governance processes. The consequences of such attacks can be severe, including the loss of funds, breaches of privacy, and corruption of transaction data. Sybil attacks undermine the trust and reliability that are foundational to peer-to-peer networks and blockchain systems.
The concept of Sybil attacks was first introduced by John R. Douceur in the context of peer-to-peer networks. The term “Sybil” is derived from a 1973 book detailing the treatment of a woman with dissociative identity disorder, symbolizing the creation of multiple identities by the attacker. Since its introduction, the concept has evolved and become a significant concern in various types of networks, including blockchain networks. The ability of a Sybil attacker to create multiple identities and manipulate network processes has made it a critical issue in the design and security of decentralized systems.
A Sybil attack typically involves a malicious actor creating multiple fake identities to trick the network into treating these fraudulent accounts as legitimate. If the attacker successfully infiltrates the network with enough malicious nodes, they can use that influence against honest nodes to their advantage. For instance, in a blockchain network where miners vote on proposals, attackers can use multiple identities to outvote legitimate nodes. Additionally, attackers can intercept and analyze sensitive user data like IP addresses, compromising users’ privacy and security. By leveraging these multiple identities, a Sybil attacker can disrupt the normal functioning of the network, leading to significant security threats.
There are two main types of Sybil attacks:
Direct: Attackers seek to influence the network by directly interacting with honest nodes. Their goal is to gain control over decision-making processes, voting procedures, or consensus mechanisms. Attackers often create multiple false nodes to deceive the network into recognizing these fraudulent accounts as legitimate.
Indirect: In this case, attackers do not contact honest nodes directly but instead use resources to covertly enhance the reputation of specific participants, change the network’s topology, or isolate certain parts of it.
Sybil attacks can affect any peer-to-peer network, including blockchain networks. However, some systems are more vulnerable to Sybil attacks than others. For example, blockchain networks that use a proof-of-work consensus mechanism are generally more resistant to Sybil attacks compared to those that use a proof-of-stake mechanism. This is because proof-of-work requires substantial computational power, making it difficult for attackers to create multiple fraudulent nodes. Additionally, networks with a large number of nodes and a high level of decentralization are more challenging to manipulate through Sybil attacks. The more distributed and robust the network, the harder it is for an attacker to gain control and execute a successful Sybil attack.
Often, the ultimate goal of “Sybil” attacks is to execute a 51% attack. This occurs when an attacker gains control over more than half of the network’s power, whether through computational resources or staking. A malicious node can pose serious threats to the integrity of both peer-to-peer networks and blockchain technology by gathering sensitive information and potentially dominating the decision-making processes of honest nodes.
In such situations, the attacker can modify parts of the blockchain: rearranging transactions, blocking their confirmation, stopping payments to validators, and conducting double-spending.
Possessing such influence allows an attacker to make significant changes that violate the fundamental principle of decentralization underlying blockchain systems.
Monero
The privacy-oriented cryptocurrency Monero experienced a 10-day Sybil attack in the fall of 2020. Sybil attackers can corrupt systems by creating multiple fake accounts, as seen in these examples. The attacker attempted to correlate IP addresses with transaction nodes. However, this attack did not disrupt privacy mechanisms. In April of that year, Monero developers added a “dusting” feature as part of the Dandelion++ package that significantly complicated linking transactions to node IP addresses.
Ethereum Classic
Originally part of Ethereum, this network has faced multiple 51% attacks since its controversial hard fork in 2016, after The DAO hack resulted in over $60 million in ETH being stolen. The new chain continued under the name Ethereum, while opponents remained on the old network (Ethereum Classic) with its own coin, ETC. Since then, Ethereum Classic has been subjected to several 51% attacks. For instance, in August 2020, attackers managed to gain control over most of the network’s hash rate three times, allowing them to execute double-spending attacks and steal over $7 million in ETC.
Verge
In February 2021, Verge’s cryptocurrency network (XVG), which had payment support from popular adult site Pornhub, underwent a massive block reorganization that erased transaction and balance data dated July 2020. CoinMetrics analyst Lucas Nuzzi described Verge’s reorganization as the deepest ever seen in top-100 cryptocurrency blockchains. In April 2018, Verge experienced a 51% attack due to a code bug; this issue recurred a month later affecting all pools and miners.
In blockchain ecosystems, consensus mechanisms serve as primary defenses against Sybil attacks. These mechanisms help mitigate Sybil attacks by increasing the cost associated with creating identities in a P2P network. While different methods offer varying levels of protection, they significantly hinder attackers from creating multiple accounts for successful execution. Blockchain networks implement various consensus mechanisms, such as proof-of-work and proof-of-stake, to prevent Sybil attacks. Sybil attack prevention strategies include both direct and indirect authentication methods for validating nodes in the network.
In PoW systems, an attacker cannot simply use one node to create numerous false identities; substantial computational power is needed to control block generation, which is extremely challenging and costly. Attackers often present multiple identities to influence group decisions and undermine the effectiveness of network protocols and fault-tolerance mechanisms. The large number of Bitcoin miners and high costs for hardware and electricity complicate potential attackers’ efforts to acquire significant computational resources from the network.
In PoS blockchains like Ethereum, creating blocks can also be economically unfeasible for attackers. For example, Ethereum requires users to stake 32 ETH to participate as validators; fraudulent actions carry serious financial consequences (slashing). Similar to Bitcoin, a large number of participants with significant staking resources makes it difficult for attackers to gain control over enough nodes to impact the second-largest cryptocurrency network.
Some blockchains like EOS and Tron use DPoS, in which “delegates,” a small group of trusted nodes elected by the community, protect against Sybil attacks. Network participants have incentives to act honestly; otherwise, they risk losing their status and rewards that require substantial time and financial investment.
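The effect described in the PoW and PoS paragraphs above, where influence follows the resource committed rather than the number of identities, can be shown with a small vote tally. This is an added example, not code from any of the projects named; the ballot layout, function names and the scenario are constructed, and only the 32 ETH validator minimum comes from the article.

```python
from collections import defaultdict

MIN_STAKE = 32  # ETH per validator, the figure the article gives for Ethereum

def split_identities(owner, total_stake, n, choice):
    """One operator presenting n identities; the capital behind them is unchanged."""
    return [{"id": f"{owner}-{i}", "stake": total_stake // n, "choice": choice}
            for i in range(n)]

def tally(ballots, weight):
    """Sum the weight of every ballot per choice and return {choice: total}."""
    totals = defaultdict(int)
    for ballot in ballots:
        totals[ballot["choice"]] += weight(ballot)
    return dict(totals)

def one_per_identity(ballot):
    """Naive rule: every identity counts once, however cheap it was to create."""
    return 1

def by_stake(ballot):
    """Resource-weighted rule: influence equals the stake locked by the identity."""
    return ballot["stake"]

def admitted(ballots, min_stake=MIN_STAKE):
    """Admission rule: an identity only participates if it locks min_stake."""
    return [b for b in ballots if b["stake"] >= min_stake]

def winner(totals):
    return max(totals, key=totals.get)

# Constructed scenario: 20 honest validators with 32 ETH each, and one operator
# holding 64 ETH in total who spreads it across 64 identities.
HONEST = [{"id": f"honest-{i}", "stake": 32, "choice": "accept"} for i in range(20)]
SYBIL = split_identities("sybil", 64, 64, "reject")
BALLOTS = HONEST + SYBIL

if __name__ == "__main__":
    print("one vote per identity:", tally(BALLOTS, one_per_identity))
    print("stake-weighted:       ", tally(BALLOTS, by_stake))
    print("with 32 ETH admission:", tally(admitted(BALLOTS), one_per_identity))
```

Under the per-identity rule the 64 ETH operator outvotes 640 ETH of honest stake; under the other two rules its influence is capped by the capital it actually holds.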
Proof of personhood (PoP) confirms a network participant's uniqueness through techniques like QR code scanning or CAPTCHA solutions. The Worldcoin project notably uses iris scanning as PoP authentication. Another form involves KYC (Know Your Customer), where users verify their identity using documents such as driver's licenses or passports.
While these methods effectively identify unique users, they partially compromise privacy; KYC may deter those prioritizing confidentiality.
In addition to these methods, other approaches can be employed for protecting against Sybil attacks such as node ranking based on reputation (Proof-of-Authority) and using social trust algorithms or graphs to detect anomalous behavior among nodes.
In airdrop farming, “Sybil” actors aim to gain additional rewards without directly manipulating the blockchain. Many projects utilize multi-tiered reward systems; for instance, one account with 100 transactions may receive fewer tokens than ten wallets with ten transactions each. This structure aims for more equitable distribution among users rather than favoring the most active participants.
However, this encourages drop hunters to create numerous wallets to obtain more tokens than using a single address. Such tactics artificially inflate participant numbers, undermining the integrity of airdrops and reducing token distribution effectiveness.
To counteract this issue, many projects implement “Sybil” filtering mechanisms to identify and exclude dishonest participants before reward distribution. A notable example is LayerZero’s partnership with analytics firm Nansen for detecting linked wallets. Additionally, they launched a controversial “bounty hunting” program encouraging community members to identify and report “Sybil” actors.
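A minimal sketch of such a filter, as an added example that is not LayerZero's or Nansen's method: it links wallets that were funded from the same address and pays each linked cluster once. The shared-funder heuristic, the tier schedule, and all wallet names and transaction counts are constructed assumptions.

```python
# Constructed tier schedule, highest tier first: (minimum transactions, tokens).
TIERS = [(100, 500), (10, 200), (1, 100)]

def reward(tx_count):
    """Tokens for one participant under the tiered schedule."""
    for min_tx, tokens in TIERS:
        if tx_count >= min_tx:
            return tokens
    return 0

def cluster_roots(funding_edges, shared_funders=frozenset()):
    """Union-find over (funder, wallet) transfers; returns {address: cluster root}.
    Funders used by many unrelated people (e.g. an exchange hot wallet) are
    skipped, otherwise every one of their customers would be merged together."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for funder, wallet in funding_edges:
        if funder in shared_funders:
            continue
        parent[find(wallet)] = find(funder)
    return {node: find(node) for node in list(parent)}

def naive_rewards(tx_counts):
    """No filtering: every wallet is treated as a separate participant."""
    return {wallet: reward(n) for wallet, n in tx_counts.items()}

def filtered_rewards(tx_counts, funding_edges, shared_funders=frozenset()):
    """Sum activity per linked cluster and pay each cluster as one participant."""
    roots = cluster_roots(funding_edges, shared_funders)
    activity = {}
    for wallet, n in tx_counts.items():
        root = roots.get(wallet, wallet)
        activity[root] = activity.get(root, 0) + n
    return {root: reward(n) for root, n in activity.items()}

# Constructed data: ten farm wallets funded from one address, plus two unrelated
# users who both withdrew from the same exchange hot wallet.
TX = {f"w{i}": 10 for i in range(10)}
TX.update({"alice": 100, "bob": 10})
EDGES = [("funder_A", f"w{i}") for i in range(10)]
EDGES += [("exchange_hot", "alice"), ("exchange_hot", "bob")]

if __name__ == "__main__":
    print("unfiltered total:", sum(naive_rewards(TX).values()))
    print("filtered:", filtered_rewards(TX, EDGES, {"exchange_hot"}))
```

Without the filter the ten farm wallets collect 2000 tokens against 500 for the single 100-transaction account; once clustered they are paid as one 100-transaction participant. Leaving `exchange_hot` out of `shared_funders` wrongly merges the two unrelated users, which is the false-positive risk of any linkage heuristic.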
The ongoing struggle between drop hunters and projects employing filtering mechanisms resembles a game of “cat and mouse.” As market participants develop new ways to bypass algorithms, projects refine detection methods, striving to maintain fairness and transparency in reward distribution.