ArbitrumFoundation / sybil-detection


Sybil attacker will take 3026125 token ARB if the team do nothing! #3

Open stanlagermin opened 1 year ago

stanlagermin commented 1 year ago

Hello, I found something interesting about this wallet address: 0x59d4087f3ff91da6a492b596cbde7140c34afb19

He made 2,417 transactions within 6 hours, including sending small amounts of ETH to 1656 different wallets:

Details: https://arbiscan.io/txs?a=0x59d4087f3ff91da6a492b596cbde7140c34afb19

And for each recipient wallet, he made 2 interactions with the ARB token contract. For example:

  1. 0x3E5A2B1020c454079f5A7702fa204752C584d6A0 Tx: https://arbiscan.io/address/0x3e5a2b1020c454079f5a7702fa204752c584d6a0

  2. 0x3aBeC2bbEc31c978a4a7e5b0cD2090cB759A0c01 Tx: https://arbiscan.io/address/0x3abec2bbec31c978a4a7e5b0cd2090cb759a0c01

I checked all 1656 recipient wallets above: https://github.com/stanlagermin/sybil-wallet-list/blob/main/sybil_wallets.csv with: https://cointool.app/airdrop/arb

IT SHOCKED ME!!!!!! 2800875 ARB TOKENS

I also recognized that every recipient wallet has at least one transaction related to this wallet: 0xcc577C130c019529FF1e721F9BEeA24a7DC1402D

For example:

  1. 0x3E5A2B1020c454079f5A7702fa204752C584d6A0 Tx: https://arbiscan.io/tx/0x9556ae9962c8034eb98f3f817eb5ecbb6d3e588fb71c70b84dcc5247dfcda998

  2. 0x3aBeC2bbEc31c978a4a7e5b0cD2090cB759A0c01 Tx: https://arbiscan.io/tx/0x73e7f173ced28ab9aecf019d050609f2a85367917fce3bef56aa9b37f23d8fe7

From my point of view, the guy who did all the actions above is an airdrop farmer or a hacker, because some people say that their wallets got hacked and are under a Sweeper-bot. Anyway, the team should do something to prevent a bad person from getting at least 2800875 ARB tokens.

stanlagermin commented 1 year ago

Update:

I took a look at this wallet: 0xcc577C130c019529FF1e721F9BEeA24a7DC1402D, which is the Sweeper-bot recipient wallet. There are 2225 different wallets which sent ETH/tokens to it, and 1791/2225 wallets are eligible for the airdrop with a total amount of 3026125 ARB.

Here is the list of 1791 wallets which relate to the Sweeper-bot address: https://github.com/stanlagermin/sybil-wallet-list/blob/main/Sybil_wallets_update.csv

RecodersNodes commented 1 year ago

It's a waste of time to investigate. Team will not respond

liangfenxiaodao commented 1 year ago

The transactions above seem to be poisoning:

They happened 6 hours ago, long after the snapshot and announcement. And the transaction amounts are all super tiny; they cannot even be used to pay gas.

liangfenxiaodao commented 1 year ago

To arbi team:

Please ignore such stupid things. There has been poisoning everywhere since Hop announced the anti-sybil rules. A tiny amount of transferring shouldn't be taken as a sybil attack.

bitcoinzhang1 commented 1 year ago

I randomly checked several accounts and found that their behavior patterns lacked similarity. Small transfers occur after the announcement of an airdrop, which is more like poisoning.

stanlagermin commented 1 year ago

Can you help me to explain this? Every recipient wallet has at least one transaction related to this wallet: 0xcc577C130c019529FF1e721F9BEeA24a7DC1402D

So all the wallets in the list got poisoned by sending money to this address 0xcc577C130c019529FF1e721F9BEeA24a7DC1402D

Also, every recipient wallet made 2 interactions with the ARB token contract at the same time. :) I think he is preparing to claim and send all the ARB right before the real owner tries to claim the ARB.

> The transactions above seem to be poisoning:
>
> They happened 6 hours ago, long after the snapshot and announcement. And the transaction amounts are all super tiny; they cannot even be used to pay gas.

ausername123-byte commented 1 year ago

So all the wallets in the list got poisoned by sending money to this address 0xcc577C130c019529FF1e721F9BEeA24a7DC1402D

0xpeche commented 1 year ago

It is not a sybil attacker, those are all compromised wallets: https://twitter.com/0xPeche/status/1637639563743985665

Check the behavior on the addresses he funds, all of them had sweeping bots on them.

I can also confirm that by the fact that one of the victims contacted me for help.

WillyamPangestu commented 1 year ago

THAT'S NOT SYBIL'S ADDRESS! BUT FB19 IS A HACKER ADDRESS THAT HAS COMPROMISED MANY PEOPLE'S WALLETS!

YOU CAN CHECK THE FLASHBOTS DISCORD, MANY PEOPLE ARE VICTIMS OF COMPROMISED WALLETS AND THE FB19 WALLET TX APPROVE ARB ON THE VICTIM'S WALLET.

AND THE BASTARD HACKER INTENDS TO STEAL THE ARB TOKEN WHEN THE CLAIM PROCESS IS OPENED.

PLEASE BLACKLIST THE BASTARD HACKER'S FB19 ADDRESS.

THE OTHER 1656 ADDRESSES ARE "VICTIMS" NOT SYBIL!

THANK YOU.

achmadback commented 1 year ago

Yes

misterkuye commented 1 year ago

It's a hacker, he uses a sweeper bot on wallets. My wallet is among the victims of this.

0x81069f658da5fac80bbeee0023a21f0531d144dc

PRATHAM181199 commented 1 year ago

They are not Sybil attackers, bro. My wallet is also in this list because our wallets got hacked and the hacker set a sweeper bot to withdraw funds instantly. You can check: there are no funds on any wallet. Also, try to send a small amount of funds; it will automatically be transferred within seconds to the hacker's address.
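
An added example, not code from any commenter or from the Arbitrum repository: the Python below separates the two patterns argued over in this thread, a funder fanning out small transfers to many wallets versus wallets whose incoming funds are forwarded within seconds to one collector address. The 60-second window, the three-wallet threshold, the function names and the sample transfers are assumptions constructed for the example.

```python
from collections import defaultdict

SWEEP_WINDOW_S = 60  # assumed reading of "within seconds"
MIN_WALLETS = 3      # assumed threshold, sized for the small sample below

# Constructed sample: (unix_time, sender, recipient, value_wei).
# Labels stand in for addresses; none of this is real chain data.
TRANSFERS = [
    (1000, "funder", "A1", 5_000), (1003, "A1", "collector", 4_000),
    (1010, "funder", "A2", 5_000), (1012, "A2", "collector", 4_000),
    (1020, "funder", "A3", 5_000), (1025, "A3", "collector", 4_000),
    (1030, "funder", "B1", 5_000),           # dusted, never swept
    (2000, "exchange", "C1", 9_000_000),
    (90_000, "C1", "shop", 1_000_000),       # spends a day later
    (3000, "exchange", "D1", 7_000_000),
    (3010, "D1", "shop", 7_000),             # one-off quick spend
]


def fanout_funders(transfers, min_recipients=MIN_WALLETS):
    """Senders that funded at least `min_recipients` distinct wallets."""
    out = defaultdict(set)
    for _, src, dst, value in transfers:
        if value > 0:
            out[src].add(dst)
    return {s: sorted(r) for s, r in out.items() if len(r) >= min_recipients}


def sweep_collectors(transfers, window=SWEEP_WINDOW_S, min_wallets=MIN_WALLETS):
    """Map each collector to the wallets that forwarded an inbound transfer
    to it within `window` seconds of receiving it."""
    last_inbound = {}           # wallet -> time of its latest inbound transfer
    swept = defaultdict(set)    # collector -> wallets swept into it
    for ts, src, dst, value in sorted(transfers):
        if value <= 0:
            continue
        # Outbound shortly after inbound: the sweep behaviour victims describe.
        if src in last_inbound and ts - last_inbound[src] <= window:
            swept[dst].add(src)
        last_inbound[dst] = ts
    # A single quick spend is normal; many wallets draining to one address is not.
    return {c: sorted(w) for c, w in swept.items() if len(w) >= min_wallets}


def triage(transfers):
    """Label wallets funded by a fan-out funder.

    'swept' is consistent with a compromised wallet under a sweeper bot;
    'funded-only' means the dust transfer alone supports no conclusion.
    """
    swept = {w for ws in sweep_collectors(transfers).values() for w in ws}
    return {w: ("swept" if w in swept else "funded-only")
            for ws in fanout_funders(transfers).values() for w in ws}


if __name__ == "__main__":
    for wallet, label in sorted(triage(TRANSFERS).items()):
        print(wallet, label)
```
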

Tommychris2004 commented 1 year ago

> To arbi team:
>
> Please ignore such stupid things. There has been poisoning everywhere since Hop announced the anti-sybil rules. A tiny amount of transferring shouldn't be taken as a sybil attack.

You are probably a part of this, or maybe you are the sybilor. 💀

stanlagermin commented 1 year ago

It looks like the wallets are compromised, because the wallets on the address list are not similar to sybils by identified transaction count and activity, so the Arbitrum devs can't do anything about this. The seed data is already written to the TokenDistribution contract.

What do you think about creating a new token distribution contract and moving the tokens to the new one? I think the team could do something; that's why they gave us 7 days before opening for claiming.

Tommychris2004 commented 1 year ago

> It looks like the wallets are compromised, because the wallets on the address list are not similar to sybils by identified transaction count and activity, so the Arbitrum devs can't do anything about this. The seed data is already written to the TokenDistribution contract.
>
> What do you think about creating a new token distribution contract and moving the tokens to the new one?

All they have to do is copy the addresses and blacklist them all.

badbihrock commented 1 year ago

That's not a sybil attack. It's a hacker (0xcc577C130c) who has a large number of compromised wallets he sweeps funds from and has front-running/gas-sweeping bots active on them, across multiple chains.

The only way for victims to get their tokens is to use bots as well and try to beat him.

I'm going to be helping out two friends, for a 20% reward of their ARB tokens.

Arbsybil commented 1 year ago

The team doesn't care, any request for support is ignored.

tranhoaison commented 1 year ago

> The team doesn't care, any request for support is ignored.

I think they are investigating and will respond soon.

sdafaasdsas commented 1 year ago

These addresses definitely belong to the same person.

icesteam commented 1 year ago

Hi, I confirm this; my wallet is also under this.

0u8120u812 commented 1 year ago

No, no, no that’s not what an Arbitrum Sybil attacker looks like.

THIS is what an Arbitrum Sybil attacker looks like - 0x00000009f3911d5810d993039826cbd383d41dcd used the Disperse app to send ETH to the following 99 addresses 3 times. With this simple trick we all could have defeated the Arbitrum Sybil Hunting methodology to score 63500 ARB.


eaadeyemi commented 1 year ago

It is not a sybil attacker. It's a sweeper bot wallet. My wallet was also affected.

gbudapests commented 1 year ago

Hacker, not a sybil attacker, my address is in this list and it's compromised by a sweeper bot sadly. The only way to stop this is to run a bot against him and hope for the best. I wish the team can come up with something to save us though. Would also save 3M+ tokens being transferred to a hacker.

ARNO-0 commented 1 year ago

Does anyone have a solution to mine a transaction before he sweeps ETH?

Snipsnoop commented 1 year ago

Good read on how the whole process happens and can potentially be recovered. https://amanusk.medium.com/frontrunning-a-scammer-95f34dd33cf8

But I don't have any more details. Burner scripts (burning any ETH he sends will stop him, but I have no idea how to set that up, sorry).

Then it's a case of the Flashbots bundle. Again, sorry, I have no idea how to set it up.

(Might be a good idea to contact some people mentioned in any of these links)

The guy's full story: https://www.reddit.com/r/CryptoCurrency/comments/oip4mi/if_you_want_to_join_me_in_watching_metamask/

Snipsnoop commented 1 year ago

Best case: they stop the airdrop to all the wallets and somehow figure out a way to validate those users as the real owners and send to another wallet. (Signing a message is useless since he has your private key and can just do the same.)

However, that is a lot of work for Arbitrum, and do you really think they have the time to do that?

Medium case: they just send it out anyway, and you have burner scripts and Flashbots bundles ready and pray.

Worst case 1: they send out the airdrop and it's gone to the scammer.

Worst case 2: they don't send out the airdrop and do nothing to help people.

DikaCream commented 1 year ago

Those are people who connected or did a tx on an Arbitrum scam airdrop site. The phishing site owner has mnemonic access to all the wallets; that's why you should be more careful if you want to connect your wallet on any website. It's human error 🤷‍♂️ Blocking the hacker's wallet isn't effective unless the Arbitrum devs block/blacklist all of the addresses above.

zororaka00 commented 1 year ago

It is a hacker, not a Sybil attacker. I think Arbitrum Foundation & Nansen have done well based on the criteria that have been set.

We can't control hackers on the blockchain. I hope everyone will be more careful about fraud and so on to protect their own accounts.

ARNO-0 commented 1 year ago

When someone sends a transaction to a compromised wallet, the hacker is able to mine a transaction in the next block or 2 blocks after that. How is he able to mine a transaction that fast?

WizkidFC commented 1 year ago

This is not the Sybil attacker, end of story

mawi13 commented 1 year ago

The users already lost the airdrop, sorry for them, why not exclude the addresses from the airdrop? At least the hacker does not profit from it then....

eaadeyemi commented 1 year ago

> The users already lost the airdrop, sorry for them, why not exclude the addresses from the airdrop? At least the hacker does not profit from it then....

Users can still revoke access and try to frontrun using a bot

Ministry888 commented 1 year ago

We can state unequivocally that the Arbitrum team approached this issue without due consideration. A lot of wallets belong to the Sybils, that's a fact. And the fact that the team did not identify them speaks of incompetence in this direction or unwillingness to spend resources on this. To the detriment of real users. And that's unfortunate.

relpmis commented 1 year ago

Arbitrum team: We don't care.

lilelrain commented 1 year ago

> Does anyone have a solution to mine a transaction before he sweeps ETH?

Yeah, I have helped several people set up Flashbots to submit several transactions in a bundle.

Check out this: https://github.com/flashbots/web3-flashbots/blob/master/examples/simple.py or ask a friend who's familiar with programming and web3

stanlagermin commented 1 year ago

Seems like the team will take no action at all. If anyone is a victim, you can PM me: https://t.me/Spaghettii Perhaps my own code can help you save your ARB airdrop from the hacker.

ARNO-0 commented 1 year ago

> > Does anyone have a solution to mine a transaction before he sweeps ETH?
>
> Yeah, I have helped several people set up Flashbots to submit several transactions in a bundle.
>
> Check out this: https://github.com/flashbots/web3-flashbots/blob/master/examples/simple.py or ask a friend who's familiar with programming and web3

Web3 flashbots doesn't work on Arbitrum

Ministry888 commented 1 year ago

https://twitter.com/x_explore_eth/status/1638452183682416641?s=46&t=-E-uigJwcn06x1xbumUeoA

https://mirror.xyz/x-explore.eth/AFroG11e24I6S1oDvTitNdQSDh8lN5bz9VZAink8lZ4

Check out the article; here the man offers help in locating Sybils. And his arguments and evidence are very strong. Why doesn't the Arbitrum team respond to them?

0u8120u812 commented 1 year ago

Ha! It just keeps getting better and better. No more sybil hunting for Nansen or anyone associated with Arbitrum sybil hunters.

Even a biden supporter could have recognized sybilooooors using the disperse app or the Binance Hot Wallet sybiloooooor with 2997 accounts!

“1/8 We found Arbitrum Sybil detection rules cause loopholes. Through our same-person/Sybil address recognition model, we identified more than 279,328 same-person and 148,595 Sybil airdrop addresses. @arbitrum is welcome to contact us.”

https://mobile.twitter.com/x_explore_eth/status/1638452183682416641

bodytexture commented 1 year ago

My question is: can the Arbitrum team share an easy-to-set-up repository with a bundle of transactions that will be triggered (and retried) starting from the block of the airdrop, with instructions for us to configure what address to point to? So that the bundle sends the transaction to https://revoke.cash at the last moment and then claims and sends to a new address to be customized by users in the bundle code? Then a YouTube video on how to set it all up? Why is the Arbitrum Foundation being silent about this?

bodytexture commented 1 year ago

https://twitter.com/flashback_days/status/1638570685525098496

timojohny commented 1 year ago

https://t.co/ddWVmfWEwV Tried this, but the hacker still has access to my wallet; he had transferred most of my valuable tokens.

Luxytop commented 1 year ago

> Seems like the team will take no action at all. If anyone is a victim, you can PM me: https://t.me/Spaghettii Perhaps my own code can help you save your ARB airdrop from the hacker.

> Hello, I found something interesting about this wallet address: 0x59d4087f3ff91da6a492b596cbde7140c34afb19
>
> He made 2,417 transactions within 6 hours, including sending small amounts of ETH to 1656 different wallets:
>
> Details: https://arbiscan.io/txs?a=0x59d4087f3ff91da6a492b596cbde7140c34afb19
>
> And for each recipient wallet, he made 2 interactions with the ARB token contract. For example:
>
>   1. 0x3E5A2B1020c454079f5A7702fa204752C584d6A0 Tx: https://arbiscan.io/address/0x3e5a2b1020c454079f5a7702fa204752c584d6a0
>   2. 0x3aBeC2bbEc31c978a4a7e5b0cD2090cB759A0c01 Tx: https://arbiscan.io/address/0x3abec2bbec31c978a4a7e5b0cd2090cb759a0c01
>
> I checked all 1656 recipient wallets above: https://github.com/stanlagermin/sybil-wallet-list/blob/main/sybil_wallets.csv with: https://cointool.app/airdrop/arb
>
> IT SHOCKED ME!!!!!! 2800875 ARB TOKENS
>
> I also recognized that every recipient wallet has at least one transaction related to this wallet: 0xcc577C130c019529FF1e721F9BEeA24a7DC1402D
>
> For example:
>
>   1. 0x3E5A2B1020c454079f5A7702fa204752C584d6A0 Tx: https://arbiscan.io/tx/0x9556ae9962c8034eb98f3f817eb5ecbb6d3e588fb71c70b84dcc5247dfcda998
>   2. 0x3aBeC2bbEc31c978a4a7e5b0cD2090cB759A0c01 Tx: https://arbiscan.io/tx/0x73e7f173ced28ab9aecf019d050609f2a85367917fce3bef56aa9b37f23d8fe7
>
> From my point of view, the guy who did all the actions above is an airdrop farmer or a hacker, because some people say that their wallets got hacked and are under a Sweeper-bot. Anyway, the team should do something to prevent a bad person from getting at least 2800875 ARB tokens.

Please can you post your code here?

degensean commented 1 year ago

What happened? Is there an update?