A single entity appears to have exploited the aPriori airdrop, using thousands of coordinated wallets to claim a majority of the distributed tokens.
Summary
- Over 14,000 connected wallets collectively claimed more than 60% of the APR airdrop.
- Wallets were freshly funded via Binance, received identical 0.001 BNB for gas, created in tight time windows, and funneled tokens to new addresses, indicating a Sybil attack.
aPriori airdrop hit by sybil attack
One entity appears to have gamed aPriori airdrop, according to Bubblemaps, a blockchain analytics platform known for visualizing wallet connections. The airdrop claim opened on Oct. 23 on BNB Chain, giving users 3 weeks to choose between two options: claim a smaller portion of APR tokens immediately or wait until the Monad mainnet launch to unlock a larger share. The airdrop distributed 12% of total APR token supply, marking one of the largest drops ahead of a project’s mainnet debut.
Shortly after launch, Bubblemaps released findings suggesting that the airdrop may have been exploited by a single entity. According to Bubblemaps, over 14,000 connected wallets collectively claimed over 60% of the aPriori airdrop. The analysis revealed that these addresses were freshly funded through Binance, each receiving exactly 0.001 BNB for gas fees. They were created and funded in tight time windows, indicating automated coordination. The wallets were claimed APR tokens to new wallets, forming a secondary layer of linked addresses designed to obscure ownership.
The data visualization of the APR token distribution shows a dense network of interconnected wallets which suggests a sybil attack.
As of Nov. 11, Bubblemaps reported that the entity continued to fund new wallets to claim more tokens. The analytics firm stated it had reached out to the aPriori team but had not received any response.
Bubblemaps has since opened an investigative case on its Intel Desk, allowing the community to vote with BMT tokens to prioritize the issue for further analysis.
Sybil attacks continue to plague crypto airdrops
Sybil attacks, where a single entity controls numerous wallets to claim disproportionate amount of tokens, have become a recurring problem in token launches.
The most noteworthy recent example is the airdrop from MYX Finance. According to Bubblemaps’ analysis, about 100 freshly-funded wallets claimed about 9.8 million MYX tokens—worth about $170 million—through reportedly coordinated activity. These wallets were funded via OKX, had no prior history, and claimed tokens almost simultaneously on the event date. MYX Finance said the allocations were based on trading volume and liquidity provision and pointed to anti-Sybil protections in a campaign called “Cambrian”. However, Bubblemaps called the response vague and said the patterns strongly suggested coordinated manipulation.
Similarly, for Avantis airdrop, Bubblemaps reported that over 300 addresses were used by a single entity in a campaign to claim rewards, exhibiting several Sybil-attack features: wallets funded via Coinbase, USDC injections from very few senders, dormant prior to the event, claiming airdrop rewards, then pooling tokens and transferring to major exchanges. The estimated value of that exploit was estimated to be around $4 million.
