A presale for the WET token on Solana was abruptly halted after a single entity reportedly used a bot farm with over 1,000 wallets to acquire nearly the entire supply seconds after launch. The incident, which occurred on the Jupiter exchange aggregator, effectively shut out legitimate buyers and forced the project team to take immediate action.

Project Team Resets Launch

HumidiFi, the Solana-based automated market maker (AMM) behind the project, confirmed the attack and canceled the original sale. In response, the team announced it would create a new token and conduct an airdrop to compensate participants who were on the presale whitelist and staking on Jupiter. HumidiFi explicitly stated that the wallet address associated with the attack would be excluded from the new distribution and that a new public sale would be scheduled.

Analysts Uncover the Sybil Attack

Blockchain analytics platform Bubblemaps identified the entity responsible for the exploit after observing unusual wallet clustering during the sale. The firm reported that at least 1,100 of the 1,530 participating wallets showed identical funding and activity patterns, a clear sign of a coordinated Sybil attack where one actor uses multiple addresses to gain an unfair advantage.

According to Bubblemaps CEO Nick Vaiman, the attacker funded thousands of new wallets from exchanges, each receiving 1,000 USDC just before the sale. He noted that even though the wallets weren’t all directly linked on-chain, their behavioral similarities—including transaction size, timing, and funding sources—all pointed to a single operator. The analytics firm was able to link the attack to a specific Twitter handle after the operator reportedly made a mistake that exposed one of the wallet clusters.

A Growing Threat for Token Sales

This event highlights a rising trend of Sybil attacks targeting token presales and airdrops. In November, a single entity claimed 60% of aPriori’s APR token airdrop, while wallets linked to Edel Finance were accused of acquiring 30% of their own token supply. The Edel Finance co-founder later denied the accusation, claiming the tokens were placed in a vesting contract.

Vaiman warned that projects must treat Sybil activity as a critical security threat. He recommended that teams implement robust countermeasures, such as Know Your Customer (KYC) checks or advanced algorithms designed to detect coordinated wallet activity. As an alternative, he suggested that projects could manually review presale participants before finalizing token allocations to ensure a fair launch.