Lesson 37 min read

🔗 Wallet Clustering & Sybil Attack

400 wallets could actually be just one person. How do we detect fake holder inflation using blockchain graph analysis?

The Problem: Fake Holder Inflation

If a token shows '5,000 holders', it looks safe. But what if 4,000 of those belong to the same person? On the blockchain every wallet appears as a separate identity, and linking them back to one owner is impossible, or so they thought.

Real World Example: PIPPINU

Visible Holders: 380+ wallets
Real People: ~3-5 estimated people
Fake Ratio: 99% fake holders

How Does Clustering Work?

Taranoid uses 4 different signals to detect wallets belonging to the same person:

1. Funding Graph — Who Funded Whom?

The first SOL transfer of every wallet is traced back 3 levels. Wallets funded from the same source = likely the same person.

Main Wallet → transfers 0.01 SOL to 50 sub-wallets → These 50 wallets buy the token

2. Timing Cluster — Born at the Same Time

10+ wallets created within the same 5 minutes are automatically flagged. A human cannot open 10 wallets in 5 minutes.

15:42:03 → Wallet 1 created
15:43:17 → Wallet 2 created
15:44:55 → Wallet 3 created ... → Script!

3. Behavioral Similarity — Identical Actions

Wallets making trades with similar amounts (±5% tolerance) and within similar timeframes are matched.

Wallet A: buys 1000 tokens → sells 5 mins later
Wallet B: buys 1000 tokens → sells 5 mins later → Bot!

4. Connected Components — Graph Analysis

These 3 signals are combined into a network (graph). Connected wallet groups = one cluster = one entity.

Cluster 1: 380 wallets → 67% of Supply
Cluster 2: 12 wallets → 8% of Supply
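
The four steps above can be sketched as a union-find over holder wallets. This is an added example, not Taranoid's code: the record fields (created, buy, hold), the 60-second hold-time gap standing in for "similar timeframes", and the sample wallets are all assumptions constructed for illustration.

```python
from itertools import combinations

def funding_root(wallet, funder_of, depth=3):
    """Follow first-funder links back at most `depth` levels."""
    for _ in range(depth):
        wallet = funder_of.get(wallet, wallet)
    return wallet

def cluster_wallets(wallets, funder_of, burst=10, window=300, tol=0.05, hold_gap=60):
    parent = {w: w for w in wallets}            # union-find over holder wallets

    def find(w):
        while parent[w] != w:
            parent[w] = parent[parent[w]]       # path halving
            w = parent[w]
        return w

    def union(a, b):
        parent[find(a)] = find(b)

    seen_root = {}                              # signal 1: shared funding source
    for w in wallets:
        root = funding_root(w, funder_of)
        if root != w:
            union(w, seen_root.setdefault(root, root if root in parent else w))
    by_birth = sorted(wallets, key=lambda w: wallets[w]["created"])
    for i in range(len(by_birth) - burst + 1):  # signal 2: burst of new wallets
        group = by_birth[i:i + burst]
        if wallets[group[-1]]["created"] - wallets[group[0]]["created"] <= window:
            for w in group[1:]:
                union(group[0], w)
    for a, b in combinations(wallets, 2):       # signal 3: near-identical trades
        x, y = wallets[a], wallets[b]
        if (abs(x["buy"] - y["buy"]) <= tol * max(x["buy"], y["buy"])
                and abs(x["hold"] - y["hold"]) <= hold_gap):  # hold_gap: assumption
            union(a, b)
    clusters = {}                               # signal 4: connected components
    for w in wallets:
        clusters.setdefault(find(w), []).append(w)
    return sorted(clusters.values(), key=len, reverse=True)

# Constructed sample (not real addresses): 12 scripted wallets, 2 organic holders
FUNDER_OF = {f"sybil{i}": "hop" if i % 2 else "main" for i in range(12)}
FUNDER_OF["hop"] = "main"
WALLETS = {f"sybil{i}": {"created": 1000 + 20 * i, "buy": 1000 + i, "hold": 300}
           for i in range(12)}
WALLETS["alice"] = {"created": 5000, "buy": 250, "hold": 86400}
WALLETS["bob"] = {"created": 90000, "buy": 4000, "hold": 7200}
print([len(c) for c in cluster_wallets(WALLETS, FUNDER_OF)])
```

Shared funders such as exchange withdrawal wallets would link unrelated users under signal 1, so a real pipeline needs a list of known service addresses to exclude from the funding graph.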

What is a Sybil Attack?

A sybil attack is when a single entity subverts the reputation system of a network by creating a large number of pseudonymous identities. In crypto, the most common uses are airdrop farming and inflating the holder count.

⚠️ Wallet age < 24 hours: 70%+ new → +35 points
⚠️ Single token wallet: 60%+ single token → +25 points
⚠️ Similar SOL balance: 0.001–0.003 SOL → +20 points
⚠️ Sudden holder drop: 50% drop in 10 mins → +30 points

Real holders = real trust

If clustering analysis returns zero clusters on a token, the holders are truly independent people. This alone is a massive trust signal, but it is not enough: check the other 8 metrics as well.

Real case: see PIPPINU

Step-by-step detection of 380 fake holders.
