Author: Felix Ng
Compiled by: Aki Chen
In a metal shed with a cooling system just 40 minutes from Ho Chi Minh City, Mirai Labs CEO Corey Wilton first truly realized the enormous scale of abuse of crypto airdrops. "It's really chilling," Wilton said in an interview. He had just visited a 'phone farm' in southern Vietnam, where he estimated that at least 30,000 smartphones were piled up in a space no larger than a single apartment.
For the past four years, Wilton has hoped to witness the behind-the-scenes operations that collapsed his flagship NFT racing game Pegaxy in 2021. "At that time Pegaxy was booming, and our daily active users peaked at around 500,000," Wilton recalled. "We started receiving reports about 'bot farms.'" These bots can simultaneously control hundreds of accounts, quickly purchase horses with higher winning odds, and repeatedly participate in races to earn in-game currency, which can then be converted into real money. "You would see screenshots from people showing dozens or even twenty applications running on their screens, and similar scenes frequently appeared on social media," he explained.
Pegaxy is an automated, system-run racing game in which fifteen horses compete. Wilton said that bot farms transformed the game from 'who can win' to 'who can extract value faster'; the atmosphere of the game changed as a result, accelerating the project's decline.
On-site: Uncovering Vietnam's 'professional' phone farm
In May this year, Wilton finally got his wish, with the help of a former Pegaxy player, to have an exclusive visit to a 'highly specialized phone farm' in Vietnam. This player stumbled upon the farm's traces on TikTok.
"I went to two places, both about a 40-minute drive from my location, which are relatively remote areas," he recalled. "There absolutely wouldn’t be any foreigners going there, and they completely do not wish to be known." Wilton described one of the locations as a metal shed next to the street, with the air conditioning set to "as cold as it can get."
The inside of the metal shed is filled with metal racks, each packed tightly with thousands of smartphones, leaving only narrow passages for employees to walk through. The entire layout looks like a 'sham' crypto mining farm.
Wilton stated that the other party showed him the 'leasing segment' of the business, where clients can rent this phone farm for any purpose according to their needs. Unlike traditional bot servers, each device in the phone farm is equipped with its own SIM card and device fingerprint and can disguise its IP geolocation, which makes detection much more difficult and makes the farm especially suitable for scenarios that require each account to be bound to a phone number. Smartphones also offer a good ratio of computing power to cost, and a damaged device can be quickly replaced without significantly affecting the overall operation.
Wilton stated that in the cases he witnessed, an operator would control a 'master phone' via computer, which is connected to over 500 'slave phones.' Whatever operation is executed on the master phone, all subordinate devices would synchronize and replicate. "Most of their clients actually come from the Web2 industry. For example, K-pop agencies rent these devices to boost traffic; there are also casinos using it to simulate real players, making the games appear more 'real,' but actually to suppress you and guide you to lose money."
"There are also some Web2 players who batch-run mobile games, upgrading accounts through nurturing and then selling these upgraded accounts," he added. However, Wilton stated that the core business of this farm is actually 'manufacturing.'
The operator buys damaged or obsolete smartphones at low prices, then modifies them through software and other means, ultimately packaging them into 'self-service phone farm' devices for sale in overseas markets. The project can produce over 1,000 deployable farm phones each week, with each 'phone farm kit' containing about 20 devices. Wilton said these people do not operate the phones themselves. They do not farm airdrops or perform related operations. Their main business is actually packaging and selling these devices to those overseas who want to operate them from home. All you need to do next is keep these devices online and buy more phones to connect them.
Wilton lamented that it is no wonder that "bot-assisted crypto airdrop farming" has become a major problem in the crypto industry. Crypto airdrop farming refers to obtaining free tokens that should be awarded to real early users by creating a large number of wallet addresses and faking user behavior. Although most crypto airdrops do not require phone number verification, phone farms can still bypass Sybil protection (anti-Sybil attack mechanisms) through unique device fingerprints and IP addresses.
Airdrop farmers often sell their tokens immediately after receiving them, which impacts market prices and also makes it harder for real users to receive airdrops. Many projects see a surge of false active behavior before an airdrop, and once the airdrop is distributed, the number of users and token prices often plummet rapidly.
Crypto airdrop controversies are frequent, and bot behaviors are widely criticized.
Whether controlled by a large number of phones or a single computer, bot behaviors have caused significant damage to crypto airdrop activities. Last June, the Ethereum zero-knowledge (ZK) Layer2 scaling project ZKsync faced extensive bot attacks during its airdrop, with users accusing it of opening the door for 'bot farming.'
On-chain data analysis platform Lookonchain reported that an 'airdrop hunter' claimed over 3 million ZKsync (ZK) tokens through 85 wallet addresses, with a total value of up to $753,000 at the time. Another user boasted on social media that they had profited nearly $800,000 through an 'extremely efficient $ZK Sybil attack strategy.'
A Sybil attack is a security threat in which attackers create multiple fake identities in an attempt to gain an unfair advantage in a network system. The term comes from a book titled Sybil that describes a case of a woman with dissociative identity disorder. Mudit Gupta, the security chief of ZKsync's competitor Polygon, called it 'possibly the easiest airdrop to farm in history, and also the most over-farmed,' attributing the problem to the lack of anti-bot mechanisms, even though ZKsync had set seven qualification screening criteria this time to prevent Sybil attacks.
ZKsync responded in its official FAQ that current Sybil attack strategies are becoming increasingly complex, making them difficult to distinguish from real users; overly strict screening criteria might block some Sybil attackers, but they could also inadvertently harm a large number of genuine users.
However, just last month, Binance presented a different view when it reformed the bot behavior in its 'Binance Alpha Points' program. "Traditional bots usually follow predictable, repetitive behavior patterns, making them relatively easy to identify," a Binance spokesperson stated in an interview. "But with the rise of AI-driven bots, we are now facing a system that closely resembles human behavior — from browsing habits to interaction times, which can be highly simulated, significantly increasing the difficulty of identification." Binance stated that the platform is continuously intensifying its anti-bot efforts and developing new tools to identify abnormal operations from large-scale behavior patterns. For instance, address entity association analysis can help identify clusters of wallets controlled by the same entity, even if these wallets appear to be independent on the surface.
These analyses are particularly critical for revealing behaviors such as disguised holdings, multi-address batch transfer manipulation, and wash trading — tactics commonly used by AI-driven bots to fabricate real engagement and false liquidity. And it’s not just crypto airdrops that suffer; bots are also accused of flooding the market, creating countless worthless meme coins. Coinbase product head Conor Grogan recently pointed out on the X platform that "most tokens launched on PumpFun and LetsBonk platforms are almost entirely controlled by bots." He found that on the meme coin platform LetsBonk, top accounts release a new token on average every three minutes.
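The address entity association analysis Binance describes can be sketched as graph clustering over transfers. The following is an added example, not Binance's or any project's code: the transfer records are constructed, the two linking heuristics (common funder, common sweep destination) and all names are assumptions, and shared exchange wallets are excluded so that genuine users are not merged into a cluster.

```python
from collections import defaultdict

# Constructed sample transfers (sender, recipient, kind); not real chain data.
# "fund" = a wallet's first gas funding, "sweep" = claimed tokens sent onward.
TRANSFERS = [
    ("0xFUNDER", "0xA1", "fund"), ("0xFUNDER", "0xA2", "fund"),
    ("0xFUNDER", "0xA3", "fund"), ("0xEXCHANGE", "0xA4", "fund"),
    ("0xEXCHANGE", "0xB1", "fund"), ("0xEXCHANGE", "0xB2", "fund"),
    ("0xA1", "0xCOLLECT", "sweep"), ("0xA4", "0xCOLLECT", "sweep"),
    ("0xB1", "0xEXCHANGE", "sweep"), ("0xB2", "0xEXCHANGE", "sweep"),
]
# Exchange hot wallets and bridges touch many unrelated users, so a link
# through them is not evidence of common control (hypothetical label set).
SHARED_INFRA = {"0xEXCHANGE"}


def cluster_wallets(transfers, shared_infra, min_size=3):
    """Group addresses linked by a common funder or a common sweep target."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    for sender, recipient, kind in transfers:
        counterparty = sender if kind == "fund" else recipient
        if counterparty in shared_infra:
            # Register the user wallet, but draw no link through shared infra.
            find(recipient if kind == "fund" else sender)
        else:
            parent[find(sender)] = find(recipient)

    groups = defaultdict(set)
    for addr in list(parent):
        groups[find(addr)].add(addr)
    clusters = [sorted(g) for g in groups.values() if len(g) >= min_size]
    return sorted(clusters, key=len, reverse=True)


if __name__ == "__main__":
    for cluster in cluster_wallets(TRANSFERS, SHARED_INFRA):
        print(len(cluster), "linked addresses:", cluster)
```

Wallet 0xA4 is funded through the exchange yet still joins the cluster because it sweeps to the same collection address, while 0xB1 and 0xB2, which only share the exchange, stay separate.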
Daren Matsuoka, a data scientist and partner at a16z Crypto, believes that Sybil attacks are a problem that has only emerged in recent years. "Throughout most of the cryptocurrency's development history, we actually had a certain inherent resistance to Sybil attacks, because the gas fees on these Layer 1 blockchains have always been high," he stated on the a16z Crypto podcast in April this year.
"In the past, to qualify for an airdrop, you indeed needed to pay a transaction cost of a few dollars or even tens of dollars. But with the continuous optimization of infrastructure, the cost of operation has now become very low. I believe this will completely change the game between attack and defense mechanisms," said Eddy Lazzarin, CTO of a16z Crypto, who has been emphasizing the importance of building a 'proof of human' mechanism.
"AI can now generate a large number of realistic behavior records. The most advanced bot farms are now nearly impossible to reliably identify, and it won't be long before those with moderate technology become equally undetectable," Lazzarin wrote in an article in May this year. Lazzarin is most interested in developing a 'proof of personhood' mechanism: it should allow real humans to easily and freely verify their identity while making it costly and challenging for bots or fraudsters to commit large-scale deception. He mentioned that the iris scanning project World initiated by Sam Altman is a typical example of such a mechanism. The core idea of the project is that everyone can only register once for a World ID, validated through iris scanning (since everyone's iris is unique).
Lazzarin added in an airdrop-themed podcast, "I really hope to see more people trying systems like World ID, which combines biometric technology with privacy protection mechanisms to limit each person to having only one identity ID."
However, Ethereum co-founder Vitalik Buterin believes that 'one person, one ID' is not a perfect solution, as it means that all historical behaviors may be tied to a single attack point — the key corresponding to that identity. If it is leaked, the risks are immense. At the same time, he pointed out that biometric and government identity information can also be forged.
Why not directly cancel crypto airdrops?
If crypto airdrops are so easily manipulated, the most direct option seems to be to simply cancel the airdrop mechanism. However, some argue that airdrops still have their significance. Distributing tokens to users who genuinely participate in the protocol not only helps achieve decentralization of project governance but can also disperse control through voting rights and other means. Furthermore, airdrops often generate a lot of buzz. "An obvious reason is: when you distribute a large amount of tokens that may have value, it attracts a lot of attention, which in itself has a marketing effect," Lazzarin stated. "Airdrops are essentially a marketing tool."
Wilton also agreed and pointed out that project parties should anticipate that a portion of users will sell their tokens, which is essentially the marketing cost needed to acquire users, with the key being to ensure that these users are real people who 'are willing to stay long-term.' Meanwhile, Binance believes that automated bots are not entirely harmful. In fact, in certain scenarios, if used properly and transparently, bots can play a positive role — for instance, in providing liquidity, executing strategies on behalf of users, or simulating stress tests during audits.