What Is a Sybil Attack in Crypto?

By Gaurav Roy

As crypto adoption grows and blockchain use cases become more prominent, providing a safe user experience is critical. However, threats to user security can come in many forms. Especially given the relative newness of blockchain technology.

Of course, not all threats attack a network’s users: some aim to attack a blockchain network itself. The Sybil attack, which can affect any peer-to-peer network, is one such threat. 

But, what exactly is a Sybil attack, and what risks can it pose to blockchain networks? Let’s take a look!

What Is a Sybil Attack?

A Sybil attack aims to take over a network using multiple accounts on an online or on-chain network of users. The goal is to corrupt the system and manipulate it to their advantage.

For instance, a Sybil attack can manifest as fraudulent voting in an election or online voting system. Alternatively, it could involve creating multiple social media accounts on platforms like X (Twitter) to spread falsified information, or even worse, to share malicious links designed to harvest users’ confidential information. 

In the case of public blockchains, Sybil attacks generally attempt to overpower the authentic nodes in a blockchain network. If successful, Sybil attackers gain the power to alter the blockchain, compromising network finality in the process. 

To clarify, blockchain finality is the idea that, once written onto the blockchain, a transaction cannot be changed or undone. This concept is fundamental for transactions on a blockchain to be considered valid and trustworthy. For example, blockchain finality is necessary to prevent the same cryptocurrency from being spent more than once (double spending). Similarly, finality is also vital for guaranteeing that the outcomes of smart contracts and functions of decentralized applications are trustworthy and irreversible.

But before we talk about exactly how Sybil attacks can affect finality, let’s discuss their history, which precedes the public blockchains of today.

The History of Sybil Attacks

The name “Sybil” comes from a 1973 book of the same name, that details the treatment of a woman – Sybil Dorsett – with dissociative identity disorder (DID), previously referred to as multiple personality disorder. Therefore, the name Sybil is a nod to the multiple identities that malicious agents create to carry out these attacks.

Computer programmer Brian Zill is credited with coining the term at Microsoft Research in the early 2000s. The term was further cemented by fellow Microsoft researcher, John R. Douceur, in a research paper written around the same time.

Notably, Douceur proposes in that paper that Sybil attacks are of particular concern in a practical P2P system without a centralized authority. In other words, Sybil attacks are something that all decentralized blockchains, by definition, must guard against. 

How Does a Sybil Attack Work in Crypto?

Within the world of crypto, Sybil attacks involve creating multiple network nodes in an attempt to exert control over a blockchain network.

Generally speaking, a crypto node is a single computer that is part of a blockchain network. Each node individually stores all of the information on the blockchain, which is how nodes verify each other. With a Sybil attack, a single bad actor creates multiple false nodes to trick the network into treating the fraudulent accounts as legitimate. 

If the attacker successfully gets enough malicious nodes into the network, they can then use that influence against honest nodes for their benefit. For instance, in a blockchain network where miners vote on proposals, an attacker could use multiple identities to outvote legitimate nodes. Attackers could also intercept and analyze sensitive user data like IP addresses, compromising users’ privacy and security.

Often, the end goal of a Sybil attacker is a 51% attack. This occurs when a single entity gains more than 50% of a network’s hashing (computing) power. This grants the attacker the ability to rewrite parts of the blockchain, meaning that they could reorder transactions, block transactions from being validated, or even reverse their own transactions leading to double spending.

High-Profile Sybil Attacks in Crypto

Monero (2020)

Monero – a privacy-focused blockchain that promises users a way to make untraceable transactions – suffered a 10-day-long Sybil attack back in November 2020. The main goal of the attacker was to deanonymize transactions on the platform. For this attack, a single entity used several malicious nodes to try and disrupt the Monero network. 

The attacker exploited a bug to raise the chances that its malicious nodes would be accepted by the network, intentionally dropped transactions causing them to fail, and tracked IP addresses in an attempt to link them to certain transactions.

Ultimately, the attacker was unable to bypass Monero’s security features, limiting the damage they could do. Specifically, Monero’s use of the privacy-preserving protocol, Dandelion++, prevented the attacker from successfully linking user IP addresses to transactions.

Ethereum Classic (2020)

First, some important context on Ethereum Classic. 

This was actually the original Ethereum network. However, in 2016, after a major hack of Ethereum’s very first DAO resulted in millions of dollars worth of ETH being stolen, Ethereum underwent a hard fork to return funds to victims. At that point, the new chain carried on with the Ethereum name, while those who opposed the fork continued running the old chain as “Ethereum Classic” with its own version of ETH, ETC.

Unfortunately, Ethereum Classic has suffered a few 51% Sybil attacks since then, the worst of which occurred in the summer of 2020. This particular attack saw a hacker gain control over a majority of Ethereum Classic’s hash power. After doing so, the hacker was able to execute a complex double spend: sending ETC to its own wallets and back, all while siphoning off funds through exchanges. In the end, the attacker was able to steal more than $5M in ETC.

Verge (2021)

The Verge blockchain suffered one of the most high-profile recent Sybil attacks in crypto back in 2021. In this case, the attackers were able to execute a 51% attack on the privacy-focused blockchain, which resulted in about 200 days’ worth of transaction data being wiped out. It’s important to note, however, that the network recovered within a couple of days of the attack.

How Do Blockchains Protect Against Sybil Attacks?

In the blockchain ecosystem, consensus mechanisms are the main line of defense against Sybil attacks. While these different methods provide varying levels of protection, they all make it much more difficult for bad actors to create the multiple accounts necessary for a successful Sybil attack. 

Proof-of-Work

In Proof-of-Work blockchains like Bitcoin, the network applies a certain set of rules around creating new blocks. Simply put, an attacker can’t just use a single node to spin up multiple false identities in this instance. Rather, they would need to have the computing to create new blocks, which would be both difficult and incredibly expensive for an attacker. Similarly, the sheer number of Bitcoin miners also makes it difficult for a would-be attacker to gain a notable share of network nodes.

Proof-of-Stake

Proof-of-stake blockchains can also make creating blocks prohibitively expensive for attackers. Ethereum, for example, requires users to stake 32 ETH to act as node operators. Furthermore, there can be harsh financial consequences for node operators who act fraudulently on these networks. Similarly to Bitcoin, the size of Ethereum’s pool of network validators makes it very difficult for attackers to gain a large enough share of nodes to affect the network.

Delegated Proof-of-Stake

Some blockchains like EOS and Tron use Delegated Proof-of-Stake mechanisms. These systems deter Sybil attacks by having “delegates” – a small group of trusted nodes elected by the community. These delegates are incentivized to act honestly as they risk losing their status and rewards, which can take considerable time and money to gain.

Proof-of-Personhood

Proof-of-Personhood (PoP) authentication helps verify a unique individual behind each node through methods such as scanning a QR code or solving a Captcha. The crypto project Worldcoin is notable for using iris biometrics – scanning a user’s eye – as PoP. Another form of this authentication is KYC (Know Your Consumer), which entails users verifying their identity with something like a driver’s license or passport.

Outside of the above methods, other ways to discourage Sybil attacks include ranking nodes by reputation (Proof-of-Authority) and using algorithms or social trust graphs to detect outlier behavior among nodes.

Final Thoughts on Sybil Attacks

As blockchains continue to grow in popularity and usage, they also become a larger target for attackers. Therefore, the need for security in decentralized P2P networks also grows alongside them.

Fortunately, the crypto world has learned from past Sybil attacks and has gotten quite good at mitigating their damage. The Sybil attack on the Monero network in 2020 is a great example, as Monero’s privacy algorithms were able to prevent the attackers from doing any serious harm. The Verge network was similarly able to recover very quickly after its 2021 attack. 

One thing is for sure – blockchain technology will continue to evolve to meet the security challenges that arise. So why not go along your blockchain journey with a partner that understands the importance of that security? Ledger devices give you full control over your private keys while Ledger Live makes it easier than ever to explore the world of blockchain while maintaining your security and privacy.

So what are you waiting for? Join the Ledger ecosystem and start enjoying all the benefits of secure self-custody.