A high profile presale on Solana descended into controversy after a bot farm using more than one thousand wallets reportedly captured almost the entire supply of the Wet (WET) token within seconds. The incident has raised alarm over rising Sybil attacks across token launches and airdrops, prompting renewed calls for stricter security checks.
Presale Overrun by Bot Controlled Wallets
The WET presale was hosted on Jupiter, a popular decentralised exchange aggregator. Although it sold out instantly, genuine retail buyers were effectively locked out. According to organisers, a single actor used a coordinated network of automated wallets to dominate the entire sale.
HumidiFi, the automated market maker running the launch, confirmed that the event had been compromised. The team immediately scrapped the token and announced plans for a fresh sale along with a distribution to legitimate participants. They stated that all verified Wetlist members and JUP stakers would receive tokens through a pro rata airdrop. They emphasised that the sniper would be excluded completely.
Source: Jupiter
The team said they would relaunch the public sale on Monday with a new token to prevent the attacker from benefiting.
Bubblemaps Traces Over One Thousand Identical Wallets
Blockchain analytics firm Bubblemaps reported that it had identified the network behind the attack. The company observed unusual clustering during the sale, including over one thousand one hundred wallets that displayed identical funding behaviour and timing.
Nick Vaiman, chief executive of Bubblemaps, said the team found that most of the newly created wallets showed no previous onchain activity. They were funded within minutes of each other using similar amounts of Solana. The funds originated from a small group of wallets connected to exchange accounts.
Vaiman added that some clusters were not directly linked onchain yet still behaved in an identical manner. According to him, these similarities strongly indicated control by a single actor.
Bubblemaps said the attacker had deposited one thousand USDC into thousands of new wallets shortly before the presale. One cluster reportedly “slipped” allowing investigators to match the activity to a Twitter user known as “Ramarxyz”, who later posted on X asking for a refund.
Sybil Attacks Continue to Rise Across Token Launches
The WET incident is part of a broader trend of Sybil manipulation affecting presales and airdrops. In mid November, one actor captured sixty percent of aPriori’s APR airdrop. Later that month, wallet clusters linked to Edel Finance allegedly acquired thirty percent of their own EDEL tokens. The project’s co founder denied involvement and said the tokens had been placed in a vesting contract.
Vaiman noted that Sybil attacks are increasing even though the patterns differ each time. He warned that without stronger preventative measures, token launches will remain vulnerable to manipulation.
Calls for KYC or Algorithmic Screening
Experts say that project teams should treat Sybil activity as a critical security threat. Vaiman urged developers to consider Know Your Customer checks or algorithmic detection systems to screen out manipulative behaviour. He said teams could also perform manual verification before finalising token allocations.
Bubblemaps demonstrated the wallets participating in the presale. Source: Bubblemaps
He added that dedicated internal teams or specialised external analysts may be required to secure presales and airdrops. Without such measures, the risk of similar incidents is likely to persist.
HumidiFi Prepares for Relaunch
Despite the disruption, HumidiFi assured its community that the relaunch would prioritise fairness. Genuine buyers will receive a guaranteed distribution while the attacker will be fully excluded. The team stressed that the reset aims to protect participants, rebuild trust, and prevent the sniper from profiting.
