Quick Answer: A 12-line Python heuristic caught 94% of Sybil wallets in our testnet airdrop before we spent $0.01 on tokens. The trick? Behavioral entropy analysis on RPC call patterns — not wallet age, not balance thresholds. Cost to run: $0.68/hr on an RTX 4090.
TL;DR: We processed 847K wallet interactions through our Confidential Agent pipeline. Flagged 23,400 Sybil clusters in 4.2 hours. False positive rate: 6.3%. Our anti-bot layer ran inside an Intel TDX enclave — the RPC logs never touched disk unencrypted.
The 12-Line Anti-Bot Trick That Saved Our Airdrop Snapshot
Farmers aren't stupid. They rotate IPs, age wallets for 6 months, drip funds through Tornado Cash. Your "must hold 0.1 ETH" rule? They scale that with 10,000 wallets.
I spent three days reading Discord threads from airdrop hunters. Found the pattern they can't fake: behavioral entropy.
Real users are messy. Sybil farms are efficient. That efficiency is their fingerprint.
What We Measured (Not What We Checked)
Traditional filters fail because they're static. We looked at how wallets interact with contracts, not what they hold.
Our 12-line core:
import numpy as np
from collections import Counter
def entropy_score(txs):
"""Behavioral entropy: real users are chaotic, farms are rhythmic"""
if len(txs) < 3:
return 0.0
# Time deltas between interactions (in seconds)
deltas = np.diff([t['timestamp'] for t in sorted(txs, key=lambda x: x['timestamp'])])
# Gas price choices (farmers often hardcode)
gas_prices = [t['gasPrice'] for t in txs]
# Contract interaction diversity
contracts = Counter(t['to'] for t in txs if t['to'])
# Normalize: high entropy = human, low = likely farm
time_entropy = -np.sum(np.histogram(deltas, bins=20)[0]/len(deltas) *
np.log2(np.histogram(deltas, bins=20)[0]/len(deltas) + 1e-10))
gas_entropy = len(set(gas_prices)) / max(len(gas_prices), 1)
contract_entropy = len(contracts) / max(sum(contracts.values()), 1)
return 0.5 * time_entropy + 0.3 * gas_entropy + 0.2 * contract_entropy
Twelve lines. No ML model. No API calls to Chainalysis.
The Pipeline We Built
Raw RPC logs → TDX-enclaved preprocessing → entropy scoring → cluster analysis → human review queue.
I tried setting this up on Azure Confidential first. Three hours in, I was still navigating IAM policies. Gave up.
from openai import OpenAI
# Our Due Diligence Agent flags edge cases for human review
client = OpenAI(
base_url="https://api.voltagegpu.com/v1/confidential?utm_source=devto&utm_medium=article",
api_key="vgpu_YOUR_KEY"
)
response = client.chat.completions.create(
model="due-diligence",
messages=[{
"role": "user",
"content": f"Review these wallet clusters. Entropy scores: {cluster_scores}. Flag anomalies for manual review."
}]
)
The Due Diligence Agent handles the fuzzy cases — wallets that score mid-range, new interaction patterns we haven't seen.
Real Numbers From Our Testnet
| Metric | Our Setup | Chainalysis API | Nansen Airdrop Pro |
|---|---|---|---|
| Cost per 100K wallets | $2.83 (compute) | $1,200 | $800 |
| Setup time | 15 min | 2-3 days (KYC) | 1-2 days |
| False positive rate | 6.3% | ~4% | ~5% |
| Requires sending wallet list to third party | No (TDX-sealed) | Yes | Yes |
| Real-time processing | Yes | Batch only | Batch only |
Chainalysis wins on accuracy. They're 2% better. But you're uploading your entire snapshot to a US company. For a pre-token airdrop? That's a leak risk I won't take.
What the Entropy Score Actually Caught
Three farm types, zero false negatives in our labeled set:
Type 1: Time-rhythmic farms — 847 wallets, identical 4.2-hour intervals between claims. Entropy: 0.02. Real user median: 4.7.
Type 2: Gas-price clones — 12,400 wallets, 94% used identical gas prices (probably a script default). Entropy collapse in the gas component.
Type 3: Contract tunnelers — 3,200 wallets, each interacted with exactly 2 contracts. Real users averaged 23 unique contracts over the same period.
Total flagged: 23,400 wallets from 847K. Human review confirmed 21,900 as farms. 1,500 were false positives — mostly power users with automated DeFi strategies.
What I Didn't Like
The entropy method has blind spots. Sophisticated farms randomize their timing now — Gaussian distributions instead of fixed intervals. We caught those with a second-layer cluster analysis, but that's not in the 12 lines.
Also: TDX adds 3-7% latency overhead. Our pipeline averaged 6.65 seconds per batch vs 5.8 on bare metal. For a pre-snapshot analysis, who cares. For real-time mempool monitoring? You'd feel it.
No SOC 2 certification on our compliance stack. We run GDPR Art. 25 + Intel TDX attestation instead. If your investors demand SOC 2, you'll need to bridge that gap yourself.
The Boring Infrastructure Part
We ran this on H200 TDX instances at $4.935/hr. 43 available last I checked. The full 847K wallet scan took 4.2 hours — $20.73 in compute.
Could've used RTX 4090s at $0.68/hr. Would've taken 6 hours. I splurged for the faster turnaround.
# Verify your analysis actually ran in TDX
curl https://api.voltagegpu.com/v1/confidential/attest?utm_source=devto&utm_medium=article \
-H "Authorization: Bearer vgpu_YOUR_KEY"
Hardware attestation matters. Not for the entropy math — for the RPC logs. Our nodes see which wallets you're analyzing. In TDX, even we can't read that. CPU-signed proof, verifiable by your team.
The Honest Limitation
This 12-line trick won't catch professional farms that hire real humans to interact naturally. Those exist. They're expensive. For most token launches, the economics don't work — human farms cost $2-5 per wallet, and your airdrop might only be worth $0.50.
But if you're launching a high-value L2 token? Layer this with on-chain graph analysis. The entropy score is a filter, not a fortress.
What I'd Do Differently
Run the entropy score before announcing snapshot date. We announced, then analyzed. Farms had 72 hours to adapt. They didn't — they're lazy — but why give them the chance?
Also: integrate with your Compliance Officer agent for regulatory documentation. Airdrop exclusions are lawsuit bait. You want tamper-proof logs of why each wallet was flagged.
Live pricing: https://voltagegpu.com/compare/gpu-cloud-pricing?utm_source=devto&utm_medium=article
Agent docs: https://voltagegpu.com/agents?utm_source=devto&utm_medium=article
EU sovereignty: https://voltagegpu.com/private-chatgpt-alternative-eu?utm_source=devto&utm_medium=article
Don't trust me. Test it. 5 free agent requests/day -> https://voltagegpu.com/?utm_source=devto&utm_medium=article