I discovered a significant number of wallet groups that exhibit considerable Sybil activity. My methodology for identifying these wallets was straightforward. First, I created a list of wallets that were eligible for the ARB airdrop and appeared in the 'SENDER_WALLET' column of LayerZero's data. Then, I checked their post-airdrop activity and looked for specific patterns.

One pattern involved sending all of their airdrop tokens to the same centralized exchange (CEX) wallet, often alongside other addresses from our list (or collecting the tokens in one wallet first, then sending them to a CEX address)

For me, this is sufficient proof and reasoning to classify these addresses as engaging in Sybil activity. However, I also checked other activities of these addresses and discovered that addresses using the same 'CEX Deposit' or collector wallet (hub wallet) exhibited similar behavior on LayerZero.

For this reason, I divided the addresses into groups according to their 'hub wallet.'

Some of the wallets I found were already in the initial list. I excluded them from the list here, but as we dive into the groups, we will see those addresses labeled to indicate that they are already in the initial list and also match our filters.

Let's start with the first group

After this collection operation, 51,124 ARB was transferred from the collector wallet to a Binance hot wallet. You can view the transaction here.

Below is a screenshot from Arbiscan:

Now, let's check the activity of some of these addresses on LayerZero, but with additional data from txnOrderByWallet. When you examine transactions in the same order, you'll see they involve the same amount of Ether, the same projects, and the same chain-to-destination pattern, but with different addresses. Below are some screenshots for reference.

These are the first transactions of each wallet in this group, on LayerZero. You can observe similar patterns in their second or third transactions as well.

Let's move on to the second group, which includes 884 addresses. These addresses sent all of their ARB airdrop to the collector address '0x770edb43ecc5bcbe6f7088e1049fc42b2d1b195c'. On the same day, these tokens were transferred to Bybit's wallet. We will follow a similar schema as above but with many more rows since there are significantly more addresses.

When I compared this group with the initial list, I found that 270 of the addresses were already included in the initial list. I have removed them from my report and labeled them accordingly (see isInitialList_ column). On the right side, you can see a transaction from Arbiscan showing the collector milking its Sybil addresses just on airdrop day, with a total of 995K ARB. This is quite significant. Now, let's examine the evidence of this collecting activity and review their LayerZero activity.

Additionally, if you go to Arbiscan and look at the pre-airdrop activity of these Sybil addresses, you will see the same pattern. I haven't included more snapshots here to keep my report clear. Now, let's check their LayerZero activity and try to identify similar transactions again. I will put the Transaction Order Number(txnOrderByWallet) as the first column.

The list above includes 20,460 rows, making it challenging to read all the data at once. To aid observation, I've prepared some visualizations with this table, which I'm also sharing.

• At below , we see the number of wallets grouped by Source-Destination chain. The X-axis represents the transaction order by wallet (where 1 indicates wallets making their first transaction with LayerZero).

Upon manual inspection of some transactions, it appears that the pattern resembles the screenshot at the right side addresses minting 'GLEAM' ERC-721.

Notably, between the 13th and 25th transactions, this Sybil group seems to prefer the Polygon-Celo route. Additionally, pay attention to the dates; they make the same transactions with the same route and order on the same day, possibly indicating automated processes.

• On the right corner, we have a similar graph, but this time it's grouped by Project. Out of the 884 addresses in total, 854 of them used the same project as their first farming activity on LayerZero. Refer to the screenshots below for more details.

Our third group consists of 436 addresses, all of which sent their airdrop tokens to the collector address '0x2c440669f1ed93dacd248f2190e21b54a86f7367', after which they were transferred to Binance. Please refer to the table and screenshots below for more details.

This group, the second largest with 436 addresses, is relatively straightforward to confirm as each address has only one transaction. They all exhibit the same pattern: transferring from Arbitrum to Polygon, with an amount ranging from 2 to 2.3 USDC via Stargate. Notably, the timestamps are remarkably close and follow a consistent order.

The fourth group comprises 391 different addresses, with 190 of them already present in the initial list. Thus, I've used a similar template as with Group 2. You can identify addresses from the initial list in this report with the 'isInitialList_' column displaying a 'YES' value. Therefore, I've reported on 200 wallets from this group.

All of the addresses below sent their airdrop to '0x6f2fd4d1151522b2a16a53b4d7990dbcd09dc657', a collector address. This collector address then deposited all of the funds to a Binance deposit address, which subsequently transferred them to the 'Binance hot wallet'.

Acumulating ARBs in '0x6f2fd4d1151522b2a16a53b4d7990dbcd09dc657'

Sending ARB's from collector to binance deposit address ('0x023A9e71848964720aA938D50f1232D34f46b470'

And as you can see here, funds are going to CEX same day with airdrop

As additional proof for these 200 addresses, they exhibit a similar on-chain activity pattern on Arbitrum. To demonstrate this pattern, I am sharing some more screenshots from Arbiscan and distribution graphs for this group.

I serached some of addreeses on arbiscan and they have made same transactions, in same days.

And this is their frist txn before this they are funded via HopProtocol, you can see this activity at internal transactions section on arbiscan

It looks like those addresses started 'farming' ARB airdrop on 2022-07-11

While I'm not certain about the exact methodology LayerZero used to filter addresses and create the initial list, on the right side, we can observe Group 4, filtered by myself. Almost half of them were identified by LayerZero, and I believe I've found the other half of this group.

Towards the end of this group, we notice similar distribution graphs to those of Group 2. From these graphs, it's apparent that most of these addresses are utilizing the same route and project with the same transaction order by wallet.

Similarly to the 4th group, this one comprises 391 addresses, with 189 of them already present on the initial list.

The route of ARB airdrop for this group is: all of the addresses in this group send 100% of their ARB allocation(like in other groups) to '0x58466051e2b049e6c21dca97f1b18e83c79b0c99', after which the ARBs are transferred to the 'Binance Hot Wallet'.

If you can't see the screenshot on the right side, you can view it here.

At the table below you can observe LayerZero activity of this group I would like to take your focus on STARGATE_SWAP_USD column, these addresses making transactions with similar amounts at same time period.

As additional proof I am adding one more table which shows L1 activity of wallets in this group. Look to GAS_LIMIT column you will see some values again and again, maybe someone just set it's bots to gwei.

In the table below, we observe the collector address for each wallet. The 'Number of Sybils Collected' indicates how many wallets send their allocation to this collector. The 'Sybill Address' column shows the sender wallets. 'Hash of Collecting' represents the hash of the ARB transfer from the Sybil to the collector wallet.