Reported Addresses

25939 wallets https://drive.google.com/drive/folders/1ndbGP-iMqM0o0lk_pKDNW7trNjO7fvua?usp=sharing

I can’t upload all the wallets in the comments, I’ll try in parts, but I think Google Drive also displays the last modified time.

Detailed Methodology & Walkthrough

I downloaded all transactions manually from Arbiscan, Optimismscan and Polygonscan from the Umbra protocol for find sybilAddress1. Next step: I use a lot of python software. here you can look at them: light scripts(for blockchain scans - Umbra EOA finder and SybilAddress2), my best software clusterFinderV6.py(+mass nonce checker) and graphVisualisatorV2.py output only single file, graphVisualisatorCombineV2.py (output many folders and files)

What is Umbra? better look at the illustrations from another report: commonwealth

Umbra is a pseudo-anonymous protocol that defines a set of standards and a smart contract to allow stealth addresses (only for single tx) on the EVM blockchains. A stealth address allows a sender to send Ether or ERC20 tokens to an address controlled by the receiver without revealing the identity of the receiver.

Note for another sybilhunter,my soft can get only eth tx, 20-45%erc20 i dont analys

Here is an example:

First transaction (hash 0x777…777):

tx:

1.1. From: SybilAddress1
1.1. To: Umbra contract

Internal transaction: (hash 0x777…777):

1.2. From: Umbra contract
1.2. To: Umbra EOA

Second transaction: (hash 0x666…666)

From: Umbra EOA
To: SybilAddress2

This is how 50-90% of all sybils use Umbra, but there are also smart ones.

clusterOP#63

Smarts use >2 Umbra tx:

clusterOP#67

Dear lz team, team, issue is in the process, but you can download 90% of my clusters op/arb from google: ALL CLUSTERS.rar -> OP or ARB folder. and effort to discover numerous clusters. I apologize for any language errors as I am using translators.Plz don’t ban me and this report, editing the report is in progress, please don’t burn eth, it’s all my money. I worked very long and hard and found many clusters. sorry for my english, i use translators

Note: html file could take few minutes to load according to your network speed. If you open a “large” HTML file >400KB in the browser, the average time is 10 minutes to 3 hours.

+- 5k-10,000 with completed reliable evidence (addresses + hash in csv file + visual of html interactive graphs with hash and hyperlinks to blockchain scans, you can zoom with all nonce(tx count popular evm chains), but this problem is 30-60% complete.

my fist github issue report#496 or 200-700, i really forget, and second #4148 100%, but my github banned :c proof

To avoid as many legitimate wallets as possible, I perform a multi-level check:

first I find clusters with python script interconnected via the Umbra protocol (connected to each other by transactions via the Umbra protocol), then the script visualizes them all at once and compares them with all Layer Zero wallets and the list of Sybils,
then I run a Python script to check the nonces in the popular evm networks (and sorted by the number of eth-mainnet transactions),
I manually looked at all the nonces in the table and if I saw 1 or more addresses with transactions not according to the pattern, highlighted in blue(screenshot below about noncechecker.py), I looked to see if this address was random, 99% this is the parent graph (the first in the chain, the center of the One to many cluster)
the following comparison with uniq date/week/mounth and lz value and manual filtr,
debank fist transaction, sample: “Active since 2022-03-26”.

best quality image: https://drive.google.com/drive/folders/1msu5AkZUFRfXnvbGsps5wgfX494CoC3r

Noncechecker.py is a very simple software, but very demonstrative, it is clear that 90-95% of sybil-addresses found by sybil hunters have approximately the same nonce numbers in all networks, I check the number of transactions {ETHonce} {MATICnonce } {ARBnonce } {OPnonce } { BNBnonce} {Avalanchenonce} 1 unique cluster == 1 unique pattern

you can see for yourself by looking at the google doc. Even a witch with 1man==9000Umbrasybil addresses has her own pattern. I added 80-90% of the optimism umbrasybil addresses I found to this GoogleDoc (in the optimism chain):

op: https://docs.google.com/spreadsheets/d/1sWNJ_KdWnzemj37A_zhHVv3b94LA6iyCKXZWpdZrNn4/edit#gid=0

arb: https://docs.google.com/spreadsheets/d/1Ts-vpbrEWsMysC-K4McgShJGSoN7Dec2-mkQtMqJTOg/edit#gid=0

matic: https://docs.google.com/spreadsheets/d/1R071pF33Ocg-I90rRnhZaMt_v0b192FSTZxnSB6WyBo/edit#gid=0

Number of Transactions: - The number of transactions for these addresses is fetched on several chains using the Etherscan API. - This often indicates sybil behavior, as sybils tend to perform roughly the same number of transactions with some variation to avoid detection. (c)commonwealth another sybil hunter also uses this idea

I downloaded 20-30% dune analytics and added it to Google Docs download from opensource soft: https://github.com/indicatedl/layerzero_stats

I think there are duplicates here, as with other Sybilhunters, and between my clusters in Arbitrum and Optimism, I will delete this. There is also one sibilhunter who also made a report on the umbra protocol, it’s likely that we have a 20-40% coincidence(i about https://commonwealth.im/layerzero/discussion/18823-sybil-cluster-report-from-github-issue-573 ) I didn’t copy anything from this person! proof: last year, while participating in the Connext Sybil Bounty , I had report #336 about umbra in 28-29 August 2023 but without visualization of 1000+ addresses https://teletype.in/@iayanami/HceMZye3bv3 (ctr+f: umbra) cryptoamy had #556 https://teletype.in/@iayanami/wCkGIU_KzFK Aug 31, 2023, but this is only a copy, the originals have been deleted from Github

Lightgreen-colored nodes is sybil wallets, are potential eligible for airdrop (all wallets except official sybil list)

Purple-colored nodesin the graph denote addresses that serve as on-chain connections between all sybil accounts where transfers occurred/were funneled through but were not includ

Black-colored nodes is sybil from lists by LayerZero, Nansen, and Chaos

I’ll post some or all of the software soon

Note: The images are not identical to the HTML files. Each new file launch or browser page refresh generates a slightly new graph visualization

Note: I have two versions of this software “graphVisualisatorv1/v2.py”: in the first, the green columns refer to the address “from” column, and the purple ones refer “to”.

graphVisualisatorV1:

graphVisualisatorV2:

each cluster has a unique folder, example: ALL CLUSTERS\OP\Cluster#1_47wallets, it contains the following files: Cluster#1_252tx.csv (contains all transactions of the cluster) Cluster#1_LZsybilWallets47out_of198.txt all the Sybil wallets I found (47), Cluster#1_interactive_graphV2.html - the best interactive visualization(zoom with mouse, hyperlink to arbiscan or optiscan/polygonscan), also in the fplder ALL CLUSTERS\ALL CLUSTERS\OP\0.All_cluster_wallets contains copies, plus Cluster#1_nonce2.txt with a two at the end, sorted by the number of transactions in ether chain and another nonce check result.

Description

I uploaded all clusters to Google Drive ( link at the very beginning ): 79 clusters in Optimism, 157 in Arbitrum, and 37 in Polygon. Additionally, I included old clusters from May 8-18, which were generated using a different strategy (googledoc with all connected lzSybil#1-umbraEOA-lzSybil#2 umbra arb tx ). I have now expanded the visibility area of the software to include (lzSybil#1 - umbra - dontLzSybil - umbra - lzSybil#2 ), (lzSybil#1 - umbra - dontLZsybil - umbra - dontLZsybil - umbra - lzSybil#2)… Unfortunately, there were some duplicate clusters and addresses, which I have removed only from the entire list. Also, I have not compared clusters across different blockchains. I want to create clusters from all transactions of blockchains where the Umbra protocol is deployed - Optimism, Arbitrum, Polygon, Ethereum, Base, but I definitely won’t have enough time. I mean one cluster has transactions in all chains

Currently, I am conducting a more thorough collection of evidence to exclude 0.1-3% of the entire list of real users, possibly up to a maximum of 5%. I may not have enough time to upload all 273+-50 clusters (around 330 clusters) today, but I am considering uploading 30-70-100 clusters of Optimism today. If there are any improvements needed, please let me know

I tried Arrkham, but it doesn’t seem to work with internal transactions