Sybil Attack Campaign Exposed in Linea LXP Program: Majority of High-Point Accounts Show Suspicious Patterns

Nansen’s on-chain analysis has uncovered a critical issue within the Linea LXP incentive program, revealing that witch attack accounts—commonly known as Sybil accounts—make up a disproportionate share of reward claimants. The discovery raises serious questions about the integrity of the points distribution mechanism.

Data Reveals Concentrated Sybil Activity

The most damaging evidence emerges in the distribution’s high-reward tier. Within the 1000-2000 points concentration zone, malicious Sybil-coordinated accounts substantially outnumber legitimate participants. This clustering pattern is far from random; it suggests organized farming operations designed to exploit the incentive structure rather than genuine ecosystem engagement.

In contrast, normal accounts—those showing authentic usage patterns—occupy a minority position within this critical range. The visual disparity between the red-flagged suspicious accounts and green-verified legitimate users is unmistakable, painting a stark picture of the program’s vulnerability to coordinated attacks.

What This Means for Linea’s Ecosystem

Sybil attacks operate by creating artificial user accounts that appear independent but are controlled by the same entity. These coordinated accounts can collectively drain rewards meant for genuine participants, diluting incentives and undermining fair distribution. The prevalence of such accounts in the Linea LXP program indicates that the initial safeguards were insufficient to prevent large-scale manipulation.

This discovery comes as a reminder that incentive programs, while valuable for bootstrap adoption, must implement robust identity verification and behavioral analytics to prevent exploitation by sophisticated attackers.