Bot Detection for
Crypto & Web3
Stop airdrop farming bots, detect Sybil attacks, prevent fake KYC submissions, and protect your exchange from automated manipulation — all with a single API call.
How Bots Attack Crypto Platforms
From airdrop farming to exchange manipulation, automated attacks exploit the pseudonymous nature of crypto to operate at massive scale.
Airdrop Farming
Professional farmers create thousands of wallets and fake accounts to claim airdrops. They use rotating residential proxies and datacenter IPs to simulate unique users, draining token distributions meant for genuine community members.
Sybil Attacks
Attackers create hundreds of fake identities to manipulate governance votes, farm rewards, game referral programs, and distort community metrics. A single operator behind 500+ "users" can swing DAO votes and drain treasury funds.
Fake KYC & Synthetic Identity
Fraudsters submit fabricated or stolen identity documents through VPNs and proxies to pass KYC verification. These accounts are used for money laundering, sanctions evasion, and as mule accounts for stolen crypto.
Market Manipulation Bots
Wash trading bots inflate volume metrics on exchanges. Spoofing bots place and cancel orders to manipulate price discovery. These bots operate from datacenter IPs and use API access to execute thousands of trades per second.
Account Takeover & Credential Stuffing
Automated bots test leaked credentials against exchange login pages. Successful ATO gives attackers direct access to crypto wallets. With irreversible transactions, stolen crypto is gone in minutes — no chargebacks, no recovery.
Referral & Rewards Abuse
Self-referral bots create fake accounts to claim signup bonuses, referral rewards, and promotional credits. A single fraud ring can drain $100K+ in referral payouts before detection using rotating proxies and disposable emails.
Real-World Crypto Use Cases
See how IPASIS protects crypto exchanges, DeFi protocols, and Web3 projects from automated abuse.
Airdrop & Sybil Detection
Airdrop farmers use thousands of wallets connected through a handful of IP ranges. IPASIS detects the infrastructure behind Sybil operations — datacenter IPs, residential proxies, VPNs, and ASN clustering — to identify when hundreds of "unique users" are actually one operator.
# Python — Airdrop eligibility with Sybil detection
import httpx
from collections import defaultdict
# Track IP clustering across claim attempts
ip_cluster_counts = defaultdict(int) # ASN -> claim count
async def check_airdrop_eligibility(wallet_address, client_ip):
"""Screen airdrop claims for Sybil/farming patterns"""
async with httpx.AsyncClient() as client:
resp = await client.get(
f"https://api.ipasis.com/v1/lookup/{client_ip}",
headers={"Authorization": "Bearer YOUR_API_KEY"},
timeout=0.05
)
ip_data = resp.json()
risk_flags = []
# Infrastructure detection
if ip_data.get("is_datacenter"):
risk_flags.append("DATACENTER_IP")
if ip_data.get("is_residential_proxy"):
risk_flags.append("RESIDENTIAL_PROXY") # Big red flag for farming
if ip_data.get("is_proxy"):
risk_flags.append("PROXY")
if ip_data.get("is_vpn"):
risk_flags.append("VPN")
if ip_data.get("is_tor"):
risk_flags.append("TOR")
# ASN clustering — too many claims from same network
asn = ip_data.get("asn", "unknown")
ip_cluster_counts[asn] += 1
if ip_cluster_counts[asn] > 10:
risk_flags.append("ASN_CLUSTER")
# High risk score
risk_score = ip_data.get("risk_score", 0)
if risk_score >= 0.7:
risk_flags.append("HIGH_RISK_SCORE")
# Decision
if "TOR" in risk_flags or "DATACENTER_IP" in risk_flags:
return {"eligible": False, "reason": "suspicious_infrastructure"}
if "RESIDENTIAL_PROXY" in risk_flags or "ASN_CLUSTER" in risk_flags:
return {"eligible": False, "reason": "sybil_pattern_detected"}
if len(risk_flags) >= 2:
return {"eligible": "pending_review", "flags": risk_flags}
return {"eligible": True, "risk_score": risk_score}Exchange Signup & Login Protection
Crypto exchanges face a unique challenge: they need to onboard users globally (many legitimately use VPNs) while blocking fraudsters who exploit the same anonymity tools. IPASIS provides granular risk scoring that distinguishes between a privacy-conscious trader in Germany and a credential stuffing bot from a datacenter.
// TypeScript — Exchange login/signup risk assessment
interface ExchangeRiskResult {
action: 'allow' | 'mfa_required' | 'enhanced_kyc' | 'block';
riskLevel: 'low' | 'medium' | 'high' | 'critical';
signals: string[];
requiresManualReview: boolean;
}
async function assessExchangeRisk(
clientIP: string,
action: 'signup' | 'login' | 'withdrawal'
): Promise<ExchangeRiskResult> {
const ipData = await fetch(
`https://api.ipasis.com/v1/lookup/${clientIP}`,
{ headers: { Authorization: 'Bearer YOUR_API_KEY' } }
).then(r => r.json());
const signals: string[] = [];
if (ipData.is_datacenter) signals.push('DATACENTER');
if (ipData.is_proxy) signals.push('PROXY');
if (ipData.is_residential_proxy) signals.push('RESIDENTIAL_PROXY');
if (ipData.is_tor) signals.push('TOR');
if (ipData.is_vpn) signals.push('VPN');
if (ipData.risk_score >= 0.7) signals.push('HIGH_RISK');
// Withdrawal = highest security
if (action === 'withdrawal') {
if (signals.includes('TOR') || signals.includes('DATACENTER')) {
return { action: 'block', riskLevel: 'critical', signals, requiresManualReview: true };
}
if (signals.length > 0) {
return { action: 'mfa_required', riskLevel: 'high', signals, requiresManualReview: false };
}
}
// Signup = moderate security, catch Sybils
if (action === 'signup') {
if (ipData.is_datacenter || ipData.is_tor) {
return { action: 'block', riskLevel: 'critical', signals, requiresManualReview: false };
}
if (ipData.is_residential_proxy || (ipData.is_vpn && ipData.risk_score >= 0.6)) {
return { action: 'enhanced_kyc', riskLevel: 'high', signals, requiresManualReview: true };
}
}
// Login = balanced (many legit users use VPNs)
if (signals.includes('DATACENTER') || signals.includes('TOR')) {
return { action: 'mfa_required', riskLevel: 'high', signals, requiresManualReview: false };
}
if (signals.length >= 2) {
return { action: 'mfa_required', riskLevel: 'medium', signals, requiresManualReview: false };
}
return { action: 'allow', riskLevel: 'low', signals, requiresManualReview: false };
}DeFi Protocol & dApp Protection
DeFi protocols and Web3 dApps serve frontends that connect to smart contracts. While on-chain transactions are permissionless, the frontend and API layer can be protected. IPASIS helps identify automated abuse patterns targeting your frontend, faucets, and off-chain services.
// Next.js API route — DeFi frontend protection
// Protect faucets, claim pages, and rate-limited RPC endpoints
import { NextRequest, NextResponse } from 'next/server';
export async function middleware(request: NextRequest) {
const ip = request.headers.get('x-forwarded-for')?.split(',')[0] || '127.0.0.1';
// Only screen sensitive paths (faucet, claim, submit-tx)
const sensitiveRoutes = ['/api/faucet', '/api/claim', '/api/submit'];
const isSensitive = sensitiveRoutes.some(r => request.nextUrl.pathname.startsWith(r));
if (!isSensitive) return NextResponse.next();
try {
const resp = await fetch(`https://api.ipasis.com/v1/lookup/${ip}`, {
headers: { Authorization: 'Bearer YOUR_API_KEY' },
signal: AbortSignal.timeout(50), // 50ms timeout
});
const data = await resp.json();
// Faucet: strict — block all non-residential traffic
if (request.nextUrl.pathname.startsWith('/api/faucet')) {
if (data.is_datacenter || data.is_proxy || data.is_tor || data.is_vpn) {
return NextResponse.json(
{ error: 'Faucet requires residential IP' },
{ status: 403 }
);
}
}
// Claim pages: detect Sybil patterns
if (request.nextUrl.pathname.startsWith('/api/claim')) {
if (data.risk_score >= 0.8 || data.is_datacenter) {
return NextResponse.json(
{ error: 'Claim blocked — suspicious activity detected' },
{ status: 403 }
);
}
}
// Add risk metadata to downstream handlers
const headers = new Headers(request.headers);
headers.set('x-ip-risk', String(data.risk_score || 0));
headers.set('x-ip-datacenter', String(data.is_datacenter || false));
headers.set('x-ip-proxy', String(data.is_proxy || false));
return NextResponse.next({ request: { headers } });
} catch {
return NextResponse.next(); // Fail open on timeout
}
}Why Crypto Needs Different Bot Detection
Traditional fraud prevention tools are built for banks and e-commerce. Crypto has unique challenges that demand specialized approaches.
🔐 Pseudonymous by Design
Crypto users expect privacy. Many legitimate traders use VPNs. You can't just block all VPN traffic — you need risk scoring that distinguishes a privacy-conscious trader from a Sybil operator. IPASIS provides 0-1 risk scores, not binary block/allow.
⚡ Irreversible Transactions
No chargebacks. No reversals. Once crypto is sent, it's gone. This makes pre-transaction fraud detection critical — you need to catch the threat before the withdrawal, not after. 50ms API response means inline protection.
🌍 Global User Base
Your users are in every country, on every network. Geo-blocking entire regions doesn't work in crypto. IPASIS provides per-IP intelligence that works globally — detect threats from any country without blocking legitimate users from restricted regions.
🤖 API-First Platforms
Exchanges expose trading APIs by design. This means bots are expected. The challenge is distinguishing legitimate trading bots from malicious manipulation bots, and detecting when API credentials have been compromised.
Crypto Compliance & Regulation
As crypto regulation tightens globally, IP intelligence becomes essential for compliance with emerging frameworks.
Travel Rule (FATF)
The FATF Travel Rule requires VASPs to exchange originator and beneficiary information. IP intelligence adds a critical layer to verify that the user's location matches their declared jurisdiction.
- ✓ Geographic verification for jurisdiction checks
- ✓ VPN/proxy detection for sanctions screening
- ✓ Audit trail for VASP compliance reports
MiCA (EU)
The Markets in Crypto-Assets regulation requires robust fraud prevention and consumer protection. IP intelligence helps CASPs demonstrate they actively screen for automated abuse and fraudulent activity.
- ✓ Fraud prevention documentation
- ✓ Consumer protection evidence
- ✓ Market manipulation detection signals
KYC/AML
Regulators worldwide require crypto platforms to implement KYC/AML. IPASIS adds an IP verification layer to your identity pipeline, catching VPN/proxy users who may be evading geographic restrictions or sanctions.
- ✓ IP-based sanctions screening
- ✓ VPN detection for restricted jurisdictions
- ✓ Enhanced due diligence triggers
Why IPASIS for Crypto
Built for the unique challenges of crypto: pseudonymous users, global reach, irreversible transactions, and API-first architecture.
Sub-50ms Latency
Screen transactions inline without adding latency to trading flows. Critical for exchanges where milliseconds matter.
Residential Proxy Detection
Critical for catching airdrop farmers and Sybil operators who use residential proxies to appear as unique users. Most tools miss this.
Granular Risk Scores
0-1 risk scores, not binary block/allow. Essential for crypto where many legitimate users use VPNs and you need nuanced decisions.
Global Coverage
Full IPv4 and IPv6 coverage worldwide. Detect threats from any country without relying on geo-blocking or regional restrictions.
ASN & Network Intelligence
Detect clustering patterns at the ASN level — essential for identifying Sybil operations that use the same hosting provider across hundreds of accounts.
Simple REST API
One API call, 30+ signals. Integrate into your exchange backend, DeFi frontend middleware, or airdrop claim service in minutes. No SDK required.
Stop Sybils Before They Drain Your Airdrop
78% of airdrop claims come from farming operations. Start filtering them in under 10 minutes with IPASIS IP intelligence.