🤖 AI Summary
To address Sybil attacks in blockchain airdrops—manifesting as fake address generation and artificial activity inflation—this paper proposes a Sybil address detection method based on dual-layer transaction subgraphs. We innovatively model temporal behavioral consistency across the full lifecycle of Sybil addresses, capturing critical events including first transaction, gas claim, airdrop participation, and last transaction. A subgraph-level feature propagation mechanism is designed, jointly encoding temporal, monetary, and topological features via multimodal fusion. Evaluated on a dataset of 193,000 addresses, our LightGBM classifier achieves precision, recall, F1-score, and AUC all exceeding 0.9—significantly outperforming existing approaches. This work is the first to integrate fine-grained temporal behavior modeling with subgraph-level feature propagation for Sybil detection, establishing a novel, interpretable, and robust paradigm for on-chain anomalous address identification.
📝 Abstract
Sybil attacks pose a significant security threat to blockchain ecosystems, particularly in token airdrop events. This paper proposes a novel Sybil address identification method based on subgraph feature extraction and LightGBM. The method first constructs a two-layer deep transaction subgraph for each address, then extracts key event operation features according to the lifecycle of Sybil addresses, including the time of first transaction, first gas acquisition, participation in airdrop activities, and last transaction. These temporal features effectively capture the consistency of Sybil address behavior operations. Additionally, the method extracts amount and network structure features, comprehensively describing address behavior patterns and network topology through feature propagation and fusion. Experiments conducted on a dataset containing 193,701 addresses (including 23,240 Sybil addresses) show that this method outperforms existing approaches in terms of precision, recall, F1 score, and AUC, with all metrics exceeding 0.9. The methods and results of this study can be further applied to broader blockchain security areas such as transaction manipulation identification and token liquidity risk assessment, contributing to the construction of a more secure and fair blockchain ecosystem.
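The following sketch illustrates the lifecycle-timing idea from the abstract; it is an added example, not the paper's code. Assumptions: the transaction tuple layout, the `0xAIRDROP` address, treating the first inbound transfer as "first gas acquisition", skipping the airdrop contract during traversal, and using the standard deviation of event times across subgraph peers as a simple stand-in for feature propagation. The LightGBM training step is omitted.

```python
from collections import defaultdict
from statistics import pstdev

AIRDROP = "0xAIRDROP"  # hypothetical airdrop contract address
# Constructed sample transactions: (timestamp, sender, receiver, amount)
TXS = [
    (100, "F", "s1", 0.01), (101, "F", "s2", 0.01), (102, "F", "s3", 0.01),
    (200, "s1", AIRDROP, 0), (203, "s2", AIRDROP, 0), (205, "s3", AIRDROP, 0),
    (300, "s1", "C", 5.0), (301, "s2", "C", 5.0), (302, "s3", "C", 5.0),
    (10, "X", "u1", 1.2), (900, "X", "u2", 0.4),
    (250, "u1", AIRDROP, 0), (4000, "u2", AIRDROP, 0),
    (5000, "u1", "X", 0.7), (9000, "u2", "X", 0.1),
]

def two_layer_subgraph(addr, txs, skip=(AIRDROP,)):
    """Addresses within two hops of addr; hub contracts in `skip` are not traversed."""
    adj = defaultdict(set)
    for _, s, r, _ in txs:
        if s not in skip and r not in skip:
            adj[s].add(r)
            adj[r].add(s)
    hop1 = set(adj[addr])
    hop2 = set().union(*(adj[n] for n in hop1))
    return (hop1 | hop2) - {addr}

def lifecycle(addr, txs):
    """Timestamps of the four lifecycle events; None if an event never happened."""
    mine = sorted(t for t in txs if addr in (t[1], t[2]))
    first = lambda pred: next((t[0] for t in mine if pred(t)), None)
    return {
        "first_tx": mine[0][0] if mine else None,
        "first_gas": first(lambda t: t[2] == addr),  # assumed: first inbound transfer
        "airdrop": first(lambda t: t[1] == addr and t[2] == AIRDROP),
        "last_tx": mine[-1][0] if mine else None,
    }

def features(addr, txs):
    """Own lifecycle times plus the spread of each event over airdrop peers in the subgraph."""
    own = lifecycle(addr, txs)
    peers = [lifecycle(p, txs) for p in two_layer_subgraph(addr, txs)]
    peers = [p for p in peers if None not in p.values()]
    group = peers + ([own] if None not in own.values() else [])
    spread = {f"{k}_spread": pstdev([p[k] for p in group]) if group else None for k in own}
    return {**own, **spread, "peer_count": len(peers)}
```

On the constructed data, the commonly funded addresses `s1` to `s3` show event-time spreads of a few seconds, while the organic addresses `u1` and `u2` differ by thousands; a classifier would consume these values as columns alongside amount and topology features.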