Privacy: A Feature for the Virtuous, or a Bug for the Wicked?

Last week, we discussed how sending Red Packets via cryptocurrency seems effortless but actually took the industry sixteen years to conquer four major hurdles: monetary consensus, wallet management, gas fee payment, and bilateral privacy. Ironically, successfully solving these four problems created a new one. My attempt to self-fund an educational campaign to give away Red Packets to “muggles” (non-crypto users) resulted in the majority being snatched up by a single “clever” person, whom we’ll call Bob.

Besides the Red Packets distributed through the DHK Newsletter (sponsored by Fluidkey), I personally put up $100 USD under the name of Just Books on Threads. I shared a link inviting 100 muggles to claim a $1 Red Packet as their first step into the Web3 world, hoping to bring more people on-chain during the Lunar New Year.

Goodwill Met with a Sybil Attack

Unlike the DHK Newsletter readership, the audience of Just Books has little to do with cryptocurrency. Furthermore, suspicious behavior like “giving away money” is often suppressed by social media algorithms. Initial engagement was slow: twenty-some people claimed packets on the first day, only six on the second, and just one on the third.

I am naturally very “i”, and I wasn’t obsessed with forcing these packets out, so I didn’t push it further. However, around noon on the fourth day, a claim began appearing steadily every 2–3 minutes until the entire $100 was gone. This rhythm—not too many, not too few, no long gaps, but never twice in the same minute—had a probability of occurring naturally that was near zero. It was almost certainly the work of one person: Bob.
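The rhythm described above can be checked mechanically. This is an added example, not part of the original campaign or of Fluidkey's tooling: it flags stretches of claims whose gaps are far more regular than independent arrivals would produce, using the coefficient of variation (CV) of the gaps. The timestamps, window size and threshold are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

def gap_cv(times):
    """CV (stdev / mean) of the gaps between sorted claim times; identical times give 0."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else 0.0

def steady_runs(claim_times, window=10, max_cv=0.3):
    """Return (first, last, count) for each stretch of claims in which every
    `window`-claim slice has gap CV below max_cv. Independent arrivals sit near 1."""
    times = sorted(claim_times)
    runs = []  # [start_index, end_index] pairs, inclusive
    for i in range(len(times) - window + 1):
        if gap_cv(times[i:i + window]) < max_cv:
            if runs and i <= runs[-1][1]:
                runs[-1][1] = i + window - 1   # overlaps the previous flagged window
            else:
                runs.append([i, i + window - 1])
    return [(times[a], times[b], b - a + 1) for a, b in runs]

# Constructed sample data: a few irregular organic claims, then 70 steady ones.
START = datetime(2025, 1, 29, 10, 0)             # constructed campaign start
ORGANIC_MIN = [0, 3, 4, 31, 95, 97, 240, 610, 1500, 1720, 2900, 4400]
organic = [START + timedelta(minutes=m) for m in ORGANIC_MIN]
STEADY_START = START + timedelta(days=3, hours=2)  # noon on the fourth day
STEADY_GAPS = [120, 150, 180, 135, 165]            # seconds, cycled: every 2-3 minutes
scripted = [STEADY_START]
for k in range(69):
    scripted.append(scripted[-1] + timedelta(seconds=STEADY_GAPS[k % 5]))
SAMPLE_CLAIMS = organic + scripted

if __name__ == "__main__":
    for first, last, n in steady_runs(SAMPLE_CLAIMS):
        print(f"{n} claims from {first} to {last} at a near-constant cadence")
```

A check like this only needs claim timestamps, so it does not require collecting phone numbers or other identity data from claimants.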

To use my analogy from last week about handing out $1 bills on the street: most passersby ignored me, but one person took a packet, walked around the corner, “passed by” again to take another, and repeated this until the bag was empty.

If you call me stupid, I won’t deny it. From the moment I pulled $100 out of my own pocket—or even eight years ago when I started sending crypto Red Packets—I was destined to be the fool. Civic education should be the government’s responsibility; why am I, a person of modest means, writing articles for free and “resorting” to paying out of pocket to get people to join?

But while I may be stupid, I wasn’t so naive as to not expect a Bob to perform a Sybil attack to “farm airdrops”. This is common in Web3. Before sending the first batch, I asked Fluidkey if there was a mechanism to prevent one person from claiming multiple times. They said yes, but I didn’t take it too seriously—not because I didn’t trust them, but because I knew such mechanisms only stop “honest people,” not “villains.” Fluidkey is positioned as a privacy wallet; if they pushed too hard by requiring phone verification to prevent Sybil attacks, it wouldn’t just be an inconvenience—it would be putting the cart before the horse and sacrificing privacy. Therefore, I don’t blame Fluidkey for failing to block Bob.

If Fluidkey has room for improvement, it’s in lowering the minimum amount per packet to ten cents or less. I originally wanted to set random amounts averaging much less than $1. The goal was to bring people on-chain; participants usually aren’t doing it for the money, but for the “good luck” and the fun of a game where everyone gets a piece. Converting someone from 0 to 0.1—or even 0.01—is an infinite multiple of 0. A smaller amount wouldn’t deter regular users, but it would significantly lower the economic incentive for “farmers.” Unfortunately, Fluidkey’s minimum is $1, so I had to spend $100 for 100 packets, which attracted the Sybil attack.

A Feature in Tech, a Bug in Application

Now, let’s talk about how the Fluidkey privacy wallet works. I’ll keep it brief; it’s too easy to get an AI to explain concepts these days, so I won’t over-explain.

Contrary to the public perception that crypto ensures privacy, “traditional” crypto transfers are like two people talking on Twitter: the transaction records are wide open for the world to see. For example, if DHK posts a wallet address for donations, anyone can search it on Etherscan to see the balance and history. When Alice sends money to DHK, she exposes her own address and her entire transaction history.

Fluidkey’s “magic” allows users to easily generate and manage infinite wallet addresses (using ERC-5564). Through an ENS address like ckxpress.fkey.id, the sender receives a brand-new stealth address every time they open it. One cannot check the history or link it to my other wallets unless I manually merge the assets.

Furthermore, through Account Abstraction (ERC-4337), Fluidkey uses smart contract wallets. Users don’t need to manage seed phrases (they use Passkeys) and can pay gas fees with assets other than ETH, like USDC. This makes transfers easier and enhances privacy; if you had to send ETH to every stealth address just to pay gas, the source of that ETH would eventually link all the addresses together.

By utilizing Account Abstraction and Stealth Addresses, Fluidkey solved three of the four major hurdles of giving away money. They even adapted to local customs by developing a Red Packet feature. However, Fluidkey’s core identity is a privacy wallet, whereas Red Packets are a social behavior. The tension between privacy and social interaction inevitably makes the group-distribution experience feel awkward.

In contrast, WeChat—which pioneered digital Red Packets—is a social app first, a wallet second. In a WeChat group, everyone sees who sent the packet, who claimed it, and who got the “Best Luck.” The money is just the packaging; the interaction is the point. In a privacy-centric wallet, all these interactions are (rightfully) discarded.

Fluidkey, which allows users to use multiple devices and emails to create multiple accounts—each generating multiple stealth addresses—is doing its job perfectly. But in the context of Red Packets, it is destined to never be as successful as a social app. This isn’t a “bug” that fails to identify users; it’s a “feature” that successfully protects privacy.

As for Bob: this giveaway relied on an “honor system.” It wasn’t even a hack. The money was already spent, so it wasn’t a financial “loss” to me. However, Bob deprived others of the chance to learn and enter the Web3 gateway. Furthermore, spending 150 minutes to net $70 means an “hourly wage” of only $28. He now has 70 wallet addresses to manage; he either has to make 70 separate small purchases or spend more time consolidating them, which risks being tracked on-chain anyway. Why be so exhausted? Why not leave the opportunity for the muggles, or write an article/video sharing the “farming” experience to help the community? That would be a much more meaningful contribution.
