Sam Barrowclough

    How we removed 50% of bot accounts for 0xTechno Toys


    It was 7:37pm New Years Eve when I got a Discord message "hey hey, getting a 500 error when choosing a twitter user to follow". I was 4 pints in celebrating with my girlfriend our first new years together. 0xTechno's partner wir was setting up the Toys joinlist page but was unable to add his Twitter account for people to follow.

    Only a phone, I opened up my database on Safari and tried to add his account manually. In that time 0xTechno had tweeted out a link to the joinlist page - which now stands at over 125k views. I managed to add the account manually. But the replies on the tweet came flooding in. "fyi, its linking to the wrong twitter account lol", "You might wanna fix the follow req its currently directing us to somebody else". Shit. My fat fingers added the wrong account. Everyone thought the joinlist page was a scam.

    I frantically tried to remove account manually while my girlfriend calmed me down. It wasn't letting me. Wir had to disable the whole Twitter requirement. What a mess.

    Now the joinlist page was picking up steam. I checked the amount of requests to my API. 408,799. What? That can't be right. Then people started to message me "i think your page is getting botted heavy". That makes sense. But another problem.

    This is the story of how we removed over 50% of bot accounts for 0xTechno's Toys project.

    Tools used

    This is the list of tools/services/methods we used to determine bots.


    Fingerprintjs is a service which detects how unique your device is based on many attributes such as IP, Browser, and Fonts installed on your computer. It spits out a unique hash based on many inputs.

    If a wallet is registered with the same hash, we know it's coming from the same device. We didn't want to punish people who registered twice from the same location, because this could be couples. The number we chose was 4. Because it's not very common 4 different people would enter at the same location.

    Sketchy emails

    Me and 0xTechno ran through the list manually and spotted some strange emails. One example was {hash}@{unknown-domain}.xyz. The pattern seems to be an 8 character hash, followed by the domain. Very sus. There were about 4 other domains with that we spotted this for. So we just removed any entries that fit this pattern.

    Multi-sig wallets

    Igor Sena reached out to me listing some wallets that were bot suspects. Specifically, wallets funded by a multi-sig contract. Heres an example. You'll notice that this wallet funded 95 other wallets. We removed all these addresses.

    No answers

    Very simple. We filtered out any entries that didn't answer the question to the raffle.

    Invalid emails

    Another simple one. People who registered with an invalid email were not eligble.


    Mintkit recently released an easy to use app which detects bots from a list of wallets. You upload the list, and they assign each wallet a tag such as Bot, Whale etc.. Tagging is done by the funding and wallet activity from the past 180 days.

    ChatGPT Answers

    Once I did my filtering, I sent the list over to 0xTechno. From a total 4249 entries, We got it down to 2297. Around 50% of bot accounts were removed. 0xTechno then wanted to go through this list, and do his own checking. One thing he did was to check answers for any ChatGPT type answers. One example was this:

    I want to collect Toys by 0xTechno because they are unique and creative, and represent an innovative approach to the traditional toy-making process. They combine traditional craftsmanship with modern 3D printing technology to create one-of-a-kind, limited-edition toys that are not only visually appealing but also highly functional and durable. Additionally, 0xTechno toys are made from sustainable materials, making them a great choice for eco-friendly shoppers.

    Once he did his checks, he then tweeted out the final list of 616.


    Overall a great success from our first bot filtering. Toys are now trading at 2 ETH, and trending no.1 on OpenSea.

    Going forward I will be adding cloudflare protection, Google reCAPTCHA, and verification if projects were to opt in. Email verification, 2FA. The added barriers will deter most bot accounts.

    If are starting your allowlist, try Joinlist for free

    Special thanks

    I want to thank 0xTechno for using Joinlist, Wir for reaching out and guiding me through his issues, Igor Sena for his great advice on spotting multi-sig wallets, Eric for his advice on what to do next. And to my lovely girlfriend for being very patient and understanding while we were celebrating our new years together when the floodgates opened.

    Share this post
    Start for free.
    Design and publish your first free allowlist with Joinlist today.