Data 2026-05-20

The 0x...1110 vanity address scam factory: 944 honeypots on Ethereum, 132 this week alone

Since April 6, 944 scam tokens have been deployed at Ethereum vanity addresses ending in '1110'. We tracked the cluster: one wallet alone shipped 21 in 7 days. Full breakdown of the pattern, the deployers, and how to spot the next one.

We track every ERC-20 deployed on Ethereum mainnet through our analyzer pipeline. While reviewing this week’s flagged scams, one thing jumped out: a disproportionate number of addresses end in the same four characters - 1110.

A quick count confirmed it. Of the 1,927 scams flagged in the last 7 days, 132 - or 6.85% - share the 0x...1110 vanity suffix. The total since the pattern first appeared on April 6: 944 confirmed scams.

This is not a coincidence. It is the signature of an active, industrial scam factory operating on Ethereum mainnet.

What is a “vanity address”?

An Ethereum address is the last 20 bytes of the keccak256 hash of a public key. Most addresses look random because the hash is. But you can mine a key whose address starts or ends with a specific pattern - this is called a vanity address.

For a 4-character suffix like 1110, you need to brute-force roughly 65,536 key generations on average (16^4 = 65,536) to find one. A modern GPU does this in seconds to minutes. For a contract address (deployed via CREATE2), you mine a salt instead of a key, but the math is the same.

Legitimate projects sometimes use vanity addresses for branding (Uniswap’s 0xC02a...6cC2 WETH contract, MakerDAO’s 0x6B17...1d0F DAI contract). Scammers do it for the same reason: it makes coordination easier. Their Telegram channels, their bot signals, their watch lists can all key off “look for the next 1110 play”.

The numbers

WindowTotal scams flaggedEnding ...1110Share
Last 7 days1,9271326.85%
Since 2026-04-06 (first 1110)(cumulative)944(industrial scale)

Top deployer wallet over the last 7 days:

  • 0x5a437EbAb8957ac38786d52be2e39Ec3Bf4e6DDe - 21 distinct …1110 scams deployed in 7 days.

That is 3 scams per day from a single wallet. The tickers it shipped this week, all honeypots:

AI, BELLA, CAPYBARA, CHUD, COOL, CTO, GARY, GNOSIS, HONGTANG, HORACE, JOCK, JUDE, MARMOT, MEANINGLESS, NUTZBULLSC, PETS, PIZZAHUT, TAX, TDT, TUSD, W3

The variety is the point. They are not trying to make any one token go viral - they are casting a wide net of brand-jack names (TUSD mimics TrueUSD, GNOSIS mimics the real Gnosis token, AI rides the AI narrative). Each gets a small amount of seed liquidity, a few retail buys before the buy/sell mechanics reveal the honeypot, and then it dies. The deployer’s win does not need to be big per-token - it needs to be repeatable.

What every ...1110 token looks like under the hood

Pulling a sample of 10 from this week, the flag profile is essentially identical:

  • honeypot (sell simulation reverts) - 10/10
  • sell_failed (transfer reverts post-buy) - 10/10
  • buy_only_pattern (on-chain swap events show 100% buys, 0% sells in the first ~50 trades) - 9/10
  • creator_holds_all_lp (deployer wallet holds >80% of LP supply, can pull anytime) - 10/10
  • liquidity_at_creation (LP added in the same tx as pair creation - stealth-launch tell) - 8/10
  • unverified_contract on Etherscan + unverified_bytecode_analyzed - 7/10
  • low_liquidity (under 0.1 ETH in the pool) - 6/10
  • multi_flag_rug_setup (our composite flag for “textbook rug template”) - 10/10

This is the same contract template, recompiled and redeployed dozens of times with different names, different total supplies, and a new mined salt to keep the 1110 suffix. The cost per deployment on mainnet is real (~$5-20 in gas at current rates) but the factory is clearly profitable enough to keep going.

Notable individual scams this week (score 100/100)

Pulled from our token_analysis table, all flagged in the last 7 days, all carrying the full multi_flag_rug_setup signature. Live links to the analysis pages:

TickerNameAddress suffixAddress
CMCCoinMarketCat…1110 (deployed twice)0xfb8aed…da1110
OCPEPEONCHAIN PEPE Token…11100xc9e7f8…ec1110
MAXXINGMAXXING…11100x3b8760…be1110
SNAPHypersnap…11100x231054…7e1110
CJGet CJ Neuralink…11100xfea802…7d1110
T1Trump Mobile(non-vanity, Trump brand-jack)0xf833d2…ca6b5
ElonDogElonDog(non-vanity, Elon brand-jack)0xb6d6f8…4cea48
Flōki X CEOFlōki X CEO(unicode-spoof brand-jack)0x9d01af…42c9ee

The deployer behind the 0x5a437EbA... cluster has a long history - their first deployment on this pattern dates back to April 6, 2026, and they have not slowed down since.

Why the 1110 signature matters for retail

The pattern gives you a fast pre-filter. If a token’s contract address ends in 1110 and you cannot find a verified source, a doxxed team, or audit, your prior should be: this is from the active scam factory, and the risk score is going to come back near 100.

That said: the suffix is not proof on its own. A few legitimate projects do use vanity addresses for branding. The 1110 cluster’s identifying feature is the combination: vanity suffix + unverified or copy-paste contract + brand-jack name + fresh deployer + liquidity-at-creation. When you see all five together, you are looking at a member of this factory.

How to check before you buy

If you are about to interact with any token:

  1. Paste the address into RektRadar - the analyzer runs all 80+ signals, including the multi_flag_rug_setup composite, in under 10 seconds.
  2. If the address ends in 1110 and the contract is unverified, treat it as scam-by-default until you have strong evidence otherwise.
  3. Check whether the deployer wallet has prior scam-flagged deployments. The 0x5a437EbA... address above has 21+ in a week - that is the signature you want to spot.

What we are doing about it

We are flagging every ...1110 deployment in real-time through our factory-watcher service. The cluster is now linked in our graph database, so any new token whose deployer or funder traces back to the same root cluster gets the scam_factory_funder flag automatically (one of the heaviest in our scoring).

If you see a 1110 token being shilled on Telegram or Twitter and want to verify it specifically, drop the address on rektradar.io. The analysis page will show the full flag list, the deployer cluster, and link to the on-chain swap activity.

Methodology note

Data pulled from our PostgreSQL token_analysis table at 2026-05-20 evening. “Last 7 days” = created_at >= NOW() - INTERVAL '7 days'. “Scam” = risk_score >= 70 (our calibrated threshold). Vanity suffix filter = address LIKE '%1110'. The deployer attribution comes from the contract creator address in the raw_data->>'deployer' field, populated by our factory-watcher service from on-chain trace data. Numbers are reproducible at any time via the public scan endpoint.

If you have evidence linking the 0x5a437EbA... deployer to off-chain identities or other suffix patterns we have not caught yet, we are interested - reach out via the rektradar.io contact page.