A single wallet - 0x185e4e5c1afe6b5177fbb81647949f1e1bf3790b - bankrolled 24 different deployer addresses between February 2 and February 3, 2026. Each deployer shipped exactly one ERC-20 token, added liquidity on Uniswap, and drained it within hours. All 24 contracts are flagged at risk score 80 or higher in our database.
The funder itself never deployed a single contract. On Etherscan, it looks like a quiet EOA.
This is a textbook clean-hands pattern. And it is exactly the kind of operation that scoring a contract in isolation will miss - because the smoking gun is one hop away, in the funding graph.
The 25-wallet cluster
RektRadar’s graph crawler groups wallets that share funding ancestors into clusters. The cluster ID 0xe1a5c2...e2372 has size 25:
0x185e4e5c...3790b (funder, 0 contracts shipped)
|
| seed 0.05 - 0.15 ETH
v
[24 deployer wallets, each ships exactly 1 ERC-20]
|
| deploys
v
[24 ERC-20 contracts, all flagged scam (risk >= 80)]100% scam rate. No false positives. No legitimate token deployed by any wallet in this cluster.
The 24 children
Each deployer in the cluster received its seed ETH from 0x185e..., then deployed exactly one ERC-20 within hours. Sample of the token names emitted - note the mix of brand-jacks, meme bait, and pure throwaway tickers:
| Symbol | Name | Bait category |
|---|---|---|
| PLSX | Pulse X | brand-jack - real PulseChain stablecoin lives on PulseChain |
| ONYX | Onyx Finance | brand-jack - real Onyx DeFi protocol on Ethereum |
| ELWIC | ElonWifCat | Elon-meme cluster |
| DDUMP | Donald Dump | Trump-meme cluster |
| NIC | Nicolas | AI-brand bait |
| SHEP | Starship Enterprise | sci-fi meme bait |
| BBC | BigBrotherCoin | generic filler |
| GSGD | Goose Gold | generic filler |
| … | 16 others | HPV, MGMG, NEVER, ASH, ASTRE, CST, APES, BMOD, LOTC, HAPH, ATB, RPR, ATBX, APXL, PXGD, BABA |
Three of these (PLSX, ONYX, ELWIC) are deliberate brand-jacks that capture organic Google traffic on names with existing reputation. The rest are throwaway tickers whose only job is to pad the operation’s deployment volume - most search engines will never crawl them, but they keep the rug-pull conveyor belt moving while the operation waits for one of the brand-jacks to catch fire.
Why scoring a contract is not enough
Run any single contract from this cluster through a scoring tool that only inspects the contract bytecode and the deployer’s recent activity. You will get a high-risk score, sure. Unverified on Etherscan, low liquidity, owner not renounced, fresh wallet, sell simulation fails - the usual hits. Nothing surprising.
What scoring alone will not show you is that 23 sibling contracts deployed in the same 48-hour window by 23 sibling wallets all received their seed ETH from the same source.
That is what makes the cluster pattern dangerous: on Etherscan, each of the 24 deployer wallets looks like a fresh one-shot scammer. There is no previously_deployed_scam flag on any of them - they each only shipped one contract. It is only when you connect the funding edges that the operation comes into view.
without funding-edge analysis: with the graph:
- 24 "fresh" deployers - 24 children of one funder
- looks like 24 independent scams - looks like one operation
- each rug feels random - rugs are batched, coordinatedThe funder pattern is specifically designed to evade contract-level forensics: the wallet that actually orchestrates the operation never touches a smart contract directly, so any analyzer that checks “this address’s contract history” returns clean.
Three takeaways
- One fresh deployer wallet is suspicious. Twenty-four fresh deployer wallets sharing one funder is a factory. Always check the funding edge, not just the contract.
- Brand-jacks ($PLSX, $ONYX) get mixed in with throwaways on purpose. The brand-jacks pull organic search traffic; the throwaways pad volume. Same operation, different bait.
- The funder is still active and unsanctioned. It has shipped zero contracts of its own, so it does not appear on any “top scammer deployer” leaderboard. Watch it. New children will get funded.
You can scan any of the 24 contract addresses listed above on the free RektRadar Ethereum scam scanner - the risk score is returned in under two seconds, and the network panel shows the cluster siblings on the spot. If you want the catalog of every signal that fired on this operation, see the Ethereum risk signals reference (52 flags, grouped by analyzer).
How we found it
The 3D deployer graph explorer we shipped last week visualises 33,311 deployer wallets and 494 connected clusters. Cluster 0xe1a5c2... is one of them - the kind that does not show up on any single-contract scan, only when you trace funding paths across hops. The anatomy of a serial scammer wallet post from last week covered the single-deployer version of the same problem; this is the funder-fan-out variant, which is harder to spot but more common at scale.
We will keep documenting these waves as they happen. The next AI brand will trend, the next funder will spin up its 24 children, and the same playbook will repeat - only the symbol changes.