By Bryan Martin - founder of RektRadar. Ethereum scam-detection infrastructure since 2024. GitHub · LinkedIn.
“This token was deployed by 0x8e3...a72f. That wallet is six hours old and has six transactions.” That sentence describes 98% of scam-deploying wallets on Ethereum. Each scam gets its own pristine deployer - created, funded, used once, abandoned. If you stop your investigation at the deployer wallet, every scam looks like a different actor.
The interesting question is one hop earlier: who funded the deployer? That’s where the actual factory lives. We took every Ethereum wallet that has deployed at least one token classified as a scam by RektRadar (risk score >= 70) - 9,520 wallets in total - and grouped them by the address that first sent them ETH. This article walks through what came out of that.
Dataset snapshot
Numbers in this post are as of 2026-05-16, drawn from RektRadar’s graph_nodes and cluster_metadata tables. The graph crawler runs on its own Ethereum node, maintains a per-wallet scam_contracts_deployed counter, and re-clusters addresses by funding lineage on a rolling basis.
- 25,903 wallets in the deployer graph (any wallet that has deployed a contract at least once)
- 9,520 of them have deployed at least one scam token
- 516 funder-rooted clusters
- 11 of those clusters have a scam ratio >= 50% - i.e. behave like a scam factory rather than a generic wallet hub
The disposable wallet pattern
The first thing the data shows is how disposable Ethereum scam deployers really are. Distribution of scam-deploying wallets by how many scam tokens they have personally deployed:
| Tokens deployed | # wallets | Share |
|---|---|---|
| Exactly 1 | 9,400 | 98.7% |
| 2 to 5 | 114 | 1.20% |
| 6 to 20 | 5 | 0.05% |
| 21 to 100 | 1 | 0.01% |
| 100+ | 0 | 0.00% |
Mean: 1.02 scams per wallet. Median: 1. The 99th percentile is 2.
The implication: looking at a deployer’s “previous scam tokens deployed” count, as a single feature, gives a near-zero signal on 98.7% of scams. By the time you’d notice the same wallet again, the scam has already happened and the wallet is dormant.
This is by design. Spinning up a new wallet on Ethereum costs the price of a transfer (a fraction of a cent in gas terms). Reusing the same wallet would link the new scam to all previous scams - a cheap mistake the operator has no reason to make. The on-chain fingerprint of a “professional” scam team is a fresh wallet, every time. See the new_wallet signal page for the per-flag stats.
What the funder graph adds
Now re-cluster the same 9,520 wallets by the address that first funded them.
A cluster is a set of deployer wallets sharing a common funder, a common bytecode template, or both. RektRadar’s cluster_metadata table tracks 516 such clusters. Most are not scam factories - they cluster around CEX hot wallets (Binance, Coinbase), DEX routers, and legitimate deployment services. A cluster’s scam_ratio is the share of its member wallets that have deployed at least one scam.
Distribution of clusters by scam_ratio:
| scam_ratio bucket | # clusters | Mean size | What they are |
|---|---|---|---|
| < 5% | 482 | ~5,200 | CEX hot wallets, generic deployment services |
| 5% to 50% | 23 | ~140 | Mixed - partly scam-frequented, partly legit |
| 50% to 100% | 11 | 94 | Scam factories - most members produce scam contracts |
The 482 low-ratio clusters carry the bulk of address-space volume (mean size ~5,200), but they are not what we mean by “factory.” A wallet that withdrew from Binance has a 1-in-50,000 chance of being a scam deployer; it shares a funder with millions of legitimate users.
The 11 high-ratio clusters are the actual production lines.
The 11 scam factory clusters
Top 11 clusters where scam_ratio >= 50%, ordered by size:
| Cluster ID (prefix) | Wallets | Scam ratio | First observed |
|---|---|---|---|
0x3650b486... | 399 | 70.4% | 2026-02-15 |
0x8869a5a6... | 365 | 72.5% | 2026-02-15 |
0x0e5d28ec... | 98 | 65.0% | 2026-02-15 |
0x046f8398... | 89 | 55.7% | 2026-02-15 |
0xe1a5c273... | 25 | 100.0% | 2026-02-15 |
0xe5a5ca42... | 23 | 100.0% | 2026-02-15 |
0x4da00370... | 11 | 90.0% | 2026-04-27 |
0x8c384b12... | 9 | 75.0% | 2026-04-21 |
0x4324cc11... | 7 | 50.0% | 2026-03-02 |
0x7fe124bc... | 6 | 60.0% | 2026-05-11 |
0xa9fc467b... | 6 | 60.0% | 2026-03-28 |
Three things to notice.
The shape is heavy-tailed. The top two clusters together cover 764 wallets, while the bottom seven cover 84 combined. A handful of operators are responsible for the bulk of factory output; most “factories” are smaller side operations.
February 15, 2026 is a clustering checkpoint, not a coordinated launch. Six of the eleven clusters carry 2026-02-15 as their first observed date - that is the day the current generation of the graph crawler reprocessed historical data. Their actual deployer wallets stretch back further; that date is a metadata artifact, not an attack starting line. The four post-Feb clusters (April 21, April 27, March 2, May 11, March 28) are genuinely newer.
100% scam ratio is rarer than you’d think. Only two of the eleven (0xe1a5c273... and 0xe5a5ca42...) hit 100%. The others sit in the 50%-90% range, meaning even a confirmed scam factory leaves some “clean” deployer wallets in its trail - typically test deployments or operator-personal wallets that share the funder.
Total output of the 11 factories
Across all 11 high-scam-ratio clusters: 1,038 deployer wallets, 779 confirmed scam contracts, 844 total tokens (the difference is the non-scam test deployments and operator-personal ones).
Compared to the global 9,520-wallet population: the 11 factories account for 10.9% of scam-deploying wallets and roughly 8% of all scams in the dataset.
That 8% is the part the funder graph adds. The other 92% are one-off solo deployers with no detectable factory affiliation. Some of those are likely small factories we haven’t clustered yet (the crawler requires a minimum activity threshold to assert a cluster); some are genuinely individual operators who deployed one scam and walked away.
What this means for detection
Three concrete consequences for anyone scoring contracts:
-
A deployer’s personal history is mostly useless as a feature. 98.7% of scam deployers have a one-scam history that you cannot see at the time of deployment (the wallet is fresh; the scam hasn’t happened yet). Building a model on
deployer.previous_scamswill perform near-randomly because the feature is near-always zero. -
Funder-graph proximity is the feature that scales. Asking “is this wallet’s funder also the funder of known scam wallets?” - the
scam_factory_fundersignal - generalizes to the 8% of factory-produced scams in a way the per-wallet feature cannot. We weight it heavily in the scoring pipeline because it catches the cases where every other signal looks neutral. -
The remaining 92% of scams need contract-level features. Honeypot simulation, source code patterns, liquidity at creation, the
approve_with_transferclass of bytecode patterns. The funder graph won’t help you for a solo operator’s first and only scam - only what the contract itself does will. This is why a multi-dimensional scoring approach exists: no single dimension covers more than ~half the cases on its own.
Limits of this dataset
Three caveats the careful reader should know.
- Funder attribution is one hop. RektRadar’s clustering assigns a wallet to a cluster based on its first ETH funder. It does not currently trace funder chains deeper than that hop. A factory operator who funds wallet A from a hot wallet, which is itself funded by a CEX, will appear in our data as one cluster - but a more sophisticated three-hop analysis might surface different groupings.
- The 9,520 scam-deployer count is a lower bound. We catch tokens via a mempool watcher and a factory contract watcher; tokens deployed without those signatures (e.g. non-standard factory contracts, off-mempool inclusion) may not enter the dataset. The true number is somewhat higher.
- Cluster IDs are bytecode + funder digests, not stable identities. Two clusters with different IDs might be the same operator if they rotate funding wallets. The eleven clusters above are eleven distinct funder-bytecode combinations, not necessarily eleven distinct human actors.
TL;DR
- Ethereum scam deployers are disposable: 98.7% deploy exactly one scam, then go dormant.
- The factory layer is not at the deployer; it is at the funder. Clustering by funder surfaces 516 groups.
- 11 of those groups behave like scam factories (scam ratio >= 50%), grouping 1,038 wallets that produced 779 scam tokens combined.
- The top 2 clusters alone (
0x3650b486...at 399 wallets,0x8869a5a6...at 365) account for two-thirds of the factory output. - For detection: per-wallet deployer history is near-useless; funder-graph proximity is the feature that catches what the other dimensions miss.
Try the free scan, no signup, no card - every result shows the deployer wallet age and the scam factory cluster membership when one applies. Or browse the list of currently-flagged scam tickers for live examples of factory-produced contracts.