We score every new ERC-20 that lands on Ethereum mainnet, and most of that work is pattern recognition: a wallet that quietly funds 24 deployers, a contract whose sell() always reverts, a bytecode that matches a known drainer kit. Fraud leaves a fingerprint. On-chain, we read it for a living.
Last week the same instinct fired on a completely different surface - our own web analytics.
The numbers that looked too clean
A routine check of our product analytics looked, at first glance, like a good day. 46 sessions on app.rektradar.io over 24 hours (after we strip out internal, dev and bot-flagged traffic). A page trending hard. A referrer we had never seen before. Growth.
Then three numbers lined up a little too neatly:
- Top page: /scam/CLIX - 19 visitors
- Top referrer: demo.rektradar.io - 18 visitors
- Top country: Lithuania - 20 visitors
Three different dimensions, three nearly identical counts. Real traffic does not correlate like that. When one page, one referrer and one country all weigh ~19, you are not looking at 19 people. You are looking at one thing.
The first clue is in the shape of the day. Genuine interest dribbles in across every hour. This did not: nineteen of the day’s sessions detonated inside a single 60-minute window, then the line went flat again.
Pulling the thread
We pulled the raw events behind /scam/CLIX and broke them down by IP and device. Two rows explained the entire “spike”:
| IP | “Visitors” | Network (ASN) | Fingerprint (identical on every hit) |
|---|---|---|---|
| 31.44.108.77 | 14 | AS21211 Penki, Vilnius LT | Chrome 130 / macOS / 1920x1080 |
| 104.164.126.204 | 5 | AS18779 EGIHosting (US datacenter) | Mobile Safari 15 / iOS / 480x720 |
Nineteen “distinct visitors.” Two IP addresses.
The five tells
Once you have the raw rows, the fakes are not subtle. Five signals, any one of which should raise an eyebrow, all present at once:
1. Many “users”, one IP. Fourteen distinct visitor IDs came from a single address. A new visitor ID on every hit is what you get when something clears cookies, or opens a fresh browser context, between each request. A real household shares one IP across a handful of devices - not fourteen first-time sessions in one hour.
2. Zero fingerprint entropy. All fourteen sessions reported the exact same browser, OS and screen: Chrome 130, macOS, 1920x1080 - byte for byte. Fourteen real strangers never agree that precisely. Genuine traffic is a cloud of browser versions, OS builds and odd screen sizes. A bot is a single point.
3. Datacenter networks, not homes. Both IPs resolve to hosting providers, not residential ISPs. The US one, EGIHosting, is a VPS shop - the kind of network real iPhone owners do not browse from.
4. Impossible combinations. That second IP claimed to be Mobile Safari on iOS - from a datacenter, at a 480x720 screen. An iPhone does not live in a server rack, and 480x720 is not a real device; it is an emulated viewport. The story the user-agent tells flatly contradicts the network it comes from.
5. A burst, not a stream. All nineteen “visitors” landed inside a single hour. Human interest in a niche page trickles in, spread across the day. Automation arrives all at once and then vanishes.
Where it came from
The referrer gave away the intent. demo.rektradar.io is our own public API demo, and it has been getting scraped hard for weeks - hundreds of calls a day, most of them bouncing off the rate limit. The demo renders a worked example, a token called CLIX, with a link through to the full scam page. So the scraper hit the demo, followed its one outbound link, and the bot’s footprints spilled straight into our product analytics as nineteen phantom “users.”
The fix is not an IP block
The reflex is to ban the two addresses. That is whack-a-mole: datacenter IPs are disposable, and the next run comes from a fresh range.
The durable fix is to filter on what does not change:
- The referrer. Traffic arriving from our own demo is not user acquisition - it is internal plumbing (and, lately, a bot conduit). It should never have been in the “external visitors” number at all.
- The signal, not the address. Datacenter ASNs, zero-entropy fingerprints, one-hour bursts and impossible device/network combinations are stable tells. Bake them into the filter once, and every future run is clean - whichever IP it crawls in from.
Apply that, and almost half of that day’s “growth” turns out to be two machines in a server rack, now routed to nowhere automatically.
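Here is the whole pipeline, the five tells from the earlier section and the referrer-plus-signal filter from this one, written out as a small Python script. This is an added example, not RektRadar's analytics code. The sample events are constructed to mirror the two rows in the table (same IPs, ASNs, fingerprints and visitor counts) plus three human-looking sessions spread across the day; the datacenter ASN table, the internal-referrer set and the list of real phone viewports are assumptions you would replace with your own data.

```python
from datetime import datetime, timedelta

# Assumptions (not from the post): a small ASN table you maintain yourself, the
# referrers that count as internal plumbing, and the viewport sizes real phones
# actually report. The two ASNs below are the ones named in the table.
DATACENTER_ASNS = {"AS21211", "AS18779"}
INTERNAL_REFERRERS = {"demo.rektradar.io"}
MOBILE_OS = {"iOS", "Android"}
REAL_MOBILE_SCREENS = {(360, 800), (375, 667), (390, 844), (414, 896), (430, 932)}


def make_events():
    """Constructed sample day: the two bot IPs from the table plus three humans."""
    base = datetime(2025, 1, 1, 14, 0)          # the single hour the burst lands in
    events = []
    for i in range(14):                          # 14 "visitors", one Lithuanian IP
        events.append(dict(ip="31.44.108.77", visitor=f"v{i:03d}", asn="AS21211",
                           browser="Chrome 130", os="macOS", screen=(1920, 1080),
                           referrer="demo.rektradar.io",
                           ts=base + timedelta(minutes=3 * i)))
    for i in range(5):                           # 5 "visitors", one US VPS IP
        events.append(dict(ip="104.164.126.204", visitor=f"w{i:03d}", asn="AS18779",
                           browser="Mobile Safari 15", os="iOS", screen=(480, 720),
                           referrer="demo.rektradar.io",
                           ts=base + timedelta(minutes=5 * i)))
    humans = [("203.0.113.5", "AS64501", "Firefox 131", "Windows", (1366, 768), 2),
              ("198.51.100.9", "AS64502", "Safari 17", "macOS", (1440, 900), 9),
              ("192.0.2.77", "AS64503", "Chrome 129", "Android", (390, 844), 19)]
    for j, (ip, asn, browser, os_, screen, hour) in enumerate(humans):
        events.append(dict(ip=ip, visitor=f"h{j}", asn=asn, browser=browser, os=os_,
                           screen=screen, referrer="google.com",
                           ts=datetime(2025, 1, 1, hour, 15)))
    return events


def ip_tells(events, ip):
    """Return the set of per-IP tells (1 to 4 from the post) present for one address."""
    rows = [e for e in events if e["ip"] == ip]
    visitors = {e["visitor"] for e in rows}
    fingerprints = {(e["browser"], e["os"], e["screen"]) for e in rows}
    tells = set()
    if len(visitors) >= 5:                                # 1. many "users", one IP
        tells.add("many_users_one_ip")
    if len(rows) >= 3 and len(fingerprints) == 1:         # 2. zero fingerprint entropy
        tells.add("zero_fingerprint_entropy")
    if any(e["asn"] in DATACENTER_ASNS for e in rows):    # 3. datacenter, not a home
        tells.add("datacenter_network")
    for e in rows:                                        # 4. impossible combination
        if e["os"] in MOBILE_OS and (e["asn"] in DATACENTER_ASNS
                                     or e["screen"] not in REAL_MOBILE_SCREENS):
            tells.add("impossible_combination")
    return tells


def burst_window(events, minutes=60):
    """5. A burst, not a stream: densest hit count in any sliding window of
    `minutes`, returned together with its share of the day's hits."""
    times = sorted(e["ts"] for e in events)
    width = timedelta(minutes=minutes)
    peak = 0
    for i, start in enumerate(times):
        peak = max(peak, sum(1 for t in times[i:] if t < start + width))
    return peak, (peak / len(times) if times else 0.0)


def flagged_ips(events, min_tells=2):
    """Addresses showing at least `min_tells` of the per-IP signals."""
    return {ip for ip in {e["ip"] for e in events}
            if len(ip_tells(events, ip)) >= min_tells}


def external_visitors(events):
    """The filter from the post: drop internal referrers first, then drop any IP
    the signals flag. Returns the distinct visitor IDs that survive."""
    bad = flagged_ips(events)
    return {e["visitor"] for e in events
            if e["referrer"] not in INTERNAL_REFERRERS and e["ip"] not in bad}


if __name__ == "__main__":
    day = make_events()
    for ip in sorted({e["ip"] for e in day}):
        print(ip, sorted(ip_tells(day, ip)) or "clean")
    peak, share = burst_window(day)
    print(f"densest hour: {peak} hits ({share:.0%} of the day)")
    print("external visitors after filter:", len(external_visitors(day)))
```

Run on the constructed day, the Lithuanian address trips three tells, the US VPS address trips all four per-IP tells (its iOS claim fails on both the datacenter ASN and the emulated viewport), the densest hour holds all nineteen bot hits, and the "external visitors" number collapses from 22 to the three humans. The filter keys on the referrer and on the signal combination, never on the two addresses, which is what makes the next run from a fresh range land in the same bucket.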
Same skill, different surface
None of this is exotic. It is the exact muscle we use on-chain every day: look past the label, weigh the metadata, find the part that cannot be faked. A deployer can spoof a token’s name; it cannot spoof which wallet funded it. A bot can spoof a user-agent string; it cannot spoof a residential network, a varied fingerprint, and human timing all at once.
Fake is fake. It always leaves a fingerprint. The only question is whether anyone is reading it.