Cluster Detection

Cluster Detection is one of the core intelligence components of Raphael Sentinel. Its purpose is to identify groups of wallets that act together in coordinated, patterned, or interdependent ways — whether for development, manipulation, arbitrage, farming, or automated execution.

Because malicious behavior rarely happens in isolation, cluster detection is critical for:

  • identifying dev-controlled wallet networks

  • detecting pre-funded swarms

  • exposing coordinated buy/sell patterns

  • linking wallets to historical scams

  • mapping hidden relationships behind token launches

Clusters form the backbone of Sentinel’s behavioral analysis, especially in bonding-curve environments like Pump.fun, where traditional contract-level risks are minimal, and human behavior is the primary threat vector.


1. Purpose of Cluster Detection

Cluster detection answers the most important questions in Solana token intelligence:

  • Who actually controls early token participation?

  • Are early buyers independent or part of a multi-wallet setup?

  • Is the dev hiding behind swarm wallets?

  • Are the same clusters appearing across multiple tokens?

  • Does the cluster operate as a coordinated exit team?

When clusters are present, true market dynamics become distorted:

  • artificial demand

  • hidden supply concentration

  • manipulated exit cascades

  • fake community appearance

  • predictable pump-and-dump structures

Sentinel exists to expose these hidden structures.


2. Types of Clusters Detected

Sentinel identifies multiple cluster categories, each reflecting a different operational pattern.

1. Dev-Controlled Clusters

Wallets directly or indirectly connected to the deployer.

Signals include:

  • shared funding origin

  • multi-hop funding chains

  • synchronized buy timing

  • similar trade structures

  • reappearance in past launches

Impact: extremely high risk.


2. Swarm Clusters

Wallet groups acting in unison to fake early demand or momentum.

Characteristics:

  • identical buy amounts

  • tightly grouped timestamps

  • same routing

  • high correlation in entry/exit actions

Swarm clusters are a hallmark of Pump.fun manipulation.


3. Coordinated Exit Clusters

Wallets that dump in planned sequences rather than individually.

Patterns:

  • staggered but symmetric exits

  • identical percentage-based sell-offs

  • exit windows repeating across tokens

  • timing based on curve-fill or DEX pool creation

These clusters rapidly accelerate retail losses.


4. Funding-Origin Clusters

Wallets connected through shared SOL sources.

Detection focuses on:

  • root funding wallets

  • multi-hop graph connections

  • repeated funding structures

  • circular funding loops

Funding clusters reveal hidden operators.


5. Behavioral Clusters

Wallets that do not share direct funding but exhibit identical behavior patterns.

Detected by:

  • trade sequence similarity

  • timing rhythm

  • symmetric buy/sell structures

  • behavioral fingerprint matching

Behavioral clusters often indicate a single operator controlling multiple wallets.


3. Detection Methodology

Sentinel uses a hybrid detection approach combining structural, temporal, and behavioral signals.


A. Graph-Based Cluster Detection

Using graph analysis on:

  • funding flows

  • transaction paths

  • shared ancestors

  • wallet-to-wallet proximity

Sentinel builds directed graphs to reveal hidden wallet groups.

Tools:

  • BFS/DFS traversal

  • multi-hop connection scoring

  • cluster centrality measures
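
A minimal sketch of multi-hop funding-origin grouping, added here as an illustration and not taken from Sentinel's code. The wallet names, the `IGNORED_SOURCES` list and the `max_hops` default are assumptions; the sample transfers are constructed.

```python
from collections import defaultdict, deque

# Constructed sample data: (funder, recipient) SOL transfers. All names are made up.
TRANSFERS = [
    ("root_A", "hop_1"), ("hop_1", "buyer_1"), ("hop_1", "buyer_2"),
    ("root_A", "hop_2"), ("hop_2", "buyer_3"),
    ("cex_hot", "buyer_4"), ("cex_hot", "buyer_5"), ("cex_hot", "root_A"),
    ("solo_src", "buyer_6"),
]
# Assumption: high-fan-out sources (exchange hot wallets) are known and skipped,
# otherwise every customer of the same exchange would collapse into one cluster.
IGNORED_SOURCES = {"cex_hot"}

def ancestors(wallet, funders, max_hops):
    """BFS upstream along funding edges; returns {ancestor: hop_distance}."""
    seen, queue = {}, deque([(wallet, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_hops:          # hop budget spent, do not expand further
            continue
        for src in funders.get(node, ()):
            if src in IGNORED_SOURCES or src in seen or src == wallet:
                continue               # the seen check also stops circular funding loops
            seen[src] = depth + 1
            queue.append((src, depth + 1))
    return seen

def funding_clusters(transfers, buyers, max_hops=3):
    """Group buyers that share any upstream funder within max_hops."""
    funders = defaultdict(set)         # recipient -> set of direct funders
    for src, dst in transfers:
        funders[dst].add(src)
    parent = {b: b for b in buyers}    # union-find over buyer wallets
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    first_seen = {}                    # ancestor -> first buyer that reached it
    for b in buyers:
        for anc in ancestors(b, funders, max_hops):
            if anc in first_seen:
                parent[find(b)] = find(first_seen[anc])
            else:
                first_seen[anc] = b
    groups = defaultdict(set)
    for b in buyers:
        groups[find(b)].add(b)
    return sorted((sorted(g) for g in groups.values() if len(g) > 1), key=len, reverse=True)
```

With `max_hops=1` only `buyer_1` and `buyer_2` are grouped; raising the hop budget pulls in `buyer_3` through the shared root, while the two exchange-funded buyers stay unclustered.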


B. Temporal Correlation Analysis

Cluster behavior often emerges in timing:

  • burst buys within <200ms

  • synchronized entries

  • coordinated exits

  • rhythm-based trading sequences

If multiple wallets move on the same clock → high clustering probability.


C. Behavioral Fingerprinting

Sentinel analyzes long-term wallet patterns from WIM:

  • preferred trade size

  • predictable hold duration

  • buy/sell cadence

  • transaction shape consistency

  • routing preferences

Wallets with similar behavioral fingerprints are likely linked.


D. Multi-Factor Correlation

The final clustering decision uses a composite score from:

  • funding similarity

  • timing similarity

  • structural similarity

  • behavioral similarity

Clusters are only confirmed when multiple dimensions align.
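
The temporal check from section B combined with the "multiple dimensions must align" rule, as an added example that is not Sentinel's implementation. The field layout, the use of buy amount as the structural signal, and the `MIN_DIMENSIONS` threshold are assumptions; the sample buys are constructed.

```python
from itertools import combinations

# Constructed sample buys: (wallet, timestamp_ms, amount_lamports, funding_root).
BUYS = [
    ("w1", 1_000, 500_000_000, "root_A"),
    ("w2", 1_080, 500_000_000, "root_A"),
    ("w3", 1_150, 500_000_000, "root_B"),
    ("w4", 1_190, 1_370_000_000, "root_C"),  # lands in the burst by chance
    ("w5", 9_000, 500_000_000, "root_A"),    # same funder and size, different clock
]
BURST_MS = 200       # the page's "<200ms" burst window
MIN_DIMENSIONS = 2   # assumption: number of signals that must agree

def pair_signals(a, b):
    """Return the set of dimensions on which two buys look coordinated."""
    signals = set()
    if abs(a[1] - b[1]) < BURST_MS:
        signals.add("timing")
    if a[2] == b[2]:                 # integer lamports, so equality is exact
        signals.add("amount")
    if a[3] == b[3]:
        signals.add("funding")
    return signals

def confirmed_links(buys, min_dimensions=MIN_DIMENSIONS):
    """Wallet pairs linked on at least min_dimensions independent signals."""
    links = {}
    for a, b in combinations(buys, 2):
        sig = pair_signals(a, b)
        if len(sig) >= min_dimensions:
            links[(a[0], b[0])] = sorted(sig)
    return links
```

`w4` shares the 200 ms window with three other wallets but matches on nothing else, so it is never linked; dropping the threshold to one signal would pull it into the cluster as a false positive.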


4. Cluster Scoring

Each cluster receives a Cluster Risk Score based on:

1. Influence Score

How much supply or volume the cluster controls.

2. Behavioral Risk

Patterns predictive of manipulation:

  • swarm buying

  • fake demand

  • coordinated dumping

3. Dev Proximity

Is the cluster linked to the deployer wallet?

4. Historical Reputation

Has the cluster appeared in other high-risk or malicious tokens?

5. Exit Dominance

How aggressively the cluster dumps relative to retail.

High-scoring clusters dramatically raise token risk.


5. Integration With Risk Engine

Cluster detection impacts both scoring models:

For SPL Tokens

  • identifies coordinated wash trading

  • exposes LP-manipulating wallet groups

  • improves holder integrity measurement

For Bonding Curve Tokens

  • core component of the dev cluster score

  • key signal for swarm detection

  • critical for exit pattern interpretation

  • central to Pump.fun risk scoring

Clusters = behavioral truth.


6. Continuous Refinement

The Cluster Engine updates over time:

  • new connections strengthen existing clusters

  • new tokens reveal repeated patterns

  • new dev wallets are added to cluster profiles

  • emerging bot-swarm structures expand intelligence

The system becomes stronger and more accurate with every token analyzed.
