Security / Audit · EVM · Solana · Bitcoin · TON · Tron · Multi-chain
Scam Sniffer
Web3 anti-phishing detection covering malicious websites, drainer signatures, and known scammer addresses across EVM, Solana, Bitcoin, TON, Tron, Sui, and Ripple. Exposes a Malicious Website Detection API plus public blacklist feeds (domains + addresses) used by wallets, mod tools, and bridges to warn users before they click or sign.
- URL + dApp phishing checks
- drainer signature warnings
- Discord/Telegram link safety bots
- wallet pre-connect screening
- scammer address blacklists
| Variable | Scope | Description |
|---|---|---|
| SCAM_SNIFFER_API_KEY | Server | Scam Sniffer API key for the Malicious Website Detection API, sent in the `X-API-KEY` header. |
Use Scam Sniffer to screen URLs and addresses before users click or sign. Site lookup: `GET https://lookup-api.scamsniffer.io/site/{encodedUrl}` with `X-API-KEY: ${SCAM_SNIFFER_API_KEY}`, returning `{ status: 'safe' | 'warning' | 'malicious', tags: string[], reason }`. For lighter-weight integration, mirror the public phishing feeds from `https://github.com/scamsniffer/scam-database` (domains + addresses, JSON) into a Bloom filter and refresh hourly. In your wallet/connect flow, gate the connect button on `status !== 'malicious'`, surface a confirmation modal on `warning`, and log all `malicious` hits with the offending URL + referrer for incident response. For chat/mod automation, pipe message URLs through the same lookup endpoint before unfurl.
- ⚑Detection is reactive — newly-spun phishing domains have a 1–48 hour blind window; pair with a TLD age + WHOIS heuristic for true zero-day protection rather than relying on the feed alone.
- ⚑Public blacklist feeds are deduplicated and rotate as domains die; cache aggressively, but always set a TTL (1–6h) so you do not block users on lapsed domains, and rebuild your local Bloom filter on each refresh.
- ⚑False positives happen on legitimate dApps that ape scammer naming patterns or share infrastructure (shared Cloudflare IPs, lookalike subdomains) — provide an explicit 'proceed anyway' path and a feedback link to report mistakes.
- ⚑Chain coverage for the address blacklist is uneven — EVM and Solana are well-covered, while TON / Tron / Sui / Ripple drainer datasets are smaller and skew toward known incidents only.
- ⚑Wallet UX integration via the browser extension hooks the page DOM, not the wallet RPC — server-side or mobile flows will not get extension-level signature warnings unless you call the lookup API directly from your client or backend.
- ⚑Rate limits on the lookup API are tight on the free tier; debounce per-URL lookups and never call once-per-keystroke from address bars.
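The connect-flow gating described above, combined with the TTL and rate-limit caveats, as an added example that is not Scam Sniffer's own code. The names `lookupSite`, `decide` and `createScreener` are hypothetical; encoding `{encodedUrl}` with `encodeURIComponent` and falling back to the confirmation modal when the lookup fails are assumptions.

```javascript
// Added example: endpoint, header and response shape are the ones this page gives.
// Assumptions: {encodedUrl} is encodeURIComponent(url); lookup errors fall back to 'confirm'.
const BASE = 'https://lookup-api.scamsniffer.io/site/';
// Server-side call: the key has Server scope, so it never ships in a client bundle.
async function lookupSite(url) {
  const res = await fetch(BASE + encodeURIComponent(url), {
    headers: { 'X-API-KEY': process.env.SCAM_SNIFFER_API_KEY },
  });
  if (!res.ok) throw new Error(`lookup failed: HTTP ${res.status}`);
  return res.json(); // { status, tags, reason }
}

// Map a lookup status to the connect-flow action.
function decide(status) {
  if (status === 'malicious') return 'block';
  if (status === 'safe') return 'allow';
  return 'confirm'; // 'warning' or any unexpected value gets the confirmation modal
}

// TTL cache (default 1h) plus in-flight coalescing: repeated or concurrent checks of
// one URL cost a single API call, and entries expire so lapsed domains are re-checked.
function createScreener({ lookup = lookupSite, ttlMs = 3600e3, now = Date.now, log = console.warn } = {}) {
  const cache = new Map();    // url -> { verdict, expires }
  const inflight = new Map(); // url -> Promise<verdict>

  async function fetchVerdict(url) {
    try {
      const { status, tags = [], reason = '' } = await lookup(url);
      const verdict = { action: decide(status), status, tags, reason };
      cache.set(url, { verdict, expires: now() + ttlMs });
      return verdict;
    } catch (err) {
      // Not cached, so the next call retries; the user is asked rather than waved through.
      return { action: 'confirm', status: 'unknown', tags: [], reason: String((err && err.message) || err) };
    }
  }

  return async function screen(url, referrer = '') {
    const hit = cache.get(url);
    let verdict = hit && hit.expires > now() ? hit.verdict : null;
    if (!verdict) {
      if (!inflight.has(url)) inflight.set(url, fetchVerdict(url).finally(() => inflight.delete(url)));
      verdict = await inflight.get(url);
    }
    // Every malicious hit is logged with URL + referrer, cached or not.
    if (verdict.status === 'malicious') log(JSON.stringify({ event: 'malicious_site', url, referrer }));
    return verdict;
  };
}
```

In a test or a chat bot, pass a stub or a wrapped `lookup` to `createScreener`; the default calls the live endpoint and needs `SCAM_SNIFFER_API_KEY` in the server environment.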