A comprehensive Web3/blockchain/crypto domain threat intelligence tracker with 448,000+ entries aggregated from 8 upstream feeds. Includes a static web frontend with domain search and multi-chain blockchain investigation tools supporting Ethereum, BSC, Polygon, Arbitrum, Base, Optimism, Solana, and Bitcoin.
Live site: elchacal801.github.io/web3-threat-tracker
Releases: Download CSVs and SQLite DB
- Domain Intelligence — Search 448K+ Web3 threat domains with severity, confidence, and category classification
- SIEM-Ready Exports — Pre-filtered CSVs for direct upload to CrowdStrike NG-SIEM, Splunk, or any SIEM as lookup files
- Multi-Chain Investigation Tools — 5 browser-based blockchain trace tools across 8 chains (Ethereum, BSC, Polygon, Arbitrum, Base, Optimism, Solana, Bitcoin). Fund Flow supports all 8 chains; Gas Tracer, Contract Audit, Mint Tracker, and CCTP Tracer support EVM chains
- Daily Automated Ingestion — GitHub Actions pulls from all upstream sources daily at 06:00 UTC
- Weekly Releases — Tagged releases with downloadable CSVs and SQLite database every Sunday
git clone https://github.com/elchacal801/web3-threat-tracker.git
cd web3-threat-tracker
pip install -e ".[dev]"
# Run ingestion pipeline
python -m scripts.ingest.ingest_metamask
python -m scripts.ingest.ingest_scamsniffer
# ... (or trigger via GitHub Actions)
# Normalize, validate, build
python -m scripts.normalize
python -m scripts.validate
python -m scripts.build_db
python -m scripts.export_csv
python -m scripts.statsEach entry carries the fields described in the Data Dictionary:
| Group | Fields |
|---|---|
| Core Identity | domain, url, type |
| Severity & Classification | severity, confidence, tags |
| Domain Infrastructure | registrar, registration_date, whois_privacy, nameservers, hosting_provider, ip_addresses, asn, ssl_* |
| Blockchain Infrastructure | blockchain_network, wallet_addresses, smart_contract_addresses, ens_name, unstoppable_domain, transaction_hashes |
| Provenance | sources, first_seen, last_seen, added_by, notes, references, related_domains |
| File | Description |
|---|---|
all_domains.csv |
Full dataset, all severity levels |
malicious_only.csv |
Rows where severity = MALICIOUS |
high_confidence.csv |
Rows where confidence = HIGH |
by_tag/<tag>.csv |
One file per threat category tag |
web3_tracker.db |
SQLite database with junction tables for tags, sources, IPs, wallets |
stats.json |
Summary statistics |
Download from Releases or build locally.
| Source | Records | Notes |
|---|---|---|
| ScamSniffer | 331K+ | Real-time wallet drainer and phishing feed with wallet address mapping |
| MetaMask eth-phishing-detect | 105K+ | Community-curated blocklist |
| CryptoScamDB | 9.8K+ | Historic + active scam domains with category classification |
| Forta Network | 6.3K+ | On-chain phishing addresses and malicious smart contracts |
| spmedia | 1K+ | Daily-updated crypto phishing threat intel feed |
| PhishTank | Active | General phishing database, filtered for crypto targets |
| Chainabuse | API | User-reported blockchain abuse (10 req/month free tier) |
| URLhaus | API | Malware URL feed, filtered for crypto tags |
The web frontend includes 5 browser-based investigation tools. All tracing happens client-side — API calls go directly from your browser to the chain's block explorer API. Bring Your Own Key for Etherscan (EVM chains) and Helius (Solana). Bitcoin uses mempool.space (free, no key needed).
| Tool | Chains | Purpose |
|---|---|---|
| Fund Flow | ETH, BSC, Polygon, Arbitrum, Base, Optimism, Solana, Bitcoin | Map transfers, tag known entities (CEX, DEX, bridges, mixers), identify exit paths and funding sources |
| Gas Tracer | EVM chains | Recursively trace native token funding chain to find who funded a wallet |
| Contract Audit | EVM chains | Detect proxy patterns, extract roles/owners, pull upgrade and role change history |
| Mint Tracker | EVM chains | Detect unauthorized token mints (Transfer events from null address) |
| CCTP Tracer | EVM chains | Detect Circle Cross-Chain Transfer Protocol activity |
| Chain | API | Key Required |
|---|---|---|
| Ethereum, BSC, Polygon, Arbitrum, Base, Optimism | Etherscan V2 | Yes (free tier) |
| Solana | Helius RPC | Yes (free tier) |
| Bitcoin | mempool.space | No |
Entity labels dataset includes 75+ tagged addresses across all chains: exchanges (Binance, Coinbase, Kraken), DEXes (Uniswap, Jupiter, Raydium), bridges (Wormhole), mixers (Tornado Cash), and OFAC-sanctioned addresses.
| Level | Meaning |
|---|---|
LEGITIMATE |
Verified safe; used as allowlist baseline |
SUSPICIOUS |
Behavioural or registration anomalies; monitor (schema-reserved, not produced) |
RISKY |
Strong indicators of abuse; block recommended (schema-reserved, not produced) |
MALICIOUS |
Confirmed threat activity; block immediately |
In practice every ingested entry is
MALICIOUS(plus a singleLEGITIMATEbaseline).SUSPICIOUSandRISKYexist in the schema but are not currently produced — differentiate onconfidenceandtags.
Confidence is corroboration-driven: entries seen by 2+ upstream sources are automatically HIGH; single high-quality source (MetaMask, ScamSniffer, PhishTank) = MEDIUM; single lower-quality source = LOW.
| Value | Meaning |
|---|---|
HIGH |
Multi-source corroboration (2+ feeds) |
MEDIUM |
Single high-quality source |
LOW |
Single heuristic or lower-quality source |
drainer phishing rug_pull fake_exchange fake_wallet fake_airdrop etherhiding clickfix pig_butchering address_poisoning ice_phishing investment_scam impersonation c2_infrastructure credential_stealer nft_scam defi_impersonation smishing typosquat cryptojacking
See Threat Landscape for technique descriptions, detection patterns, and key statistics.
See SIEM Integration Guide for detailed instructions:
- CrowdStrike NG-SIEM: Upload
malicious_only.csvas a LogScale Lookup File - Splunk: Upload as lookup table, query with
| lookup web3_threats domain AS query - Generic: Any SIEM supporting CSV lookup files
Pull requests welcome. See CONTRIBUTING.md for:
- How to add manual entries (YAML format)
- PR submission process and schema validation
- Severity/confidence assignment guidelines
This project aggregates data from multiple upstream sources. See NOTICE.md for per-source attribution, licensing, and redistribution terms.
MIT — see LICENSE.