Platform Architecture
Chainara is composed of four integrated systems that form a closed-loop threat intelligence platform: from autonomous threat hunting all the way through to analyst tooling and downstream API distribution.
The Four Systems
| System | Purpose | Primary Users |
|---|---|---|
| Chainara Platform | Threat operations: wallet risk scoring, domain detection, fraud intelligence, API | Security analysts, compliance teams, developers |
| Chainara Intel | Threat collection: AI personas gathering scammer IOCs from social platforms | Threat researchers, SOC teams |
| Chainara Discovery | Proactive threat hunting: passively hunts new scam infrastructure, social media impersonation, and wallet IOCs across the internet | Runs automatically; findings flow into Platform |
| Domain Engine | Automated domain analysis: 8-stage pipeline classifying and scoring every discovered domain | Runs automatically; configurable by admins |
How They Work Together
The Intelligence Loop
The power of this architecture is the closed-loop intelligence cycle:
- Discovery hunts proactively: passively queries Shodan, OTX, crt.sh, ChainAbuse, and scans social media for emerging scam infrastructure before any victim reports it
- Intel deploys personas: AI personas engage scammers on Discord, Twitter, and Telegram, extracting wallets, domains, and campaign details directly from threat actors
- Both feed the Domain Engine: every discovered domain passes through the 8-stage automated analysis pipeline
- Platform gets enriched: scored threats appear instantly in the threat database, visible to analysts and available via API
- Analysts investigate: security teams dig deeper, submit reports, and export intelligence
- API distributes: verified threats flow out via the Threat Feed and webhooks to SIEMs, exchanges, and compliance tools
- Loop continues: new intelligence sharpens future detection accuracy across all four systems
Chainara Platform
The Platform is the single pane of glass for security operations:
- Dashboard: live threat metrics, recent activity, and KPIs
- Wallet Analysis: deep-dive risk profiles for any blockchain address
- Domain Intelligence: searchable database of analyzed domains with full enrichment data
- Fraud Intelligence: aggregated fraud reports with verification workflow
- Flow Analytics: visualize fund movements between wallets
- Network Graph: interactive transaction relationship mapping
- Metrics: enterprise impact tracking and reporting
- API: full REST API for integration with SIEMs, exchanges, and custom workflows
Chainara Intel
The Intel platform is the active threat collection engine: AI personas deployed on social platforms engage real scammers and extract IOCs directly from their campaigns:
- Personas: AI identities deployed across social platforms
- Monitor: real-time feed of all active persona sessions
- Conversations: full transcript archive with IOC extraction
- Threats: discovered threat actors, campaigns, and artifacts
- Artifacts: extracted wallets, domains, URLs, and invite links
- Maps: infrastructure visualizations of scammer networks
- Dark Web Hunter: autonomous Tor-based threat intelligence collection
- Reports: structured intelligence reports on campaigns
Chainara Discovery
Discovery is the passive threat hunting engine: it proactively hunts for new scam infrastructure across the internet before any victim reports it. All reconnaissance is passive: Discovery only queries API-cached data and never makes direct connections to target infrastructure, which avoids alerting scam operators.
Discovery capabilities
What Discovery finds:
| Capability | Description |
|---|---|
| Shodan hunting | Queries Shodan's cached scan data for crypto scam patterns: XRP giveaways, wallet phishing, fake exchanges |
| Infrastructure pivoting | Given one known-bad domain or IP, pivots on favicon hash, SSL certificate, JARM fingerprint, and passive DNS to find all related infrastructure |
| Social media scanning | Detects fake Instagram and YouTube accounts impersonating Ripple executives; extracts embedded wallet addresses and malicious links via OCR |
| ChainAbuse sync | Imports community-submitted blockchain scam reports |
| XUMM blacklist sync | Syncs known-bad XRP addresses from the XUMM community blacklist |
| NEAR Intents analysis | Analyzes cross-chain swap transactions for money laundering patterns |
| Campaign system | Runs structured threat hunting campaigns (XRP phishing, wallet drainer hunting, compromised router DNS hijacking) |
Output: Discovered threats are automatically routed to the Platform and Domain Engine for scoring and monitoring, with no manual intervention required.
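The "infrastructure pivoting" row above names favicon hashing as one pivot key. As an added example (not Chainara's or Discovery's own code), the block below shows what that pivot is in practice: compute the favicon hash the way passive scan databases index it (MurmurHash3 x86_32, seed 0, over the base64 encoding of the raw icon bytes with the 76-column line breaks that `base64.encodebytes` produces; this is the convention behind Shodan's `http.favicon.hash` field, implemented here in pure Python so nothing needs installing), then cluster an already-cached inventory by that hash to surface every host sharing the seed's icon. The inventory, host names, IPs (documentation ranges) and icon bytes are constructed for the example; a real run would load records from a cached API export and, as the section describes, never fetch anything from the suspect hosts themselves.

```python
import base64
from collections import defaultdict

MASK32 = 0xFFFFFFFF


def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed 32-bit int (same value as mmh3.hash)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    n_blocks = len(data) // 4
    for i in range(n_blocks):
        # 4-byte little-endian block mixed into the running hash
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (k1 * c1) & MASK32
        k1 = ((k1 << 15) | (k1 >> 17)) & MASK32
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = ((h1 << 13) | (h1 >> 19)) & MASK32
        h1 = (h1 * 5 + 0xE6546B64) & MASK32
    # Up to three trailing bytes that did not fill a block
    tail = data[4 * n_blocks:]
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * c1) & MASK32
        k1 = ((k1 << 15) | (k1 >> 17)) & MASK32
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
    # Finalisation (fmix32)
    h1 ^= len(data)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    return h1 - 0x100000000 if h1 & 0x80000000 else h1


def favicon_hash(icon_bytes: bytes) -> int:
    """Favicon pivot key: MurmurHash3 of the base64 text (with line breaks), as Shodan indexes it."""
    return murmurhash3_32(base64.encodebytes(icon_bytes))


# Constructed sample data standing in for records exported from a cached scan database.
# Nothing here is fetched live; the icon bytes are made up for the example.
SCAM_KIT_FAVICON = b"\x00\x00\x01\x00\x01\x00" + b"constructed-scam-kit-icon" * 4
BENIGN_FAVICON = b"\x00\x00\x01\x00\x01\x00" + b"constructed-benign-icon" * 4

CACHED_INVENTORY = [
    {"host": "seed-known-bad.example", "ip": "203.0.113.10", "favicon": SCAM_KIT_FAVICON},
    {"host": "giveaway-clone.example", "ip": "203.0.113.22", "favicon": SCAM_KIT_FAVICON},
    {"host": "wallet-login.example", "ip": "198.51.100.7", "favicon": SCAM_KIT_FAVICON},
    {"host": "unrelated-shop.example", "ip": "198.51.100.40", "favicon": BENIGN_FAVICON},
]


def pivot_on_favicon(seed_host: str, inventory: list) -> list:
    """Given one known-bad host, return the other cached hosts whose favicon hashes identically."""
    by_hash = defaultdict(list)
    for rec in inventory:
        by_hash[favicon_hash(rec["favicon"])].append(rec["host"])
    seed = next(r for r in inventory if r["host"] == seed_host)
    return sorted(h for h in by_hash[favicon_hash(seed["favicon"])] if h != seed_host)


if __name__ == "__main__":
    print("seed favicon hash:", favicon_hash(SCAM_KIT_FAVICON))
    print("related hosts:", pivot_on_favicon("seed-known-bad.example", CACHED_INVENTORY))
```

The same clustering shape applies to the other pivot keys the table lists (certificate fingerprint, JARM, passive DNS): build one index per key over the cached inventory and take the union of the seed's neighbours. A shared favicon is a strong lead rather than proof, since phishing kits sometimes reuse the icon of the brand they imitate, so matches still go through the Domain Engine scoring described below before they are treated as confirmed.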
Domain Engine
The Domain Engine runs fully automated: analysts configure rules and thresholds; the engine handles the rest:
- 43 configurable detection rules (15 condition types)
- 9 parallel enrichment modules completing in ~2 seconds
- LLM-powered threat classification
- 4-component weighted risk scoring (0–99)
- Detection accuracy: 94.2% true positive rate, 2.1% false positive rate
Data Flow Summary
| Data Type | Origin | Destination |
|---|---|---|
| Scammer wallets | Intel conversations | Platform wallet database |
| Scam domains / IPs | Discovery hunting | Domain Engine → Platform |
| Social impersonation IOCs | Discovery social scanner | Platform fraud intelligence |
| Blockchain scam reports | ChainAbuse / XUMM sync | Platform + Domain Engine |
| Suspicious domains | Intel artifacts + Domain Engine input | Domain Engine → Platform domain database |
| Fraud reports | Analyst submissions + Intel | Platform fraud intelligence feed |
| Risk scores | Domain Engine scoring | Platform UI + API |
| Threat indicators | Platform verification | Threat Feed API + Webhooks |
| IOC intelligence | All systems | External SIEMs, exchanges, compliance tools |