Risk Scoring
Every domain and wallet processed by Chainara Platform receives a risk score from 0–99. This score is calculated by combining four independent weighted components, each measuring a different dimension of threat likelihood.
Score Ranges
| Score | Label | Meaning |
|---|---|---|
| 0–24 | Safe | No significant threat signals detected |
| 25–49 | Low Risk | Minor concerns; worth monitoring |
| 50–74 | Medium Risk | Suspicious patterns detected; flag for review |
| 75–89 | High Risk | Strong indicators of malicious intent |
| 90–99 | Critical | Near-certain threat; immediate action recommended |
A score of 75+ will typically trigger an automatic flag in the Platform dashboard and appear in the threat feed.
The Four Scoring Components
The final score is computed as a weighted sum of four independent inputs:
| Component | Weight | What It Measures |
|---|---|---|
| Rule Matches | 30% | Configurable rule engine hits (keywords, patterns, TLDs) |
| Enrichment Signals | 25% | DNS, RDAP, certificate, VirusTotal, URLhaus, etc. |
| LLM Analysis | 25% | AI judgment on intent, content, and context |
| Threat Intelligence | 20% | Known bad actors, blocklists, cross-platform correlations |
Each component produces a sub-score of 0–100, which is then multiplied by its weight and summed:
final_score = (rules × 0.30) + (enrichment × 0.25) + (llm × 0.25) + (threat_intel × 0.20)
Rule Matches (30%)
The rule engine evaluates the domain or wallet against your configured ruleset. Each matching rule contributes a defined amount to this sub-score. Rules can be configured, enabled/disabled, and tuned by admins. See Domain Detection Rules for the full rule configuration reference.
Enrichment Signals (25%)
Nine enrichment modules run in parallel when a domain is processed, each contributing signals:
| Module | Key Signals |
|---|---|
| DNS | Missing MX/SPF, suspicious nameservers, recent DNS changes |
| RDAP/WHOIS | Domain age (<30 days = high risk), privacy-masked registration |
| Certificate | Free CA (Let's Encrypt), self-signed, certificate age mismatch |
| Typosquatting | Levenshtein distance to known brands (ripple, xrp, coinbase) |
| VirusTotal | Reputation from 70+ security vendors |
| URLhaus | Presence in the URLhaus malware URL database |
| AbuseIPDB | IP reputation and abuse history |
| Geolocation | High-risk hosting countries, VPN/proxy detection |
| HTTP Analysis | Page content, redirect chains, suspicious JavaScript |
Enrichment typically completes in 1.5–2 seconds (all modules run concurrently).
LLM Analysis (25%)
A large language model evaluates the domain holistically, examining the name, content, registration metadata, and enrichment signals together. The LLM provides:
- A structured threat classification
- Confidence level
- A human-readable explanation of its reasoning
This component catches sophisticated attacks that evade pattern matching: for example, a legitimate-looking domain with subtle scam content buried in the page body.
Threat Intelligence (20%)
Cross-references the domain or wallet against:
- Chainara's internal threat database (thousands of malicious domains and blacklisted wallets; see Platform Overview for current scale)
- Community-submitted fraud reports
- Active persona intelligence from the Intel platform
- Historical IOC associations (linked wallets, related domains)
A direct match against a known threat immediately elevates this sub-score, even if other components show low scores.
Worked Example
A newly registered domain xrp-giveaway-official.live might score:
| Component | Sub-Score | Weighted |
|---|---|---|
| Rule Matches | 85 (keyword giveaway, TLD .live, xrp brand) | 25.5 |
| Enrichment | 90 (domain age: 2 days, Let's Encrypt cert, privacy WHOIS) | 22.5 |
| LLM Analysis | 95 (LLM identifies giveaway scam pattern) | 23.75 |
| Threat Intel | 40 (no direct match yet) | 8.0 |
| Final Score | | 79.75 → 79 (truncated to integer) |
A score of 79 is High Risk: the domain would be auto-flagged and added to the threat feed. Final scores are always truncated (floored) to an integer, never rounded.
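The weighted sum, truncation rule and score bands described above, as an added Python example (not Chainara's code). The function names, the integer sub-scores and the clamp to 99 when all four sub-scores are 100 are this example's assumptions; the page does not say how that case is handled.

```python
# Added example, not Chainara's implementation. Weights and bands come from this page.
WEIGHTS_PCT = {"rules": 30, "enrichment": 25, "llm": 25, "threat_intel": 20}
BANDS = [(90, "Critical"), (75, "High Risk"), (50, "Medium Risk"),
         (25, "Low Risk"), (0, "Safe")]
AUTO_FLAG_AT = 75  # page: a score of 75+ typically triggers an automatic flag


def final_score(sub_scores: dict) -> int:
    """Weighted sum of the four sub-scores, floored to an integer."""
    if set(sub_scores) != set(WEIGHTS_PCT):
        raise ValueError(f"expected exactly these components: {sorted(WEIGHTS_PCT)}")
    total = 0
    for name, weight in WEIGHTS_PCT.items():
        value = sub_scores[name]
        # Assumption: sub-scores are integers in 0-100 (bool is rejected explicitly).
        if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 100:
            raise ValueError(f"{name} must be an integer 0-100, got {value!r}")
        total += value * weight
    # Integer percent weights keep the floor exact at band edges (no float error).
    score = total // 100
    # Assumption: four sub-scores of 100 sum to 100, above the documented 0-99
    # range, so this example clamps the result to 99.
    return min(score, 99)


def label(score: int) -> str:
    """Map a final score to the label from the Score Ranges table."""
    for lower_bound, name in BANDS:
        if score >= lower_bound:
            return name
    raise ValueError("score must be >= 0")


def assess(sub_scores: dict) -> dict:
    """Hypothetical result shape: final score, label and auto-flag decision."""
    score = final_score(sub_scores)
    return {"score": score, "label": label(score), "auto_flag": score >= AUTO_FLAG_AT}


if __name__ == "__main__":
    # The page's worked example: xrp-giveaway-official.live
    print(assess({"rules": 85, "enrichment": 90, "llm": 95, "threat_intel": 40}))
    # Constructed case: a maximum threat-intel sub-score, everything else low.
    print(assess({"rules": 10, "enrichment": 10, "llm": 10, "threat_intel": 100}))
```

Under the published formula alone, the constructed second case scores 28 (Low Risk), because a threat-intel sub-score of 100 contributes at most 20 points to the final score.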
Score Updates
Scores are not static. They are recalculated when:
- New fraud reports link to the domain or wallet
- Enrichment modules detect changes (e.g. domain content updated)
- The Intel platform captures a new conversation referencing this address
- An admin manually updates the classification
The Last Updated timestamp on each record shows when the score was last recalculated.
Using Scores in Workflows
| Score | Recommended Action |
|---|---|
| < 25 | No action required |
| 25–49 | Add to watchlist; check again after 7 days |
| 50–74 | Flag for manual review; alert security team |
| 75–89 | Block or blacklist; submit fraud report |
| 90–99 | Immediate blacklist; escalate to threat response |
Scores can be used programmatically via the API: the risk_score field is returned on every wallet and domain lookup.