Threat Intelligence Feed
Your real-time feed of verified blockchain threat data.
Chainara continuously identifies malicious domains, fraudulent wallet addresses, and the connections between them. This feed delivers that intelligence directly to your systems as a bulk export or real-time stream.
Data Overview
| Data Type | What It Is | Volume |
|---|---|---|
| Malicious Domains | Phishing sites, scam pages, and fraud infrastructure | ~1,900 |
| Blacklisted Wallets | Confirmed malicious addresses, corroborated by Ripple, Xaman, fraud investigations, or manual review | ~3,150 |
| Suspicious Wallets | Flagged addresses for risk scoring and monitoring | ~7,500 |
| Domain + Wallet Links | Verified connections between scam sites and drain wallets | ~120 |
| Investigation Reports | Full threat reports with analysis and IOCs | ~165 |
| Community Reports | Victim-submitted scam reports with narrative context | ~15 |
Data grows daily as new threats are identified.
How It Works
Two ways to receive data:
1. Snapshot: Pull a full or filtered export anytime via API. Use this for initial setup or periodic sync.
2. Webhook: We push new indicators to your endpoint in real time as they're verified. You receive them within seconds of detection.
Both use the same JSON format, so you only need to build one parser.
Data Format
Every response is wrapped in a simple envelope:
{
"schema_version": "1.0",
"type": "snapshot",
"generated_at": "2026-03-02T14:30:00.000Z",
"source": "chainara",
"total_count": 1000,
"indicators": [ ... ]
}
Inside indicators, each item has a type field that tells you what it is. There are five types: domain, wallet, domain_wallet_pair, fraud_report, and community_report (the same values the types parameter of the Snapshot API accepts). Dispatch on this field rather than on id prefixes, which are not a documented contract.
Malicious Domain
A domain involved in phishing, scams, or fraud.
{
"id": "domain-1042",
"type": "domain",
"value": "xrp-giveaway-bonus.com",
"blockchain": "xrpl",
"confidence": 100,
"risk_score": 100,
"risk_level": "critical",
"threat_types": ["xrp_scam", "giveaway_scam"],
"tags": ["fraud_verified"],
"sources": ["fraud_report"],
"is_active": true,
"first_seen": "2025-11-14T08:22:00.000Z",
"last_checked": "2026-03-01T12:00:00.000Z",
"related_report_count": 3,
"description": "Fake XRP giveaway site impersonating Ripple executives."
}
Key fields:
| Field | Description |
|---|---|
| value | The domain name |
| confidence | 0–100, how certain we are this is malicious |
| risk_level | low, medium, high, or critical |
| is_active | Whether the domain is currently live |
| sources | Where the evidence came from |
Wallet
A blockchain address linked to fraud. Each wallet has a severity_tier that tells you how to act on it:
| Tier | Meaning | Recommended Action |
|---|---|---|
| blacklisted | Confirmed malicious. Corroborated by Ripple, Xaman, fraud investigations, or manual review. | Block transactions. Reject deposits. Flag accounts. |
| suspicious | Useful intelligence. Flagged by external threat feeds, community reports, or on-chain pattern analysis. | Monitor. Flag for review. Use in risk scoring. |
Blacklisted wallet (confirmed: block this):
{
"id": "bl-1-rfFzQaMjeGn6sWkYhw5soUjnDigFN72Mpu",
"type": "wallet",
"severity_tier": "blacklisted",
"value": "rfFzQaMjeGn6sWkYhw5soUjnDigFN72Mpu",
"blockchain": "xrpl",
"confidence": 100,
"risk_score": 100,
"risk_level": "critical",
"threat_types": ["scam_recipient"],
"tags": ["rippleflagged", "known_actor"],
"sources": ["ripple_flagged"],
"first_seen": "2025-08-14T00:00:00.000Z",
"description": "Flagged by Ripple. Known bad actor."
}
Suspicious wallet (intelligence: monitor this):
{
"id": "sw-4821",
"type": "wallet",
"severity_tier": "suspicious",
"value": "rN7nJz3GHBEM1FidPxQsj3bXUoSkrhRCdU",
"blockchain": "xrpl",
"confidence": 80,
"risk_score": 85,
"risk_level": "high",
"threat_types": ["exfil_pattern"],
"tags": ["tron-destination", "xrp-to-usdt"],
"sources": ["exfil_detection"],
"first_seen": "2026-01-15T10:00:00.000Z",
"last_activity": "2026-02-28T16:45:00.000Z",
"description": "Suspicious XRP-to-stablecoin swap pattern. Funds bridged to Tron."
}
Key fields:
| Field | Description |
|---|---|
| severity_tier | blacklisted (block) or suspicious (monitor) |
| value | The blockchain address |
| related_domain | The scam domain linked to this wallet, if known (omitted when there is none) |
Domain + Wallet Pair
The high-value connection: a scam domain linked to the wallet it drains funds to.
{
"id": "pair-1042-887",
"type": "domain_wallet_pair",
"domain": "xrp-giveaway-bonus.com",
"wallet": "rN7nJz3GHBEM1FidPxQsj3bXUoSkrhRCdU",
"blockchain": "xrpl",
"confidence": 100,
"risk_level": "critical",
"relationship": "drain_target",
"sources": ["fraud_report"],
"first_seen": "2025-12-01T10:00:00.000Z",
"last_seen": "2026-02-28T16:45:00.000Z",
"description": "Scam domain drains victim XRP to this wallet."
}
Investigation Report
A full threat investigation with detailed analysis. These are the richest intelligence items: they describe how the scam works, who it targets, and what indicators to look for.
{
"id": "fr-dd161e5b-e46d-4178-8cf3-9094c22a65f2",
"type": "fraud_report",
"report_type": "fake_giveaway",
"severity": "critical",
"blockchain": "xrpl",
"wallet_address": "rpN6YorBmkGPU8FohZUmEoaEwnCLGwvPBE",
"domain": "korea-today.com",
"url": "https://korea-today.com/xrp-giveaway",
"summary": "korea-today.com promotes a fake XRP doubling scheme. The site impersonates a legitimate news outlet, using urgency tactics and minimum deposit requirements to lure victims...",
"detected_at": "2026-03-01T02:17:54.000Z",
"sources": ["fraud_report"]
}
report_type values: scam_website, fake_giveaway, fraudulent_wallet, suspicious_domain, social_media_scam
Community Report
A scam report submitted by a Chainara community member and approved by our analysts. Provides victim narratives, social media handles, and other unstructured intelligence.
{
"id": "cr-24",
"type": "community_report",
"report_type": "scam_website",
"blockchain": "xrpl",
"wallet_addresses": ["rnT4nEst8tvJzXKnN5jEnw3HWvfB9b22mX"],
"domains": ["etfxrp.io"],
"urls": ["https://etfxrp.io/"],
"social_handles": [],
"description": "Thieves wallet address and MEMO. Sent funds expecting a return that never came.",
"submitted_at": "2025-11-17T04:15:46.000Z",
"upvote_count": 0
}
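The five indicator types overlap: the same domain appears as a domain item and inside a domain_wallet_pair, and the same wallet can be a suspicious item, half of a pair, and the wallet_address of a fraud_report. The following is an added example (not Chainara's code) of a normalizer that dispatches on the type field, merges evidence for each (kind, value) into one record, and only ever escalates the action. The escalation policy (block > monitor > watch), the treatment of pairs and reports, and the sample envelope at the bottom are this example's own assumptions, built from the document's sample items.

```python
"""Normalize a Chainara feed envelope (schema 1.0) into deduplicated IOC records.

Added example, not Chainara's code. The escalation policy (block > monitor > watch)
and the sample envelope at the bottom are this example's own assumptions.
"""
from dataclasses import dataclass, field

RANK = {"watch": 0, "monitor": 1, "block": 2}


@dataclass
class Ioc:
    kind: str                                   # "domain" or "wallet"
    value: str
    action: str = "watch"
    confidence: int = 0
    sources: set = field(default_factory=set)
    related: set = field(default_factory=set)   # linked wallets (domain) or domains (wallet)

    def escalate(self, action, confidence=0, sources=(), related=()):
        # Actions only move up; evidence from every contributing item is kept.
        if RANK[action] > RANK[self.action]:
            self.action = action
        self.confidence = max(self.confidence, confidence)
        self.sources.update(sources)
        self.related.update(r for r in related if r)


def normalize(envelope: dict) -> dict:
    """Return {(kind, value): Ioc}, merging evidence across all five indicator types."""
    if not str(envelope.get("schema_version", "")).startswith("1."):
        raise ValueError(f"unsupported schema_version {envelope.get('schema_version')!r}")
    iocs = {}

    def ioc(kind, value):
        return iocs.setdefault((kind, value), Ioc(kind, value))

    for ind in envelope["indicators"]:
        t, fid = ind["type"], ind["id"]
        srcs, conf = ind.get("sources", []), ind.get("confidence", 0)
        if t == "domain":
            # Only live high/critical domains go straight to the blocklist.
            live_bad = ind.get("is_active") and ind.get("risk_level") in ("high", "critical")
            ioc("domain", ind["value"]).escalate("block" if live_bad else "monitor", conf, srcs)
        elif t == "wallet":
            action = "block" if ind["severity_tier"] == "blacklisted" else "monitor"
            ioc("wallet", ind["value"]).escalate(action, conf, srcs, [ind.get("related_domain")])
        elif t == "domain_wallet_pair":
            # Verified drain link: both sides learn of each other; the wallet is
            # escalated to block only when the pair itself is rated critical.
            ioc("domain", ind["domain"]).escalate("block", conf, srcs, [ind["wallet"]])
            w_action = "block" if ind.get("risk_level") == "critical" else "monitor"
            ioc("wallet", ind["wallet"]).escalate(w_action, conf, srcs, [ind["domain"]])
        elif t == "fraud_report":
            action = "block" if ind.get("severity") == "critical" else "monitor"
            d, w = ind.get("domain"), ind.get("wallet_address")
            if d:
                ioc("domain", d).escalate(action, 0, srcs, [w])
            if w:
                ioc("wallet", w).escalate(action, 0, srcs, [d])
        elif t == "community_report":
            # Victim narratives are context only, never an automatic block on their own.
            ds, ws = ind.get("domains", []), ind.get("wallet_addresses", [])
            for d in ds:
                ioc("domain", d).escalate("watch", 0, ["community_report"], ws)
            for w in ws:
                ioc("wallet", w).escalate("watch", 0, ["community_report"], ds)
        else:
            raise ValueError(f"unknown indicator type {t!r} in {fid}")
    return iocs


def by_action(iocs: dict, action: str) -> list:
    return sorted(f"{i.kind}:{i.value}" for i in iocs.values() if i.action == action)


SAMPLE_ENVELOPE = {  # constructed from the docs' example items; not real feed output
    "schema_version": "1.0", "type": "snapshot", "generated_at": "2026-03-02T14:30:00.000Z",
    "source": "chainara", "total_count": 6, "indicators": [
        {"id": "domain-1042", "type": "domain", "value": "xrp-giveaway-bonus.com", "confidence": 100,
         "risk_level": "critical", "is_active": True, "sources": ["fraud_report"]},
        {"id": "bl-1-rfFzQaMjeGn6sWkYhw5soUjnDigFN72Mpu", "type": "wallet", "severity_tier": "blacklisted",
         "value": "rfFzQaMjeGn6sWkYhw5soUjnDigFN72Mpu", "confidence": 100, "sources": ["ripple_flagged"]},
        {"id": "sw-4821", "type": "wallet", "severity_tier": "suspicious", "confidence": 80,
         "value": "rN7nJz3GHBEM1FidPxQsj3bXUoSkrhRCdU", "sources": ["exfil_detection"]},
        {"id": "pair-1042-887", "type": "domain_wallet_pair", "domain": "xrp-giveaway-bonus.com",
         "wallet": "rN7nJz3GHBEM1FidPxQsj3bXUoSkrhRCdU", "confidence": 100, "risk_level": "critical",
         "sources": ["fraud_report"]},
        {"id": "fr-dd161e5b-e46d-4178-8cf3-9094c22a65f2", "type": "fraud_report", "severity": "critical",
         "domain": "korea-today.com", "wallet_address": "rpN6YorBmkGPU8FohZUmEoaEwnCLGwvPBE",
         "sources": ["fraud_report"]},
        {"id": "cr-24", "type": "community_report", "domains": ["etfxrp.io"],
         "wallet_addresses": ["rnT4nEst8tvJzXKnN5jEnw3HWvfB9b22mX"]},
    ],
}

if __name__ == "__main__":
    merged = normalize(SAMPLE_ENVELOPE)
    for action in ("block", "monitor", "watch"):
        print(action, by_action(merged, action))
```

Run on the sample, the suspicious wallet rN7n… ends up blocked with confidence 100 and both exfil_detection and fraud_report as sources, because the critical pair outranks the suspicious item; the community-reported etfxrp.io stays at watch. Rejecting an unknown schema_version up front keeps a future 2.x envelope from being silently half-parsed.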
Snapshot API
Pull all indicators or filter by type. Supports pagination for large datasets.
GET /api/v2/feed/snapshot
Authentication: pass your key in the X-API-Key request header (X-API-Key: ek_YOUR_API_KEY). Enterprise plan required.
Parameters
| Parameter | Default | Description |
|---|---|---|
| types | all | Comma-separated: domain, wallet, domain_wallet_pair, fraud_report, community_report |
| severity_tier | all | Wallet filter: blacklisted, suspicious |
| min_confidence | 0 | Only return indicators with confidence >= this value |
| blockchain | all | Filter by chain: xrpl, stellar |
| since | (none) | ISO 8601 timestamp. Only return indicators added or updated after this time |
| cursor | (none) | Pagination cursor from previous response |
| limit | 1000 | Results per page. Max 10,000 |
Example Requests
# Full snapshot
curl "https://{tenant}-platform.chainara.io/api/v2/feed/snapshot" \
-H "X-API-Key: ek_YOUR_API_KEY"
# Blacklisted wallets and malicious domains on XRPL only
curl "https://{tenant}-platform.chainara.io/api/v2/feed/snapshot?types=wallet,domain&severity_tier=blacklisted&blockchain=xrpl" \
-H "X-API-Key: ek_YOUR_API_KEY"
# Incremental sync: only changes since last fetch
curl "https://{tenant}-platform.chainara.io/api/v2/feed/snapshot?since=2026-03-01T00:00:00Z" \
-H "X-API-Key: ek_YOUR_API_KEY"
Incremental Sync Pattern
Store the generated_at timestamp from each successful response and pass it as since on your next call to receive only new or updated indicators. Follow the pagination cursor until the last page (a single request returns at most limit items, far fewer than the full dataset), and advance the stored checkpoint only after every page has been ingested, so a failure mid-sync is retried rather than skipped:

```python
import requests

BASE_URL = "https://{tenant}-platform.chainara.io/api/v2"
headers = {"X-API-Key": "ek_YOUR_API_KEY"}

last_sync = load_last_sync_timestamp()  # e.g. "2026-03-01T00:00:00Z"
params = {"since": last_sync} if last_sync else {}
generated_at = None
while True:  # follow the pagination cursor; a single request only covers one page
    r = requests.get(f"{BASE_URL}/feed/snapshot", headers=headers, params=params, timeout=30)
    r.raise_for_status()
    data = r.json()
    generated_at = generated_at or data["generated_at"]  # checkpoint from the first page
    for indicator in data["indicators"]:
        ingest_into_siem(indicator)
    if not data.get("cursor"):  # response field name assumed; the envelope above does not show it
        break
    params["cursor"] = data["cursor"]
save_last_sync_timestamp(generated_at)  # only after every page was ingested
```
Webhook (Real-Time Push)
Register an endpoint and we push new indicators to you as they are verified: no polling required.
Register
curl -X POST "https://{tenant}-platform.chainara.io/api/v2/webhooks" \
-H "X-API-Key: ek_YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"url": "https://your-siem.example.com/chainara-feed",
"event_types": ["indicator_added", "indicator_updated", "indicator_removed"],
"indicator_types": ["wallet", "domain", "domain_wallet_pair"],
"description": "SIEM threat feed"
}'
Store the secret from the response: you'll use it to verify signatures.
Payload Format
{
"schema_version": "1.0",
"type": "feed_update",
"generated_at": "2026-03-02T14:35:12.000Z",
"source": "chainara",
"event": "indicator_added",
"total_count": 1,
"indicators": [ ... ]
}
Events
| Event | Meaning |
|---|---|
| indicator_added | New threat verified |
| indicator_updated | Existing indicator updated with new evidence |
| indicator_removed | False positive or domain taken down |
Signature Verification
Every delivery includes an X-Chainara-Signature header carrying an HMAC-SHA256 of the raw request body, keyed with your webhook secret. Verify it against the exact bytes you received (not JSON you re-serialized) and reject the delivery before parsing it:

```python
import hmac, hashlib

def verify_signature(payload_bytes: bytes, signature: str, secret: str) -> bool:
    """True if the header value equals "sha256=<hex HMAC-SHA256 of payload_bytes>"."""
    expected = hmac.new(
        secret.encode(),
        payload_bytes,
        hashlib.sha256
    ).hexdigest()
    # compare_digest runs in constant time, so a forged header can't be refined byte by byte
    return hmac.compare_digest(f"sha256={expected}", signature)
```
Retry Policy
If your endpoint doesn't return 2xx within 10 seconds, we retry up to 5 times:
| Attempt | Delay |
|---|---|
| 1 | 30 seconds |
| 2 | 2 minutes |
| 3 | 10 minutes |
| 4 | 1 hour |
| 5 | Final attempt |
Delivery history is visible in the Platform at Admin → Webhooks → Delivery Log. If your endpoint is offline for an extended period, use GET /feed/snapshot?since=... to catch up on missed events once it's back.
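Retries mean the same payload can arrive more than once, and a receiver that applies indicator_added twice or indicator_removed out of order will drift from the feed. The following is an added example (not Chainara's code) of the receive path end to end: verify the signature over the raw bytes, validate the envelope, suppress re-deliveries, then apply the event to a local store and return the status code. It assumes the header format sha256=<hex> that the verification snippet above implies; the delivery key used for replay suppression, the in-memory FeedState store, the secret value and the sample deliveries are this example's own constructions.

```python
"""Webhook receiver logic for Chainara feed deliveries (schema 1.0).

Added example, not Chainara's code. Assumes X-Chainara-Signature is
"sha256=<hex HMAC-SHA256 of the raw body>"; the delivery key, FeedState store,
secret and sample deliveries are constructed for illustration.
"""
import hashlib
import hmac
import json

SECRET = "whsec_example_secret"  # constructed; use the secret returned when you registered


class FeedState:
    """In-memory stand-in for your blocklist store."""
    def __init__(self):
        self.indicators = {}          # indicator id -> indicator dict
        self.seen_deliveries = set()  # keys of deliveries already applied


def sign(body: bytes, secret: str) -> str:
    return "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def delivery_key(payload: dict) -> str:
    # Retries resend the same payload: key on event + timestamp + indicator ids.
    ids = sorted(i["id"] for i in payload["indicators"])
    return f'{payload["event"]}|{payload["generated_at"]}|{",".join(ids)}'


def handle_delivery(headers: dict, body: bytes, secret: str, state: FeedState) -> int:
    """Return the HTTP status to send. Verify first, validate second, act last."""
    sig = headers.get("X-Chainara-Signature", "")
    # Compare against the raw bytes received; re-serialized JSON would not match.
    if not hmac.compare_digest(sign(body, secret), sig):
        return 401
    try:
        payload = json.loads(body)
    except ValueError:
        return 400
    if payload.get("type") != "feed_update" or not str(payload.get("schema_version", "")).startswith("1."):
        return 400
    event, indicators = payload.get("event"), payload.get("indicators")
    if event not in ("indicator_added", "indicator_updated", "indicator_removed") or not isinstance(indicators, list):
        return 400
    key = delivery_key(payload)
    if key in state.seen_deliveries:
        return 200  # already applied on an earlier attempt; ack so the retries stop
    for ind in indicators:
        if event == "indicator_removed":
            state.indicators.pop(ind["id"], None)
        else:
            state.indicators[ind["id"]] = ind  # added and updated are both an upsert
    state.seen_deliveries.add(key)
    return 200


def run_demo(secret: str = SECRET):
    """Constructed deliveries: add, retried add, tampered add, remove."""
    state = FeedState()
    wallet = {"id": "bl-1-rfFzQaMjeGn6sWkYhw5soUjnDigFN72Mpu", "type": "wallet",
              "severity_tier": "blacklisted", "value": "rfFzQaMjeGn6sWkYhw5soUjnDigFN72Mpu"}

    def deliver(event, indicators, tamper=False):
        body = json.dumps({"schema_version": "1.0", "type": "feed_update",
                           "generated_at": "2026-03-02T14:35:12.000Z", "source": "chainara",
                           "event": event, "total_count": len(indicators),
                           "indicators": indicators}).encode()
        headers = {"X-Chainara-Signature": sign(body, secret)}
        if tamper:  # body altered after signing, as an attacker in the path would do
            body = body.replace(b'"blacklisted"', b'"suspicious"')
        return handle_delivery(headers, body, secret, state)

    results = [
        deliver("indicator_added", [wallet]),               # 200: stored
        deliver("indicator_added", [wallet]),               # 200: retry, not re-applied
        deliver("indicator_added", [wallet], tamper=True),  # 401: signature mismatch
        deliver("indicator_removed", [wallet]),             # 200: dropped
    ]
    return results, state


if __name__ == "__main__":
    statuses, final = run_demo()
    print(statuses, final.indicators)
```

Keep the request handler this cheap: the 10-second deadline above counts enrichment and downstream writes, so anything slower than a store upsert belongs on a queue behind the 2xx response. Persist seen_deliveries with the same durability as the indicators themselves, otherwise a restart between a retry and its ack replays the event.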
SIEM Integration Pattern
Use the feed to keep SIEM watchlists and blocklists current in bulk. For exchange wallet screening at transaction time, query the wallet endpoint directly rather than searching the feed: it's faster and returns the full risk profile for a single address:
curl "https://{tenant}-platform.chainara.io/api/v2/wallets/1/{address}/risk-score" \
-H "X-API-Key: ek_YOUR_API_KEY"
# Block if risk_score >= 75 or is_blacklisted == true
Reference
Risk Levels
| Level | Meaning |
|---|---|
| critical | Immediate threat. Active scam with confirmed victims. |
| high | Strong evidence of malicious activity. |
| medium | Suspicious indicators. Warrants monitoring. |
| low | Minor signals. Low priority. |
Threat Types
| Type | Description |
|---|---|
| xrp_scam | XRP/Ripple-themed scam |
| executive_impersonation | Impersonates a public figure |
| giveaway_scam | Fake airdrop or doubling scheme |
| phishing | Credential theft or account takeover |
| investment_fraud | Fake investment or Ponzi scheme |
| political_scam | Uses political figures as lure |
| scam_recipient | Wallet that received victim funds |
| drain_wallet | Wallet used to drain funds from scam site |
| exfil_pattern | On-chain fund exfiltration pattern detected |
Sources
Indicators can have multiple sources when corroborated by more than one feed.
| Source | Description |
|---|---|
| fraud_report | Chainara verified investigation |
| ripple_flagged | Flagged by Ripple |
| xumm_blacklist | Xaman (XUMM) wallet blacklist |
| chainabuse | ChainAbuse community reports |
| community_report | Chainara community member submission |
| domain_scan | Chainara automated domain scanning |
| exfil_detection | On-chain exfiltration pattern analysis |
| external_intel | External threat intelligence feed |
The Threat Intelligence Feed (/feed/snapshot and webhooks) requires an Enterprise plan API key. Contact your Chainara account manager to get access.
Schema version 1.0: Last updated March 2026