
Blockchain Threat Intelligence Workflow

This guide covers the two primary workflows for blockchain threat intelligence teams:

  1. Submission - Send a suspicious domain to Chainara's Intel scanner for investigation
  2. Extraction - Receive verified domain + wallet pairs as real-time webhooks into Tines

Both flows use your Enterprise API key. See API & Integration for setup instructions.


Submission: scanning a suspicious domain

When your team identifies a suspicious domain (typosquat, brand impersonation, phishing site), send it to the Intel scanner with a single API call:

curl -X POST "https://{tenant}-platform.chainara.io/api/v2/domains/monitor" \
  -H "X-API-Key: ek_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "domain": "example-phish.com",
    "threat_type": "impersonation",
    "confidence": 0.85,
    "reason": "Impersonating brand login page, collecting wallet addresses"
  }'

The scanner receives the domain immediately and dispatches a forensic investigation: screenshots, IOC extraction, risk scoring, and a full intelligence report. No further action needed from you.

Why /domains/monitor and not /domains/report?

/domains/monitor fires the scanner without writing to the threat database, making it ideal for processing tip lists or domains you haven't fully validated yet. Use /domains/report instead if you want the domain recorded in Chainara's threat database as well (for feed subscribers and risk scoring).

Safe to resubmit. If you send the same domain twice, it queues another scan. Nothing breaks.

Submitting a list of domains? Loop through and call /domains/monitor for each. No batch version of this endpoint exists, but the calls are fast and can be parallelised.

import requests

BASE_URL = "https://{tenant}-platform.chainara.io/api/v2"
HEADERS = {"X-API-Key": "ek_YOUR_API_KEY", "Content-Type": "application/json"}

domains = [
    "example-airdrop-bonus.com",
    "xrp-claim-official.net",
    "fake-support-login.xyz",
]

# One call per domain; /domains/monitor has no batch form, and resubmitting
# a domain is safe (it just queues another scan).
for domain in domains:
    r = requests.post(f"{BASE_URL}/domains/monitor", headers=HEADERS, json={"domain": domain})
    r.raise_for_status()  # surface auth or validation errors instead of silently skipping
    print(domain, r.json().get("status"))

For full parameter reference and a live test console, see the API Explorer: Domains: Monitor Domain.


Extraction: receiving domain + wallet pairs in Tines

Chainara pushes verified threat indicators to your Tines webhook in real time as analysts confirm new threats. The domain_wallet_pair indicator type is the highest-value signal, linking a confirmed scam domain directly to the wallet draining victim funds.

Step 1: Register your Tines webhook

curl -X POST "https://{tenant}-platform.chainara.io/api/v2/webhooks" \
  -H "X-API-Key: ek_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://your-team.tines.com/webhook/your-webhook-id",
    "format": "tines",
    "event_types": ["indicator_added", "indicator_updated"],
    "indicator_types": ["domain_wallet_pair", "domain", "wallet"],
    "description": "Brand protection feed"
  }'

Set "format": "tines" to get a flat payload optimised for Tines stories with no envelope metadata to unwrap.

You only need to do this once. Store the id from the response if you need to update or delete the subscription later.

Step 2: What lands in Tines

Each delivery looks like this:

{
  "source": "chainara",
  "event": "indicator_added",
  "entity_type": "domain_wallet_pair",
  "indicator_type": "domain_wallet_pair",
  "identifier": "xrp-giveaway-bonus.com",
  "blockchain": "xrpl",
  "risk_score": 100,
  "risk_level": "critical",
  "threat_type": "scam",
  "tags": ["drain_target", "fraud_verified"],
  "delivered_at": "2026-03-24T14:35:12.000Z",
  "details": null
}

From this payload your Tines story has everything it needs to:

  • File a brand abuse takedown request
  • Block the wallet on your internal systems
  • Alert your team in Slack or email
  • Log the IOC to your SIEM

Step 3: Test the delivery

Send a test payload to your Tines webhook immediately after registration:

curl -X POST "https://{tenant}-platform.chainara.io/api/v2/webhooks/{id}/test" \
  -H "X-API-Key: ek_YOUR_API_KEY"

Note: Test deliveries use synthetic data, so risk_score, blockchain, and tags will be null. This is expected. Real deliveries are fully populated.
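As an added example (not Chainara's or Tines' own code), a small Python router that validates one delivery in the flat Tines format shown in Step 2, short-circuits synthetic test deliveries (null risk_score, blockchain and tags) so they never trigger a takedown or a wallet block, and maps real deliveries to the four actions listed above. The sample deliveries are constructed, and it assumes the paired wallet arrives inside details under a hypothetical wallet key, since the sample payload on this page shows details as null.

```python
import json

# Constructed sample deliveries in the flat "tines" format shown above.
# REAL_DELIVERY mirrors a live indicator_added event; TEST_DELIVERY mimics a
# POST /webhooks/{id}/test payload (risk_score, blockchain and tags are null).
# Assumption: the paired wallet arrives in "details" under a hypothetical
# "wallet" key; the sample on this page shows details as null.
REAL_DELIVERY = {
    "source": "chainara", "event": "indicator_added",
    "entity_type": "domain_wallet_pair", "indicator_type": "domain_wallet_pair",
    "identifier": "xrp-giveaway-bonus.com", "blockchain": "xrpl",
    "risk_score": 100, "risk_level": "critical", "threat_type": "scam",
    "tags": ["drain_target", "fraud_verified"],
    "delivered_at": "2026-03-24T14:35:12.000Z",
    "details": {"wallet": "rCONSTRUCTEDWALLETADDRESS000000000"},
}
TEST_DELIVERY = {**REAL_DELIVERY, "risk_score": None, "blockchain": None,
                 "tags": None, "details": None}
REQUIRED = ("source", "event", "indicator_type", "identifier", "delivered_at")
EVENTS = ("indicator_added", "indicator_updated")

def is_test_delivery(p):
    """Synthetic test deliveries carry null risk_score, blockchain and tags."""
    return all(p.get(k) is None for k in ("risk_score", "blockchain", "tags"))

def siem_record(p):
    """Flatten a delivery into one JSON line for the SIEM."""
    return json.dumps({"ts": p["delivered_at"], "src": "chainara",
                       "ioc": p["identifier"], "ioc_type": p["indicator_type"],
                       "chain": p["blockchain"], "score": p["risk_score"],
                       "level": p["risk_level"], "tags": p["tags"]}, sort_keys=True)

def route_delivery(p):
    """Return (action, argument) pairs a Tines story should run for one delivery."""
    missing = [k for k in REQUIRED if k not in p]
    if p.get("source") != "chainara" or p.get("event") not in EVENTS or missing:
        raise ValueError(f"rejected delivery: bad source/event or missing {missing}")
    if is_test_delivery(p):  # never open a takedown or block on synthetic data
        return [("log", "test delivery, no action")]
    kind, actions = p["indicator_type"], []
    if kind in ("domain", "domain_wallet_pair"):
        actions.append(("takedown", p["identifier"]))
    wallet = p["identifier"] if kind == "wallet" else (p.get("details") or {}).get("wallet")
    if wallet:
        actions.append(("block_wallet", wallet))
    if p.get("risk_level") == "critical":
        actions.append(("alert", f"{kind} {p['identifier']} {p['threat_type']} score={p['risk_score']}"))
    actions.append(("siem", siem_record(p)))
    return actions
```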


The full loop

Submission and extraction are independent. You don't need to wait for a domain you submitted to come back through the feed. The feed delivers all verified threats regardless of source.


Reference

What you want to do                      | Endpoint
-----------------------------------------|-------------------------------
Submit a domain for scanning             | POST /domains/monitor
Submit a domain + record it in the DB    | POST /domains/report
Check if a domain is already known       | GET /domains/lookup
Register your Tines webhook              | POST /webhooks
View webhook delivery history            | GET /webhooks/{id}/deliveries
Pull a full snapshot of current threats  | GET /feed/snapshot

Further reading