Scanning Methodology

A detailed look at how Crypto404 analyzes blockchain addresses to assess security risks across five distinct scanning steps.

Overview

When you submit an address for scanning, Crypto404 runs it through a multi-layered analysis pipeline. Each step checks the address against a different data source or analysis method. The results are combined into a single risk assessment that reflects the aggregate findings.

Scans are performed in real-time via server-sent events (SSE), allowing you to see progress as each step completes. The entire process typically takes 2-5 seconds, depending on third-party API response times.

Step 1: Local Threat Database

The first step checks the submitted address against our internal database of flagged addresses. This database contains addresses that have been previously identified as malicious through our own research, confirmed reports, and verified threat intelligence.

What it checks

Exact address matches against the FlaggedAddress table in our database, which stores addresses along with their flag type (scam, phishing, hack, sanctioned, etc.) and severity level.

Data source

Curated internal database, populated through manual review, confirmed community reports, and automated imports from verified threat feeds.

Update frequency

Continuously updated as new threats are confirmed. Changes are reflected immediately in subsequent scans.

Step 2: Community Reports

The second step checks for user-submitted reports about the address. Community members can report suspicious addresses through our report page, and these reports are checked during every scan.

What it checks

The AddressReport table for any reports matching the scanned address and blockchain. Multiple reports against the same address increase the risk score.

Review process

Reports are manually reviewed before being promoted to the flagged address database. Unreviewed reports still contribute to risk assessment but carry less weight than confirmed flags.

Considerations

Community reports may contain inaccuracies or false accusations. We weight unverified reports lower than confirmed flags and look for corroborating evidence across multiple sources before escalating.

Step 3: OFAC SDN List

The third step checks the address against the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) list. This list includes cryptocurrency addresses associated with sanctioned individuals, entities, and countries.

What it checks

The complete OFAC SDN list for any cryptocurrency address entries matching the scanned address. This includes addresses associated with sanctioned persons, terrorist organizations, and narcotics traffickers.

Data source

Fetched from a public GitHub mirror of the official OFAC SDN list. The list is downloaded and parsed locally; the scanned address is never sent to any government endpoint.

Cache duration

The SDN list is cached for 24 hours after each fetch. This means newly sanctioned addresses may not appear in results for up to a day after being added to the official list.

Impact

An OFAC match automatically elevates the risk level to CRITICAL, as interacting with sanctioned addresses may violate U.S. law and the laws of other jurisdictions.

Step 4: ChainAbuse Reports

The fourth step queries the ChainAbuse API for crowdsourced scam and abuse reports. ChainAbuse is a third-party platform where users can report cryptocurrency addresses involved in scams, ransomware, phishing, and other malicious activity.

What it checks

The ChainAbuse API for any reports associated with the scanned address. Returns report count, categories, and severity information when available.

Availability

This step is optional and requires a CHAINABUSE_API_KEY environment variable to be configured. If no API key is set, this step is skipped gracefully and does not affect the overall scan.

Data quality

ChainAbuse reports are crowdsourced and not independently verified by Crypto404. The number and recency of reports are factored into the risk score, but a single unverified report alone will not result in a high-risk rating.

Step 5: Pattern Analysis

The final step performs heuristic analysis on the address itself, looking for patterns commonly associated with suspicious or dangerous addresses.

Burn address detection

Identifies known burn addresses (e.g., 0x0000...0000) that tokens are intentionally sent to and can never be recovered from.

Low entropy analysis

Checks for addresses with unusually low entropy (repetitive patterns), which may indicate vanity addresses or addresses generated through brute-force for phishing purposes (e.g., address poisoning attacks).

Known mixer detection

Compares against a list of known cryptocurrency mixer and tumbler contract addresses. While mixing is not inherently illegal, interaction with certain mixer contracts may carry regulatory risk.

Format validation

Verifies that the address format is valid for the selected blockchain, including checksum validation where applicable.
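As an added illustration (not Crypto404's own code), the heuristics above applied to an EVM-style address in Python: burn-address lookup, a nibble-entropy and longest-run check for repetitive patterns, and structural format validation. The burn list and the thresholds are assumptions for the example; the EIP-55 checksum step is omitted because keccak-256 is not in the Python standard library.

```python
import math
import re

# Constructed list of well-known EVM burn addresses (an assumption for this example).
BURN_ADDRESSES = {
    "0x0000000000000000000000000000000000000000",
    "0x000000000000000000000000000000000000dead",
}
EVM_ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def is_valid_evm_format(address: str) -> bool:
    """Structural check only: 0x prefix plus 40 hex digits (no EIP-55 checksum)."""
    return bool(EVM_ADDRESS_RE.match(address))


def nibble_entropy(address: str) -> float:
    """Shannon entropy in bits per hex digit over the 40-digit body.
    A uniformly random address scores close to the maximum log2(16) = 4.0."""
    body = address[2:].lower()
    n = len(body)
    counts = {c: body.count(c) for c in set(body)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def longest_run(address: str) -> int:
    """Length of the longest run of one repeated hex digit in the body."""
    body = address[2:].lower()
    best = run = 1
    for prev, cur in zip(body, body[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def pattern_findings(address: str, entropy_floor: float = 3.0, run_limit: int = 8) -> list[str]:
    """Heuristic findings for one address; entropy_floor and run_limit are assumed thresholds."""
    if not is_valid_evm_format(address):
        return ["invalid_format"]
    findings = []
    if address.lower() in BURN_ADDRESSES:
        findings.append("burn_address")
    # Repetitive vanity-style bodies score low on entropy or contain a long run of one digit.
    if nibble_entropy(address) < entropy_floor or longest_run(address) >= run_limit:
        findings.append("low_entropy")
    return findings
```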

Risk Scoring Methodology

After all five steps complete, Crypto404 calculates a composite risk score (0-100) and assigns a risk level. The score is determined by weighting findings from each step:

SAFE

Score: 0

No flags, reports, or suspicious patterns detected across any data source.

LOW

Score: 1-25

Minor indicators detected, such as a single unverified community report or minor pattern anomalies. Likely safe but warrants awareness.

MEDIUM

Score: 26-50

Multiple indicators or a confirmed report from a single source. Exercise caution and verify the address through additional means before transacting.

HIGH

Score: 51-75

Strong indicators from multiple sources, confirmed flags, or known association with suspicious activity. Strongly advise against interacting with this address.

CRITICAL

Score: 76-100

Address appears on sanctions lists (OFAC), has confirmed involvement in major scams or hacks, or has overwhelming evidence of malicious activity. Do not interact.
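An added example (not Crypto404's own scoring code) of how findings from the five steps can be combined into a 0-100 score and mapped onto the bands above, with an OFAC match forced into the CRITICAL band. The score bands come from this page; the per-finding weights are assumptions chosen for illustration, since the service does not publish them.

```python
# Upper bound (inclusive) of each band, as listed on this page.
RISK_BANDS = [
    (0, "SAFE"),
    (25, "LOW"),
    (50, "MEDIUM"),
    (75, "HIGH"),
    (100, "CRITICAL"),
]

# Assumed weight per occurrence of each finding; not the service's real values.
WEIGHTS = {
    "local_flag": 55,         # confirmed entry in the internal flagged-address database
    "community_report": 10,   # each unreviewed community report
    "chainabuse_report": 8,   # each ChainAbuse report
    "known_mixer": 30,
    "burn_address": 15,
    "low_entropy": 5,
}
CRITICAL_FLOOR = 76  # lowest score inside the CRITICAL band


def risk_level(score: int) -> str:
    """Map a 0-100 score onto the band names used on this page."""
    for upper, level in RISK_BANDS:
        if score <= upper:
            return level
    raise ValueError(f"score out of range: {score}")


def composite_score(findings: dict) -> int:
    """findings maps finding name -> count, plus an optional 'ofac_match' boolean.
    Weighted counts are summed and capped at 100; an OFAC match then raises the
    score to at least CRITICAL_FLOOR so the level is always CRITICAL."""
    score = 0
    for name, count in findings.items():
        if name == "ofac_match":
            continue
        score += WEIGHTS.get(name, 0) * count
    score = min(score, 100)
    if findings.get("ofac_match"):
        score = max(score, CRITICAL_FLOOR)
    return score


def assess(findings: dict) -> tuple[int, str]:
    """Return (score, level) for one scanned address."""
    score = composite_score(findings)
    return score, risk_level(score)
```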

Data Freshness

Different data sources have different update intervals:

Data Source              Update Frequency        Cache Duration
Local Threat Database    Continuous              None (real-time)
Community Reports        Continuous              None (real-time)
OFAC SDN List            As published by OFAC    24 hours
ChainAbuse               Continuous (API)        Per-request (no cache)
Pattern Analysis         N/A (algorithmic)       N/A

Limitations and Caveats

While Crypto404 provides valuable security insights, it is important to understand the limitations of automated address scanning:

  • False negatives: An address rated "SAFE" may still be malicious. New scam addresses that have not yet been reported or flagged will not appear in our databases.
  • False positives: Community reports may occasionally flag legitimate addresses. Pattern analysis heuristics may flag unusual but benign addresses.
  • No on-chain analysis: Crypto404 does not currently perform on-chain transaction analysis. We check addresses against known databases and patterns but do not trace fund flows or analyze transaction history.
  • Third-party dependencies: Some scan steps depend on external services (ChainAbuse API, OFAC list mirror). If these services are unavailable, the affected steps will be skipped, and the scan may be less comprehensive.
  • Point-in-time assessment: Scan results reflect the state of our data at the moment of the scan. An address's risk profile can change over time as new information becomes available.
  • Not a substitute for due diligence: Always use multiple sources of information and exercise your own judgment. Crypto404 is one tool in your security toolkit, not the only one.
