
Scam Detector Docs

Overview

The Scam Detector is an ideal source of threat intel for Web3 wallets and dashboard tools, as well as for security and compliance solutions serving a retail or institutional audience. Use the Scam Detector to build or supplement a block list, or as a transaction analysis tool by querying the Scam Detector at the point of approval or transaction to determine whether the counterparties involved are malicious.

The Scam Detector provides threat intelligence about malicious smart contracts and EOAs engaging in scams and other end user attacks. It relies on a bundle of underlying Forta bots, each monitoring for a specific threat type (ex: Ice Phishing). The Scam Detector and its underlying bots are collectively maintained by the Forta community, including the Forta Foundation, Nethermind, and dozens of individual security researchers and developers.

How it works

Forta bots monitor on-chain activity 24/7/365. Some bots leverage a heuristic-based approach, others leverage machine learning to identify malicious activity. When bots identify an attack or scam on-chain, they create two types of threat intelligence:

  • Labels. A persistent tag placed on an entity (smart contract or EOA) responsible for a scam or attack. Today, the Scam Detector assigns two labels: “scammer-eoa” and “scammer-contract”. Labels also feature the threat type via the alert ID field (ex: ICE PHISHING), a link to the description of the alert ID, and a confidence score from 0 to 1.

  • Alerts. Findings emitted in real-time by a bot about something that happened on-chain. For example, if a flashloan occurred in the last block, a bot monitoring for flashloan transactions would emit an alert on that flashloan when the next block is confirmed. Alerts from the Scam Detector contain metadata about the transaction(s) that triggered the alert, the entities involved and the threat type.

The Scam Detector currently monitors on-chain activity for the following threat types:

New threat types are regularly added to the Scam Detector by the Forta community.

Here’s a glossary defining threat types in more detail.

Using the Scam Detector

The Scam Detector labels and alerts are each available via Forta's GraphQL API. For accessing threat intel from the Scam Detector, we recommend querying labels generated by this bot (the sourceIds parameter needs to be set to ["0x1d646c4045189991fdfd24a66b192a294158b839a6ec121d740474bdacb3ab23"]). The two primary labels are 'scammer-eoa' and 'scammer-contract'. Currently, no API key is required.

Labels

Labels allow a contributor to tag an entity (like an address) with a label. Labels are available via our GraphQL API. This API allows one to search by date range and page over results.

Labels will also contain references to other artifacts, such as Alerts, in the source properties of the response. One can also use the GraphQL API to retrieve the alert which will contain other key information about the moment the Label was produced.

A recent one month sample of the labels can be downloaded here.

Note:

To request entries that are currently accurate (and not later removed), pass state: true as part of the input. Otherwise, the response will contain point-in-time events (which may contain removal (remove:true) events).

At least one of: labels, sourceIds, or entities is required.

Example Request

{
  "input": {
    "labels": ["scammer-eoa", "scammer-contract"],
    "state": true,  // set this to false if you want duplicates and removals
    "sourceIds": ["0x1d646c4045189991fdfd24a66b192a294158b839a6ec121d740474bdacb3ab23"],
    "createdBefore": 1680875204000,
    "createdSince": 1680874204000,
    "after": {
      "pageToken": "12345"  // set this to the pageInfo.endCursor.pageToken of a response to page
    }
  }
}

For a complete list of options, see the LabelsInput specification

Example Response

{
 "data": {
   "labels": {
     "pageInfo": {
       "hasNextPage": true,
       "endCursor": {
         "pageToken": "21193"
       }
     },
     "labels": [
       {
         "createdAt": "2023-03-31T19:08:41.574277485Z",
         "id": "0xcf652c19db1b816c975440202d9bc4b0ee3c3182b6ba44c5b6e8c6247cb1cefd",
         "label": {
           "confidence": 0.5,
           "entity": "0xd9bc52751d9e4462e0bbae5836d344d3f3ad9dc4",
           "entityType": "ADDRESS",
           "label": "scammer-eoa",
           "metadata": null,
           "remove": false
         },
         "source": {
           "alertHash": "0xfa67c24930e927f4a61430fc2229aeba3b40a29bb1e3a135c63b33d666fc17a9",
           "alertId": "IMPERSONATED-TOKEN-DEPLOYMENT",
           "id": "0x6aa2012744a3eb210fc4e4b794d9df59684d36d502fd9efe509a867d0efa5127",
           "bot": {
             "id": "0x6aa2012744a3eb210fc4e4b794d9df59684d36d502fd9efe509a867d0efa5127",
             "image": "...",
             "imageHash": "053edfda50c1cdfef0d822ff5b2f48621e0274f7c44ea7b470da15b6cd294079",
             "manifest": "QmXFdLehNtaq6W9N8RWETopKyhPy7nQEmGadnDYX33XJym"
           }
         }
       }
     ]
   }
 }
}

More details on querying labels can be found in our Forta GraphQL API documentation.
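The request and response shapes above translate directly into a small paging client. The following is an added example (not Forta's own client code) that walks every page of the labels query with pageInfo.endCursor.pageToken and folds the results into a lookup of scammer entities, honouring remove events when state is false. The query text is assumed from the request/response shapes shown on this page, the GraphQL endpoint URL is left out (the `fetch` callable stands in for the HTTP POST), and the sample pages are constructed.

```python
# Added example (not Forta's own client code): page through the Scam Detector labels
# query and fold the results into a lookup of current scammer entities. `fetch` stands
# in for an HTTP POST to Forta's GraphQL endpoint (URL omitted); query text assumed.
SCAM_DETECTOR_BOT = "0x1d646c4045189991fdfd24a66b192a294158b839a6ec121d740474bdacb3ab23"
LABELS_QUERY = """query Labels($input: LabelsInput) { labels(input: $input) {
  pageInfo { hasNextPage endCursor { pageToken } }
  labels { id createdAt label { confidence entity entityType label remove } source { alertId alertHash } } } }"""

def build_variables(page_token=None, state=True, created_since=None, created_before=None):
    inp = {"labels": ["scammer-eoa", "scammer-contract"], "state": state,
           "sourceIds": [SCAM_DETECTOR_BOT]}          # sourceIds pins the Scam Detector bot
    if created_since is not None: inp["createdSince"] = created_since     # epoch milliseconds
    if created_before is not None: inp["createdBefore"] = created_before
    if page_token: inp["after"] = {"pageToken": page_token}              # pageInfo.endCursor.pageToken
    return {"input": inp}

def apply_page(page, intel):
    """Fold one response page into intel {entity: (label, confidence, alertId)}; return next token."""
    block = page["data"]["labels"]
    for item in block["labels"]:
        lab, ent = item["label"], item["label"]["entity"].lower()
        if lab.get("remove"):            # point-in-time removal event (e.g. after FP review)
            intel.pop(ent, None)
        else:
            intel[ent] = (lab["label"], lab["confidence"], item["source"]["alertId"])
    return block["pageInfo"]["endCursor"]["pageToken"] if block["pageInfo"]["hasNextPage"] else None

def collect_scammers(fetch, state=True):
    intel, token = {}, None
    while True:                          # keep requesting until hasNextPage is false
        token = apply_page(fetch(LABELS_QUERY, build_variables(token, state)), intel)
        if token is None:
            return intel

# Constructed sample: two pages of point-in-time events (as returned with state=false),
# the second withdrawing a label that the first page added.
def _page(entries, next_token):  # entries: (entity, label, confidence, remove, alertId)
    rows = [{"id": f"0x{i:064x}", "createdAt": "2023-03-31T19:08:41Z", "source": {"alertId": a},
             "label": {"confidence": c, "entity": e, "entityType": "ADDRESS", "label": l, "remove": r}}
            for i, (e, l, c, r, a) in enumerate(entries)]
    return {"data": {"labels": {"labels": rows, "pageInfo": {
        "hasNextPage": next_token is not None, "endCursor": {"pageToken": next_token or ""}}}}}

SAMPLE_PAGES = {  # keyed by the pageToken a request carries (None for the first request)
    None: _page([("0xd9bc52751d9e4462e0bbae5836d344d3f3ad9dc4", "scammer-eoa", 0.5, False, "IMPERSONATED-TOKEN-DEPLOYMENT"),
                 ("0x000000000000000000000000000000000000beef", "scammer-contract", 0.8, False, "ICE-PHISHING-HIGH-NUM-APPROVALS")], "21193"),
    "21193": _page([("0x000000000000000000000000000000000000BEEF", "scammer-contract", 0.8, True, "FP-ALERT-ID-PLACEHOLDER")], None),
}

def sample_fetch(query, variables):      # offline stand-in for the GraphQL POST
    return SAMPLE_PAGES[variables["input"].get("after", {}).get("pageToken")]
```

Running `collect_scammers(sample_fetch, state=False)` leaves only the first entity, because the removal event on the second page drops the second one; with state=true the API does that filtering for you.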

Alerts

Whereas labels tell you what the Forta Network knows about a particular entity, alerts tell you something happened (i.e. an attack). There are two ways to access alerts: the API (pull) and subscription (push). Use the GraphQL API to query for alerts - more info here. Alternatively, if you want alerts pushed to you in real-time, you can also subscribe to the Scam Detector directly and select your desired communication channel (webhook, email, Discord, Telegram, Slack).

Matching Threat Intelligence

Forta’s threat intelligence indicators consist of scammer contracts and EOAs that can be matched against transaction data (either pre-signing, during transaction simulation, or after block building.)

Independent of the type of transaction data used to match Forta's threat intelligence, specific matching logic needs to be applied to obtain all relevant transactions for each observed threat category, as outlined below:

SCAM-DETECTOR-ICE-PHISHING

Ice phishing involves a user issuing an approval, approvalForAll, increaseApproval or permit transaction. The to address is a benign token contract, but approval is granted to the scammer address specified in the input data of the transaction. As such, the input data or corresponding emitted events for approval, approval for all and permit transactions need to be parsed and the spender value ought to be matched against Forta’s threat intelligence.
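The matching step described above, as an added example that is not part of the Forta docs: it extracts the spender from approval-style calldata (approve, setApprovalForAll, increaseAllowance, increaseApproval, permit) and from Approval/ApprovalForAll event logs, then matches it against a set of scammer entities taken from Scam Detector labels. The selectors and event topics are the standard ERC-20, ERC-721 and ERC-2612 ones; the transaction, logs and intel set are constructed sample data.

```python
# Added example (not part of the Forta docs): pull the spender out of approval-style
# calldata and Approval/ApprovalForAll logs and match it against scammer entities from
# Scam Detector labels. Selectors/topics are the standard ERC-20, ERC-721 and ERC-2612
# ones; the transaction, logs and intel set below are constructed sample data.

# 4-byte selector -> 0-based index of the 32-byte word holding the spender/operator
APPROVAL_SELECTORS = {
    "095ea7b3": 0,  # approve(address spender, uint256 value)
    "a22cb465": 0,  # setApprovalForAll(address operator, bool approved)
    "39509351": 0,  # increaseAllowance(address spender, uint256 addedValue)
    "d73dd623": 0,  # increaseApproval(address spender, uint256 addedValue)
    "d505accf": 1,  # permit(owner, spender, value, deadline, v, r, s) - ERC-2612
}
# event topic0 -> index into topics[] holding the spender/operator (indexed args)
APPROVAL_TOPICS = {
    "8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925": 2,  # Approval(owner, spender, value)
    "17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31": 2,  # ApprovalForAll(owner, operator, approved)
}

def _strip(h): return h[2:] if h.startswith("0x") else h

def _addr(word_hex):          # an ABI-encoded address is right-aligned in a 32-byte word
    return "0x" + word_hex[-40:].lower()

def spender_from_calldata(data):
    h = _strip(data)
    idx = APPROVAL_SELECTORS.get(h[:8].lower())
    if idx is None or len(h) < 8 + 64 * (idx + 1):      # unknown function or truncated input
        return None
    return _addr(h[8 + 64 * idx:8 + 64 * (idx + 1)])

def spender_from_log(topics):
    if not topics: return None
    idx = APPROVAL_TOPICS.get(_strip(topics[0]).lower())
    return _addr(topics[idx]) if idx is not None and len(topics) > idx else None

def match_ice_phishing(tx, logs, intel):
    """Scammer spenders granted allowance by this tx (from input data or emitted events)."""
    found = {spender_from_calldata(tx.get("input", ""))}
    found.update(spender_from_log(log.get("topics", [])) for log in logs)
    return sorted(s for s in found if s in intel)

SCAMMER = "0xd9bc52751d9e4462e0bbae5836d344d3f3ad9dc4"   # entity from the label response above
INTEL = {SCAMMER}                                          # constructed intel set
def _word(addr): return _strip(addr).lower().rjust(64, "0")  # ABI-encode an address
SAMPLE_TX = {"to": "0x<token-contract>", "input": "0x095ea7b3" + _word(SCAMMER) + "f" * 64}  # approve(scammer, max)
SAMPLE_LOGS = [{"topics": ["0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925",
                           "0x" + _word("0x000000000000000000000000000000000000aaaa"), "0x" + _word(SCAMMER)]}]
```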

SCAM-DETECTOR-FRAUDULENT-SEAPORT-ORDER

Fraudulent seaport orders are challenging to match against Forta’s threat intelligence as the order is merely signed by a user, collected through web2 infrastructure (such as a web site) and then submitted by the scammer on the user’s behalf. The order itself does not include the scammer address.

However, the order gets executed by the scammer, so matching the from field will match those transactions. Once executed, the seaport protocol will transfer the digital assets to the scammer (which could be a different address from the invoking EOA) and matching emitted events for transfers would yield all relevant transactions.

SCAM-DETECTOR-ADDRESS-POISONING

Address poisoning results in a user’s address history being poisoned using token transfers or native asset dust. Matching should happen at two levels:

  1. Match on any parsed transfer input data fields or corresponding event emissions for tokens. Note, either the to or the from could match the scammer.
  2. Match on the from address for native asset transfers.

SCAM-DETECTOR-ADDRESS-POISONER

Address poisoners are the initiator of the address poisoning activity. A simple matching of the from and to field (if a contract) would yield the relevant transactions.

SCAM-DETECTOR-NATIVE-ICE-PHISHING/ SCAM-DETECTOR-SOCIAL-ENG-NATIVE-ICE-PHISHING

Native ice phishing consists of straight transfers of native assets to the scammer. Matching the to address of the transaction against Forta threat intelligence yields the transactions for this type of scam.

SCAM-DETECTOR-WASH-TRADE

Wash trading artificially inflates the value and trading volume of digital assets the user may hold. In order to identify transactions associated with these wash traded digital assets, the scammer addresses need to be matched against the to/from/input data fields and emitted events.

In addition, the wash traded digital asset itself is tainted and can be tracked by the transfer function. Note, given that the contract could emit events with incorrect information if it was created by the scammer, emitted events are not a reliable data source.

SCAM-DETECTOR-SLEEP-MINTING

Sleep minting is similar to wash trading in that the provenance of an NFT is no longer guaranteed. Track the sleep minted token by the transfer function. Note, given that the contract could emit events with incorrect information, which is prevalent in sleep minting attacks, emitted events are not a reliable data source.

What chains are supported?

  • Ethereum
  • BNB Chain
  • Polygon
  • Avalanche
  • Arbitrum
  • Optimism
  • Fantom

The Forta community evaluates new chains on an ongoing basis.

False Positives

While the Scam Detector maintains high precision, it’s possible that it identifies a false positive. To address this risk, the Forta community manually verifies certain Scam Detector alerts within one business day. If a false positive is identified during the manual verification process, an FP alert will be emitted by the Scam Detector and the label will be removed. If you’re accessing the Labels API via the state endpoint, all labels are up to date and take into account the latest FP information.

Confidence Scores

The confidence score associated with a label is hard coded and based on the precision analysis performed by the Forta community. The score is updated on a monthly basis, and reflects the accuracy of the Scam Detector for a particular alert ID/threat type before manual verification.

Bots included in the Scam Feed

Here’s a list of the underlying bots supporting the Scam Detector:

| Name | BotID | AlertId | Stage |
| --- | --- | --- | --- |
| Address Poisoning | 0x98b87a29ecb6c8c0f8e6ea83598817ec91e01c15d379f03c7ff781fd1141e502 | ADDRESS-POISONING-ZERO-VALUE | Exploitation |
| Fraudulent Seaport | 0xd9584a587a469f3cdd8a03ffccb14114bc78485657e28739b8036aee7782df5c | NIP-1 | Exploitation |
| Ice phishing | 0x8badbf2ad65abc3df5b1d9cc388e419d9255ef999fb69aac6bf395646cf01c14 | ICE-PHISHING-HIGH-NUM-APPROVALS | Preparation |
| Social engineering | 0x1a69f5ec8ef436e4093f9ec4ce1a55252b7a9a2d2c386e3f950b79d164bc99e0 | NIP-1, NIP-2, NIP-3, NIP-4 | Exploitation |
| tornado cash withdrawal | 0xa91a31df513afff32b9d85a2c2b7e786fdd681b3cdd8d93d6074943ba31ae400 | FUNDING-TORNADO-CASH | Funding |
| tornado cash funding | 0x617c356a4ad4b755035ef8024a87d36d895ee3cb0864e7ce9b3cf694dd80c82a | TORNADO-CASH-FUNDED-ACCOUNT-INTERACTION | Funding |
| money laundering | 0x4adff9a0ed29396d51ef3b16297070347aab25575f04a4e2bd62ec43ca4508d2 | POSSIBLE-MONEY-LAUNDERING-TORNADO-CASH | MoneyLaundering |
| txt messaging bot | 0x11b3d9ffb13a72b776e1aed26616714d879c481d7a463020506d1fb5f33ec1d4 | forta-text-messages-possible-hack | Exploitation |
| unverified contract creation | 0x4c7e56a9a753e29ca92bd57dd593bdab0c03e762bdd04e2bc578cb82b842c1f3 | UNVERIFIED-CODE-CONTRACT-CREATION | Preparation |
| flashbot attack bot | 0xbc06a40c341aa1acc139c900fd1b7e3999d71b80c13a9dd50a369d8f923757f5 | FLASHBOT-TRANSACTION | Exploitation |
| Malicious Address Bot | 0xd935a697faab13282b3778b2cb8dd0aa4a0dde07877f9425f3bf25ac7b90b895 | AE-MALICIOUS-ADDR | Exploitation |
| Sleep Minting | 0x46ce98e921e2766a922840a56e89f24409001052c284e0bd6cbaa4fecd95e9b6 | SLEEPMINT-2, SLEEPMINT-1 | Preparation |
| Aztec funded contract interaction | 0x127e62dffbe1a9fa47448c29c3ef4e34f515745cb5df4d9324c2a0adae59eeef | AK-AZTEC-PROTOCOL-FUNDED-ACCOUNT-INTERACTION-0 | Exploitation |
| CEX Funding bot | 0xf496e3f522ec18ed9be97b815d94ef6a92215fc8e9a1a16338aee9603a5035fb | CEX-FUNDING-1 | Funding |
| Aztec Funding bot | 0x9fbf4db19f23627633d86bb1936dabad0b27ebe09b7a38028a126392156f7f32 | AK-AZTEC-PROTOCOL-FUNDING | Funding |
| Malicious Account Funding Bot | 0x2df302b07030b5ff8a17c91f36b08f9e2b1e54853094e2513f7cda734cf68a46 | MALICIOUS-ACCOUNT-FUNDING | Funding |
| Umbra bot | 0xdba64bc69511d102162914ef52441275e651f817e297276966be16aeffe013b0 | UMBRA-RECEIVE | Funding |
| ChangeNow Funding | 0x9324d7865e1bcb933c19825be8482e995af75c9aeab7547631db4d2cd3522e0e | FUNDING-CHANGENOW-NEW-ACCOUNT | Funding |
| Malicious Token ML | 0x887678a85e645ad060b2f096812f7c71e3d20ed6ecf5f3acde6e71baa4cf86ad | SUSPICIOUS-TOKEN-CONTRACT-CREATION | Preparation |
| NFT Washtrading | 0x067e4c4f771f288c686efa574b685b98a92918f038a478b82c9ac5b5b6472732 | NFT-WASH-TRADE | Preparation |