Detection & Threat Coverage

Google Ads Detection Source

We added a new source for detecting malicious Google Ads, including location and language targeting. This improves coverage for threats tailored to specific geographies.

App Store Scanning & Detection

This month we expanded support for detecting malicious apps on both Apple and Google Play stores in an automated fashion. We now scan app stores daily looking for fake wallet apps and copycat apps.

DexScreener Detection Source

We introduced initial support for detecting copycat tokens via DexScreener search, helping surface early scams in decentralized exchanges.

YouTube Rules Expansion

Improved rule system to auto-approve obvious scams and reduce false positives from legitimate promotions on YouTube. We are now leveraging more metadata from YouTube's API to detect common patterns of behavior used by bots and scammers.

Link Extraction Improvements

Our detection system now extracts links from static and dynamic HTML in a robust way. This improvement will help with threat discovery to make sure that we not only takedown the initial pages that impersonating your brand, but also the malicious links and iframes embedded inside those pages.

Triage System & Organization Configuration

Asset Triage System Rewritten in Rust

We rebuilt our asset triage engine in Rust, resulting in a 100x speed increase for processing incoming threats. This system acts as the first line of defense — processing thousands of URLs, domains, and profiles every few minutes to route them to the right organization. This massive speedup improves our real-time threat triage and ensures faster protection for customers.

Trademark Registration Configuration

Organizations can now upload trademark registration data, helping support providers that require trademark verification during takedown submission.

API Improvements

Asset Parse API

Introduced a new /asset/parse API that exposes our parsing logic to integrators. Use this endpoint to determine what asset type an arbitrary URL has. Read the docs here: https://chainpatrol.com/docs/external-api/asset-parse.

Report Wallet Addresses Across Chains

We now support reporting wallet addresses using the CAIP-2 standard format, allowing for precise attribution across multiple blockchains. This enhancement improves confidence for clients like Coinbase who track malicious contracts and wallets across chains.

Example input:

• eip155:1:0xabc123... (for Ethereum mainnet)

• solana:4k3Dyjzvzp8e... (for Solana)

• etc.

This month, we’ve been busy shipping several improvements to our platform to monitor, review, and take down emerging threats types in the Web3 space.

E2E Mozilla Add-ons Protection

Detection

We’ve integrated targeted monitoring for the Mozilla Add-ons store (AMO) to identify fake crypto wallet extensions containing malicious code. This detection source automatically ingests new submissions from AMO, enabling us to flag threats before they spread widely.

Rules/Reviewing

New detection rules now focus on high-risk extensions impersonating wallet brands like MetaMask, Sui, Rabby, and Coinbase. Automated analysis looks for phishing behavior and other red flags. Potentially malicious add-ons are then queued for rapid human review, ensuring that high-confidence threats move quickly to takedown.

Takedowns

Confirmed threats are sent through our automated takedown system, removing them directly from the Mozilla Add-ons store. This streamlined pipeline reduces the time from detection to removal, protecting end-users from credential theft and asset loss.

Collaborating With Mozilla

We’re actively collaborating with Mozilla’s security and add-ons teams to combat this emerging threat category, in direct alignment with their recent public warning: Crypto wallet scams: thwarting a new threat. ChainPatrol continues to be committed to covering new threat environments and collaborating with platforms to better combat waves of new threats.

Expanded Social Platform Coverage

We're excited to share that we’ve added automated detection for profiles on:

• Bluesky

• Farcaster

• Primal

• DeSo

• Snapchat

These platforms are actively being abused to target our customers recently. In response, we rapidly prototyped, tested, and delivered these new detection sources in under a week. At ChainPatrol, we are constantly iterating on our engineering and threat intelligence in alignment with our customers' needs.

Intercom Integration (Beta)

Many Web3 brands we work with rely on Intercom for customer support and ticketing. Increasingly, customer support teams are handling incoming reports from users who have been scammed or are at risk.

To reduce delays in gathering this valuable threat intel, our new Intercom Integration allows customer threat submissions to flow directly from Intercom conversations into ChainPatrol, ensuring faster triage and takedown.

If your team uses Intercom, please reach out to us to get access to the Beta.

Miscellaneous Improvements

• Detection Page Chart Improvements – Better x-axis labels and updated colors for easier interpretation.

• Detection Chart by Time – Filter detections using an interactive bar chart; click and drag to select time ranges.

• Detection Chart by Asset Type – View detection breakdowns by asset type over time to spot trends.

• Proposal Rule Result UI Refactor – New layout for rule contributions and score explanations for clearer reviews.

• Web3 Rule Group – New rule group for detecting Web3 presence in URLs, enabling confident automation.

• Open PageRank & Tranco Legitimacy Check – Added Open PageRank check and updated Tranco logic to reduce false positives.

• Search Page UX Refactor – Tabbed search UI by category for cleaner navigation.

• Polkadot Phishing Data Server – Now displays blocklist info from the Polkadot ecosystem.

Detection Upgrades & Transparency

This month, we focused on improving the flexibility, visibility, and interpretability of ChainPatrol’s detection pipeline.

Detection Chart by Asset Type

The Detection page now features a time-based chart that shows detection results split by asset type. This helps teams monitor system health, identify emerging threat patterns, and better prioritize triage.

Multiple Detection Configurations per Source

It’s now possible to maintain multiple configurations for a single detection source. For example, we can create separate configs for URLScan to search for “similar screenshots to scam site”, “request to a known C2 server”, and “favicon similar to official site” all under the same organization so that we can roll-out new detection configs without affecting existing ones. This enables safer experimentation with queries and more precise tuning of detection logic.

Passed Rule Checks on Search Page

The Search page now includes a breakdown of which detection rules an asset passed during analysis. This improves transparency and helps explain why a threat may not have been flagged.

Organizational Settings Improvements

We also shipped new tooling to help teams better manage and audit their protection setup at the organization level.

Organization Terms Revamp

Keyword-based brand protection terms have been reworked to better match scam patterns and reduce missed detections—particularly for impersonation threats. You can now specify for each term whether you want to use an “exact” match or a “loose/fuzzy” match. This change will lead to more accurate results and avoid false positives on the Detection page.

Detection & Configuration

In May, we introduced better configurability and transparency across the detection pipeline, including new data sources and configuration UI.

Preview Assets in Manual Detection Runs

When you you make a change to a source, it’s helpful to get a preview of what types of results the detection source will return. Now, you can click the “Run detection” button in the configuration modal on the Detections page to preview results. This enables faster iteration and validation when tuning queries.

Dynamic Field Detection Config UI

Source configurations now support dynamic fields, improving setup flexibility and accuracy. For detection sources like Twitter Post Search, Google Search, and Reddit Subreddit Search, this change allows us to expose more options to you to configure detection sources to reduce noise.

Global Detection Configs

Detection sources can now be shared across multiple orgs through a global configuration system. This means that we can run searches across broad search queries like “crypto wallet”, “airdrop”, and more. We can leverage our brand triage system to direct the right detection results to the right organization.

Reddit Detection Source

Reddit Subreddit Search is a new detection source that automatically searches for subreddits that might impersonate your brand and contain scam URLs and malicious behavior. This new source is currently enabled in Evaluate mode for select orgs, and we’ll be rolling it out more widely across organization is the coming weeks.

Captcha Detection and Labeling

Our scanning system now detects captchas and Cloudflare interstitial pages and applies a captcha label. Our reviewers can filter these scans more easily using the new label filter in the interface to identify threats that require manual intervention to access the target content.

Proposal Review & Rule Engine

This month, we shipped a few new rules and review features to improve scoring reliability and reduce false positives.

New Web3 & Wallet Connect Rules

We shipped a new rule to detect Web3 JavaScript snippets on webpages and wallet connection prompts—two common components on most Web3 sites. By detection these, we can filter out the vast number of sites that don’t have anything to do with Web3, reducing the risk of false positives and focusing our resources on sites that are more likely to be targeting Web3 brands.

Rule Grouping for Auto Reporting & Review UI

Similar rules are now grouped together to avoid over-weighting some rules that have a low precision. By grouping rules by type, we can more safely roll out new rules and make it clearer for our reviewing system and staff to interpret the results of the rules we execute as part of our threat analysis.

Search Page Enhancements

Asset Scan History

The Search page now shows a full scan history for each asset for logged in users, including failed scans and error reasons. This adds transparency to scan results and helps staff validate detections over time.

Note: this feature is only available to logged in users.

Asset Scan Liveness Status

We now display the liveness status of historical scans on the Search page alongside the labels and status of individual scan enrichments. Use this to feature to identify interesting points where our systems detected a change in asset behaviour.

Note: this feature is only available to logged in users.

Takedown System Improvements

Hosting and Registrar Information

Hosting and registrar information is now available directly within the takedown drawer. We auto-detect the correct hosting provider for each asset to make sure that takedown submissions are directed to the right abuse reporting contacts.

Email Inbox for Takedown Replies

We now show an email inbox of replies from hosting providers in a new Inbox tab within the takedown drawer. When hosting providers require supporting evidence, our staff check these inboxes to make sure that we respond as quickly as possible.

Asset Triage & Labelling

Triage

Assets submitted without a known organization are now automatically routed to the correct organization via a new asset triage service. This ensures fewer misattributed detections and helps us handle reports from the community at much greater scale.

Labeling

Assets are now auto-labeled by category (e.g. phishing, impersonation) during the scanning process, enabling faster filtering and clearer insight into threat types.

Discord Bot Link Monitoring

ChainPatrol’s Discord bot can now monitor designated channels for malicious links. This enables automated protection for Web3 communities using Discord.

To enable this feature, head to the Integrations page in your organization’s settings and toggle “Link Monitoring”.

This month, we’ve introduced several improvements to better protect your brand by enhancing monitoring, reviewing, and takedowns of malicious threats.

Automated Takedowns for Google Sites/Forms, Cloudflare, and IPFS

Our automated takedown system now extends to Google Sites, Google Forms, Cloudflare-hosted pages, and IPFS. Once an asset is blocked, ChainPatrol files a takedown request without any manual steps to the correct domain or hosting provider. This streamlined approach helps remove harmful content faster and minimizes time to remediation.

We’re focused on a goal of reaching 90% automation of takedown operations with <0.1% false positive rate by the end of 2025. We started the year at ~18% automation, and with these and other changes we’ve shipped, we’re now at ~46%. Heading into Q2, you can expect us to continue on this goal with improvements to our liveness checking and detecting cases where human intervention is needed to resolve takedowns faster.

Enhanced Reporting with AI & Confidence Scoring

We’ve introduced a broader range of detection rules to improve accuracy and reduce the need for manual reviews. Offline (“dead”) assets are now placed on a watchlist, so if they come back online, the system automatically reassesses them. We’ve also optimized data handling and infrastructure to speed up threat evaluations and ensure more efficient protection.

New Reviewing Rules

We’ve expanded our automated analysis to catch a wider range of threats, including phishing attempts like seed phrase requests, obfuscated code, and suspicious Twitter accounts. These automated rules lighten the workload for our threat analysts and human reviewers, letting them focus on more complex or high-priority cases.

Refined Threats Page Experience

We refreshed the Threats Page to fix some of the UI/UX paper cuts. We added a skeleton loader and improved error handling with clear instructions and retry options. Page and filter changes also update instantly, giving you a smoother, more responsive way to track and address active threats.

In April, we’ll be hunting down more UI/UX issues and performance bugs to make our dashboards faster to load and easier to use.

Here’s a roundup of the most relevant product updates the ChainPatrol team rolled out in February. We've been busy making takedowns faster, reducing manual work, and giving you more control over your assets.

Vercel Integration

ChainPatrol now integrates with Vercel, a leading platform for hosting and deploying web applications. This integration helps us track legitimate Vercel deployments, ensuring that our takedown efforts focus only on malicious or scam sites—without mistakenly flagging your legitimate projects.

If you use Vercel, this means no false positives and no unnecessary disruptions to your deployments while we continue protecting your brand. To take advantage of this feature, simply install the integration at this link.

Teachable Automated Takedowns

Teachable.com is a website for selling courses and other educational products. Like other content hosting sites such as Gitbook and Webflow, we’ve seen a rise in its abuse for hosting malicious content targeting Web3 brands.

This month, we worked on making takedown requests for Teachable assets fully automated. Now when a Teachable asset is blocked, a takedown email is automatically sent to Teachable without any need for manual intervention. This update ensures immediate action on blocked assets, significantly reducing the workload for our staff. 

With less manual effort required, enforcement becomes faster, compliance improves, and the entire process becomes more efficient.

Organization Asset Removal 

Organization admins now have the ability to delete assets from their organization’s asset list. Previously, once an asset was added, it couldn’t be removed easily, leading to clutter and potential mistakes accumulating over time.

With this new functionality, admins have greater control over their organization's assets. The update allows you to clean up unwanted or mistakenly added assets, ensuring that asset lists remain organized and relevant. 

By reducing the reliance on support teams or workaround solutions, this change streamlines asset management. To use this feature, admins can navigate to Organization Settings, then select Organization Assets to manage and remove assets as needed.

Keeping organization assets up-to-date means more accurate detections, scans, and automated enforcement actions, and faster time to remediation.

Semi-Automated Takedowns Refile for Medium

For some providers, multiple takedown requests are required to successfully remove an asset. While the initial takedown requests are largely automated, the process of refiling has historically been a manual task. 

This update introduces a semi-automated approach for refiling takedown requests specifically for Medium. Using our refiling tool, the system now handles follow-up requests, significantly speeding up the takedown process. 

By reducing the need for manual intervention, this update not only improves efficiency but also minimizes human error and delays. More consistent enforcement of takedown requests ensures a smoother experience for everyone.

Have questions about ChainPatrol’s February product update? Feel free to contact your customer success representative, or email us.

Here’s a roundup of the most relevant product updates the ChainPatrol team rolled out in January. From real-time webhooks and seamless API integrations to smarter detection and an automated Medium takedown system, these updates are all about improving accuracy, efficiency, and user experience. 

Webhooks for Real-Time Blocklist Updates

You can now set up webhooks to get notified the moment ChainPatrol updates its global blocklist. This means you’ll have access to the latest scam data within seconds—perfect for keeping your integrations up to date in real-time. To start using webhooks, head to the Webhooks section in your ChainPatrol dashboard settings.

API Keys for Seamless Integrations

You can now programmatically interact with ChainPatrol through our integrations using API Keys. These keys let us verify and identify your requests, unlocking more features and deeper integration with the ChainPatrol app. To get started, generate your API Key in the API Keys section of your ChainPatrol dashboard settings.

Smarter Detection & Fewer False Positives

We've improved ChainPatrol's detection flow to reduce false positives and make enforcement more accurate. Now, enforcement won’t apply to social media assets if the organization has none, legitimacy checks help verify popular YouTube channels and videos, and our browser extension has enhanced scanning capabilities. These updates mean fewer interruptions for legitimate users while maintaining strong protection.

Enhanced Medium Threat Detection & Automated Takedowns

ChainPatrol now features a two-part automated system for removing scam content on Medium. When fraudulent content is blocked, an immediate UI report is generated, and every three hours, a batch email takedown request is sent—reducing manual effort while keeping scam removal efficient. 

The system handles both methods without manual intervention, but manual triggers remain available for urgent cases. This automated system streamlines enforcement, minimizes false positives, and ensures ChainPatrol’s brand protection is more comprehensive than ever.

Public ChainPatrol Status Page

We’ve launched a public status page to keep you informed about the health of our services, including our Dashboard, APIs, and Website. If there’s an outage or disruption, you can check for real-time updates from our team.

The status page helps you quickly determine whether an issue is affecting only you or if it’s a broader outage. API integrators can use it to check for service disruptions when they spot errors in their logs. Plus, it keeps you informed about scheduled maintenance, outages, and performance issues—all in one place.

You can visit the status page anytime you experience issues with the app or API. We’ll post real-time updates, and if you need urgent support, you can use the Get in Touch button to contact our team immediately. View the Status Page, here. 

Have questions about ChainPatrol’s January product update? Feel free to contact your customer success representative, or email us.