Wallet Check
Score any EVM wallet's exposure to known scam, compromised, sanctioned, and high-risk counterparties — in one request, across four chains.
What it does
You give Wallet Check an address and it returns a 0–100 exposure score plus the list of risky counterparties that address has interacted with. Under the hood it walks the full on-chain interaction graph, cross-references against 2.6 M+ flagged addresses, and weights hits by recency, volume, and severity.
Good at: spotting wallets that have touched Tornado Cash outputs, North Korea-attributed clusters, rug-pull deployer wallets, flash-loan attackers, phishing drainers. Not designed to evaluate smart-contract code — use Rugpull Scorer for that.
Using the web UI
Open threatchain.io/wallet-check, paste an address, pick a chain (Ethereum by default), click Check.
The results page shows:
- A headline score (0–100) and risk bucket
- Every flagged counterparty with category + last-interaction timestamp
- Total value transferred to/from flagged addresses
- Links to each counterparty's dedicated page with full context
No signup for basic checks. Batch mode and history export require an API key.
How the score works
The score blends four signals. Each signal is normalized to 0–100 and combined with tunable weights:
| Signal | Weight | What it measures |
|---|---|---|
| Direct hits | 45% | Did this wallet transact directly with a flagged address? |
| One-hop proximity | 25% | Did any sender/receiver send value to a flagged address within 7 days? |
| Volume weighting | 15% | How much value moved through flagged counterparties vs total volume |
| Recency | 15% | Last flagged interaction in hours, weighted inversely |
Categories inherit different severity multipliers: sanctions (OFAC SDN) = 100× baseline, known hacker = 80×, rug pull = 60×, phishing drainer = 50×, Tornado Cash = 30× (privacy tool, not inherently malicious but elevates risk).
Risk buckets
The score maps to a bucket so product and compliance teams can set thresholds:
| Score | Bucket | Recommendation |
|---|---|---|
| 0–14 | Safe | No flagged interactions found. Treat as clean. |
| 15–34 | Low risk | Some indirect exposure. Fine for most contexts; review manually for compliance-sensitive use. |
| 35–59 | Medium | Direct interactions with low-severity flags (privacy tools, inactive scam tokens). Require manual review before large transfers. |
| 60–84 | High | Direct interaction with known hacker, drainer, or rug-pull cluster. Block or human-review before sending. |
| 85–100 | Critical | Sanctioned address or direct hacker proceeds. Never send funds. Report as appropriate. |
API reference
Single check
```bash
curl "https://threatchain.io/wallet/check?address=0x28C6c06298d514Db089934071355E5743bf21d60&chain=ethereum"
```
Batch check
Up to 100 addresses per request.
```bash
curl -X POST "https://threatchain.io/wallet/check/batch" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: tck_live_yourkey" \
  -d '{
    "addresses": ["0xabc...", "0xdef..."],
    "chain": "ethereum"
  }'
```
Response shape
```json
{
  "address": "0x28c6...",
  "chain": "ethereum",
  "score": 72,
  "bucket": "high",
  "checked_at": "2026-04-20T16:12:00Z",
  "summary": {
    "total_tx": 4721,
    "flagged_hits": 3,
    "total_value_flagged_usd": "125430.50"
  },
  "hits": [
    {
      "counterparty": "0xa160cdA...",
      "category": "phishing_drainer",
      "severity": "high",
      "last_tx": "2026-04-18T04:22:11Z",
      "tx_count": 2,
      "value_usd": "120000.00",
      "source": "ScamSniffer"
    }
  ]
}
```
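A server-side gate that turns one response of the shape above into an allow/review/block decision, added here as an example and not ThreatChain's own code. The score ranges come from the Risk buckets table; the action names, the `max_age_s` freshness limit, and the rule that stale or malformed responses fall back to review are assumptions of this example.

```python
from datetime import datetime, timezone
from decimal import Decimal, InvalidOperation

# Upper score bound of each row in the Risk buckets table -> action.
# Action names and the max_age_s default are assumptions of this example.
POLICY = [(14, "allow"), (34, "allow"), (59, "review"), (84, "review"), (100, "block")]
ORDER = {"allow": 0, "review": 1, "block": 2}
# Trimmed copy of the page's sample response.
SAMPLE = {"score": 72, "bucket": "high", "checked_at": "2026-04-20T16:12:00Z",
          "hits": [{"counterparty": "0xa160cdA...", "category": "phishing_drainer",
                    "value_usd": "120000.00"}]}

def stricter(a, b):
    return a if ORDER[a] >= ORDER[b] else b

def usd(hit):
    try:  # value_usd arrives as a decimal string; never parse money as float
        return Decimal(str(hit.get("value_usd", "0")))
    except InvalidOperation:
        return Decimal(0)

def decide(resp, now, max_age_s=300):
    """Return (action, reasons) for one response; anything unexpected fails closed."""
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100:
        return "review", ["score missing or out of range"]
    action = next(a for upper, a in POLICY if score <= upper)
    reasons = [f"score {score}"]
    # Never let a low score override an explicit critical bucket.
    if resp.get("bucket") == "critical":
        action = stricter(action, "block")
        reasons.append("bucket is critical")
    # A stale or unparseable checked_at means the verdict may predate new flags.
    try:
        checked = datetime.fromisoformat(resp["checked_at"].replace("Z", "+00:00"))
        fresh = 0 <= (now - checked).total_seconds() <= max_age_s
    except (KeyError, AttributeError, ValueError, TypeError):
        fresh = False
    if not fresh:
        action = stricter(action, "review")
        reasons.append("checked_at stale or invalid")
    # Give the reviewer the flagged counterparties, largest USD value first.
    for hit in sorted(resp.get("hits") or [], key=usd, reverse=True):
        reasons.append(f"{hit.get('category')} {hit.get('counterparty')} ${usd(hit)}")
    return action, reasons

if __name__ == "__main__":
    print(decide(SAMPLE, datetime(2026, 4, 20, 16, 13, tzinfo=timezone.utc)))
```

Pass a timezone-aware `now`; a naive datetime cannot be compared with `checked_at` and the decision falls back to review.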
Chain coverage
| Chain | Param value | Refresh interval |
|---|---|---|
| Ethereum | ethereum (default) | Every block |
| Arbitrum One | arbitrum | Every block |
| Base | base | Every block |
| Polygon PoS | polygon | Every block |
BSC, Optimism, Avalanche, and zkSync Era are in active development — email us for priority.
Data sources
Flagged-address inventory is pulled from and continuously reconciled across:
- OFAC SDN list — sanctioned addresses (Tornado Cash, Lazarus clusters, etc.)
- Chainalysis public tags — attributed hacker clusters
- ScamSniffer / Drainer feeds — phishing drainers flagged within 6 hours of first use
- Community tags — ThreatChain-verified submissions
- Protocol post-mortem lists — addresses identified in protocol incident reports
- DeFiLlama hacks — attacker wallets from confirmed exploits
Integration recipes
Pre-send check in a dApp
Block sending to a high-risk address before the transaction goes through. Example in a React component:
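```javascript
async function checkRecipient(addr) {
  // Encode the address so user input cannot alter the query string.
  const r = await fetch(
    `https://threatchain.io/wallet/check?address=${encodeURIComponent(addr)}&chain=ethereum`
  );
  // Fail closed: a failed lookup must not be treated as a clean result.
  if (!r.ok) throw new Error(`Wallet Check request failed: HTTP ${r.status}`);
  const { score, bucket, hits } = await r.json();
  if (bucket === "critical") {
    // hits may be empty or missing; fall back to the bucket name.
    const category = hits?.[0]?.category ?? "critical";
    throw new Error(`Cannot send: address is flagged as ${category}`);
  }
  if (bucket === "high") {
    return confirm(`⚠️ This address has a risk score of ${score}. Continue?`);
  }
  return true;
}
```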
Telegram "is this wallet safe" bot
Tiny Python bot — forward any address to it, get a scored reply.
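```python
import os
import re
import httpx
from telegram.ext import Application, MessageHandler, filters

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")  # 20-byte hex address

async def handle(update, ctx):
    addr = update.message.text.strip()
    if not ADDRESS_RE.fullmatch(addr):
        return await update.message.reply_text("Send a valid 0x... address.")
    # Async client so one slow lookup does not block the bot's event loop.
    async with httpx.AsyncClient(timeout=10) as client:
        resp = await client.get("https://threatchain.io/wallet/check", params={"address": addr})
    resp.raise_for_status()  # do not parse an error body as a score
    r = resp.json()
    msg = f"Score: {r['score']} ({r['bucket']})\n{r['summary']['flagged_hits']} flagged counterparties"
    await update.message.reply_text(msg)

app = Application.builder().token(os.environ["TG_TOKEN"]).build()
app.add_handler(MessageHandler(filters.TEXT & ~filters.COMMAND, handle))
app.run_polling()
```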
False positives
Three situations produce a false positive:
- Received airdrop dust from a flagged address — attackers spray tiny amounts to unrelated wallets to taint them. Wallet Check weights volume, so a $0.01 dust hit barely moves the score, but combined with other weak signals it can push a clean wallet into Low.
- Used a privacy tool that's category-flagged — Tornado Cash and similar mixers carry a 30× multiplier. Legitimate privacy users will score Medium.
- Reused exchange hot wallet — centralized exchange wallets transact with everyone, including hackers. ThreatChain maintains an exchange-wallet allowlist to suppress this, but cold/hot migrations occasionally slip through.
Submit false positives via the contact form with category "Something else" and we'll review within 24h.
FAQ
Q — Does checking an address add it to any public list?
No. Checks are logged for abuse prevention and rate limiting but never surfaced publicly.
Q — How fresh is the data?
Flagged-address feeds update continuously (ScamSniffer drainers within ~6 hours of first exploit; OFAC list within 1 hour of publication). The on-chain interaction graph is built from a full node with ~15-second lag.
Q — Do you check non-EVM chains?
Not yet via this endpoint. Solana and Bitcoin are on the roadmap — contact us if you need them now.
Q — Can I use this in a compliance pipeline?
The scoring methodology is public and auditable (this page is the spec). Enterprise tier includes an SLA on data freshness and a downloadable audit log. Talk to sales.