Blockchain Focused Phishing Detection
Switch branches/tags
Nothing to show
Clone or download
Pull request Compare This branch is 60 commits ahead, 26 commits behind x0rz:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Phishing detection for cryptocurrency projects

Phishing remains one of the greatest off-chain security threats to the cryptocurrency space, with increasingly sophisticated groups targeting their victims across Slack, Telegram, forums, as well as email. This project streams newly registered SSL certificates using certstream and attempts to identify suspicious domains based on keywords set by the user in near real time. You can read about it in more detail in our blog post.



The program has not been tested with Python 2, we'd strongly recommend using Python 3.

You will need the following python packages installed:

  • termcolor
  • certstream
  • tqdm
  • tld
  • python_Levenshtein
  • gspread
  • fuzzywuzzy
  • pythonwhois

On the host, you will need to install:

To install the packages run:

pip3 install -r requirements.txt


In order to service your own project, you will need to create a monitoring profile. The simplest way to do this is copy one of the existing profiles in the monitoring_profiles directory. After doing so, adapt the configuration of the file as outlined below.


The watchlist variable in settings refers to specific domain(s) that you intend to monitor. These will typically be the domain(s) associated with your tokensale, project or company.

"watchlist" : {
    "": {
      "myetherwallet": 100, "myether": 50

In addition to the domains that you would like to monitor, you can associate an arbitrary number of keywords with that domain. In the example above, MyEtherWallet also wants to monitor the keywords "mew" and "".

You can also whitelist domains that you do not want to monitor by adding them to the whitelist variable in your monitoring profile:

"whitelisted_domains" : [""]

Google SOC

A Security Operations Centre (SOC) is a unit dedicated to handling security incidents in large organizations. Most teams working out of the crypto/blockchain space will not have a SOC, and as a result this project attempts to create a lean & reliable substitute by bootstrapping off of Google Sheets. Doing so allows teams to handle and attend to phishing incidents with relative ease, including setting email alerts to notify of changes to the spreadsheet.

In order to configure this project to work with Google Sheets, you will need to create signed credentials.

  1. Create signed credentials for your google account. (Guide here)
  2. Save these credentials in a file called creds.json in the credentials directory in this project.
  3. Create a copy of the spreadsheet, or alternatively create a blank spreadsheet. Ensure that you grant edit permission to the spreadsheet by the email address in your google creds.json.
  4. Update the following fields in your monitoring_profiles/monitoring_profile.json file:
  "google_spreadsheet_key" : "<your spreadsheet key>", #This is the value from the URL
  "google_threshold" : 90, #Domains over this score will be written to the spreadsheet

You should now start seeing domains that score over the specified threshold being written to your spreadsheet. Setup email notifications on the spreadsheet to receive notifications any time the program writes to the spreadsheet.


By default, WHOIS lookups on suspicious domains are turned off, but you can enable this in the file.

Unit tests

You can ensure that everything is running as intended and setup correctly by running:

python3 -m unittest discover -s tests/ -p '*'


$ python3 monitoring_profiles/profile.json

Examples of suspicious domains

An obvious clone of an existing well known brand with minor changes: Clone

A simple typo on MyEtherWallet:


A homograph attack on MyEtherWallet (note the 'e's).


Further assistance

If you would like further assistance with combatting phishing attacks we'd love to hear from you.


Thanks to @x0rz for the original inspiration.




ETH Donation Address: 0x4fC60C34266af4106353c35d9600585e17F60512