From 506444f19e72e7331efa3f523ecf235150a4f2c8 Mon Sep 17 00:00:00 2001 From: Mustafa Siddiqui Date: Wed, 17 Dec 2025 14:34:18 -0500 Subject: [PATCH 1/5] wip: initial AI draft --- concepts/allowlist.mdx | 414 +++++++++++++ concepts/asset-scans.mdx | 468 ++++++++++++++ concepts/blocklist.mdx | 581 ++++++++++++++++++ concepts/brands.mdx | 419 +++++++++++++ concepts/detections.mdx | 459 ++++++++++++++ concepts/legal-docs.mdx | 403 ++++++++++++ concepts/metrics.mdx | 471 ++++++++++++++ concepts/organizations.mdx | 350 +++++++++++ concepts/reports.mdx | 393 ++++++++++++ concepts/reviews.mdx | 520 ++++++++++++++++ concepts/security-portal.mdx | 476 ++++++++++++++ concepts/takedowns.mdx | 413 +++++++++++++ concepts/watchlist.mdx | 393 ++++++++++++ getting-started/how-it-works/asset-scans.mdx | 224 +++++++ getting-started/how-it-works/blocklist.mdx | 357 +++++++++++ .../how-it-works/detection-sources.mdx | 323 ++++++++++ .../how-it-works/how-we-use-ai.mdx | 246 ++++++++ getting-started/how-it-works/review.mdx | 264 ++++++++ getting-started/how-it-works/takedown.mdx | 370 +++++++++++ getting-started/how-it-works/watchlist.mdx | 288 +++++++++ .../what-we-do/brand-impersonation.mdx | 137 +++++ .../what-we-do/general-phishing.mdx | 92 +++ getting-started/what-we-do/introduction.mdx | 116 ++++ guides/api-keys.mdx | 8 + guides/communicating-with-chainpatrol.mdx | 8 + guides/enabling-disabling-services.mdx | 8 + guides/false-positives.mdx | 8 + guides/gathering-allowlist.mdx | 8 + guides/public-reports.mdx | 8 + guides/setting-up-brands.mdx | 8 + guides/sso.mdx | 8 + guides/unflagging-your-assets.mdx | 8 + mint.json | 83 ++- .../onboarding-requirements.mdx | 410 ++++++++++++ protect-your-brand/ongoing-communication.mdx | 400 ++++++++++++ protect-your-brand/services-setup.mdx | 478 ++++++++++++++ protect-your-brand/who-should-be-involved.mdx | 418 +++++++++++++ 37 files changed, 10018 insertions(+), 20 deletions(-) create mode 100644 concepts/allowlist.mdx create mode 100644 concepts/asset-scans.mdx create mode 100644 concepts/blocklist.mdx create mode 100644 concepts/brands.mdx create mode 100644 concepts/detections.mdx create mode 100644 concepts/legal-docs.mdx create mode 100644 concepts/metrics.mdx create mode 100644 concepts/organizations.mdx create mode 100644 concepts/reports.mdx create mode 100644 concepts/reviews.mdx create mode 100644 concepts/security-portal.mdx create mode 100644 concepts/takedowns.mdx create mode 100644 concepts/watchlist.mdx create mode 100644 getting-started/how-it-works/asset-scans.mdx create mode 100644 getting-started/how-it-works/blocklist.mdx create mode 100644 getting-started/how-it-works/detection-sources.mdx create mode 100644 getting-started/how-it-works/how-we-use-ai.mdx create mode 100644 getting-started/how-it-works/review.mdx create mode 100644 getting-started/how-it-works/takedown.mdx create mode 100644 getting-started/how-it-works/watchlist.mdx create mode 100644 getting-started/what-we-do/brand-impersonation.mdx create mode 100644 getting-started/what-we-do/general-phishing.mdx create mode 100644 getting-started/what-we-do/introduction.mdx create mode 100644 guides/api-keys.mdx create mode 100644 guides/communicating-with-chainpatrol.mdx create mode 100644 guides/enabling-disabling-services.mdx create mode 100644 guides/false-positives.mdx create mode 100644 guides/gathering-allowlist.mdx create mode 100644 guides/public-reports.mdx create mode 100644 guides/setting-up-brands.mdx create mode 100644 guides/sso.mdx create mode 100644 guides/unflagging-your-assets.mdx create mode 100644 protect-your-brand/onboarding-requirements.mdx create mode 100644 protect-your-brand/ongoing-communication.mdx create mode 100644 protect-your-brand/services-setup.mdx create mode 100644 protect-your-brand/who-should-be-involved.mdx diff --git a/concepts/allowlist.mdx b/concepts/allowlist.mdx new file mode 100644 index 0000000..2d6fbc1 --- /dev/null +++ b/concepts/allowlist.mdx @@ -0,0 +1,414 @@ +--- +title: "Allowlist" +description: "Understanding how ChainPatrol identifies and protects legitimate assets" +--- + +## What Is an Allowlist? + +An **allowlist** is a curated list of known, trusted assets that are explicitly recognized as legitimate within ChainPatrol. + + +Assets added to the allowlist are considered **official or approved** and are treated differently from unknown or suspicious assets during threat detection and analysis. + + +Allowlisting helps ChainPatrol distinguish between genuine brand-owned content and potential impersonation or abuse. + + +Unlike blocklists, which focus on malicious content, allowlists define what is **known to be safe**. + + +## Why We Use an Allowlist at ChainPatrol + +Allowlists play a critical role in improving both **detection accuracy** and **signal quality**. + +### Dual Purpose + + + + **Preventing false positives** + + When an asset is allowlisted, it is excluded from automatic threat detection. + + **Benefits:** + - Prevents legitimate brand-owned assets from being mistakenly flagged as impersonation + - Reduces false positives + - Eliminates unnecessary investigations + - Improves team efficiency + + **Example:** + Your official website `example.com` is allowlisted, so it will never be flagged as a phishing site, even if detection rules would normally trigger on brand-related keywords. + + + + **Comparison for threat analysis** + + Allowlisted assets are used as **reference points** when analyzing potentially malicious content. + + **How it works:** + ChainPatrol can compare a suspected phishing page against an allowlisted official website to determine whether: + - Branding is being copied + - Layout is being imitated + - Content is being duplicated + - Visual elements are being stolen + + **Example:** + A suspicious site `examp1e.com` is detected. ChainPatrol compares it against your allowlisted `example.com` and identifies: + - 95% visual similarity + - Identical logo usage + - Copied page structure + - **Result:** High-confidence brand impersonation detection + + + + +This dual role—exclusion from detection and use as a trusted baseline—makes allowlists essential for reliable brand impersonation analysis. + + +## What Can Be Allowlisted? + +In ChainPatrol, **any asset type can be allowlisted**. + + + + Official websites and web applications + + + + Verified brand and employee accounts + + + + App store listings and hosted content + + + + Testing, staging, and QA environments + + + + Vercel, Netlify, and other preview URLs + + + + Official smart contracts and wallets + + + + Official company and team emails + + + + Any asset legitimately controlled by your organization + + + + +Allowlisting is not limited by platform or asset category, as long as the asset is known to be legitimately controlled by the organization or brand. + + +## What Should and Shouldn't Be Allowlisted? + +### Should Be Allowlisted ✅ + +Assets that are **owned, controlled, or intentionally operated** by the organization or its brands: + + + + - Primary company website + - Product websites + - Documentation sites + - Support portals + - Marketing landing pages + + **Example:** `company.com`, `docs.company.com`, `support.company.com` + + + + - Official Twitter/X accounts + - Official Discord servers + - Official Telegram channels + - Official YouTube channels + - Verified employee accounts + + **Example:** `@CompanyOfficial`, `discord.gg/company-official` + + + + - QA environments + - Staging servers + - Internal testing sites + - Employee development environments + + **Example:** `staging.company.com`, `qa-env.company.com` + + + + - Vercel deployments owned by the company + - Netlify preview URLs + - GitHub Pages for official repositories + - CI/CD preview environments + + **Example:** `company-app.vercel.app`, `preview-123.netlify.app` + + + + - Official smart contracts + - Treasury wallets + - Multisig addresses + - Token contracts + + **Example:** `0x1234...` (official token contract) + + + +### Should NOT Be Allowlisted ❌ + + + + Content that is merely tolerated but not controlled by your organization. + + **Examples:** + - Partner websites mentioning your brand + - News articles about your company + - Third-party reviews or comparisons + - Affiliate or reseller sites + + + Even if the content is positive or authorized, if you don't control it, don't allowlist it. + + + + + Content created by users, even on your platforms. + + **Examples:** + - User profiles on your platform + - Community-submitted content + - User comments or posts + - Customer testimonials on external sites + + + + Assets where you don't have complete control or ownership. + + **Examples:** + - Shared hosting environments + - Third-party integrations + - External widgets or embeds + - Temporary or borrowed infrastructure + + + If there's any doubt about control or ownership, err on the side of caution and don't allowlist. + + + + + +**Important:** Allowlisting an asset implicitly signals trust. Because allowlisted assets are excluded from automatic detection, incorrectly allowlisting an asset can reduce visibility into real threats. + + +## Risk Handling and Escalation + +Allowlisting does not permanently exempt an asset from scrutiny. + + +If an allowlisted asset shows suspicious behavior or is believed to be compromised, it can still be escalated, investigated, and acted upon. + + +### Compromise Scenarios + + + + **Scenario:** Your official Twitter account is hacked + + **What happens:** + 1. Asset is allowlisted, so automatic detection doesn't flag it + 2. Community reports suspicious activity + 3. Manual investigation reveals compromise + 4. Asset is temporarily removed from allowlist + 5. Threat is blocked and reported + 6. After recovery, asset is re-allowlisted + + + + **Scenario:** Your domain is hijacked or DNS is compromised + + **What happens:** + 1. Asset is allowlisted, so automatic detection doesn't flag it + 2. Monitoring detects unusual behavior or content changes + 3. Security team investigates + 4. Asset is removed from allowlist during incident + 5. Malicious content is blocked + 6. After resolution, asset is re-allowlisted + + + + **Scenario:** Your hosting infrastructure is compromised + + **What happens:** + 1. Allowlisted assets start serving malicious content + 2. User reports or automated monitoring detect anomalies + 3. Incident response is triggered + 4. Affected assets are removed from allowlist + 5. Threats are contained and remediated + 6. Assets are re-allowlisted after verification + + + + +This ensures that trust is not absolute and that compromised official assets do not become blind spots. + + +## Granularity of Allowlists + +Allowlists in ChainPatrol can be configured at different levels. + + + + **Applies across all brands** + + Assets allowlisted at the organization level are trusted for the entire organization, regardless of which brand they're associated with. + + **Use cases:** + - Corporate websites + - Shared infrastructure + - Company-wide social accounts + - Central authentication systems + + **Example:** + `company.com` is allowlisted at the organization level, protecting it for all brands under the organization. + + + + **Applies only to a specific brand** + + Assets allowlisted at the brand level are trusted only for that specific brand within the organization. + + **Use cases:** + - Product-specific websites + - Brand-specific social accounts + - Individual product infrastructure + - Brand-specific campaigns + + **Example:** + `product-a.com` is allowlisted for "Product A" brand but not for "Product B" brand. + + + + +This flexibility allows teams managing multiple brands to tailor trust appropriately. + + +### Hierarchy Example + +``` +Organization: Acme Corp +├── Brand: Acme Protocol +│ ├── acme-protocol.com (Brand-level allowlist) +│ └── @AcmeProtocol (Brand-level allowlist) +├── Brand: Acme Wallet +│ ├── acme-wallet.com (Brand-level allowlist) +│ └── @AcmeWallet (Brand-level allowlist) +└── Organization-level allowlist: + ├── acme.com (All brands) + ├── @AcmeCorp (All brands) + └── support@acme.com (All brands) +``` + +## Who Can Update the Allowlist? + +Allowlist management is restricted to **organization administrators and authorized staff members**. + + + + Full control over organization-level and brand-level allowlists + + + + ChainPatrol staff can assist with allowlist management + + + + Standard users cannot modify allowlists + + + + All allowlist changes are logged and tracked + + + + +Limiting access helps ensure that allowlists remain accurate, intentional, and aligned with security best practices. + + +### Best Practices for Allowlist Management + + + + Only allowlist assets you definitively control and trust + + + + Periodically review your allowlist (quarterly recommended) to remove outdated or deprecated assets + + + + Maintain internal documentation of why assets were allowlisted + + + + Immediately remove any asset suspected of being compromised + + + + Only re-allowlist assets after confirming they're secure and under your control + + + +--- + +## Key Takeaways + + + + Allowlists define what is explicitly trusted + + + + Excludes from detection and serves as reference baseline + + + + Domains, social accounts, apps, blockchain addresses, and more + + + + Only allowlist assets you definitively control + + + + Compromised assets can still be investigated and blocked + + + + Organization-level or brand-level allowlisting + + + + Only administrators can modify allowlists + + + + Periodic reviews keep allowlists accurate and current + + + +--- + + + Access your organization settings to view and update your allowlist + diff --git a/concepts/asset-scans.mdx b/concepts/asset-scans.mdx new file mode 100644 index 0000000..5c3c215 --- /dev/null +++ b/concepts/asset-scans.mdx @@ -0,0 +1,468 @@ +--- +title: "Asset Scans" +description: "Understanding how ChainPatrol evaluates assets at specific points in time" +--- + +## Definition + + +An **asset scan** is a single security check ChainPatrol performs on an asset (like a URL, social profile, app listing, crypto address, or email) at a specific moment in time. + + +### What It Captures + + + + Visual and content snapshot + + + + Enrichment data collected + + + + Risk assessment and scores + + + +### Why It Matters + +Asset scans are the building blocks ChainPatrol uses to: + +- Understand threats over time +- Update asset status +- Support reviews and takedowns +- Power reporting and analytics + +## Key Characteristics + + + + **One scan, one asset** + + Every asset scan belongs to exactly one asset and, through that asset, to an organization and optionally a brand. + + **Hierarchy:** + ``` + Organization + └── Brand (optional) + └── Asset + └── Asset Scan + ``` + + + + **Point-in-time record** + + Each scan has a timestamp and stands on its own. Later scans might see different: + - Content + - Liveness status + - Risk indicators + - Infrastructure + + + This allows ChainPatrol to track how threats evolve over time. + + + + + **Scan lifecycle states** + + A scan has a simple status reflecting where it is in the checking process: + + + + Scan queued but not yet started + + + + Actively collecting data and running checks + + + + Scan finished successfully with results + + + + Scan encountered errors and couldn't complete + + + + + + **What each scan contains** + + **Inputs:** + - What we were asked to scan (URL, address, profile) + - Related context (organization, brand, detection source) + + **Outputs:** + - Enrichments (extra data we fetched) + - Labels (risk tags) + - Liveness status + - Overall risk score for that point in time + + + +## What Lives Inside a Scan + +### Enrichments (Extra Context) + +Structured information gathered during the scan: + + + + - Page HTML and text content + - Title, description, keywords + - Meta tags and structured data + - Screenshots and visual captures + - Form fields and input elements + + + + - Outbound links from the page + - Redirect chains + - External resources loaded + - Related infrastructure + + + + - DNS records and resolution + - TLS/SSL certificate information + - IP addresses and hosting + - Server headers and responses + - Network infrastructure + + + + - Social profile attributes (followers, posts, bio) + - App store listing information (ratings, reviews, permissions) + - Blockchain data (contract code, transactions) + - Email validation results + + + + +Each enrichment knows where it came from (e.g., "page content", "network", or an external scanner) and whether it succeeded or failed. + + +### Labels (Findings) + +Human-readable tags with scores that categorize risk: + + + + Visual or textual mimicry of your brand + + + + Credential harvesting or scam patterns + + + + Suspended or blocked by hosting provider + + + + Malicious wallet connection code + + + + Domain reserved but not in use + + + + Domain closely resembling legitimate one + + + + +These labels are used to group risk into categories like **general phishing**, **brand impersonation**, or **wallet-related risk**. + + +### Scores and Liveness + +A scan tracks two key metrics: + + + + **Combined risk assessment** + + A numerical score (typically 0-1) representing the overall risk level at that point in time. + + **Calculated from:** + - Label scores + - Rule evaluations + - Confidence levels + - Historical patterns + + + + **Asset accessibility** + + Indicates whether the asset is currently accessible: + + + + Asset is accessible and active + + + + Asset is inaccessible or removed + + + + Status cannot be determined + + + + **Reasons tracked:** + - DNS failed + - Parked domain detected + - Suspended by provider + - 404 not found + - Connection timeout + + + +## How Asset Scans Relate to Other Concepts + + + + **The foundation** + + The asset is the "thing" (URL, profile, listing, address); scans are the history of what we have seen about that thing. + + **Relationship:** + - One asset → Many scans over time + - Scans build a timeline of the asset's behavior + - Most recent scan typically used for current status + + + + **Input for threat identification** + + Threat records (detections) use scan labels and scores as key inputs to decide whether something should be treated as an active threat for your organization. + + **How they connect:** + - Detection triggers → Asset scan + - Scan results → Threat score + - Threat score → Detection confidence + + + + **Evidence for decision-making** + + When your team reviews a reported asset, they see the most relevant scan results to understand why it was flagged and whether it should be allowed, blocked, or escalated. + + **What reviewers see:** + - Screenshots from scans + - Labels and scores + - Enrichment data + - Historical scan timeline + + + + **Status determination** + + Repeated scan results help decide: + + - **Blocked** - Assets that consistently look malicious + - **Allowed** - Assets that can be treated as safe + - **Watchlisted** - Assets that are sensitive or change frequently + + **Decision factors:** + - Consistent risk scores across scans + - Liveness changes over time + - Pattern stability + + + + **Evidence for removal** + + For assets that need to be taken down, scan data provides evidence to support outreach to hosting providers, registrars, and platforms. + + **What's provided:** + - Screenshots showing malicious content + - Metadata and technical details + - Liveness history + - Timeline of activity + + + + **Campaign mapping** + + When scans find links and redirects, they can be connected together to show clusters of related pages or infrastructure. + + **Benefits:** + - Identify broader campaigns + - Map attacker infrastructure + - Understand threat networks + - Coordinate takedowns + + + +## Examples + + + + **Scenario:** + A new login page is found in search results. + + **Scan Process:** + 1. ChainPatrol scans the page + 2. Sees it closely imitates your brand + 3. Detects wallet connection requests + 4. Assigns strong phishing and brand-impersonation labels + + **Result:** + - Scan feeds into a threat record for your organization + - Appears in your triage queue + - High-priority review recommended + + + High-confidence scans like this often trigger automatic blocking. + + + + + **Scenario:** + Your official website is added as an asset and monitored. + + **Scan Process:** + 1. Regular scans performed (daily or weekly) + 2. Shows asset is alive and consistent + 3. Does not trigger risky labels + 4. Maintains stable risk score near zero + + **Result:** + - Remains allowed + - Serves as a "known good" reference + - Used for comparison against suspicious assets + + + Regular scanning of official assets helps establish baselines for comparison. + + + + + **Scenario:** + A social profile claiming to be one of your employees is discovered. + + **Scan Process:** + 1. Profile scanned for attributes + 2. Shows overlapping branding + 3. Detects suspicious outreach behavior + 4. Increases impersonation scores + + **Result:** + - Scan supports team decision-making + - Evidence for escalation + - Basis for pursuing takedown + - Documented proof of impersonation + + + Social profile scans capture bio, images, posts, and engagement patterns. + + + + +## What Asset Scans Are Not + + + + Asset scans are system-generated. **Reports** are created by users or external systems raising issues. + + + + A scan can be clean or suspicious. A threat or incident record is created only when risk crosses thresholds or a human escalates it. + + + + Scans use your **rules**, **thresholds**, and **service settings**, but they are not where you configure behavior—they are the evidence those settings produce. + + + +## Scan Workflow + +```mermaid +flowchart TD + Trigger[Scan Trigger] --> Pending[Status: Pending] + Pending --> InProgress[Status: In Progress] + + InProgress --> Enrich[Collect Enrichments] + Enrich --> Web[Web Content] + Enrich --> Network[Network Data] + Enrich --> Platform[Platform Data] + + Web --> Evaluate[Evaluate Rules] + Network --> Evaluate + Platform --> Evaluate + + Evaluate --> Labels[Generate Labels] + Evaluate --> Score[Calculate Risk Score] + Evaluate --> Liveness[Determine Liveness] + + Labels --> Complete[Status: Completed] + Score --> Complete + Liveness --> Complete + + InProgress -->|Error| Failed[Status: Failed] + + Complete --> Decision{Risk Level?} + Decision -->|High| Block[Block Asset] + Decision -->|Medium| Review[Manual Review] + Decision -->|Low| Monitor[Continue Monitoring] + + style Trigger fill:#3b82f6 + style InProgress fill:#8b5cf6 + style Evaluate fill:#f59e0b + style Complete fill:#10b981 + style Failed fill:#ef4444 +``` + +## Key Takeaways + + + + Each scan captures asset state at a specific moment + + + + Scans are fundamental to threat understanding + + + + Enrichments provide comprehensive asset intelligence + + + + Human-readable categorization of threats + + + + Multiple scans show asset evolution over time + + + + Provides proof for reviews and takedowns + + + + Links between assets reveal campaigns + + + + Consistent, repeatable security checks + + + +--- + + + Access your dashboard to review asset scans and their results + diff --git a/concepts/blocklist.mdx b/concepts/blocklist.mdx new file mode 100644 index 0000000..c7125cf --- /dev/null +++ b/concepts/blocklist.mdx @@ -0,0 +1,581 @@ +--- +title: "Blocklist" +description: "Understanding ChainPatrol's threat intelligence database" +--- + +## What is a Blocklist? + +A blocklist (also known as a denylist) is a database of confirmed malicious entities that should be blocked or flagged to protect users. In the context of web3 security, a blocklist contains verified phishing websites, scam social media accounts, fraudulent crypto addresses, and other malicious assets that pose a threat to users. + + +ChainPatrol's blocklist functions as a **threat intelligence database** that's continuously updated and distributed in real-time. + + +### Real-Time Protection + +Unlike traditional security databases that may update daily or weekly, our blocklist provides immediate updates as threats are confirmed, ensuring protection is deployed within **15-30 minutes** rather than hours or days. + + +The blocklist serves as the foundation of proactive security—instead of waiting for users to encounter threats, we identify, verify, and distribute threat intelligence to prevent exposure before it happens. + + +## Why Do We Use a Blocklist and Why Is It Effective? + +### The Problem with Traditional Takedowns + +Traditional cybersecurity approaches rely heavily on **takedowns**—requesting hosting providers or domain registrars to remove malicious content. However, this approach has critical limitations: + + + + 4-48 hours for hosting providers, 24-72 hours for domain takedowns + + + + Some providers never respond or operate in non-cooperative jurisdictions + + + + Scammers can steal funds within minutes of launching a phishing site + + + + Attackers quickly spin up new domains or move to different providers + + + +### The Blocklist Advantage + +ChainPatrol's blocklist provides **immediate protection** through a "blocklist-first, takedown-second" approach: + + + + Assets are blocklisted and distributed in **15-30 minutes** after confirmation + + + + Protection works regardless of hosting provider, jurisdiction, or whether the malicious content remains online + + + + Blocks are enforced at the browser, wallet, and network level—where users actually interact with threats + + + + Even if a scammer sets up 100 copycat sites, each one gets blocklisted as soon as it's detected + + + + +In web3, where transactions are irreversible and scams can drain wallets in seconds, **prevention at the point of interaction is critical**. + + +### Network Effects + +The effectiveness of our blocklist increases exponentially with distribution: + +```mermaid +flowchart TD + Detection[Threat Detected] --> Confirmation[ChainPatrol Confirms] + Confirmation --> Blocklist[Added to Blocklist] + + Blocklist --> Browsers[Browser Security] + Blocklist --> Wallets[20+ Wallets] + Blocklist --> Enterprise[Enterprise Networks] + Blocklist --> Partners[Partner Organizations] + + Browsers --> Users1[Millions of Users Protected] + Wallets --> Users1 + Enterprise --> Users1 + Partners --> Users1 + + style Detection fill:#f59e0b + style Confirmation fill:#3b82f6 + style Blocklist fill:#6622DC + style Users1 fill:#10b981 +``` + + +**One confirmation protects millions of users** across the entire web3 ecosystem. + + +## Who Contributes to the Blocklist? + +ChainPatrol's blocklist is powered by a diverse network of contributors: + + + + **Grassroots threat intelligence** + + + + Anyone can report suspicious assets through our public reporting interface + + + + Discord moderators, Twitter users, and Reddit communities actively report scams targeting their communities + + + + Users who've encountered or fallen victim to scams help us identify active threats + + + + + + **Collaborative threat sharing** + + + + Companies using ChainPatrol for brand protection contribute threat intelligence + + + + MetaMask, Phantom, Coinbase Wallet, and others share detected threats + + + + SEAL-ISAC, Crypto-ISAC, and other information sharing networks + + + + Web3 protocols and DAOs monitoring for impersonation attacks + + + + + + **AI-powered threat discovery** + + + + Detection engine continuously monitors using 50+ detection rules + + + + Real-time monitoring of newly registered domains + + + + Automated detection of impersonation accounts and scam posts + + + + Intentional traps that identify and track attacker infrastructure + + + + + + **Human verification layer** + + While many sources contribute **detections**, all blocklist entries are verified by ChainPatrol's security team before being added. + + **Why this matters:** + - Ensures accuracy + - Minimizes false positives + - Maintains blocklist quality + - Provides human judgment for edge cases + + + This human-in-the-loop review process is critical for maintaining trust in the blocklist. + + + + +## What Is In Scope for Being Added to the Blocklist? + +Assets are added to the blocklist when they meet two criteria: **intent** and **confirmation**. + +### Intent: Malicious Purpose + +Assets must demonstrate clear malicious intent: + + + + Sites designed to steal credentials, seed phrases, or private keys + + + + Fraudulent schemes (fake airdrops, rug pulls, Ponzi schemes) + + + + Content falsely claiming to represent legitimate brands + + + + Sites or links that distribute malicious software + + + + Content designed to manipulate users into compromising security + + + +### Confirmation: Evidence-Based Verification + +Assets must be confirmed as malicious through: + + + + Independent sources reporting the same threat + + + + Proof of successful attacks or victim reports + + + + Malicious code or behavior detected + + + + Clear alignment with known attack techniques + + + + Verification of unauthorized use (when applicable) + + + +### Out of Scope + +The following are **not** added to the blocklist: + + + + Negative reviews, critical commentary, or parody (protected speech) + + + + Content from legitimate competitors, even if unfavorable + + + + Projects accused of being scams without concrete evidence of malicious activity + + + + Trademark disputes, contract disagreements, or business conflicts (handle through legal channels) + + + + Suspicious but unconfirmed assets (may be monitored, but not blocklisted) + + + + +This scope ensures our blocklist maintains high accuracy and focuses on clear, immediate threats to user security. + + +## What Type of Data Is In Our Blocklist? + +ChainPatrol's blocklist includes multiple asset types, each with specific attributes: + + + + **Web-based threats** + + - **Full URLs**: Specific phishing pages (e.g., `https://metamask-security-verify.com/connect`) + - **Domains**: Root domains and subdomains (e.g., `phishing-site.com`, `scam.evil-host.net`) + - **Status**: Current blocklist status and distribution state + - **First Seen**: When the asset was first detected or reported + - **Blocklist Date**: When it was added to the blocklist + - **Associated Data**: Screenshots, detection rules triggered, related assets + + + + **Platform impersonation** + + + + Impersonation and scam accounts + + + + Fake support channels and scam groups + + + + Phishing servers and fake community servers + + + + Scam livestreams and fake giveaways + + + + Impersonation pages and scam groups + + + + **Platform-Specific Identifiers**: Account handles, user IDs, channel links + + + + **On-chain threats** + + - **Ethereum Addresses**: Scam contracts, phishing wallets, rug pull contracts + - **Multi-Chain Support**: Addresses across multiple blockchain networks + - **Contract Metadata**: Contract code analysis, transaction patterns + - **Labels**: Scam type (fake airdrop, phishing, Ponzi scheme) + + + + **Email-based threats** + + - **Phishing Emails**: Addresses used in phishing campaigns + - **Scam Support**: Fake customer support email addresses + - **Associated Domains**: Email domains linked to scam operations + + + + **Additional threat vectors** + + + + Fake wallet apps, scam applications + + + + Malicious extensions that steal credentials + + + + Decentralized content hosting phishing pages + + + + Scam NFT projects and counterfeit collections + + + + + +### Metadata for All Assets + +Every blocklisted asset includes comprehensive metadata: + + + + Category of the malicious asset + + + + Current state (BLOCKED, ALLOWED, PENDING) + + + + Risk level assessment + + + + Connected infrastructure (same scam campaign) + + + + Which rules or sources identified the threat + + + + Which partners have received the update + + + + Timeline of status changes and reviews + + + +## Who Uses Our Blocklist? + +ChainPatrol's blocklist protects users across the web3 ecosystem through multiple integration types: + + + + **Universal web protection** + + + + Powers protection in Chrome, Safari, Edge, Firefox, and other browsers + + + + Network-level protection for enterprises and organizations + + + + Custom integrations for web3-focused browsers + + + + **Impact**: Blocklisted URLs are prevented from loading or show warning pages, protecting users regardless of which website they're visiting. + + + + **Transaction-level protection** + + + + Direct integration via Eth-Phishing-Detect + + + + Real-time API integration + + + + Via multiple blocklist sources + + + + Integration through WalletConnect and other channels + + + + Real-time API protection + + + + Various integration methods + + + + **Impact**: Wallets warn users before connecting to malicious sites or interacting with scam contracts, preventing fund loss at the point of transaction. + + + + **Platform-specific protection** + + + + Content moderation and user protection + + + + Governance platform security + + + + Filtering scam collections and malicious listings + + + + Protecting users from fake interfaces and phishing sites + + + + **Impact**: Applications can automatically filter malicious content and warn users about threats specific to their platform. + + + + **Ecosystem-wide sharing** + + + + Security Alliance's information sharing network (600+ members) + + + + Cryptocurrency industry threat intelligence + + + + Ethereum ecosystem blocklist (ChainPatrol is a core contributor) + + + + Cross-chain threat sharing + + + + **Impact**: Our blocklist feeds into the broader security ecosystem, creating a network effect where threats are shared across organizations and platforms. + + + + **Organizational protection** + + + + Protect employees and users + + + + Monitor and block impersonation attempts + + + + API access for internal security tools and workflows + + + + **Impact**: Organizations can integrate ChainPatrol's threat intelligence into their existing security infrastructure for comprehensive protection. + + + + **Open threat intelligence** + + + + Freely accessible blocklist API for developers and security researchers + + + + Developer tools for easy integration + + + + Search and lookup interface for manual checks + + + + **Impact**: Anyone can access our blocklist data to build security tools, perform research, or check suspicious assets. + + + +--- + +## Key Takeaways + + + + 15-30 minute response time vs. hours or days for takedowns + + + + Works regardless of hosting provider or jurisdiction + + + + One confirmation protects millions of users + + + + Community, partners, automation, and expert review + + + + Requires both malicious intent and confirmation + + + + URLs, social accounts, blockchain addresses, and more + + + + Browsers, wallets, applications, and enterprises + + + + Open API and SDK for developers and researchers + + + +--- + + + View blocklisted assets and check suspicious content in your dashboard + diff --git a/concepts/brands.mdx b/concepts/brands.mdx new file mode 100644 index 0000000..077035f --- /dev/null +++ b/concepts/brands.mdx @@ -0,0 +1,419 @@ +--- +title: "Brands" +description: "Understanding brand protection in ChainPatrol" +--- + +## What Is a Brand in ChainPatrol? + +A **brand** represents an identity that ChainPatrol protects. + + +Brands belong to an **organization**, and a single organization can have **multiple brands**. + + +## Types of Brands + +ChainPatrol supports two types of brands: + + + + **What they represent:** + + These represent the organization itself or its products. + + **Examples:** + - "ChainPatrol" (primary brand) + - Product lines or services + - Sub-brands created for specific business units + - Regional or market-specific brands + + + A Web3 company protecting their main protocol name, their governance token, and their NFT marketplace brand + + + + + **What they represent:** + + These represent key people associated with the organization. + + **Examples:** + - CEO + - Executives + - Public-facing employees + - Founders + - Brand ambassadors + + + Protecting a CEO who is frequently impersonated on Twitter/X and Telegram by scammers offering fake investment opportunities + + + + + +Both company and individual brands can be targeted by impersonation, scams, or fraud, and ChainPatrol protects both. + + +## What Information Is Stored in a Brand? + +Each brand includes several components that help ChainPatrol understand what legitimate content looks like and identify potential threats. + + + + Keywords and variations + + + + Logos and visual elements + + + + Official properties + + + +### Brand Terms + + + Brand terms are **keywords associated with a brand** that describe how the brand is commonly referenced online. + + **They include:** + - Official brand names + - Variations and abbreviations + - Product names + - Nicknames or widely used informal names + - Individual names (for personal brands) + + **Examples for "ChainPatrol":** + - ChainPatrol + - Chain Patrol + - CP + - @chainpatrol + - chainpatrol.io + + + +By defining brand terms, ChainPatrol is able to recognize when content is likely related to a specific brand and assess whether that content may be legitimate or potentially impersonating the brand. + + +### Brand Images + + + Brand images include visual elements that represent the brand. + + **They include:** + - Logos (all variations) + - Official graphics and design elements + - Profile photos for individuals + - Brand marks and symbols + - Visual identity assets + + **How they're used:** + + These images are used during detection to help identify potential impersonation, for example by matching logos or profile photos against suspicious content that may be attempting to mimic the brand. + + +### Brand Assets + + + Brand assets represent **known, legitimate assets owned by the brand**. + + These are used to distinguish between real content and potentially harmful impersonation. + + **A brand asset can be any asset type supported by ChainPatrol:** + + + + Official websites and domains + + + + Twitter, Discord, Telegram profiles + + + + App store and extension listings + + + + GitHub and code repositories + + + + Telegram channels and groups + + + + Any verified online property + + + + + +Brand assets serve as a **whitelist** of what is considered authentic. + + +## How Brand Information Is Used + +ChainPatrol combines **brand terms**, **brand images**, and **brand assets** to understand a brand's identity and accurately assign threats to the correct brand. + +### The Attribution Process + + + + Suspicious content is detected across the internet + + + + ChainPatrol analyzes the content for: + - Brand terms (name, keywords) + - Brand images (logos, visuals) + - Similarity to brand assets (mimicking official properties) + + + + The threat is automatically associated with the relevant brand + + + + The threat is properly evaluated and acted upon in the context of that brand + + + + +This attribution process happens automatically and at a high level, allowing threats to be categorized without requiring manual intervention in most cases. + + +### Example Attribution + + + + **Detected Threat:** + - Domain: `chainpatr0l-airdrop.com` + - Uses ChainPatrol logo + - Mimics official website design + + **Attribution:** + - Matches brand term: "chainpatrol" (with typo) + - Matches brand image: Official logo detected + - Mimics brand asset: Official website structure + + **Result:** Automatically attributed to "ChainPatrol" brand + + + + **Detected Threat:** + - Twitter account: `@chainpatrol_support` + - Profile photo: ChainPatrol logo + - Bio mentions: "Official ChainPatrol Support" + + **Attribution:** + - Matches brand term: "chainpatrol" + - Matches brand image: Logo in profile photo + - Impersonates brand asset: Claims to be official support + + **Result:** Automatically attributed to "ChainPatrol" brand + + + + **Detected Threat:** + - Telegram account: Claims to be CEO + - Profile photo: CEO's headshot + - Messages: Offering investment opportunities + + **Attribution:** + - Matches brand term: CEO's name + - Matches brand image: CEO's photo + - Impersonates individual brand + + **Result:** Automatically attributed to CEO's individual brand + + + +### Benefits of Accurate Attribution + + + + Organizations have clear visibility into which brands are being impersonated + + + + Understand how frequently each brand is targeted + + + + See which takedowns or mitigation actions are associated with each brand + + + + Identify patterns and emerging threats per brand + + + +## Brands and Organizations + +A single organization may be responsible for managing and protecting multiple brands. + +### Common Multi-Brand Scenarios + + + + A company safeguarding both its corporate identity and several product lines. + + **Example:** + - Main brand: "Acme Protocol" + - Product brand: "Acme Swap" + - Product brand: "Acme Wallet" + - Product brand: "Acme DAO" + + + + Protecting individual executives or other public-facing staff members. + + **Example:** + - Main brand: "Acme Protocol" + - Individual brand: "Jane Smith (CEO)" + - Individual brand: "John Doe (CTO)" + - Individual brand: "Sarah Johnson (CMO)" + + + + Maintaining distinct brands used across different markets, languages, or regions. + + **Example:** + - Main brand: "Acme Protocol" + - Regional brand: "Acme Asia" + - Regional brand: "Acme Europe" + - Regional brand: "Acme LATAM" + + + + Managing brands from acquired companies while maintaining their separate identities. + + **Example:** + - Parent brand: "Acme Holdings" + - Acquired brand: "Beta Protocol" + - Acquired brand: "Gamma Finance" + + + + +ChainPatrol keeps brand information structured and separate to ensure that each brand can be protected individually while still remaining clearly associated with the same organization. + + +### Organizational Benefits + + + + **Brand-Level Management** + + - Configure protection settings per brand + - Track metrics for each brand independently + - Assign different team members to different brands + - Customize detection rules by brand + + + + **Organization-Level Oversight** + + - See all brands in one dashboard + - Compare threat volumes across brands + - Aggregate metrics for reporting + - Maintain consistent policies across brands + + + + **Scalable Architecture** + + - Add new brands as you grow + - Reorganize brands as needed + - Merge or split brands + - Maintain historical data + + + +--- + +## Brand Protection Workflow + +```mermaid +flowchart TD + Org[Organization] --> Brand1[Brand: Company] + Org --> Brand2[Brand: Product A] + Org --> Brand3[Brand: CEO] + + Brand1 --> Terms1[Brand Terms] + Brand1 --> Images1[Brand Images] + Brand1 --> Assets1[Brand Assets] + + Brand2 --> Terms2[Brand Terms] + Brand2 --> Images2[Brand Images] + Brand2 --> Assets2[Brand Assets] + + Brand3 --> Terms3[Brand Terms] + Brand3 --> Images3[Brand Images] + Brand3 --> Assets3[Brand Assets] + + Terms1 --> Detection[Threat Detection] + Images1 --> Detection + Assets1 --> Detection + + Terms2 --> Detection + Images2 --> Detection + Assets2 --> Detection + + Terms3 --> Detection + Images3 --> Detection + Assets3 --> Detection + + Detection --> Attribution[Automatic Attribution] + Attribution --> Action[Evaluation & Action] + + style Org fill:#6622DC + style Brand1 fill:#985EFD + style Brand2 fill:#985EFD + style Brand3 fill:#985EFD + style Detection fill:#10b981 + style Attribution fill:#f59e0b + style Action fill:#ef4444 +``` + +--- + +## Key Takeaways + + + + Brands represent identities that need protection + + + + Company brands and individual brands + + + + Terms, images, and assets define each brand + + + + Threats are automatically assigned to brands + + + + One organization can protect many brands + + + + Individual control with organizational oversight + + + +--- + + + Access your organization dashboard to configure and protect your brands + diff --git a/concepts/detections.mdx b/concepts/detections.mdx new file mode 100644 index 0000000..9efc250 --- /dev/null +++ b/concepts/detections.mdx @@ -0,0 +1,459 @@ +--- +title: "Detections" +description: "How ChainPatrol automatically identifies potential security threats" +--- + +A **detection** is a potential security threat that has been automatically identified by ChainPatrol's monitoring system. When a detection source discovers suspicious content that may be impersonating your brand or attempting to defraud users, it creates a detection record for your security team to review. + +## What is a Detection? + +Detections represent automated findings from ChainPatrol's continuous monitoring across the internet. + +### Components of a Detection + +Each detection contains: + + + + The specific URL, social account, or content identified + + + + Which detection source discovered it + + + + Confidence level (0-1) indicating likelihood of being malicious + + + + Why it was flagged and which rules triggered + + + + Your organization being targeted + + + + When the threat was first detected + + + + Current state (reported, under review, awaiting action) + + + +## Detection Lifecycle + + + + A detection source finds content matching your monitoring keywords or patterns. + + **Example:** Google Search detects a website containing your brand name plus terms like "airdrop" or "claim tokens" + + + + The discovered asset is automatically submitted to ChainPatrol's analysis pipeline, where it: + + - Creates or retrieves the asset record + - Validates the asset hasn't already been marked as legitimate (allowed) + - Checks for duplicate detections + + + + The asset undergoes comprehensive scanning to gather intelligence: + + + + - Webpage screenshots + - HTML content + - Metadata extraction + - Text and image analysis + + + + - DNS records + - IP addresses + - Hosting information + - CDN and infrastructure + + + + - WHOIS data + - Registration date + - Registrar information + - Historical records + + + + - Social media profiles + - App store information + - Platform metadata + - Account details + + + + - Logo detection + - Similarity matching + - Brand element identification + - Visual fingerprinting + + + + - Smart contract analysis + - Token information + - Transaction patterns + - Wallet connections + + + + + + The system executes dozens of detection rules against the enriched asset data. + + **Each rule evaluates specific threat indicators:** + + + + Newly registered domains (< 30 days old) + + + + Logo or design mimicking your brand + + + + URLs or names that closely match yours + + + + Known malicious infrastructure or patterns + + + + Wallet drainer code, phishing forms + + + + + + Based on rule results, the system calculates a **threat score** (0-1) representing confidence that the asset is malicious. + + **Score Calculation:** + + + + Rules are grouped by category: + - Visual Similarity + - Threat Intelligence + - Domain Age + - Text Matching + - Behavioral Analysis + + + + Each rule has a confidence level: + - Very Low + - Low + - Medium + - High + - Very High + + + + - Weighted scores combined across all triggered rules + - Organization-specific adjustments applied + - Brand impersonation factors considered + + + + + + A detection record is created in the database with all gathered intelligence + + + + If your organization has auto-reporting enabled and the detection score exceeds your **medium threshold**, the system can automatically: + + - Create a report with the detected asset + - Mark the asset as blocked + - Submit takedown requests (if configured) + - Send notifications to your team + + + **Auto-Reporting Requirements:** + - Score must meet or exceed your medium threshold (typically 0.6-0.7) + - Detection source must be enabled + - Asset must not already be blocked + - Asset must not have been previously rejected multiple times + + + + +## Confidence Levels + +Detections are categorized into confidence levels based on your organization's thresholds: + + + + **Score:** 0 to Low Threshold (typically < 0.4) + + **Description:** + Low confidence detections. May be false positives or tangentially related to your brand. + + **Use case:** + Useful for monitoring trends but rarely require action. + + **Example:** + - Generic mention of your brand in unrelated context + - Weak keyword matches + - Minimal similarity indicators + + + + **Score:** Low Threshold to Medium Threshold (typically 0.4 - 0.6) + + **Description:** + Some indicators suggest a potential threat, but evidence is limited. Requires manual review to confirm. + + **Common scenarios:** + - Domain contains your brand name but has legitimate business purpose + - Social media mentions your brand in neutral context + - Weak visual or textual similarity + + **Action:** Manual review recommended + + + + **Score:** Medium Threshold to High Threshold (typically 0.6 - 0.8) + + **Description:** + Strong indicators of malicious intent. Multiple detection rules triggered with reasonable confidence. + + **Common scenarios:** + - New domain with brand name and suspicious keywords + - Social media account impersonating your brand with stolen logo + - Token contract with similar name on blockchain + + **Action:** Often eligible for auto-reporting if enabled + + + This is the typical threshold for automatic reporting and blocking. + + + + + **Score:** High Threshold and above (typically > 0.8) + + **Description:** + Very strong evidence of malicious activity. Multiple high-confidence rules triggered. + + **Common scenarios:** + - Perfect visual replica of your website + - Domain nearly identical to yours (typosquatting) + - Known phishing infrastructure + - Contains wallet drainer code + + **Action:** Typically auto-reported immediately and prioritized for takedown + + + High confidence detections require immediate attention and rapid response. + + + + +## Understanding Detection Groups + +Detections can be grouped together using a **Group ID** to represent related threats discovered from a single source. + +### Relationship Extraction + +When analyzing an asset, the system may discover additional related threats: + + + + A phishing page that links to multiple other scam domains + + + + A URL that redirects through several malicious domains + + + + Social media posts that mention multiple scam websites + + + + +All related detections share the same group ID, making it easy to identify and report entire phishing campaigns at once. + + +### Campaign Tracking + +Group IDs help you: + + + + Recognize coordinated phishing campaigns + + + + Map relationships between threats + + + + Report entire attack networks simultaneously + + + + Analyze attacker tactics and patterns + + + +## Deduplication + +The system automatically handles duplicate detections to prevent alert fatigue: + + + + **Scenario:** + The same asset is detected multiple times by the same source for your organization. + + **Behavior:** + Only one detection record is kept. + + **Why:** + Prevents alert fatigue from repeated discoveries of the same threat. + + **Example:** + - Google Search finds `fake-metamask.com` on Monday + - Google Search finds `fake-metamask.com` again on Wednesday + - **Result:** Only the first detection is kept + + + + **Scenario:** + Multiple detection sources independently find the same threat. + + **Behavior:** + Separate detection records are created. + + **Why:** + This helps you: + - Validate threat confidence (multiple sources agree) + - Understand which sources are most effective + - Track how threats spread across platforms + + **Example:** + - Google Search finds `fake-metamask.com` + - Twitter monitoring finds `fake-metamask.com` + - **Result:** Two detection records, higher confidence + + + + **Scenario:** + Related assets in the same attack campaign. + + **Behavior:** + Linked via group IDs but maintained as separate detections. + + **Why:** + Allows you to: + - Report each asset individually + - Track takedown progress per asset + - Understand campaign scope + + **Example:** + - `fake-metamask.com` (main phishing site) + - `claim-airdrop.com` (linked from main site) + - `support-metamask.com` (redirect target) + - **Result:** Three detections with same group ID + + + +## Detection Workflow + +```mermaid +flowchart TD + Source[Detection Source] --> Discovery[Discovery] + Discovery --> Process[Asset Processing] + Process --> Scan[Scanning & Enrichment] + + Scan --> Content[Content Analysis] + Scan --> Network[Network Data] + Scan --> Domain[Domain Registration] + Scan --> Platform[Platform Data] + Scan --> Visual[Visual Analysis] + Scan --> Blockchain[Blockchain Data] + + Content --> Rules[Rule Evaluation] + Network --> Rules + Domain --> Rules + Platform --> Rules + Visual --> Rules + Blockchain --> Rules + + Rules --> Score[Threat Scoring] + Score --> Detection[Detection Created] + + Detection --> Check{Score ≥
Medium
Threshold?} + Check -->|Yes| AutoReport[Auto-Report] + Check -->|No| Manual[Manual Review Queue] + + AutoReport --> Action[Block & Takedown] + Manual --> Review[Human Review] + + style Source fill:#3b82f6 + style Discovery fill:#8b5cf6 + style Scan fill:#10b981 + style Rules fill:#f59e0b + style Score fill:#ef4444 + style Detection fill:#ec4899 + style AutoReport fill:#10b981 +``` + +## Key Takeaways + + + + Detections are automatically identified by monitoring sources + + + + Multiple data types analyzed for each detection + + + + 0-1 score indicates likelihood of being malicious + + + + Dozens of rules evaluate threat indicators + + + + Related threats linked via group IDs + + + + Prevents alert fatigue while maintaining visibility + + + + High-confidence threats can be automatically reported + + + + Full visibility from discovery to resolution + + + +--- + + + Access your dashboard to review and manage detections + diff --git a/concepts/legal-docs.mdx b/concepts/legal-docs.mdx new file mode 100644 index 0000000..ecddcc8 --- /dev/null +++ b/concepts/legal-docs.mdx @@ -0,0 +1,403 @@ +--- +title: "Legal Docs" +description: "Understanding legal documentation for takedown requests" +--- + +## What Are Legal Documents? + +**Legal documents** are official documents that prove a company's ownership rights, authorization, or identity when requesting the removal of harmful or fraudulent content. + + +Many online platforms require verified legal documentation before they will act on a takedown request, especially when dealing with impersonation, trademark misuse, or brand-related abuse. + + +### Why They're Required + +These documents help providers confirm that the takedown request is legitimate and submitted by an authorized party. + + + + Confirm the requesting party represents the organization + + + + Demonstrate legitimate ownership of brand or trademark + + + + Show authorization to request content removal + + + +## Types of Legal Documents + +ChainPatrol typically works with the following categories of legal documentation: + + + + **Proof of brand ownership** + + + Official documentation proving that an organization legally owns a brand name, logo, or trademark. + + + **When It's Required:** + - Content is impersonating a brand + - Misusing protected intellectual property + - Claiming false association with trademark + - Using brand elements without authorization + + **What It Includes:** + - Trademark registration number + - Registration date and jurisdiction + - Description of protected marks + - Visual representations (logos, wordmarks) + - Goods and services covered + + **Common Formats:** + - USPTO registration certificates (United States) + - EUIPO certificates (European Union) + - National trademark office documents + - International (Madrid Protocol) registrations + + + Providers often require this when content is impersonating a brand or misusing protected intellectual property. + + + + + **Authorization to act on behalf** + + + A document in which the brand owner declares that ChainPatrol is authorized to submit takedown requests on their behalf. + + + **Key Components:** + - Organization's legal name and details + - Statement of authorization + - Specific actions ChainPatrol is authorized to perform + - Authorized representative's signature + - Date of authorization + - Contact information + + **Typical Use Cases:** + - Social media takedowns (especially Twitter/X) + - App store removal requests + - Hosting provider complaints + - General brand protection activities + + **Example Statement:** + > "[Organization Name] hereby authorizes ChainPatrol to submit takedown requests, abuse reports, and content removal requests on our behalf for the purpose of protecting our brand and trademarks from impersonation, fraud, and unauthorized use." + + + LOAs are typically simpler and faster to obtain than Power of Attorney documents. + + + + + **Formal legal authorization** + + + A formal legal authorization allowing ChainPatrol to act for the organization in a broader or more formal capacity. + + + **Key Differences from LOA:** + - More formal legal standing + - Broader scope of authority + - Often notarized or witnessed + - Recognized across more jurisdictions + - Required for high-impact actions + + **When It's Required:** + - Domain suspensions + - TLD-level takedowns + - Registrar-level actions + - High-impact or escalated cases + - International jurisdictions + + **What It Authorizes:** + - Filing formal legal complaints + - Representing the organization in takedown proceedings + - Making binding statements on behalf of the organization + - Escalating to legal authorities if needed + + + Some providers require a POA for escalated or high-impact takedowns such as domain suspensions. + + + + +### Document Usage Across Platforms + + + + **Hosting providers and registrars** + + **Typically required:** + - Trademark registration + - LOA or POA + - Business registration documents + + **Why:** + - Verify legitimate brand ownership + - Confirm authorization to request removal + - Protect against false takedown requests + + + + **Platforms like Twitter/X, Facebook, Instagram** + + **Typically required:** + - LOA (especially for Twitter/X) + - Trademark registration (for verified impersonation) + - Government-issued ID (for individual impersonation) + + **Why:** + - Prevent abuse of reporting systems + - Verify authorized representative + - Confirm legitimate brand protection claim + + + + **Google Play, Apple App Store** + + **Typically required:** + - Trademark registration + - LOA or POA + - Proof of brand ownership + + **Why:** + - Verify app is infringing on legitimate trademark + - Confirm authorization to request removal + - Protect against competitive abuse + + + + **Top-level domain registries** + + **Typically required:** + - POA (formal authorization) + - Trademark registration + - Detailed evidence of abuse + + **Why:** + - High-impact action (entire domain suspension) + - Legal liability considerations + - Requires formal legal standing + + + +## What Legal Documents Are Used For + +Legal documents are attached to takedown submissions so platforms can verify that: + + + + The requesting party truly represents the organization + + + + The brand or trademark is legitimately owned + + + + ChainPatrol has the authority to request removal of the content + + + + The takedown request complies with the provider's legal requirements + + + + +Without these documents, many providers may refuse or delay action on a takedown request. + + +## How Legal Documents Are Stored + +All legal documentation provided to ChainPatrol is handled with strong security controls. + + + + **Protected environment** + + Legal documents are stored in a **secure storage bucket**, designed specifically to protect sensitive files. + + **Security measures:** + + + + Only authorized systems and personnel + + + + Data encrypted at rest and in transit + + + + Separated from general application data + + + + All access attempts are logged + + + + Complete history of document usage + + + + Meets industry security standards + + + + + + **Restricted to authorized personnel** + + Only authorized ChainPatrol systems and personnel can access these documents. + + **Who has access:** + - Takedown specialists (when processing requests) + - Legal team members (for review and verification) + - Authorized support staff (for customer assistance) + - Automated systems (for document attachment during submission) + + **Access controls:** + - Role-based permissions + - Multi-factor authentication required + - Access logged and monitored + - Regular access reviews + + + Documents are used solely for the purpose of supporting takedown submissions. + + + + + **Applied only when needed** + + Legal documents are **not directly part of the takedown object**—they are applied only during the submission process when a provider requires them. + + **How it works:** + + + + Takedown request is created for a malicious asset + + + + System determines which provider to contact + + + + System checks if provider requires legal documentation + + + + If required, appropriate documents are automatically attached + + + + Complete takedown request with documentation is submitted + + + + + This approach minimizes unnecessary exposure of sensitive documents while ensuring they're available when needed. + + + + +## Document Management Best Practices + + + + **Regular updates are important** + + - Update POA/LOA documents annually + - Refresh after organizational changes + - Update contact information promptly + - Renew before expiration dates + + + Expired or outdated documents can delay takedown processing. + + + + + **Different providers have different requirements** + + Keep documents in multiple formats: + - PDF (most common) + - Scanned originals + - Notarized copies (for POA) + - Translated versions (for international takedowns) + + + + **Ensure proper authorization** + + - Have legal team review documents + - Ensure authorized signatories + - Verify scope of authorization + - Confirm compliance with company policies + + + + **Monitor effectiveness** + + - Track which providers accept which documents + - Note any rejection reasons + - Update documents based on feedback + - Maintain records of successful takedowns + + + +--- + +## Key Takeaways + + + + Legal docs prove ownership and authorization + + + + Trademark registration, LOA, and POA + + + + Different platforms require different documents + + + + Protected with encryption and access controls + + + + Only authorized personnel can access + + + + Applied only during submission process + + + + Keep documents current and valid + + + + Required for most takedown requests + + + +--- + + + Access your organization settings to upload and manage legal documentation + diff --git a/concepts/metrics.mdx b/concepts/metrics.mdx new file mode 100644 index 0000000..eaf93fb --- /dev/null +++ b/concepts/metrics.mdx @@ -0,0 +1,471 @@ +--- +title: "Metrics" +description: "Understanding how ChainPatrol measures and reports threat protection" +--- + +## Definition + + +**Metrics** are the high-level numbers and charts ChainPatrol shows to summarize how many threats we're seeing, how many we've blocked or taken down, and how quickly we're responding over a chosen time period. + + +They are built by aggregating your organization's activity (reports, detections, blocked assets, takedowns) into simple, readable summaries. + +### Why It Matters + + + Metrics help you answer **"Are we protected?"** by showing threat volume, coverage, and response quality to your internal stakeholders and, when enabled, to external audiences via your Security Portal. + + +## Key Characteristics + + + + **Tied to your organization** + + Metrics are always calculated for a specific **organization**, and reflect only that organization's reports, threats, and takedown activity. + + **What this means:** + - You only see your organization's data + - No cross-organization visibility + - Customized to your brands and assets + - Reflects your specific threat landscape + + + + **Summary over a period** + + Every metrics view uses a time window (e.g., "last 30 days" or a custom range chosen via the date filter). + + **Common time periods:** + - Last 7 days + - Last 30 days + - Last 90 days + - Custom date range + + + The same metric (e.g., "New Threats") may look very different depending on the period you select. + + + + + **Segmented by multiple dimensions** + + Many metrics can be filtered by **brand** and broken down by: + + + + - Domains + - Twitter/X + - Telegram + - Other platforms + + + + - Brand impersonation + - Employee impersonation + - General phishing + - Specific attack types + + + + + + **What they contain** + + + + - Reports received + - New threats blocked + - Threats on watchlist + - Takedowns filed + - Takedowns completed + + + + - Threats by asset type + - Threats per brand + - Detections by source + - Category distributions + + + + - Threats blocked per day + - Takedowns completed per day + - Median time to takedown + - Trend analysis + + + + + +## What Lives Inside Metrics + +### Core Volume Metrics + + + + How many submissions your organization received from users, partners, and integrations + + + + How many assets were blocked as threats (domains, social profiles, Telegram channels, etc.) + + + + Threats you're actively watching (takedowns not appropriate or on hold) + + + + How many takedown requests your organization has initiated + + + + How many takedown requests have been successfully resolved + + + +### Threat Breakdowns + + + + **Platform-specific threat counts** + + + + Blocked malicious domains and URLs + + **Includes:** + - Phishing websites + - Fake landing pages + - Impersonation sites + - Malicious web applications + + + + Blocked threats on Twitter/X + + **Includes:** + - Impersonation accounts + - Scam posts + - Fake support accounts + - Fraudulent giveaways + + + + Blocked threats on Telegram + + **Includes:** + - Fake support channels + - Scam groups + - Impersonation accounts + - Phishing bots + + + + Blocked threats on all other supported surfaces + + **Includes:** + - App stores + - Other social networks (Discord, Reddit, etc.) + - Developer platforms (GitHub, npm) + - Email addresses + - Blockchain addresses + + + + + + **Brand-specific targeting** + + Threats blocked per brand inside your organization, showing which brands are targeted more heavily. + + **Use cases:** + - Identify most-targeted brands + - Allocate protection resources + - Track brand-specific campaigns + - Compare threat levels across portfolio + + **Example visualization:** + ``` + Brand A: 150 threats (45%) + Brand B: 100 threats (30%) + Brand C: 85 threats (25%) + ``` + + + +### Time-Series and Speed Metrics + + + + **Daily threat volume over time** + + Shows how many assets were blocked on each day in the selected range. + + **Insights:** + - Identify threat spikes + - Track seasonal patterns + - Measure detection effectiveness + - Spot coordinated campaigns + + **Visualization:** Line chart showing daily counts + + + + **Daily takedown completion rate** + + Shows how many takedowns reached "completed" status on each day. + + **Insights:** + - Track takedown velocity + - Measure provider responsiveness + - Identify bottlenecks + - Monitor team efficiency + + **Visualization:** Bar chart showing daily completions + + + + **Speed of threat removal** + + Calculated from when a takedown request is created to when it is first marked completed. + + **Available breakdowns:** + - Overall median + - By asset type (domains, social media, etc.) + - By threat category (brand vs. employee impersonation) + + **Example:** + - Overall: 36 hours + - Domains: 48 hours + - Social media: 24 hours + - Telegram: 18 hours + + + Lower median times indicate faster threat removal and better provider relationships. + + + + +## How Metrics Relate to Other Concepts + + + + **From scans to metrics** + + When asset scans and reviews lead to an asset being **blocked**, that asset contributes to metrics such as: + - **New Threats** + - **Threats by asset type** + - **Threats blocked per day** + + Ongoing scans and liveness updates ensure that metrics reflect the current state of your threat surface (e.g., how many blocked assets are still alive). + + + + **Detection to metric pipeline** + + Every detection or blocked asset rolls up into counts like: + - **New threats** + - **Detections by type** + - **Domains blocked** + + Metrics summarize how much malicious activity is being found and neutralized for your organization over time. + + + + **From reports to action** + + - **Reports** raised by your team or users drive the **Reports** metric + - Review outcomes (e.g., approving a threat as real and blocking it) flow into threat and takedown metrics + - Shows how well your review process is keeping up with incoming threats + + + + **Takedown effectiveness** + + Takedown records power: + - **Takedowns Filed** and **Takedowns Completed** + - **Median time to takedown** per asset type and category + + These metrics show how quickly threats are being removed once identified. + + + + **Service impact on visibility** + + - Metrics can be filtered by **brand** to show which brands are most targeted + - Enabling services like **detection**, **reviewing**, **takedowns**, and **wallet blocking** typically increases visibility in metrics (more threats found, blocked, and removed) rather than reducing numbers to zero + + + Higher threat counts don't mean you're less secure—they mean you're detecting more threats that were always there. + + + + +## Examples + + + + **Scenario:** Executive reporting + + + + You select "Last 90 days" on the Metrics page + + + + The dashboard shows: + - Reports received: 245 + - New threats blocked: 187 + - Takedowns filed: 142 + - Takedowns completed: 128 + - Plus charts of threats blocked per day + + + + You share these numbers with leadership to summarize how much malicious activity was detected and what action was taken + + + + **Key insights:** + - 76% of reports resulted in blocked threats + - 90% of takedowns were completed + - Average of 2 threats blocked per day + - Clear demonstration of protection value + + + + **Scenario:** Threat landscape analysis + + + + You compare threat counts for the last month: + - **Domain Threats**: 45 (down from 60 last month) + - **Twitter Threats**: 30 (stable) + - **Telegram Threats**: 55 (up from 35 last month) + - **Other Threats**: 20 (stable) + + + + You see that domain threats have decreased while Telegram threats have increased + + + + You adjust your monitoring and communication plans: + - Increase Telegram monitoring frequency + - Alert community about Telegram scams + - Investigate why attackers shifted platforms + + + + **Key insights:** + - Attackers are shifting to Telegram + - Domain blocking is working (deterrent effect) + - Need to enhance Telegram-specific defenses + - Community education opportunity + + + + **Scenario:** Provider performance review + + **Median time to takedown by asset type:** + - Domains: 48 hours + - Twitter: 24 hours + - Telegram: 18 hours + - App stores: 72 hours + + **Insights:** + - Social platforms respond faster than hosting providers + - App stores have longest response times + - Telegram is most responsive + + **Actions:** + - Focus on improving domain takedown speed + - Investigate app store delays + - Document Telegram best practices + - Consider alternative providers for slow responders + + + +## Metrics Dashboard Layout + +```mermaid +graph TD + Dashboard[Metrics Dashboard] --> Filters[Time & Brand Filters] + Dashboard --> Volume[Volume Metrics] + Dashboard --> Breakdown[Threat Breakdowns] + Dashboard --> Timeline[Time-Series Charts] + Dashboard --> Speed[Speed Metrics] + + Volume --> Reports[Reports] + Volume --> NewThreats[New Threats] + Volume --> Watchlist[Watchlisted] + Volume --> Filed[Takedowns Filed] + Volume --> Completed[Takedowns Completed] + + Breakdown --> AssetType[By Asset Type] + Breakdown --> Brand[By Brand] + Breakdown --> Category[By Category] + + Timeline --> BlockedPerDay[Threats Blocked/Day] + Timeline --> CompletedPerDay[Takedowns Completed/Day] + + Speed --> MedianTime[Median Time to Takedown] + Speed --> ByType[By Asset Type] + Speed --> ByCategory[By Threat Category] + + style Dashboard fill:#6622DC + style Volume fill:#3b82f6 + style Breakdown fill:#8b5cf6 + style Timeline fill:#10b981 + style Speed fill:#f59e0b +``` + +--- + +## Key Takeaways + + + + Metrics aggregate activity into readable summaries + + + + Always calculated for your specific organization + + + + Every view uses a specific time window + + + + Break down by brand, asset type, and category + + + + Reports, threats, watchlist, and takedowns + + + + By asset type, brand, and category + + + + Median time to takedown and daily trends + + + + Identify trends and adjust protection strategies + + + +--- + + + Access your dashboard to explore metrics and analyze your threat landscape + diff --git a/concepts/organizations.mdx b/concepts/organizations.mdx new file mode 100644 index 0000000..242c873 --- /dev/null +++ b/concepts/organizations.mdx @@ -0,0 +1,350 @@ +--- +title: "Organizations" +description: "Understanding your workspace in ChainPatrol" +--- + +## Your Workspace in ChainPatrol + +Everything you see and do in ChainPatrol happens inside an **Organization**. Think of it as your team's dedicated workspace where you manage your brands, track your assets, and measure how ChainPatrol is protecting you from threats. + + +An organization is the top-level container for all your security operations, team members, and protected assets in ChainPatrol. + + +## How ChainPatrol Manages Security for You + +ChainPatrol is a **fully managed security product**. This means our team handles the heavy lifting: + + + + Continuous scanning across platforms + + + + Expert analysis of potential threats + + + + Detailed evaluation of threat patterns + + + + Professional requests to providers and platforms + + + + +You don't need to become a security expert or dedicate staff to monitor threats around the clock. We do that work for you. + + +### Your Level of Involvement + +That said, you're not locked out of the process. If you want your team to be more hands-on, you can: + + + + **Invite Members** + + Invite team members into your organization's dashboard with customized permissions and roles. + + + + **Report Threats** + + Your team can report threats they discover through the dashboard or integrations. + + + + **Approve or Decline** + + Review and approve specific takedowns or blocklist decisions before they take effect. + + + + **Connect Tools** + + Integrate Slack, Telegram, SSO, and other tools to fit ChainPatrol into your existing workflows. + + + + +You decide how involved you want to be—from fully hands-off to deeply integrated with your team's operations. + + +## Brands and Assets + +Every organization has one or more **brands** that ChainPatrol protects. + +### What is a Brand? + + + + A brand could be: + - Your company name + - A product line + - Your executives or key personnel + - A key identity that attackers might try to impersonate + + + + We use brands to detect **brand impersonation** attacks: + - Lookalike domains + - Fake social profiles + - Scam campaigns borrowing your brand's name + - Imagery or messaging designed to trick people + + + +### What are Assets? + +In addition to brands, your organization also has **assets**—the digital properties that actually belong to you: + + + + Domains and web applications + + + + Twitter, Discord, Telegram, etc. + + + + App store and extension marketplace listings + + + + Blockchain addresses and contracts + + + + Official company and team emails + + + + GitHub repos, forums, documentation sites + + + + +We track your official assets so we can spot copycats and **general phishing** pages that mimic your legitimate sites or channels. When we find something suspiciously similar to your assets but not actually yours, it gets flagged for review. + + +## Services You Can Enable + +Each organization can turn individual services on or off depending on what you need. These services control which ChainPatrol features are active for your organization: + + + + Enables ChainPatrol's automated scanning across the web, social platforms, app stores, and other sources. When this is turned on, we continuously look for new threats targeting your brands. + + **Status:** Foundation service—required for all other services + + + + Activates the systems that collect and organize reports and detections into a single view. This powers your dashboards and ensures you have up-to-date visibility into what's happening. + + **Status:** Recommended for all organizations + + + + Turns on ChainPatrol's review workflows, where our team validates suspicious assets and decides whether they should be blocked, allowed, watchlisted, or escalated. + + **Status:** Recommended for accuracy and quality control + + + + Adds a final approval step for specific types of assets. When enabled, you choose which asset categories (like domains, social media, or messaging platforms) require explicit confirmation from an admin in your organization before ChainPatrol's blocklist decisions take effect. + + **Configuration:** If you don't select any specific types, all asset types will require approval. + + **Status:** Optional—for organizations requiring internal oversight + + + + Allows approved crypto-related threats to be added to ChainPatrol's global blocklist, which is consumed by partner wallets like Coinbase Wallet and MetaMask to protect their users from known malicious addresses. + + **Status:** Essential for Web3 organizations + + + + Enables ChainPatrol to file takedown requests with hosting providers, registrars, and platforms on your behalf. When this service is on, we don't just block threats—we work to get them removed from the internet entirely. + + **Requirements:** Legal documentation (trademark proof, authorized representative details) + + **Status:** Recommended for comprehensive protection + + + + Speeds up the takedown process for clear-cut cases. Once you've provided the required legal documents (like a Power of Attorney) and your main website URL, ChainPatrol can automatically submit takedown requests for approved threats without waiting for manual back-and-forth on every case. + + **Requirements:** + - Power of Attorney document + - Main website URL + - All other services enabled + + **Status:** Advanced—for high-volume threat environments + + + + +Learn more about configuring these services in our [Services Setup guide](/protect-your-brand/services-setup). + + +## Members, Roles, and Permissions + +You control who can access your organization and what they're allowed to do. + +### How It Works + + + + Invite team members into your organization's dashboard + + + + Assign them roles that determine their access level + + + + Configure specific permissions for what they can do + + + + Retain ultimate control over approvals and sensitive actions + + + +### What Permissions Control + + + + Ability to report and submit threats + + + + Approve or reject blocklist changes + + + + Modify organization settings and configuration + + + + View confidential data and reports + + + + Enable or disable organization services + + + + Invite, remove, or modify team members + + + + +This permission system ensures that potentially destructive actions—like turning on Wallet Blocking or Automated Takedowns—only happen with your organization's explicit permission. + + +### Division of Responsibility + +```mermaid +flowchart LR + ChainPatrol[ChainPatrol Team] -->|Handles| Operations[Day-to-Day Operations] + ChainPatrol -->|Manages| Scanning[Threat Scanning] + ChainPatrol -->|Performs| Review[Expert Review] + ChainPatrol -->|Executes| Takedowns[Takedown Filing] + + Organization[Your Organization] -->|Controls| Approvals[Final Approvals] + Organization -->|Manages| Access[Team Access] + Organization -->|Configures| Services[Service Settings] + Organization -->|Decides| Involvement[Level of Involvement] + + style ChainPatrol fill:#6622DC + style Organization fill:#985EFD +``` + + +ChainPatrol's staff handle the day-to-day security operations, but you retain ultimate control over approvals, visibility, and how the platform integrates with your team. + + +## Organization Structure + +### Typical Organization Hierarchy + + + + **Simple Structure** + + Most organizations have a single brand: + - One company identity + - All assets under one brand + - Straightforward management + + **Example:** A startup protecting their main product + + + + **Complex Structure** + + Some organizations manage multiple brands: + - Parent company + subsidiaries + - Multiple product lines + - Acquired companies + - Regional brands + + **Example:** A holding company protecting multiple portfolio companies + + + + **Advanced Structure** + + Large enterprises may have: + - Multiple brands + - Hundreds or thousands of assets + - Complex approval workflows + - Multiple teams with different permissions + + **Example:** A Fortune 500 company with global operations + + + +--- + +## Key Takeaways + + + + Everything happens within your organization + + + + ChainPatrol handles day-to-day operations + + + + Choose your level of hands-on participation + + + + Enable only what you need + + + + Control who can do what + + + + Final say on all critical decisions + + + +--- + + + Access your organization dashboard to configure services and invite team members + diff --git a/concepts/reports.mdx b/concepts/reports.mdx new file mode 100644 index 0000000..bcf56bc --- /dev/null +++ b/concepts/reports.mdx @@ -0,0 +1,393 @@ +--- +title: "Reports" +description: "How suspicious or safe activity gets submitted to ChainPatrol for review" +--- + +## What is a Report? + +A **Report** is how suspicious or safe activity gets submitted to ChainPatrol for review. Each report bundles together one or more assets, like websites, social profiles, or crypto addresses, along with the evidence needed to evaluate them. + + +When you create a report, you're proposing that specific assets should either be **blocked** (because they're malicious) or **allowed** (because they're safe). + + +### What a Report Contains + + + + One or more URLs, profiles, or addresses + + + + Title and description explaining the threat + + + + Screenshots and supporting materials + + + +## When Reports Get Created + +Reports flow into ChainPatrol from multiple sources: + + + + **Your team or ChainPatrol staff** can create reports directly in the dashboard whenever they spot something suspicious. + + **Who can create:** + - Organization members + - ChainPatrol staff + - Security team members + + **When to use:** + - Discovered threats + - Community-reported issues + - Proactive monitoring + + + + **From your community** when your organization has a public Security Portal enabled, anyone can submit a report. + + **How it works:** + - Public submission form + - Automatically flagged as customer report + - No login required + + **Benefits:** + - Community-powered detection + - Early threat discovery + - User engagement + + + + **Through the API** if you have integrations or partners that need to submit threats programmatically. + + **Use cases:** + - Automated monitoring tools + - Partner integrations + - Custom workflows + - Bulk submissions + + + See our [API documentation](/external-api/report-create) for integration details. + + + + + **From automated detection** where ChainPatrol's systems continuously scan the web, social platforms, and other sources for threats. + + **How it works:** + - Continuous monitoring + - Automatic report creation + - Pre-analyzed evidence + - Instant submission + + **Coverage:** + - 50+ platforms monitored + - 24/7 scanning + - Real-time detection + + + +## How Reports Get Reviewed + +Every report that comes into your organization is reviewed by ChainPatrol's team. + + + + Reviewers examine the evidence, screenshots, and context provided + + + + Run automated security scans and analysis on the reported assets + + + + Decide whether each asset should be: + - **Blocked** - Confirmed malicious + - **Allowed** - Confirmed legitimate + - **Watchlisted** - Monitored for changes + - **Escalated** - Requires additional investigation + + + + Apply the decision and update asset status + + + +### Automatic Review + +In some cases, the review happens automatically: + + + + When our systems have extremely high confidence that an asset is malicious. + + **Examples:** + - Known wallet drainer script detected + - Exact copy of known phishing site + - Matches multiple high-confidence rules + + **Result:** Approved immediately without manual validation + + + + When the report comes from someone we've marked as a trusted reporter. + + **Who qualifies:** + - Verified security researchers + - Trusted partner organizations + - ChainPatrol staff + + **Result:** Fast-tracked for approval + + + +### Organization Admin Approval + + +If you've enabled **Obligatory Organization Admin Approval** for certain types of assets, there's an extra step. + + +Even after ChainPatrol's team approves a report, the changes won't be applied to your blocklist until someone from your organization with admin permissions confirms them. + + + + Our team reviews and approves the report + + + + Report waits for organization admin confirmation + + + + Your admin reviews and approves or rejects + + + + Asset status is updated based on final decision + + + +## Report Status + +Reports move through three stages as they're processed: + + + + The report is waiting in the queue for review + + + + ChainPatrol staff or automated systems are actively reviewing it + + + + The review is complete and decisions have been made on all assets + + + +### Status Transitions + +```mermaid +flowchart LR + TODO[TODO] -->|Review Started| IN_PROGRESS[IN_PROGRESS] + IN_PROGRESS -->|Review Complete| CLOSED[CLOSED] + + style TODO fill:#f59e0b + style IN_PROGRESS fill:#3b82f6 + style CLOSED fill:#10b981 +``` + +## Finding Your Reports + +The **Reports page** in your dashboard shows all the reports for your organization, whether they're pending review, currently being worked on, or already closed. + +### Filtering and Search + + + + Find reports by who created them + + + + Filter by submission date + + + + Search for specific assets + + + + View TODO, IN_PROGRESS, or CLOSED reports + + + + +This makes it easy to track the status of something you reported or follow up on threats that were flagged by your community. + + +## How to Submit a Report + +Creating a report in ChainPatrol is straightforward: + + + + Start by clicking **Create Report** from the dashboard + + + + Paste in the assets you want to report, one per line: + - URLs (e.g., `https://fake-metamask.com`) + - Social media profiles (e.g., `@fake_support`) + - Blockchain addresses (e.g., `0x123...`) + - Any other asset type ChainPatrol monitors + + + The system automatically figures out what kind of asset each one is, so you don't need to categorize them yourself. + + + + + Provide information to help reviewers: + + **Title:** + - Summarize what you're reporting + - Be clear and concise + - Example: "Fake MetaMask wallet drainer site" + + **Description:** + - Explain why these assets are suspicious + - Include any relevant details + - Describe how you found them + - Note any user reports or complaints + + + + If you have screenshots or other visual evidence, upload them: + - Screenshots of malicious content + - User reports or messages + - Social media posts + - Any supporting documentation + + + Visual evidence helps reviewers quickly understand what's going on and speeds up the review process. + + + + + Hit **Submit** and your report goes into the review queue + + + +### What Happens Next + + + + **Right After Submission:** + - Report enters TODO status + - You receive confirmation + - Report appears in your dashboard + - ChainPatrol team is notified + + + + **During Review:** + - Status changes to IN_PROGRESS + - Assets are scanned and analyzed + - Evidence is evaluated + - Decisions are made + + + + **After Review:** + - Status changes to CLOSED + - Asset statuses are updated + - You're notified of the outcome + - Actions are taken (blocking, allowing, etc.) + + + +## Report Best Practices + + + + The more context you provide, the faster and more accurate the review will be. + + **Include:** + - How you discovered the threat + - Why you believe it's malicious + - Any user reports or complaints + - Timeline of when it appeared + + + + Screenshots are extremely valuable for reviewers. + + **Capture:** + - The full page or profile + - Specific malicious elements + - User-facing content + - Before it gets taken down + + + + The sooner you report a threat, the sooner it can be blocked. + + **Why it matters:** + - Faster protection for users + - Less time for scammers to operate + - Better chance of successful takedown + + + + If multiple assets are part of the same campaign, report them together. + + **Benefits:** + - Reviewers see the full picture + - More efficient review process + - Better threat intelligence + - Coordinated response + + + +--- + +## Key Takeaways + + + + Reports can contain multiple related assets + + + + Created manually, via API, or automatically + + + + ChainPatrol team reviews every report + + + + TODO, IN_PROGRESS, CLOSED + + + + Simple process with automatic asset detection + + + + More evidence = faster, better review + + + +--- + + + Access your dashboard to create and track reports + diff --git a/concepts/reviews.mdx b/concepts/reviews.mdx new file mode 100644 index 0000000..e6ddec0 --- /dev/null +++ b/concepts/reviews.mdx @@ -0,0 +1,520 @@ +--- +title: "Reviews" +description: "How ChainPatrol evaluates and makes decisions on reported threats" +--- + +## What is a Review? + +A **review** is a decision made on a **proposal** to either block or allow a reported asset. When someone reports a potentially malicious website, social media account, or other digital asset, ChainPatrol creates a proposal that requires review before taking action. + + +Think of a review as the approval or rejection of a recommendation to block a threat. + + +### Components of a Review + +Each review consists of: + + + + Approve, reject, skip, or escalate + + + + Type of threat (e.g., phishing, brand impersonation) + + + + Optional reasoning explanation + + + + Who made the decision + + + + When the review was made + + + +## Who Can Review? + +Several types of users can make reviews: + + + + **Our security analysts** who review reports for all customers + + **Capabilities:** + - Review all reports + - Create, read, and delete reviews + - Apply expert threat analysis + - Handle complex cases + + + + **Verified security researchers and partners** who have demonstrated expertise in threat identification + + **Capabilities:** + - Submit high-confidence reports + - Auto-approval for trusted submissions + - Create and read reviews + - Fast-track threat blocking + + + + **Admins and owners** of customer organizations who can review reports for their own brand + + **Capabilities:** + - Review reports for their organization + - Approve or reject proposals + - Final say on blocklist decisions + - Override escalations + + + + **Our automation system** that can auto-approve certain high-confidence threats + + **Capabilities:** + - Instant review of clear threats + - Threat score calculation + - Pattern recognition + - 24/7 operation + + + +## Review Actions + +There are four types of review decisions: + + + + **What it means:** + + Confirms that the reported asset is malicious and should be blocked. + + **What happens:** + - Asset is added to ChainPatrol's blocklist + - Distributed to integrated platforms + - Takedown process initiated (if enabled) + - Organization is notified + + **When to use:** + - Clear evidence of malicious activity + - High confidence in threat assessment + - Asset matches known attack patterns + + + + **What it means:** + + Indicates the reported asset is legitimate and should not be blocked. + + **Common reasons:** + - The asset is actually official (false positive) + - The threat has already been removed + - Insufficient evidence of malicious activity + - Misidentification or misunderstanding + + **What happens:** + - Proposal is closed + - Asset remains unblocked + - Reporter may be notified + + + + **What it means:** + + Reviewer cannot make a definitive decision yet. This keeps the proposal in a pending state for another reviewer to examine. + + **Common reasons:** + - Insufficient evidence to confirm or deny the threat + - Need for additional context or investigation + - Waiting for asset to load or become accessible + - Requires more specialized expertise + + **What happens:** + - Proposal remains in queue + - Another reviewer will examine it + - May be escalated if skipped multiple times + + + + **What it means:** + + Passes the review decision to another party for final judgment. + + **Escalation Types:** + + + + Requests the brand owner to review and decide + + **When used:** + - Staff reviewers are uncertain + - Asset type requires customer approval + - Content is ambiguous + + **What happens:** + - Customer team receives notifications (Slack/Discord) + - Proposal stays pending until customer decides + + + + Passes to senior ChainPatrol analysts + + **When used:** + - Customer administrators are uncertain + - Complex cases require expert review + - Multiple conflicting signals + + **What happens:** + - Routes to senior security analysts + - In-depth analysis performed + - Final decision made by experts + + + + + +## Automated Review + +The ChainPatrol automation system automatically reviews proposals under specific conditions: + +### Auto-Approval Criteria + +A proposal is **automatically approved** when: + + + + Reports from trusted reporters are auto-approved if they don't trigger legitimacy warnings + + + + Reports with a threat score of **1.0 or higher** are auto-approved if: + - No legitimacy checks indicate the asset is legitimate + - The organization doesn't require customer approval + - There's no active dispute on the report + + + +### Auto-Skip Criteria + +A proposal is **automatically skipped** (sent for manual review) when: + + + + High-confidence rules indicate the asset appears legitimate + + + + The threat score is below 1.0 + + + + Organization settings require manual approval from their team + + + + Someone has disputed the report + + + + Too many auto-approvals in a short time period + + + +### Threat Scoring + + +The automation system calculates a threat score by analyzing multiple factors. + + +**Scoring Components:** + + + + **Signals analyzed:** + - Visual similarity to known brands + - Logo matching + - Name and text similarity + - Domain typosquatting + - Profile impersonation + + **Score range:** 0.0 - 1.0+ + + + + **Indicators checked:** + - Credential harvesting forms + - Suspicious URL patterns + - Malicious links + - Social engineering tactics + - Wallet connection scams + + **Score range:** 0.0 - 1.0+ + + + + **How it works:** + + The system takes the **maximum score** from each category and adds them together. + + **Example:** + - Brand impersonation: 0.6 + - General phishing: 0.8 + - **Total score: 1.4** ✅ Auto-approved + + + This ensures multiple detections don't artificially inflate the total. + + + + +## Evidence Reviewed + +When making a review decision, reviewers examine multiple types of evidence: + + + + ChainPatrol runs automated detection rules that check for: + + + + Logos, names, visual similarity + + + + Credential forms, suspicious URLs + + + + Official certificates, verified accounts, trusted hosting + + + + Fake wallet connections, transaction scams + + + + + + Screenshots and HTML snapshots showing: + + - Visual appearance of the website or profile + - Page content and text + - Forms and input fields + - External links and resources + - Network requests and behavior + + + + Information from the person who submitted the report: + + - Description of the threat + - Reporter's identity and trust level + - Attachments and supporting evidence + - Report source (form, API, integration) + - Timeline of discovery + + + + Past activity related to the asset: + + - Previous reports of the same or similar assets + - Takedown history + - Related threats from the same infrastructure + - Pattern analysis across campaigns + + + +## How to Revert a Review + +Reviewers can revert their review decisions within **5 minutes** of submission. + + +This safety window allows you to undo a mistaken approval or rejection. + + +### Revert Process + + + + Go to the report page containing your review + + + + Look for the "Need to revert the change?" section + + + + Click the revert button while the timer is still active (within 5 minutes) + + + + The review will be deleted and the proposal will return to pending status + + + + +**Superusers** can revert reviews at any time, but standard reviewers are limited to the 5-minute window. + + +## When Reviews Are Escalated + +Reviews can be escalated in two directions: + +```mermaid +flowchart TD + Review[Review Decision Needed] --> Staff{Staff
Reviewer} + Review --> Customer{Customer
Admin} + + Staff -->|Uncertain| EscCustomer[Escalate to Customer] + Staff -->|Complex| EscTeam[Escalate to Team] + Staff -->|Clear| Decision[Make Decision] + + Customer -->|Uncertain| EscTeam + Customer -->|Clear| Decision + + EscCustomer --> CustomerReview[Customer Reviews] + EscTeam --> SeniorReview[Senior Analyst Reviews] + + CustomerReview --> FinalDecision[Final Decision] + SeniorReview --> FinalDecision + Decision --> FinalDecision + + style Review fill:#f59e0b + style EscCustomer fill:#3b82f6 + style EscTeam fill:#8b5cf6 + style FinalDecision fill:#10b981 +``` + +### Resolving Escalations + + + + **Once escalated to a customer:** + - Proposal stays pending until customer admin reviews it + - Customer approval or rejection finalizes the decision + - Notifications sent via Slack/Discord + - Superusers can override if needed + + + + **Once escalated to team:** + - Routes to senior ChainPatrol analysts + - In-depth investigation performed + - Expert decision made + - Customer notified of outcome + + + +## Why Human Review vs. Automation? + +ChainPatrol uses a **hybrid approach** combining automation with human expertise: + + + + **Ideal scenarios for automation:** + + + + High threat scores with strong evidence + + + + Reports from verified security researchers + + + + Similar to previously confirmed threats + + + + Multiple detection rules agree + + + + + + **Scenarios requiring human judgment:** + + + + Asset shows signs of being official + + + + Unclear or conflicting evidence + + + + Unusual patterns that don't fit standard rules + + + + Organizations that require manual approval + + + + Someone claims the report is incorrect + + + + + + +This approach ensures we block real threats quickly while maintaining accuracy and giving brands control over their security decisions. + + +## Review Permissions + +Different user roles have different review capabilities: + +| Role | Create Reviews | Read Reviews | Delete Reviews | Special Abilities | +|------|----------------|--------------|----------------|-------------------| +| **Staff (Non-Customer)** | ✅ | ✅ | ✅ | Review all reports | +| **Trusted Reporters** | ✅ | ✅ | ❌ | Auto-approval eligible | +| **Customer Admins** | ✅ | ✅ | ❌ | Review own org only | +| **Superusers** | ✅ | ✅ | ✅ | Override escalations, bypass time limits | +| **Reporters/Standard Users** | ❌ | ✅ | ❌ | View only | + +--- + +## Key Takeaways + + + + Reviews approve, reject, skip, or escalate proposals + + + + Combines automation with human expertise + + + + Automated scoring determines auto-approval + + + + Rules, scans, context, and history inform decisions + + + + 5-minute revert window for mistakes + + + + Complex cases go to customers or senior analysts + + + +--- + + + Access your dashboard to review pending proposals + diff --git a/concepts/security-portal.mdx b/concepts/security-portal.mdx new file mode 100644 index 0000000..6409f6e --- /dev/null +++ b/concepts/security-portal.mdx @@ -0,0 +1,476 @@ +--- +title: "Security Portal" +description: "Understanding your organization's public-facing threat reporting page" +--- + +## What is the Security Portal? + +The **Security Portal** is your organization's public-facing page where people outside your team can report suspicious activity directly to ChainPatrol. + + +It's a branded landing page that shows your organization's name and gives anyone with the link an easy way to submit threats they've encountered, whether that's a phishing site, a fake social profile, or a malicious app pretending to be yours. + + +### Transparency Features + +When the Security Portal is enabled, it can also display: + + + + Show what threats have been reported and what action was taken + + + + Display high-level statistics about threats detected and addressed + + + + +This gives your community and stakeholders transparency into how actively threats are being detected and addressed for your organization. + + +## Who Uses It? + +The Security Portal is designed for **your community**: + + + + **Community-powered threat reporting** + + + + People who use your products or services and encounter suspicious content + + **What they report:** + - Phishing sites they've encountered + - Fake social media accounts + - Scam messages claiming to be from your brand + - Suspicious apps or extensions + + + + Discord moderators, Telegram admins, and active community participants + + **What they report:** + - Impersonation in community channels + - Scam posts targeting your community + - Fake support accounts + - Coordinated attack campaigns + + + + Business partners, affiliates, and ecosystem participants + + **What they report:** + - Threats affecting shared users + - Cross-brand impersonation + - Supply chain threats + - Industry-wide campaigns + + + + Independent researchers and white-hat hackers + + **What they report:** + - Newly discovered threats + - Sophisticated attack patterns + - Zero-day phishing campaigns + - Technical vulnerabilities + + + + + Instead of requiring them to have an account or go through complicated channels, they can simply visit your Security Portal and submit a report in a few clicks. + + + + + **Quick access for your team** + + You can also use it internally to give your team a quick, always-available way to report threats without logging into the full ChainPatrol dashboard. + + **Benefits:** + - No login required + - Faster submission for quick reports + - Mobile-friendly interface + - Bookmarkable URL + - Share with non-technical team members + + **Use cases:** + - Customer support spotting scams + - Marketing team finding impersonation + - Community managers reporting threats + - Executives forwarding suspicious content + + + +## Where Can You Find It? + +Your Security Portal lives at a unique URL based on your organization's slug. + + + **Example:** If your organization is `acme`, your Security Portal would be at: + + `chainpatrol.io/acme` + + +### Locating Your Portal URL + + + + Go to **Settings → Security Portal** in your dashboard + + + + Look for the "Security Portal URL" card + + + + Click the link to copy your unique URL and share it with your community + + + + +Add your Security Portal URL to your website footer, documentation, and community resources so users know where to report threats. + + +## Where Can You Configure It? + +You configure the Security Portal in **Settings → Security Portal** within your organization's dashboard. + +### Configuration Options + + + + **Controls who can access the portal** + + + + The portal isn't accessible to anyone + + + + Only members of your organization can see it + + + + Anyone with the link can access it + + + + **When to use each:** + + + + **Use when:** + - Not ready to accept community reports + - Testing other features first + - Temporarily pausing public submissions + + **Effect:** + - Portal returns 404 error + - No one can submit reports via portal + - URL is not accessible + + + + **Use when:** + - Want internal-only reporting + - Testing portal before public launch + - Limiting to team members only + + **Effect:** + - Requires ChainPatrol login + - Only organization members can access + - Good for internal testing + + + + **Use when:** + - Ready for community reporting + - Want to maximize threat detection + - Building transparent security program + + **Effect:** + - Anyone with URL can submit reports + - No authentication required + - Maximum community engagement + + + + + + **Display submitted reports publicly** + + + A toggle that determines whether non-authenticated users can view the reports submitted to your organization. + + + **When enabled:** + - People visiting your Security Portal can see what's been reported + - Shows what action has been taken on each report + - Demonstrates active threat monitoring + - Builds community trust + + **What's displayed:** + - Report title and description + - Assets reported (URLs, accounts, etc.) + - Status (pending, in progress, closed) + - Date submitted + - Action taken (blocked, allowed, etc.) + + **What's NOT displayed:** + - Internal comments + - Reviewer identities + - Sensitive investigation details + - Private organization information + + + Consider your transparency goals and privacy requirements before enabling public reports. + + + + + **Display threat statistics publicly** + + + A toggle that displays high-level threat statistics on your Security Portal. + + + **Metrics displayed:** + - Threats blocked + - Takedowns filed + - Takedowns completed + - Reports received + - Threats by asset type + - Recent activity trends + + **Benefits:** + + + + Show stakeholders you're actively monitoring + + + + Demonstrate security commitment + + + + Show impact of community reports + + + + Signal to attackers that you're protected + + + + + Public metrics demonstrate that your organization takes security seriously without exposing sensitive details. + + + + +## Why Does It Exist? + +The Security Portal serves two primary purposes: + + + + **Make it easy for your community to help protect your brand** + + ### The Problem + + When users encounter a phishing site or a fake profile impersonating you, they often want to report it but don't know how. + + **Common barriers:** + - No clear reporting channel + - Complicated submission process + - Requires account creation + - Unclear if reports are acted upon + + ### The Solution + + The Security Portal gives them a simple, trusted place to submit that information directly to ChainPatrol. + + **Benefits:** + + + + Simple form, no account required + + + + Users know exactly what to report + + + + Official, branded reporting page + + + + See that reports lead to action + + + + + + **Demonstrate active security monitoring** + + By enabling public reports and metrics, you can show: + + + + **Demonstrate security posture** + + - Board members see active threat monitoring + - Investors understand security investment + - Partners verify protection measures + - Auditors review security processes + + + + **Compliance and due diligence** + + - Show proactive threat detection + - Document response procedures + - Demonstrate user protection + - Evidence of security controls + + + + **Build community trust** + + - Users see you take security seriously + - Community understands threat landscape + - Transparency builds confidence + - Encourages more reporting + + + + + This builds trust and demonstrates that your organization takes security seriously. + + + + +## Where Do Community Reports Go? + +When someone submits a report through your Security Portal, it flows into your organization's **Reports** page in the ChainPatrol dashboard, just like any other report. + +### Report Processing Flow + + + + User submits report via Security Portal + + + + Report appears in your organization's Reports page + + + + ChainPatrol's team evaluates the evidence and runs security checks + + + + Determines whether reported assets should be blocked, allowed, or escalated + + + + If "Obligatory Organization Admin Approval" is enabled, your team confirms the action + + + + Asset status is updated and distributed to blocklist + + + + +From there, the report goes through the same review process as any other submission. + + +## Security Portal Workflow + +```mermaid +flowchart TD + User[Community Member] --> Portal[Security Portal] + Portal --> Check{Portal
Visibility?} + + Check -->|Disabled| Error404[404 Error] + Check -->|Private| Login{Logged In?} + Check -->|Public| Form[Report Form] + + Login -->|No| LoginPage[Login Required] + Login -->|Yes| Form + + Form --> Submit[Submit Report] + Submit --> Dashboard[ChainPatrol Dashboard] + + Dashboard --> Review[Review Process] + Review --> AdminCheck{Admin
Approval
Required?} + + AdminCheck -->|No| Action[Action Applied] + AdminCheck -->|Yes| AdminReview[Admin Reviews] + + AdminReview --> Action + Action --> Blocklist[Added to Blocklist] + + Portal --> Display{Public
Reports/Metrics?} + Display -->|Yes| ShowData[Display Public Data] + Display -->|No| FormOnly[Form Only] + + style Portal fill:#6622DC + style Form fill:#3b82f6 + style Review fill:#8b5cf6 + style Action fill:#10b981 + style Error404 fill:#ef4444 +``` + +--- + +## Key Takeaways + + + + Branded landing page for community threat reports + + + + No account required for public portals + + + + Disabled, Private, or Public access + + + + Show public reports and metrics + + + + Enables users to help protect your brand + + + + Reports flow through standard review workflow + + + + Demonstrates active security monitoring + + + + Based on your organization's slug + + + +--- + + + Access Settings → Security Portal to enable and customize your public reporting page + diff --git a/concepts/takedowns.mdx b/concepts/takedowns.mdx new file mode 100644 index 0000000..20b8409 --- /dev/null +++ b/concepts/takedowns.mdx @@ -0,0 +1,413 @@ +--- +title: "Takedowns" +description: "Understanding how ChainPatrol removes malicious content from the internet" +--- + +## What Is a Takedown? + +A **takedown** is a formal request asking an online platform to remove harmful, fraudulent, or unauthorized content. + + +This request is sent to the organization responsible for hosting or displaying that content, such as a hosting provider, domain registrar, social media platform, app store, or TLD registry. + + +## Why Takedowns Matter + +Takedowns are an essential tool for protecting brands and users online. They help remove content that: + + + + Impersonates legitimate organizations + + + + Misleads or scams users + + + + Abuses a brand's trademarks + + + + Spreads harmful information + + + + Distributes fraudulent or malicious applications + + + + Hosts phishing pages or fake login portals + + + +## Where Takedowns Are Sent + +Because digital threats appear across many parts of the internet, takedowns may be sent to a wide range of platforms: + + + + **Web hosting and domain infrastructure** + + + + Organizations that host website content + + **Examples:** + - AWS, Cloudflare, Vercel + - Shared hosting companies + - VPS and dedicated server providers + + **Typical response time:** 4-48 hours + + + + Companies that register and manage domain names + + **Examples:** + - GoDaddy, Namecheap, Google Domains + - Country-specific registrars + - Reseller networks + + **Typical response time:** 24-72 hours + + + + Organizations managing top-level domains (.com, .xyz, etc.) + + **Examples:** + - Verisign (.com, .net) + - Public Interest Registry (.org) + - Country-code registries + + **Typical response time:** Varies widely + + + + + + **Social platforms and communication channels** + + + + Impersonation accounts, scam posts + + + + Fake pages, scam groups + + + + Impersonation profiles, fraudulent posts + + + + Scam livestreams, fake giveaways + + + + Fake support channels, scam groups + + + + Phishing servers, impersonation bots + + + + Scam subreddits, impersonation accounts + + + + Scam videos, impersonation accounts + + + + **What gets removed:** + - Impersonation accounts + - Scam posts and messages + - Fake support channels + - Fraudulent giveaways + + + + **Mobile and browser application marketplaces** + + + + Android applications + + + + iOS applications + + + + Browser extensions + + + + Firefox extensions + + + + Windows applications + + + + **What gets removed:** + - Fake wallet applications + - Malicious browser extensions + - Impersonation apps + - Fraudulent utilities + + + + **Distributed and blockchain-based hosting** + + + **InterPlanetary File System** + + Harmful content can be stored in a distributed way across IPFS nodes. + + **Takedown targets:** + - IPFS gateway operators + - Pinning services + - Node operators hosting malicious content + + **Challenges:** + - Decentralized nature makes complete removal difficult + - Content may persist on some nodes + - Gateway blocking is most effective approach + + + + Decentralized platforms require different takedown strategies, often focusing on gateway access rather than complete content removal. + + + + +## The Purpose of Takedowns + +Regardless of the platform, the purpose of a takedown is the same: + + + **To remove dangerous or unauthorized content quickly, securely, and effectively.** + + +### Takedowns vs. Blocklisting + + + + **Complete removal from the internet** + + **Advantages:** + - Content is permanently removed + - Attackers lose their infrastructure + - Prevents future victims from accessing + - Demonstrates enforcement action + + **Disadvantages:** + - Takes time (hours to days) + - Some providers don't respond + - Attackers can quickly create new sites + - Jurisdiction and legal challenges + + **Best for:** + - Long-term threat elimination + - Persistent campaigns + - High-profile impersonation + + + + **Immediate protection at point of access** + + **Advantages:** + - Instant protection (15-30 minutes) + - Works regardless of hosting provider + - Protects even if content stays online + - Universal coverage across platforms + + **Disadvantages:** + - Content remains online + - Requires integration with security tools + - May not prevent all access methods + + **Best for:** + - Immediate threat mitigation + - Rapid response scenarios + - Protecting users before takedown completes + + + + +**ChainPatrol's approach:** "Blocklist-first, takedown-second" provides immediate protection while working toward permanent removal. + + +## Takedown Lifecycle + + + + Takedown has been created and is waiting to be processed + + + + ChainPatrol is actively working on the takedown: + - Submitting to appropriate provider + - Monitoring the request + - Following up as needed + + + + The provider removed the harmful content + + + +### Alternative Outcomes + + + + Takedown stopped (e.g., content invalid or unnecessary) + + + + Identified as false positive, marked for retraction + + + + Formal retraction request submitted to provider + + + + Provider confirmed retraction—takedown reversed + + + +## What Makes Takedowns Effective + + + + **Proper authorization and evidence** + + Effective takedowns require: + - Power of Attorney (POA) authorizing action + - Trademark registration documents + - Clear evidence of abuse or impersonation + - Authorized representative details + + + ChainPatrol handles all legal documentation and submission on your behalf. + + + + + **Established communication channels** + + We maintain relationships with 100+ providers: + - Known abuse contact information + - Established reporting procedures + - Track record of successful takedowns + - Understanding of each provider's requirements + + + + **Continuous monitoring and escalation** + + We don't just submit and forget: + - Regular status checks + - Follow-up communications + - Escalation when needed + - Alternative approaches if initial request fails + + + + **Comprehensive documentation** + + Each takedown includes: + - Screenshots of malicious content + - Technical metadata (hosting, DNS, etc.) + - Timeline of activity + - User reports and impact evidence + + + +## Takedown Workflow + +```mermaid +flowchart TD + Asset[Asset Blocked] --> Check{Takedown
Service
Enabled?} + + Check -->|No| End1[No Takedown] + Check -->|Yes| Create[Create Takedown] + + Create --> TODO[Status: TODO] + TODO --> Assign[Assign Provider] + Assign --> Submit[Submit Request] + + Submit --> InProgress[Status: IN PROGRESS] + InProgress --> Monitor[Monitor & Follow Up] + + Monitor --> Response{Provider
Response?} + + Response -->|Content Removed| Complete[Status: COMPLETED] + Response -->|Invalid Request| Cancel[Status: CANCELED] + Response -->|False Positive| Retract[Retraction Process] + Response -->|No Response| Escalate[Escalate] + + Escalate --> Monitor + Retract --> Retracted[Status: RETRACTED] + + style Create fill:#3b82f6 + style InProgress fill:#8b5cf6 + style Monitor fill:#f59e0b + style Complete fill:#10b981 + style Cancel fill:#ef4444 + style Retracted fill:#10b981 +``` + +--- + +## Key Takeaways + + + + Takedowns are official requests to remove content + + + + Sent to hosting, social media, app stores, and more + + + + Removes impersonation, scams, and trademark abuse + + + + From TODO to COMPLETED with full visibility + + + + Works alongside blocklists for comprehensive protection + + + + Requires proper authorization and evidence + + + + Established channels with 100+ providers + + + + Continuous monitoring until completion + + + +--- + + + Access your dashboard to monitor active and completed takedown requests + diff --git a/concepts/watchlist.mdx b/concepts/watchlist.mdx new file mode 100644 index 0000000..77b504d --- /dev/null +++ b/concepts/watchlist.mdx @@ -0,0 +1,393 @@ +--- +title: "Watchlist" +description: "Understanding how ChainPatrol monitors assets for future action" +--- + +## What is the Watchlist? + +The watchlist is a set of assets that we monitor to see if we can action on them further in the future. + + +Think of the watchlist as a "middle ground" between blocking and allowing—assets that need continued observation before a final decision can be made. + + +## Why Would We Need to Watchlist Something? + +Assets are added to the watchlist for two primary reasons: + + + + **When we can't make a clear determination** + + Sometimes when we process an asset to see if it's malicious, we don't find enough red flags to block the asset, but we also don't find enough green flags to allow the asset. + + ### The Gray Area + + + + - Insufficient evidence of malicious intent + - Weak or ambiguous threat indicators + - Could be legitimate but suspicious + + + + - Asset isn't clearly official or trusted + - Some concerning patterns detected + - Uncertainty about legitimacy + + + + ### What We Do + + In this situation, if we suspect that the asset may become malicious in the future, we keep tabs on the asset to see if it changes. + + **We can act and remove the asset from the watchlist when:** + + + + Asset starts showing definitive malicious behavior or content + + + + Asset is confirmed as official or safe + + + + Asset goes offline, gets suspended, or undergoes significant changes + + + + ### Common Scenarios + + + + **Scenario:** Domain is registered but shows only a parking page + + **Why watchlist:** + - Domain name is suspicious (contains brand name + "airdrop") + - No active content to analyze yet + - May become malicious when content is added + + **What we monitor:** + - When content appears + - What type of content is added + - Whether it becomes a phishing site + + + + **Scenario:** Website or profile is currently offline + + **Why watchlist:** + - URL structure suggests brand impersonation + - Can't analyze content that doesn't exist + - May come online with malicious content + + **What we monitor:** + - When it comes back online + - What content appears + - Whether it impersonates your brand + + + + **Scenario:** Asset has some concerning elements but unclear intent + + **Why watchlist:** + - Uses brand-related keywords but purpose is unclear + - Design has some similarities but not exact copy + - Could be legitimate or could be preparing for scam + + **What we monitor:** + - Content changes over time + - Addition of phishing forms or wallet drainers + - Clarification of intent + + + + + + **Tracking takedown progress** + + When we start the takedown process, we want to make sure that we keep tabs on the asset in order to determine when the takedown has been completed. + + ### Automatic Watchlisting + + + We place every asset onto the watchlist when the takedown is in progress. + + + **Why this matters:** + + + + Continuous scanning to detect when asset goes offline + + + + Automatically mark takedown as complete when asset is inaccessible + + + + No manual checking required for takedown status + + + + Immediate notification when takedown succeeds + + + + ### The Takedown Monitoring Flow + + + + Takedown request submitted to hosting provider or platform + + + + Asset automatically added to watchlist for monitoring + + + + Asset is scanned periodically to check liveness status + + + + Asset goes offline, gets suspended, or becomes inaccessible + + + + Takedown marked as complete, asset removed from watchlist + + + + ### What We Monitor + + + + - Is the asset still accessible? + - HTTP status codes (404, 403, etc.) + - DNS resolution failures + - Server responses + + + + - "Suspended by provider" messages + - Account termination notices + - Content removal confirmations + - Domain suspension indicators + + + + - Malicious content removed + - Page replaced with error message + - Redirect to different content + - Complete site removal + + + + + This allows us to monitor the asset and see if it goes offline, at which point we can take the asset off of the watchlist. + + + + +## Who Would Watchlist Something? + +Watchlisting can be done either manually or automatically: + + + + **By analysts during review** + + + When an analyst reviews a reported asset and encounters inconclusive evidence, they can manually add it to the watchlist. + + + **Decision factors:** + - Threat indicators present but not conclusive + - Asset appears suspicious but needs more time to develop + - Waiting for asset to become accessible + - Need to observe behavior over time + + **Who can do this:** + - ChainPatrol security analysts + - Customer administrators (for their organization) + - Trusted reviewers + + + + **During takedown process** + + + Every asset is automatically added to the watchlist when a takedown is initiated. + + + **Triggers:** + - Takedown request submitted + - Takedown status changes to "IN_PROGRESS" + - Asset needs monitoring for completion + + **No manual intervention required:** + - System automatically adds to watchlist + - Monitoring begins immediately + - Removal happens automatically when offline + + + +## How the Watchlist Works + +### Monitoring Frequency + +Assets on the watchlist are scanned at different frequencies based on how long they've been monitored and their current status: + + + + **More frequent monitoring for uncertain assets** + + | Time on Watchlist | Scan Frequency | + |-------------------|----------------| + | < 6 hours | Hourly | + | < 24 hours | Every 2 hours | + | < 2 days | Every 4 hours | + | < 7 days | Every 6 hours | + | < 2 weeks | Every 12 hours | + | < 1 month | Daily | + | < 2 months | Every 2 days | + | > 2 months | Every 4 days | + + + Frequent early scans catch rapid changes; frequency decreases if asset remains stable. + + + + + **Less frequent monitoring for blocked assets** + + | Time on Watchlist | Scan Frequency | + |-------------------|----------------| + | < 6 hours | Every 3 hours | + | < 24 hours | Every 6 hours | + | < 2 days | Every 12 hours | + | < 7 days | Every 18 hours | + | < 2 weeks | Every 36 hours | + | < 1 month | Every 3 days | + | < 2 months | Every 6 days | + | > 2 months | Every 12 days | + + + Blocked assets are already protected, so monitoring focuses on confirming takedown success. + + + + +### Removal from Watchlist + +Assets are automatically removed from the watchlist when: + + + + Asset confirmed as legitimate + + + + Dead asset becomes accessible (pushed to review queue) + + + + Decay factor removes long-term uncertain assets + + + + Asset goes offline during takedown + + + + Hosting provider suspends the asset + + + + Analyst decides monitoring is no longer needed + + + +## Watchlist Workflow + +```mermaid +flowchart TD + Review[Asset Review] --> Decision{Clear
Decision?} + Takedown[Takedown Initiated] --> AutoWatch[Auto-Add to Watchlist] + + Decision -->|Yes - Block| Block[Block Asset] + Decision -->|Yes - Allow| Allow[Allow Asset] + Decision -->|No - Unclear| ManualWatch[Add to Watchlist] + + ManualWatch --> Monitor[Periodic Monitoring] + AutoWatch --> Monitor + + Monitor --> Check{Status
Change?} + + Check -->|Becomes Malicious| Block + Check -->|Becomes Legitimate| Allow + Check -->|Goes Offline| Complete[Takedown Complete] + Check -->|30 Days UNKNOWN| Remove[Remove from Watchlist] + Check -->|No Change| Monitor + + Block --> RemoveWatch[Remove from Watchlist] + Allow --> RemoveWatch + Complete --> RemoveWatch + Remove --> RemoveWatch + + style Review fill:#3b82f6 + style Takedown fill:#8b5cf6 + style Monitor fill:#f59e0b + style Block fill:#ef4444 + style Allow fill:#10b981 + style Complete fill:#10b981 +``` + +--- + +## Key Takeaways + + + + Watchlist is for assets between blocking and allowing + + + + Inconclusive evidence and takedown monitoring + + + + Scan frequency adjusts based on time and status + + + + All takedown assets are automatically watchlisted + + + + Analysts can watchlist during inconclusive reviews + + + + Assets leave watchlist when status becomes clear + + + + Long-term uncertain assets are eventually removed + + + + Regular checks detect changes and completion + + + +--- + + + Access your dashboard to see assets currently on your watchlist + diff --git a/getting-started/how-it-works/asset-scans.mdx b/getting-started/how-it-works/asset-scans.mdx new file mode 100644 index 0000000..6f5afd2 --- /dev/null +++ b/getting-started/how-it-works/asset-scans.mdx @@ -0,0 +1,224 @@ +--- +title: "Asset Scans" +description: "How ChainPatrol automatically evaluates and monitors potential threats across the web" +--- + +## What is an Asset Scan + +An **asset scan** is an automated security check ChainPatrol runs on an online surface that could be used in a scam, like a website, a social profile, an app-store listing, or a crypto address. Each scan records what we observed at a specific moment in time and evaluates risk using a mix of detection rules and AI signals. + + +Asset scans solve a simple problem: the internet changes constantly, attackers iterate fast, and manual review doesn't scale. Scans let us monitor large volumes of assets, catch newly emerging threats, and track whether risky content is still live. + + +## What We Scan + +ChainPatrol supports many asset types across the digital landscape: + + + + URLs and hosted pages (including redirect chains and landing pages) + + + + Twitter/X, Telegram, YouTube, Reddit, Medium, Farcaster, and more + + + + Google Play, Apple App Store, Mozilla Add-ons, and other marketplaces + + + + Normalized contract/address identifiers (e.g., CAIP-2 style) with chain context + + + +## Asset vs. Asset Scan + +Understanding the difference is key to how our monitoring works: + + + + An **asset** is the thing itself—a URL, handle, listing, or address. + + Example: `https://fake-metamask.com` + + + + An **asset scan** is a **time-stamped snapshot** of that asset. The same asset may be scanned many times, and scans form a timeline of changes. + + Example: Scan #1 (Jan 1), Scan #2 (Jan 3), Scan #3 (Jan 5) + + + + +Multiple scans of the same asset create a historical timeline, allowing us to track changes, detect when threats go live or are taken down, and monitor asset behavior over time. + + +## When Scans Run + +Scans are triggered in three main ways: + + + + Scans run automatically in several scenarios: + + - When ChainPatrol detection sources surface something relevant + - When an asset is added (e.g., via report, onboarding, or API ingestion) + - During **watchlist monitoring**, where assets are rescanned on a schedule that adapts over time: + - More frequent early on + - Less frequent as an asset stays stable + - Blocked assets may be scanned less often to reduce noise + + + + Manual or API-triggered scans: + + - When a team member triggers a rescan from the UI + - When your systems submit assets via API + + + + For certain platform-hosted assets (e.g., specific site builders or marketplaces), ChainPatrol periodically re-checks whether a previously-blocked asset is still reachable. + + + +## How Scans Work + +Our scanning process follows a systematic approach to evaluate threats efficiently and accurately: + + + + We normalize the input (e.g., resolve canonical URLs or identifiers), create a scan record, and run a first pass of checks that don't require external enrichment. + + + + Depending on asset type, we collect relevant data: + + **Web URL / Page Enrichments:** + - HTTP fetch results (status, redirects, extracted links, basic metadata like title/description) + - Optional browser capture (screenshot/DOM signals when available) + - Network and registration context (e.g., DNS, TLS, WHOIS/RDAP when enabled) + + **Platform/API Enrichments:** + - Profile/listing details (descriptions, author/publisher fields, follower/engagement signals, etc.) + + + Some enrichments run only when earlier signals suggest elevated risk to keep scans efficient. + + + + + We evaluate the asset using rules and AI/ML signals for patterns like phishing, impersonation, and scam mechanics. This includes both content-based and visual/behavioral indicators when available. + + + + Each scan is tagged with **labels** and produces **scores** for prioritization: + + **Common Labels:** + - Captcha detected + - Parked domain + - Provider suspended + - Brand impersonation + - Wallet drainer detected + + **Liveness Status:** + - **ALIVE** - Asset is active and accessible + - **DEAD** - Asset is no longer reachable + - **UNKNOWN** - Inconclusive (not "safe") + + + + For supported web and social surfaces, scans can extract outbound links and redirects to help you trace related infrastructure and uncover threat networks. + + + +## How Scan Results Are Used + + + + Scans provide evidence (metadata, redirects, links, screenshots) so reviewers can decide to block, allow, investigate further, or initiate takedowns + + + + High-risk scans feed detection workflows and monitoring pipelines; actions vary by configuration and policy + + + + Watchlist and liveness workflows keep your monitoring set current and highlight meaningful changes over time + + + +## What You See in the Product + +Our platform provides comprehensive visibility into scan results and asset history: + + + + A complete history of scans for each asset, including: + - Liveness status changes + - Notable changes in content or behavior + - Risk score evolution + - Label additions/removals + + + + Deep dive into individual scans with: + - Evidence artifacts (screenshots, metadata) + - Applied labels and their sources + - Scoring signals and rule matches + - Enrichment data (redirects, links, network info) + + + + High-level overview showing: + - Recent activity and new threats + - Top-risk assets requiring attention + - Monitoring coverage across platforms + - Trend analysis over time + + + + Actionable insights including: + - Scan volume and frequency + - Detection speed metrics + - Number of risky assets still live + - Takedown success rates + + + +--- + +## Scan Efficiency & Scale + + + + Adaptive scan frequency based on asset risk and stability + + + + Deep analysis triggered only when risk signals warrant it + + + + Multiple assets scanned simultaneously for faster coverage + + + + Timeline-based analysis to detect behavioral changes + + + + +Our scanning infrastructure processes thousands of assets daily, providing real-time threat intelligence while maintaining accuracy and minimizing false positives. + + +--- + + + Access detailed scan results and asset timelines in your ChainPatrol dashboard + diff --git a/getting-started/how-it-works/blocklist.mdx b/getting-started/how-it-works/blocklist.mdx new file mode 100644 index 0000000..f12e76e --- /dev/null +++ b/getting-started/how-it-works/blocklist.mdx @@ -0,0 +1,357 @@ +--- +title: "Blocklist" +description: "Real-time, community-powered database of confirmed phishing sites and malicious assets" +--- + +ChainPatrol's Blocklist is a real-time, community-powered database of confirmed phishing sites, scams, and malicious assets that protects users across the web3 ecosystem. + +## What is the ChainPatrol Blocklist? + +The ChainPatrol Blocklist is a continuously updated list of **350,000+ malicious websites**, social media accounts, and blockchain addresses that have been confirmed as threats through our expert review process. When an asset is added to the blocklist, it's automatically distributed to our network of security integrations to protect users in real-time. + +### Key Features + + + + Combines threat intelligence from 100+ organizations using ChainPatrol + + + + Assets blocklisted and distributed in 15-30 minutes after confirmation + + + + Available via public API to maximize distribution and protection + + + + Automatically distributed to wallets, browsers, and security tools + + + + +Traditional takedown processes take hours or days. ChainPatrol provides protection in **15-30 minutes**. + + +## How Assets Get Blocklisted + +Assets are added to the blocklist through a rigorous review process: + + + + Potential threats are identified through automated detection, community reports, or partner submissions + + + + Our AI-powered scanning engine analyzes assets using 50+ detection rules + + + + A BLOCK proposal is created and reviewed by our security team + + + + After review approval, the asset status changes to BLOCKED + + + + The blocked asset is automatically submitted to our integration partners + + + + +Only assets that pass through this review and approval process are added to the blocklist. + + +## Blocklist Integrations + +ChainPatrol's blocklist is integrated with 20+ wallets, browsers, and security platforms: + + + + + + Protects Chrome, Safari, Edge, and Firefox users + + + + Network-level protection for enterprises + + + + + + **Major Integrations:** + + + + Direct integration via Eth-Phishing-Detect + + + + Real-time API integration + + + + Via multiple blocklist sources + + + + Via WalletConnect and direct APIs + + + + Via multiple blocklist sources + + + + Via blocklist APIs + + + + Real-time API protecting 20+ wallets + + + + + And 15+ additional wallet providers + + + + + + + Security Alliance's information sharing network + + + + Cryptocurrency industry threat sharing + + + + Ethereum ecosystem blocklist (ChainPatrol is a core contributor) + + + + Cross-chain with Polkadot ecosystem + + + + + + + + Content moderation API + + + + Governance platform protection + + + + Custom integrations for enterprise customers + + + + + +## Accessing the Blocklist + + + + Your organization's blocklist page shows all assets that have been added to the blocklist by your team: + + + + Access the **Blocklist** section in your organization dashboard + + + + View assets filtered by type, date, and status + + + + Search for specific assets or domains + + + + Export blocklist data as a CSV file for reporting purposes + + + + + + The blocklist is publicly accessible via our API and SDK. + + + + Learn how to access the blocklist via REST API + + + + Use our JavaScript SDK for easy integration + + + + + +## False Positives + +We take false positives seriously. If you believe an asset has been incorrectly blocklisted: + + + + If your legitimate website or asset has been blocklisted: + + + + Visit [chainpatrol.com/dispute](https://chainpatrol.com/dispute) to submit a dispute + + + + Include documentation proving your asset is legitimate: + - Business registration + - Domain age and history + - Verified social media accounts + - SSL certificates + - Other legitimacy indicators + + + + Our team will review your dispute within 24 hours + + + + If approved, your asset will be removed from the blocklist and marked as ALLOWED + + + + + + If you've reported an asset that turns out to be legitimate: + + + + Find the asset's report in your dashboard + + + + Create an ALLOW proposal with your reasoning + + + + Our team will review and update the status if appropriate + + + + + + +When an asset is removed from the blocklist, the update is distributed to all integration partners within the same **15-30 minute timeframe**. + + +## Blocklist Distribution + +When an asset is blocklisted, it's automatically distributed to multiple platforms: + + + + All asset types eligible for browser protection + + + + URLs hosted on 50+ hosting providers (Vercel, Cloudflare, AWS, etc.) + + + + All URL and domain assets + + + + Ethereum-related phishing sites + + + + Cross-network phishing domains + + + + Real-time API updates to wallet providers + + + + +Distribution happens automatically through our integration workflows. There's no manual step required. + + + +In the case of a false positive, we will submit retraction requests for ChainPatrol's submissions to these partners. + + +## Why Distribution Matters + +Traditional cybersecurity relies on **takedowns** — requesting hosting providers or domain registrars to remove malicious content. + +### Traditional Takedown Timeline + + + + 4-48 hours for takedown + + + + 24-72 hours for takedown + + + + Some providers never respond + + + +### ChainPatrol's Blocklist Approach + +ChainPatrol provides **immediate protection** by: + + + + Block access at the browser and wallet level + + + + Protect users even if the site remains online + + + + Works across all hosting providers and jurisdictions + + + + Users protected in minutes, not days + + + + +This **"blocklist-first, takedown-second"** approach means users are protected within minutes, not days. + + +--- + +## Blocklist vs. Takedown Comparison + +| Aspect | ChainPatrol Blocklist | Traditional Takedown | +|--------|----------------------|---------------------| +| **Response Time** | 15-30 minutes | 4-72 hours (or never) | +| **Coverage** | 20+ integrations | Single hosting provider | +| **User Protection** | Immediate | Delayed until removal | +| **Jurisdiction** | Global | Provider-dependent | +| **Success Rate** | 100% distribution | Varies by provider | + +--- + + + Access your blocklist dashboard to view and manage blocked assets + diff --git a/getting-started/how-it-works/detection-sources.mdx b/getting-started/how-it-works/detection-sources.mdx new file mode 100644 index 0000000..2e1372b --- /dev/null +++ b/getting-started/how-it-works/detection-sources.mdx @@ -0,0 +1,323 @@ +--- +title: "Detection Sources" +description: "Automated monitoring systems that continuously scan the internet for threats to your brand" +--- + +Detection sources are automated monitoring systems that continuously scan the internet for potential threats to your brand. Each source monitors a specific platform or data stream, searching for suspicious assets that may be impersonating your organization or attempting to defraud your users. + +## How Detection Sources Work + +Detection sources operate on automated schedules, running searches across various platforms using your organization's **included terms** (brand names, products, keywords you want to monitor) and **excluded terms** (legitimate domains you want to filter out). When a source finds a potential threat, it automatically submits the asset for analysis through ChainPatrol's threat detection pipeline. + +### The Detection Flow + + + + Each detection source runs on a predefined schedule (e.g., every 15 minutes, hourly, daily) + + + + The source searches its platform (ex. Twitter, Google Ads, Reddit) using your organization's keywords and monitoring rules + + + + Matching results are collected as potential threats + + + + Discovered assets are automatically submitted to the threat detection system + + + + Assets are scanned, enriched with additional data, and evaluated by the rules engine + + + + A threat score is calculated based on multiple detection rules + + + + If the score exceeds your organization's detection thresholds, the threat can be automatically reported or flagged for review + + + +## Available Detection Sources + + +ChainPatrol supports **28 different detection sources** across multiple categories + + + + + Monitor search results for phishing sites and scam pages. + + + + Scans Google search results + + + + Monitors Bing search results + + + + Tracks Yahoo search results + + + + Monitors DuckDuckGo search results + + + + Monitors Google Ads for malicious content + + + + + + Track social media for impersonation accounts and fraudulent posts. + + + + - **Twitter Post Search** - Searches Twitter posts for threats + - **Twitter User Search** - Monitors Twitter user profiles + - **Twitter Profile Monitoring** - Tracks replies on posts from specific Twitter profiles + + + + - **Reddit Subreddit Search** - Searches for Reddit communities by name + + + + - **YouTube Search** - Searches YouTube videos and channels + + + + - **Medium Tag RSS** - Monitors Medium articles by tags + + + + - **Telegram Channels Search** - Searches for Telegram channels + - **Telegram User Search** - Searches for Telegram user accounts + + + + - **TikTok Video Search** - Searches TikTok videos + - **TikTok User Search** - Searches TikTok user profiles + + + + + + Monitor mobile app stores and browser extension marketplaces. + + + + Monitors Google Play Store apps + + + + Tracks iOS App Store applications + + + + Monitors Firefox browser extensions + + + + + + Specialized sources for cryptocurrency and blockchain threats. + + + Monitors DeFi protocols and tokens for impersonation + + + + + Additional monitoring capabilities for comprehensive protection. + + + + Leverages URLScan.io's database to find threats + + + + Detects typosquatting domains using homoglyph analysis + + + + Monitors certificate transparency logs for newly issued TLS/SSL certificates + + + + Monitors community guestbook submissions + + + + Scans for assets hosted on known malicious IPs + + + + Re-checks existing assets for status changes + + + + Handles external threat submissions via API + + + + + +## Source Configuration + +Each detection source can be customized with: + + + + Enable or disable sources + + + + Organization or global level + + + + Custom timing and frequency + + + +### Status Options + +- **Enabled** - Source runs automatically on schedule +- **Disabled** - Source does not run + +### Scope Settings + +Detection sources can operate at two levels: + + + + Uses your specific keywords and monitoring settings + + + + Runs system-wide monitoring for all organizations + + + +### Schedule Configuration + +Sources run on automated schedules that vary by: + +- **Organization Priority** - Higher priority organizations get more frequent scans +- **Source Type** - Different sources have different default intervals based on their data freshness and rate limits + + +**Custom Schedules:** You can override default schedules with custom cron expressions for fine-tuned control over when each source runs. + + +## Best Practices + +### Setting Up Detection Sources + + + + Enable search engines and social media sources first + + + + Add all your brand names, product names, and common misspellings + + + + Add your legitimate domains to reduce false positives + + + + Set appropriate auto-reporting thresholds based on your risk tolerance + + + + Review initial detections to fine-tune your configuration + + + +### Optimizing Detection Coverage + + + + Different sources catch different types of threats + + + + Essential if you have mobile applications + + + + Add official Twitter assets to monitor replies + + + + Periodically review and adjust your configuration + + + +### Managing False Positives + + + + Add legitimate mentions to your excluded terms list to filter out false positives + + + + Fine-tune keyword similarity thresholds for token monitoring + + + + Manually review results before enabling automatic actions + + + + Identify rules that generate false positives and adjust accordingly + + + +## Performance Considerations + + + + Each detection source respects platform-specific rate limits. The system automatically handles rate limiting by: + + - Adjusting request timing + - Batching operations where possible + - Logging when limits are reached + + + Rate limiting ensures compliance with platform APIs while maintaining consistent monitoring coverage. + + + + + Detection sources are optimized for efficiency: + + - Results are processed in batches to avoid overwhelming the system + - Duplicate assets are automatically filtered out + - Sources run in parallel when possible + - Failed detections are logged but don't block other sources + + + Our infrastructure is designed to handle high-volume monitoring without impacting detection speed or accuracy. + + + + +--- + + + Log in to your dashboard to customize detection sources for your organization + diff --git a/getting-started/how-it-works/how-we-use-ai.mdx b/getting-started/how-it-works/how-we-use-ai.mdx new file mode 100644 index 0000000..05516d9 --- /dev/null +++ b/getting-started/how-it-works/how-we-use-ai.mdx @@ -0,0 +1,246 @@ +--- +title: "How We Use AI" +description: "Learn how ChainPatrol's AI-powered detection engine protects your brand from Web3 threats in real-time" +--- + +## Why AI-Powered Protection Matters + +In Web3, threats move fast. Phishing sites can be spun up in minutes, targeting your community before traditional security measures can respond. That's why we built an AI-first detection engine—one that identifies and neutralizes threats **within seconds**, not hours. + + +Our approach combines the speed of automation with the precision of human expertise, ensuring your brand stays protected around the clock. + + +## The ChainPatrol Detection Mix + +We've engineered the optimal balance between speed and accuracy: + +| Detection Type | How It Works | +| --- | --- | +| **Fully Automated** (44.74%) | Threats that meet all AI confidence thresholds are blocked instantly | +| **AI + Human Review** (55.26%) | Edge cases are flagged for immediate analyst review | + + +**Why this matters:** Multiple AI and rule-based thresholds must pass before any action is taken. This layered approach prevents false positives while ensuring legitimate threats are caught quickly. + + +## Our AI Technology Stack + +ChainPatrol uses a multi-model approach, combining the best AI technologies for comprehensive threat detection. + + + + Advanced text and content analysis + + + + Screenshot comparison and DOM analysis + + + + Specialized Web3 threat detection + + + + Multi-model score aggregation + + + +### 1. Large Language Models + +We leverage state-of-the-art LLMs for content analysis: + + + + Analyzes text content, social media posts, and communications to identify phishing language patterns and scam indicators + + + + Enables multi-modal analysis, processing both text and visual content simultaneously for faster, more accurate detection + + + +### 2. Visual & Structural Analysis + +Phishing sites often look identical to legitimate ones. Our visual AI catches them: + + + + Compares screenshots against your legitimate sites to catch pixel-perfect impersonation attempts + + + + Examines DOM structure, code patterns, and page layouts to identify known phishing templates—even when visuals differ + + + + Real-time visual and structural scanning of suspicious URLs + + + +### 3. Custom-Trained Models + +Our models are tuned specifically for Web3 threats: + +- Trained on **500,000+ real threat examples** from across the ecosystem +- Continuously updated with new attack patterns +- Fine-tuned for Web3-specific threats like wallet drainers, fake airdrops, and impersonation scams + +## How Detection Works + +Here's what happens when a potential threat is identified: + + + + Our engine monitors 50+ platforms 24/7 + + + + Multiple AI models analyze the threat independently + + + + Our decision engine aggregates confidence scores + + + + High-confidence threats are blocked; edge cases go to analysts + + + + Confirmed threats are pushed to all integrated platforms + + + +### The Decision Engine + +At the core of our system is a proprietary decision engine that: + + + + Aggregates outputs from all AI models + + + + Applies confidence-based scoring + + + + Checks against known threat databases + + + + Makes final disposition in milliseconds + + + + +**No single point of failure:** A threat must pass multiple independent checks before being actioned, ensuring accuracy while maintaining speed. + + +## Platform Coverage + +Our AI monitors threats across **50+ platforms**—and we can add new integrations within days. + + + + - URLs & Domains + - Web Pages + - Wallet Addresses + - Phone Numbers + - Email Addresses + - Forms & Surveys + + + + Discord • Twitter/X • Telegram • LinkedIn • YouTube • Reddit • TikTok • Instagram • Threads • Medium • WhatsApp • Facebook • Snapchat • Substack + + + + Google Play • Apple App Store • Chrome Web Store • Firefox Add-ons • ChatGPT Plugins • Microsoft Store • Opera Extensions + + + + OpenSea • ENS • IPFS • Farcaster • Blur • Magic Eden • DeBank • Bluesky • Primal • DeSo + + + + +**Need coverage for a platform we don't list?** Contact us—new integrations can be added within days. + + +## Real-Time Threat Distribution + +When our AI detects a threat, it doesn't just sit in a database. We push it directly to the platforms your users rely on: + +### Browser Protection + + + Integration means threats are blocked in Chrome, Edge, and Safari—reaching billions of users. We maintain a **68.32% acceptance rate**, among the highest in the industry. + + +### Wallet Protection + +Direct API integrations with leading wallets provide real-time warnings: + + + + Core integration partner + + + + Direct API for Solana ecosystem + + + + Real-time threat API + + + + Ecosystem-wide protection + + + +### Infrastructure Partners + + + + Direct threat reporting for faster takedowns + + + + Moderation API integration + + + + +**The result:** Threats detected by ChainPatrol can be blocked across the entire Web3 ecosystem within seconds. + + +## Continuous Learning & Improvement + +Our AI gets smarter every day through: + + + + Every analyst decision feeds back into our models. When our team reviews edge cases, that knowledge improves future detection accuracy. + + + + We're **core contributors to Eth-Phishing-Detect** with elevated permissions, and active members of **SEAL-ISAC**. This gives us early access to emerging threats and allows us to share our detections with the broader security community. + + + + Our threat database grows daily with new examples, ensuring our models stay ahead of evolving attack techniques. + + + +--- + + + Schedule a demo to see how our AI-powered detection protects leading Web3 brands + diff --git a/getting-started/how-it-works/review.mdx b/getting-started/how-it-works/review.mdx new file mode 100644 index 0000000..a364d39 --- /dev/null +++ b/getting-started/how-it-works/review.mdx @@ -0,0 +1,264 @@ +--- +title: "Review" +description: "How ChainPatrol evaluates and approves threat status changes through automated and human review" +--- + +## Overview + +In order to block malicious threats or allow official assets, we use the Review process. To change an Asset's status (from `UNKNOWN` to `BLOCKED`/`ALLOWED`, or in special cases between `BLOCKED` and `ALLOWED`), we create a **Proposal**. + + +Each Proposal is evaluated by either human reviewers or our automation, who can make one of four decisions: **Approve**, **Reject**, **Skip**, or **Escalate**. + + +### Proposal Decisions + + + + Accepts the Asset's status change and closes the Proposal + + + + Denies the status change and closes the Proposal + + + + Keeps Proposal pending when there's insufficient evidence + + + + Sends to senior team members or customer for additional review + + + + +Only **Approve** and **Reject** decisions close out the Proposal. **Skip** and **Escalate** keep the Proposal in `PENDING` status for further evaluation. + + +## Automation + +Our automated review system handles high-confidence threat detections, allowing human analysts to focus on edge cases and complex decisions. + +### When Do We Perform Automated Review? + +Automated review is enabled when specific conditions are met: + + + + Reviewing automation only activates for organizations with an active subscription status: + - **Active** - Fully subscribed organization + - **Trial** - Organization in trial period + - **Prospect** - Prospective customer with evaluation access + + + + Automation requires sufficient data about the Asset. Some platforms currently lack adequate information gathering capabilities: + + **Platforms requiring human review:** + - Facebook + - Instagram + - TikTok + + These asset types always require manual evaluation due to limited automated data collection. + + + + Automated review **only** handles Proposals to set an Asset to `BLOCKED` status. + + **Not automated:** + - Proposals to set Assets to `ALLOWED` status + - Proposals to set Assets to `UNKNOWN` status + + + +### How Does Automated Review Make a Decision? + +Our automated review system calculates a **risk score** to determine whether an asset should be approved as malicious. + + + + During an Asset Scan, multiple detection rules are executed against the asset + + + + The risk score is a weighted sum of all individual scores from each successful rule execution + + + + The final risk score is compared against our approval threshold (1.0) + + + + Assets meeting the threshold are automatically approved; others are escalated + + + +#### Risk Score Example + + + + **Scenario:** Asset has 10 rules executed + - 6 rules contribute a score of 0.2 each = 1.2 total + - 4 rules contribute a score of 0.1 each = 0.4 total + - **Total Risk Score: 1.6** + + ✅ Since 1.6 ≥ 1.0, the Proposal is **automatically approved** + + + + **Scenario:** Asset has 10 rules executed + - 4 rules contribute a score of 0.1 each = 0.4 total + - 2 rules contribute a score of 0.2 each = 0.4 total + - **Total Risk Score: 0.8** + + ⚠️ Since 0.8 < 1.0, the Proposal is **escalated for human review** + + + +### Legitimacy Rules + + +**Special Case:** Legitimacy Rules can override automatic approval, even with high risk scores. + + +Legitimacy Rules are special detection rules that identify when an asset is **not malicious**. If a Legitimacy Rule with "Very High" confidence passes, automation will **not** automatically approve the Proposal, regardless of the Risk Score. + +**Example:** An asset might have a risk score of 1.5, but if it matches a Very High confidence Legitimacy Rule (e.g., verified official domain), the Proposal will be escalated for human review instead of being auto-blocked. + +### Automatically Approving the Proposal + +For a Proposal to be automatically approved, **all** of the following must be true: + + + + ✅ Asset must not already be `ALLOWED` + + ✅ Organization must have Reviewing enabled and not be inactive + + ✅ Proposal must be for blocking the Asset (not for allowing) + + ✅ No Legitimacy Rules of "Very High" confidence have passed + + + + At least **one** of the following must be true: + + **Option 1:** Risk Score ≥ 1.0 + - The overall Risk Score of the Asset is at or above 1.0 + + **Option 2:** Trusted Reporter + - The Asset was part of a Report created by a Trusted Reporter + + + +## Human Review + +Humans are essential for making decisions about Proposals that fall outside automated approval criteria. + + +Since automation only handles Proposals to block Assets with a Risk Score ≥ 1.0, human analysts evaluate all other cases. + + +### When Humans Are Involved + + + + Proposals to Block an Asset with a Risk Score < 1.0 + + + + All Proposals to Allow an Asset + + + + Proposals to set an Asset to Unknown + + + +### Human Review Process + + + + Proposals are routed to appropriate analysts based on expertise and workload + + + + Analysts examine scan results, screenshots, metadata, and context + + + + Using established criteria and guidelines, analysts make Approve/Reject/Skip/Escalate decisions + + + + Decisions feed back into our AI models to improve future automation accuracy + + + +### What Analysts Use to Make Decisions + +Our analysts leverage comprehensive data to make informed decisions: + + + + - Screenshots and visual evidence + - Page content and metadata + - Network and infrastructure data + - Historical scan timeline + + + + - Which rules triggered and their confidence levels + - Rule weights and scoring breakdown + - Legitimacy rule results + + + + - Related assets and infrastructure + - Reporter information and history + - Brand-specific guidelines + - Recent threat patterns + + + + - Custom detection thresholds + - Allowlist and blocklist entries + - Brand protection priorities + + + +## Review Workflow Summary + +```mermaid +flowchart TD + Start[Asset Detected] --> Proposal[Create Proposal] + Proposal --> Check{Eligible for
Automation?} + + Check -->|No| Human[Human Review] + Check -->|Yes| Score{Risk Score
≥ 1.0?} + + Score -->|No| Human + Score -->|Yes| Legit{Legitimacy
Rule Passed?} + + Legit -->|Yes| Human + Legit -->|No| AutoApprove[Auto-Approve] + + Human --> Decision{Analyst
Decision} + Decision -->|Approve| Blocked[Asset Blocked] + Decision -->|Reject| Remain[Status Unchanged] + Decision -->|Skip| Pending[Remains Pending] + Decision -->|Escalate| Senior[Senior Review] + + AutoApprove --> Blocked + Senior --> Decision +``` + +--- + + + Access pending proposals and review decisions in your ChainPatrol dashboard + diff --git a/getting-started/how-it-works/takedown.mdx b/getting-started/how-it-works/takedown.mdx new file mode 100644 index 0000000..eea7eea --- /dev/null +++ b/getting-started/how-it-works/takedown.mdx @@ -0,0 +1,370 @@ +--- +title: "Takedown" +description: "How ChainPatrol removes malicious content through coordinated takedown requests" +--- + +## Takedown Lifecycle + +Every takedown follows a clear lifecycle inside ChainPatrol: + + + + A takedown has been created and is waiting to be processed + + + + ChainPatrol is actively working on the takedown (submitting it to the appropriate provider and monitoring the request) + + + + The provider removed the harmful content + + + +### Alternative Outcomes + + + + The takedown was stopped (e.g., content turned out to be invalid or unnecessary) + + + + Identified as false positive, marked for retraction but not yet sent to provider + + + + Formal retraction request submitted to provider to halt or reverse the takedown + + + + Provider confirmed retraction—takedown fully stopped or reversed + + + +## How ChainPatrol Processes a Takedown + +### Creation of a Takedown + + +A takedown is automatically created for every asset that is blocked, provided that the organization has the **Takedowns service enabled**. + + +Each takedown is directly linked to the blocked asset and contains all essential context required for further action: + + + + URL, social profile, IPFS hash, or app listing + + + + Explanation of why the asset was classified as harmful + + + + Platform or host responsible for the content + + + +After creation, the takedown is placed into the **TODO** state, indicating that it has been generated and is ready to be reviewed and processed. + +### Assigning a Provider + +ChainPatrol determines which platform, hosting company, registrar, or channel is responsible for the content. + + + + - Hosting providers (AWS, Cloudflare, Vercel, etc.) + - Domain registrars (GoDaddy, Namecheap, etc.) + - **TLD registrars** (for top-level domains like `.com`, `.xyz`, etc.) + + + + - Twitter/X + - Facebook + - Instagram + - YouTube + - **Telegram** + - Discord + - Reddit + + + + - Google Play Store + - Apple App Store + - Browser extension marketplaces + + + + - **IPFS** gateways and pinning services + - Decentralized hosting platforms + + + + +We maintain an up-to-date record of **100+ abuse contacts** for both submission of takedowns and retraction of requests made in error. + + +### Submitting the Takedown + +ChainPatrol prepares and submits the takedown request to the appropriate provider responsible for hosting or distributing the malicious content. + +**What's Included in a Submission:** + + + + Detailed description of why the content is considered harmful, including evidence and context + + + + Supporting legal documents required to justify the removal (when applicable) + + + + Submissions use each provider's preferred reporting channel to ensure highest likelihood of success + + + +Once submitted, the takedown transitions into the **IN PROGRESS** state. + + +**Full Transparency:** Customers have real-time visibility including status updates and provider responses. Copies of provider communications are surfaced directly in the takedown events timeline. + + +### Monitoring + +After submission, ChainPatrol continuously monitors the takedown to track its progress and outcome: + + + + Verifying whether targeted content has been removed + + + + Reviewing and interpreting responses from the provider + + + + Automatically retrying or escalating when needed + + + + +The takedown remains active until a final outcome is reached. Continuous monitoring ensures takedowns are not prematurely closed. + + +### Final Outcome + +A takedown ends in one of the following states: + + + + **The provider removed the content.** + + Examples include: + - Websites becoming inaccessible + - Social media profiles or messages being removed + - Telegram channels being shut down + - IPFS content becoming unavailable via gateways + - Scam apps being delisted + + + + **The takedown request cannot proceed.** + + Reasons include: + - Invalid content + - Missing required documentation + - Asset no longer meets takedown criteria + + + + **The takedown was formally withdrawn after submission.** + + Typically because: + - Asset identified as false positive + - Content determined to be legitimate + - Organization requested retraction + + + + +All outcomes are logged clearly and shown to customers for transparency. + + +## Takedown Retraction + +A **takedown retraction** is the formal process of stopping or reversing a takedown request after it has already been submitted to a provider. + + +Retractions ensure that legitimate content is not removed incorrectly and that providers are notified as quickly as possible when an issue is identified. + + +### When Retractions Occur + +A retraction is typically initiated when ChainPatrol determines that the original takedown was created in error: + +- **False Positive** - Asset was incorrectly classified as harmful +- **Legitimate Content** - Further investigation shows content is authorized +- **Customer Request** - Organization identifies the asset as legitimate + +### Retraction Process + + + + Asset is identified as legitimate or false positive + + + + Takedown marked for retraction but request not yet sent + + + + Formal request submitted to provider to halt or reverse the takedown + + + + Provider confirms—takedown stopped or reversed + + + + +Takedown retractions are handled with the same level of care, structure, and transparency as takedown submissions. + + +## Types of Takedowns + +ChainPatrol supports multiple takedown categories, each with a clear expected outcome: + + + + **Targets:** Hosting providers, domain registrars, and TLD registries + + **Outcome:** The website becomes inaccessible or the domain is suspended + + **Examples:** + - Phishing sites hosted on cloud providers + - Malicious domains registered through registrars + - Typosquatting domains + + + + **Platforms:** X/Twitter, Facebook, Instagram, YouTube, Telegram, Discord, Reddit + + **Outcome:** The impersonating profile, channel, post, or video is removed or suspended + + **Examples:** + - Fake brand accounts + - Impersonation profiles + - Scam posts and videos + - Malicious Telegram channels + + + + **Targets:** Mobile app platforms and extension marketplaces + + **Outcome:** Fraudulent apps are removed from the marketplace + + **Examples:** + - Fake wallet apps + - Malicious browser extensions + - Impersonation applications + + + + **Targets:** IPFS gateway operators or pinning services + + **Outcome:** The malicious IPFS content is unpinned or becomes inaccessible through common gateways + + **Examples:** + - Phishing sites hosted on IPFS + - Malicious content distributed via decentralized storage + + + +## Customer Visibility & Status Updates + +Inside ChainPatrol, customers have clear visibility into each takedown: + + + + Real-time status: TODO, IN PROGRESS, COMPLETED, CANCELED, or retraction states + + + + Complete timeline of all major actions and state changes + + + + Full copies of emails and communications from providers + + + + Confirmation when content has been successfully removed + + + + +This gives customers a full understanding of progress and outcomes throughout the entire takedown lifecycle. + + +## Security & Compliance + +ChainPatrol ensures that all takedown-related data is handled securely and responsibly: + + + + Legal documents stored using secure systems and access controls + + + + Data only shared with providers when explicitly required + + + + Following best practices to protect customer data + + + + Maintaining strict confidentiality throughout the process + + + +## Frequently Asked Questions + + + + The takedown will move to the **COMPLETED** state, and you'll see confirmation from the provider in the takedown timeline. + + + + Response times vary across platforms. Some act quickly, while others require legal documentation or take several days to respond. Hosting providers typically respond within 4-48 hours, while domain registrars may take 24-72 hours or longer. + + + + If previously removed content reappears, the existing takedown is **reactivated** by returning to the **TODO** state. ChainPatrol will then act on it again, re-filing requests until the content is completely taken down. + + + + No provider guarantees removal in all cases, but ChainPatrol works to maximize success through consistent, accurate submissions and continuous monitoring. Our success rates vary by provider but are typically very high for legitimate threats. + + + + Most takedowns require legal documents such as: + - Letter of Authorization + - Power of Attorney + - Trademark registration + - Business registration documents + + Requirements vary by provider and will be communicated during onboarding. + + + +--- + + + Access your takedown dashboard to monitor all active and completed takedown requests + diff --git a/getting-started/how-it-works/watchlist.mdx b/getting-started/how-it-works/watchlist.mdx new file mode 100644 index 0000000..6a82b2a --- /dev/null +++ b/getting-started/how-it-works/watchlist.mdx @@ -0,0 +1,288 @@ +--- +title: "Watchlist" +description: "How ChainPatrol monitors assets to detect when they become malicious or go offline" +--- + +## Overview + +The watchlist is a set of assets that are not blocked or allowed, but are **actively monitored**. We watchlist assets for two main reasons: + + + + Monitoring assets to determine if they become malicious + + + + Monitoring assets to determine if they go offline + + + +### When Assets Leave the Watchlist + +We remove assets from the watchlist for three reasons: + + + + Asset status changed to ALLOWED + + + + Previously dead asset becomes accessible again + + + + Asset has been offline for more than 30 days + + + + +For more details about the watchlist concept, see our [Concepts documentation](/concepts/watchlist). + + +## Placing Assets onto the Watchlist + +### Review Process + +During the review flow, an analyst can choose to put an asset onto the watchlist. This is typically done for two scenarios: + + + + **What it is:** The domain is reserved but has no active content + + **Why we watchlist:** The URL indicates potential brand impersonation, but there's not enough evidence yet to perform a takedown. We monitor to see if malicious content appears. + + **Example:** `metamask-airdrop.com` shows a domain parking page, but the name suggests future malicious use. + + + + **What it is:** The asset is currently offline or inaccessible + + **Why we watchlist:** The URL structure suggests brand impersonation, but we can't analyze content that doesn't exist yet. We monitor to detect when it comes online. + + **Example:** `uniswap-claim.xyz` returns a 404 error, but the domain name is suspicious. + + + +### Takedown Process + +When we file a takedown, we automatically place the asset being taken down onto the watchlist. + + + + Takedown request submitted to the appropriate provider + + + + Asset automatically added to watchlist for monitoring + + + + Regular scans check if the asset goes offline + + + + If asset goes offline, takedown is marked as complete automatically + + + + +This automation allows us to confirm successful takedowns without manual verification, speeding up the entire process. + + +### Watchlist Eligibility + +Only specific asset types can be placed on the watchlist due to our ability to monitor them consistently in an automated fashion: + + + + Web addresses and domains + + + + Specific web pages + + + + Email addresses + + + + Twitter/X accounts + + + + Telegram channels and users + + + + +Asset types not on this list are monitored by our human staff for takedown confirmation instead of automated watchlist monitoring. + + +## What Happens When Assets Are on the Watchlist + +When an asset is on the watchlist, we monitor it by running asset scans periodically to determine if there is any change in behavior: + + + + Monitoring HTTP status codes and accessibility + + + + Detecting modifications to page content + + + + Tracking DNS record and hosting changes + + + +We also run checks to determine if we should keep the asset on the watchlist or remove it because it's unlikely to become malicious. + + +**Adaptive Frequency:** Assets recently added to the watchlist are scanned more frequently. As time passes without changes, scan frequency decreases to optimize resources. + + +## Scan Frequency + +We cycle through the watchlist each minute, checking about **150 assets at a time**. Scan frequency depends on how long the asset has been on the watchlist and its current status. + +### UNKNOWN / ALLOWED Assets + +Assets that are not yet blocked are scanned more frequently: + +| Time on Watchlist | Scan Frequency | +|-------------------|----------------| +| < 6 hours | Hourly | +| < 24 hours | Every 2 hours | +| < 2 days | Every 4 hours | +| < 7 days | Every 6 hours | +| < 2 weeks | Every 12 hours | +| < 1 month | Daily | +| < 2 months | Every 2 days | +| > 2 months | Every 4 days | + +### BLOCKED Assets + +Blocked assets are scanned less frequently since they're already protected: + +| Time on Watchlist | Scan Frequency | +|-------------------|----------------| +| < 6 hours | Every 3 hours | +| < 24 hours | Every 6 hours | +| < 2 days | Every 12 hours | +| < 7 days | Every 18 hours | +| < 2 weeks | Every 36 hours | +| < 1 month | Every 3 days | +| < 2 months | Every 6 days | +| > 2 months | Every 12 days | + + +**Why the difference?** UNKNOWN/ALLOWED assets need closer monitoring to catch when they become malicious. BLOCKED assets are already protected, so we primarily monitor to confirm takedown success. + + +## Removing Assets from the Watchlist + +Assets are automatically removed from the watchlist under specific conditions: + +### Asset Becomes ALLOWED + + + If an asset's status changes from `BLOCKED` or `UNKNOWN` to `ALLOWED`, we immediately remove it from the watchlist. + + **Reason:** Allowed assets are verified as legitimate and don't require monitoring. + + +### Asset Comes Online + + + If an asset's liveness status changes from `DEAD` to `ALIVE` or `UNKNOWN`, we remove it from the watchlist. + + **What happens next:** The asset is pushed back into the review queue where a human analyst will evaluate whether it's malicious. + + +### Decay Factor + +Assets are removed from the watchlist when they've been there too long without changes: + + + + If an asset is in `UNKNOWN` status, we remove it from the watchlist after **30 days**. + + **Reason:** If an asset hasn't become malicious after a month, it's unlikely to pose a threat. + + + + If the asset was watchlisted during the takedown process and the takedown is in `IN_PROGRESS` state: + + - Asset goes offline → Removed from watchlist + - Takedown provider suspends the asset → Removed from watchlist + + **Reason:** The takedown was successful, so continued monitoring is unnecessary. + + + + An analyst can manually remove an asset from the watchlist if they determine it's no longer necessary to monitor. + + **Reason:** Human judgment may identify cases where automated rules don't apply. + + + +## Watchlist Workflow + +```mermaid +flowchart TD + Start[Asset Detected] --> Decision{Add to
Watchlist?} + + Decision -->|Parking Page| Watchlist[Add to Watchlist] + Decision -->|Dead Asset| Watchlist + Decision -->|Takedown Filed| Watchlist + Decision -->|No| End[Normal Processing] + + Watchlist --> Monitor[Periodic Scanning] + + Monitor --> Check{Status
Change?} + + Check -->|Becomes ALLOWED| Remove1[Remove from Watchlist] + Check -->|Comes Online| Review[Push to Review Queue] + Check -->|30 Days UNKNOWN| Remove2[Remove from Watchlist] + Check -->|Takedown Success| Remove3[Remove from Watchlist] + Check -->|No Change| Monitor + + Review --> Remove4[Remove from Watchlist] + + Remove1 --> End + Remove2 --> End + Remove3 --> End + Remove4 --> End +``` + +## Best Practices + + + + Watchlist domains with suspicious names but no active content yet + + + + Let the watchlist automatically confirm takedown success + + + + Periodically review long-term watchlist items to ensure they're still relevant + + + + The adaptive scan frequency optimizes monitoring without manual intervention + + + +--- + + + Access your watchlist dashboard to see all monitored assets and their status + diff --git a/getting-started/what-we-do/brand-impersonation.mdx b/getting-started/what-we-do/brand-impersonation.mdx new file mode 100644 index 0000000..5c1ec6b --- /dev/null +++ b/getting-started/what-we-do/brand-impersonation.mdx @@ -0,0 +1,137 @@ +--- +title: "Brand Impersonation" +description: "Understanding brand impersonation attacks and how to protect against them" +--- + +## What Is Brand Impersonation? + +Brand impersonation is a broad category of abuse where malicious actors **pretend to be a legitimate brand or someone associated with it** in order to deceive users, steal assets, spread disinformation, or damage trust. + + +Brand impersonation is commonly used to steal money, credentials, or sensitive information, distribute malware, manipulate public perception, or damage a brand's reputation. + + +These attacks often span multiple platforms and combine technical methods with social engineering. Brand impersonation can occur across: + +- Websites +- Social media platforms +- Advertising networks +- Search engines +- Email and messaging apps +- Web3 and blockchain ecosystems + +## Types of Impersonation + + + + Attackers pose directly as the official company or product + + + + Pretending to be employees, executives, or founders + + + + Fake customer support agents exploiting users seeking help + + + + False claims of collaboration or endorsement + + + +### 1. Brand Impersonation + +In brand impersonation, attackers pose directly as the official company or product. This usually involves copying branding elements such as logos, names, visual identity, and messaging to create fake websites, social media profiles, advertisements, or applications. + +**Impact:** Because these assets are designed to look authentic, users often cannot distinguish them from legitimate channels. This type of impersonation directly undermines brand trust and frequently leads to financial fraud or credential theft. + +### 2. Employee Impersonation + +Employee impersonation occurs when attackers pretend to be real employees, executives, founders, or other public representatives of a company. These impersonators often leverage the perceived authority of the role to pressure victims or bypass skepticism. + +**Impact:** This form of impersonation is particularly dangerous because it can be used for targeted social engineering attacks, internal fraud, or high-value scams where credibility is critical. + +### 3. Customer Support Impersonation + +Customer support impersonation focuses on exploiting users who are already seeking help. Attackers present themselves as official support agents and engage victims through replies, direct messages, or emails. + +**Impact:** This technique is commonly used to steal login credentials, recovery phrases, or wallet access, especially in crypto and fintech environments where support interactions are frequent and time-sensitive. + +### 4. Partnership Impersonation + +Partnership impersonation involves false claims of collaboration, endorsement, or integration with another trusted brand or organization. Attackers rely on the perceived legitimacy of a partnership to gain credibility. + +**Impact:** This type of impersonation is often used in scam announcements, fake landing pages, or social media campaigns and can damage both the impersonated brand and the falsely claimed partner. + +## Common Technologies & Techniques Used + + +Brand impersonation campaigns typically rely on a combination of technical and behavioral techniques rather than a single method. + + + + + Deepfake technology is increasingly used to generate convincing audio, video, or images of executives or public figures, enabling fake announcements, investment scams, or social engineering attacks that appear highly authentic. + + + + Bot-driven attacks are commonly used to create and manage large numbers of fake accounts, amplify malicious content, and artificially boost engagement. This makes impersonation campaigns appear legitimate and widely supported. + + + + Reply and comment hijacking is another frequent technique, where attackers post malicious replies under legitimate brand content. These replies often pose as support or official guidance and exploit the visibility and trust of the original post. + + + + Typosquatting remains a foundational method, involving the registration of domains that closely resemble official brand domains. These domains are typically used for phishing, malware delivery, or credential harvesting. + + + + Advertising abuse, particularly through search ads, allows attackers to place impersonation content above legitimate results. Users often assume ads are verified, which makes this channel especially effective for deception. + + + + In Web3 ecosystems, fake NFT mints and blockchain-related scams are prevalent. These attacks often combine impersonated announcements, cloned websites, and malicious smart contracts designed to drain wallets. + + + + Disinformation campaigns may not always involve direct scams but are still a form of impersonation when false information is attributed to a brand or its representatives. These campaigns aim to manipulate perception, create confusion, or erode trust. + + + + SEO spam involves generating large volumes of low-quality pages optimized for brand-related keywords. These pages redirect users to malicious destinations and are difficult to combat due to their scale. + + + + Account compromise occurs when legitimate brand or employee accounts are taken over and then used to distribute scams or malicious content. Because the account was originally authentic, detection is significantly harder. + + In more advanced cases, attackers may compromise DNS or hosting infrastructure, allowing them to redirect traffic from legitimate domains to malicious content without altering the visible URL. + + + +## What Can You Do About Brand Impersonation? + +While brand impersonation cannot be fully eliminated, its impact can be significantly reduced through proactive measures. + + + + Clearly define and publicly communicate which assets are official. This includes domains, social media accounts, communication channels, applications, and, where applicable, blockchain addresses or smart contracts. Making this information easy to find helps users verify authenticity. + + + + Community involvement plays a critical role in early detection. Users often encounter impersonation before internal teams do, so providing clear reporting paths and responding visibly to reports helps shorten the damage window and builds trust. + + + + Education is equally important. By teaching users what official representatives will and will not do, and by highlighting common scam patterns, organizations can reduce the effectiveness of impersonation even when attacks occur. + + + + For brands with a large digital footprint or high-risk exposure, working with specialized security vendors is often necessary. These vendors provide continuous monitoring, automated detection, coordinated takedowns, and cross-platform visibility that is difficult to achieve internally. + + + + +**Ready to protect your brand?** ChainPatrol provides comprehensive monitoring, detection, and takedown services for Web3 organizations. [Schedule a demo](https://cal.com/chainpatrol) to learn more. + diff --git a/getting-started/what-we-do/general-phishing.mdx b/getting-started/what-we-do/general-phishing.mdx new file mode 100644 index 0000000..59e8c56 --- /dev/null +++ b/getting-started/what-we-do/general-phishing.mdx @@ -0,0 +1,92 @@ +--- +title: "General Phishing" +description: "Understanding phishing attacks and common attack vectors in Web3" +--- + +## What is Phishing? + +Phishing is a malicious attack that involves someone pretending to be a legitimate actor. Phishing comes in many attack vectors, but the ultimate goal is to gain the trust of the end user and steal their information. + +This includes passwords, credit card numbers, or even a user's two factor authentication codes. In the context of Web3, common attack vectors aim to steal a user's seed phrase for their wallet, or simply all of the contents of their wallets. + +## Types of Phishing Attack Vectors + +### Wallet Drainers + +Wallet drainers are a tool that scammers use to quickly steal all of the funds from a user's wallet without them knowing. + +**How it works:** + +1. A scammer sets up a fake site that looks very similar to a legitimate one, like the homepage of a wallet, or a fake airdrop that looks like it's advertising a legitimate token +2. The user is prompted to connect their wallet to the website +3. Once connected, the user is prompted to sign a transaction that is described in vague terms or lies about its intentions +4. By agreeing, the user signs a broad smart contract that gives the scammer permission for unlimited token withdrawal on the victim's wallet +5. The scammer scans the user's wallet to find any tokens, NFTs, or other valuable assets, and transfers them to their wallet +6. The stolen assets are disseminated to multiple wallets to make tracking more difficult + +### Seed Recovery Phrase Theft + +Seed recovery phrase theft is when a scammer tries to get the seed recovery phrase of a user by pretending to need it for a legitimate purpose. + +**Important:** Users should never share their seed recovery phrase with anyone, as it will grant complete access to their wallet and all of their tokens to any actor who has it. + +**Common tactics:** + +- Fake airdrops that promise large rewards +- "Doubling" scams that claim to multiply the amount of a specific token +- Requests to type in the full seed recovery phrase to claim rewards + +Once the user types in their seed recovery phrase, the attacker will use it to lock the victim out of their assets, and disseminate them to multiple other wallets to make tracking the stolen assets more difficult. + +### Social Engineering + +Social engineering involves gaining a user's trust so that they voluntarily provide confidential details to an attacker. + +**In the context of Web3:** + +Social engineering may involve fake tech support for a wallet responding to requests about being unable to access funds. Attackers gain trust by seeming legitimate through conversations over email or phone. Once sufficient trust is built, they will ask for seed phrases or request the user to connect their wallet to a wallet drainer. + +**Warning signs:** + +- Unsolicited contact from "support" representatives +- Requests for sensitive information like seed phrases +- Pressure to act quickly or urgently +- Communication through unofficial channels + +### Malware Distribution + +Malware distribution involves a user downloading or otherwise obtaining a malicious program on their system. + +**Common disguises:** + +These programs often masquerade as legitimate software. For example: +- A browser extension that looks like an official wallet extension +- Fake wallet applications +- Compromised software updates + +Once installed, the malware will use one of the aforementioned techniques to steal a user's information, including seed phrases, private keys, or direct wallet access. + +### Developer Key Compromise + +Developer key compromise occurs when a developer's private keys for accessing sensitive information are obtained by attackers. + +**The danger:** + +This allows the attacker to: +- Impersonate the developer +- Access systems the developer works on +- Inject malicious code into legitimate programs + +This is particularly dangerous because it allows attackers to infiltrate legitimate services and have a widespread impact across an entire user base. Users trust the legitimate application, making them more vulnerable to attacks that originate from compromised developer accounts. + +## Protecting Yourself from Phishing + + +**Key principle:** Legitimate projects will never ask for your seed phrase, private keys, or request you to sign suspicious transactions. + + +Always verify: +- Website URLs carefully before connecting your wallet +- The authenticity of support representatives +- Browser extensions and applications before installation +- Transaction details before signing anything diff --git a/getting-started/what-we-do/introduction.mdx b/getting-started/what-we-do/introduction.mdx new file mode 100644 index 0000000..f28e99d --- /dev/null +++ b/getting-started/what-we-do/introduction.mdx @@ -0,0 +1,116 @@ +--- +title: "Introduction" +description: "Protecting Web3 Communities from Phishing and Impersonation Attacks" +--- + +## The Threat Landscape + +In the rapidly evolving Web3 landscape, malicious actors are constantly targeting crypto users through sophisticated phishing attacks, fake domains, and social media impersonation. These threats not only put your community's assets at risk but can also severely damage your brand's reputation and erode user trust. + +## Enterprise-Grade Protection for Leading Web3 Organizations + +Today, ChainPatrol serves as the trusted security partner for some of the most prominent names in the blockchain industry. + + + + + + + + + + + +These organizations rely on us to safeguard their communities from online impersonation and phishing attacks 24/7. + +## Real-Time Protection Through Wallet Integration + +At the core of our solution is a **continuously updated blocklist** of malicious domains, directly integrated into over 20 leading crypto wallets. + + +**Protected Wallets:** MetaMask, Coinbase Wallet, Phantom, and 17+ more leading wallets + + +When users attempt to interact with a flagged malicious site, they receive an immediate warning, preventing potential losses before they happen. This proactive approach provides an essential layer of security that protects users at the point of transaction. + +## Comprehensive Detection and Rapid Response + +Our advanced detection system continuously monitors the digital landscape to identify scams impersonating your company across multiple channels: + + + + We scan for lookalike domains and phishing sites using your brand + + + + Automated monitoring for fake accounts impersonating your official channels + + + + Detection of malicious servers and impersonator accounts targeting your community + + + + Comprehensive coverage across the social media ecosystem + + + +### Our Three-Step Response Process + +When a threat is detected, our response is swift and decisive: + + + + Malicious sites are blocked across our Wallet Network within minutes of detection, preventing your users from interacting with them + + + + We don't stop at blocking—our team proceeds with full takedown procedures, working to permanently remove fraudulent domains and social media accounts + + + + Continuous surveillance ensures new threats are identified and neutralized as they emerge + + + +## The Cost of Inaction + + +Every day that phishing attacks go unaddressed, your community members are at risk of losing funds, and your brand reputation suffers. + + +Traditional security measures often react too slowly, allowing scammers to victimize multiple users before threats are contained. + +## See ChainPatrol in Action + +We'd love to show you how ChainPatrol can protect your organization and community. In a brief demo, we'll walk you through: + + + + See our detection capabilities in action + + + + How we protect users at the point of interaction + + + + Our takedown process and response times + + + + Stay informed of threats targeting your brand + + + +## Schedule Your Demo Today + + + Choose a time that works best for you + + +Don't let phishing attacks compromise your community's security and your brand's reputation. Let's discuss how ChainPatrol can provide the protection your organization deserves. diff --git a/guides/api-keys.mdx b/guides/api-keys.mdx new file mode 100644 index 0000000..fa66e37 --- /dev/null +++ b/guides/api-keys.mdx @@ -0,0 +1,8 @@ +--- +title: "API Keys" +description: "How to generate and manage API keys" +--- + +# API Keys + +[Content to be added] diff --git a/guides/communicating-with-chainpatrol.mdx b/guides/communicating-with-chainpatrol.mdx new file mode 100644 index 0000000..a53b73f --- /dev/null +++ b/guides/communicating-with-chainpatrol.mdx @@ -0,0 +1,8 @@ +--- +title: "Communicating With ChainPatrol" +description: "Best practices for communicating with the ChainPatrol team" +--- + +# Communicating With ChainPatrol + +[Content to be added] diff --git a/guides/enabling-disabling-services.mdx b/guides/enabling-disabling-services.mdx new file mode 100644 index 0000000..05c6e3b --- /dev/null +++ b/guides/enabling-disabling-services.mdx @@ -0,0 +1,8 @@ +--- +title: "Enabling/Disabling Services" +description: "How to enable and disable ChainPatrol services" +--- + +# Enabling/Disabling Services + +[Content to be added] diff --git a/guides/false-positives.mdx b/guides/false-positives.mdx new file mode 100644 index 0000000..cc6582d --- /dev/null +++ b/guides/false-positives.mdx @@ -0,0 +1,8 @@ +--- +title: "False Positives" +description: "How to handle and report false positives" +--- + +# False Positives + +[Content to be added] diff --git a/guides/gathering-allowlist.mdx b/guides/gathering-allowlist.mdx new file mode 100644 index 0000000..34ed6bb --- /dev/null +++ b/guides/gathering-allowlist.mdx @@ -0,0 +1,8 @@ +--- +title: "Gathering Allowlist" +description: "How to build and maintain your allowlist" +--- + +# Gathering Allowlist + +[Content to be added] diff --git a/guides/public-reports.mdx b/guides/public-reports.mdx new file mode 100644 index 0000000..9ca52e4 --- /dev/null +++ b/guides/public-reports.mdx @@ -0,0 +1,8 @@ +--- +title: "Public Reports" +description: "How to work with public reports" +--- + +# Public Reports + +[Content to be added] diff --git a/guides/setting-up-brands.mdx b/guides/setting-up-brands.mdx new file mode 100644 index 0000000..7c6053e --- /dev/null +++ b/guides/setting-up-brands.mdx @@ -0,0 +1,8 @@ +--- +title: "Setting Up Brands" +description: "How to configure brands in ChainPatrol" +--- + +# Setting Up Brands + +[Content to be added] diff --git a/guides/sso.mdx b/guides/sso.mdx new file mode 100644 index 0000000..96369fb --- /dev/null +++ b/guides/sso.mdx @@ -0,0 +1,8 @@ +--- +title: "SSO" +description: "How to set up Single Sign-On" +--- + +# SSO + +[Content to be added] diff --git a/guides/unflagging-your-assets.mdx b/guides/unflagging-your-assets.mdx new file mode 100644 index 0000000..72df2b5 --- /dev/null +++ b/guides/unflagging-your-assets.mdx @@ -0,0 +1,8 @@ +--- +title: "Unflagging Your Assets" +description: "How to unflag incorrectly flagged assets" +--- + +# Unflagging Your Assets + +[Content to be added] diff --git a/mint.json b/mint.json index f6b88c6..0f95e6d 100644 --- a/mint.json +++ b/mint.json @@ -74,40 +74,83 @@ "navigation": [ { "group": "Getting Started", - "pages": ["introduction"] + "pages": [ + { + "group": "What do we do?", + "pages": [ + "getting-started/what-we-do/introduction", + "getting-started/what-we-do/brand-impersonation", + "getting-started/what-we-do/general-phishing" + ] + }, + { + "group": "How it works", + "pages": [ + "getting-started/how-it-works/how-we-use-ai", + "getting-started/how-it-works/detection-sources", + "getting-started/how-it-works/asset-scans", + "getting-started/how-it-works/review", + "getting-started/how-it-works/blocklist", + "getting-started/how-it-works/takedown", + "getting-started/how-it-works/watchlist" + ] + } + ] }, - { - "group": "General", + "group": "Protect Your Brand", "pages": [ - "general/how-it-works", - "general/api-key", - "general/concepts", - "general/false-positives" + "protect-your-brand/onboarding-requirements", + "protect-your-brand/who-should-be-involved", + "protect-your-brand/services-setup", + "protect-your-brand/ongoing-communication" ] }, { - "group": "Integration", + "group": "Concepts", "pages": [ - "integration/guide", - "integration/check-vs-list", - "integration/proxy", - "integration/webhooks", - "integration/zapier", + "concepts/organizations", + "concepts/brands", + "concepts/reports", + "concepts/reviews", + "concepts/detections", + "concepts/asset-scans", + "concepts/blocklist", + "concepts/allowlist", + "concepts/watchlist", + "concepts/takedowns", + "concepts/legal-docs", + "concepts/metrics", + "concepts/security-portal" + ] + }, + { + "group": "Integrations", + "pages": [ + "bots/discord-bot", + "bots/telegram-bot", + "bots/slack-bot", "integration/vercel", "integration/intercom", "integration/github", "security-integration/canary-tokens", - "security-integration/submit-assets-for-scanning" + "integration/webhooks", + "integration/zapier" ] }, { - "group": "Bots", - "pages": ["bots/discord-bot", "bots/slack-bot", "bots/telegram-bot"] - }, - { - "group": "Extensions", - "pages": ["extensions/chrome-extension"] + "group": "Guides", + "pages": [ + "guides/api-keys", + "guides/enabling-disabling-services", + "guides/gathering-allowlist", + "guides/setting-up-brands", + "guides/false-positives", + "guides/public-reports", + "guides/sso", + "guides/unflagging-your-assets", + "guides/communicating-with-chainpatrol" + ] }, { "group": "External API", diff --git a/protect-your-brand/onboarding-requirements.mdx b/protect-your-brand/onboarding-requirements.mdx new file mode 100644 index 0000000..c86d17a --- /dev/null +++ b/protect-your-brand/onboarding-requirements.mdx @@ -0,0 +1,410 @@ +--- +title: "Onboarding Requirements" +description: "Information ChainPatrol needs to protect your organization from threats" +--- + +This guide explains the information ChainPatrol needs during onboarding and how to keep your organization's data up to date for effective threat protection. + +## Overview + +ChainPatrol protects your organization by monitoring for threats impersonating your brands, assets, and employees. To do this effectively, we need accurate and comprehensive information about: + + + + All digital properties you own or manage + + + + Logos, trademarks, and brand terms + + + + Documents that allow us to take action on your behalf + + + + +Keeping this information current ensures we can quickly identify and respond to threats while avoiding false positives. + + +## What Information We Collect + +### Assets + +We need to know about all digital properties associated with your organization: + + + + - Websites and web applications + - Subdomains and development environments + - Landing pages and marketing sites + - Documentation and support portals + + + + - Twitter/X handles + - Discord servers + - Telegram channels and groups + - LinkedIn company pages + - YouTube channels + - Other platform accounts + + + + - Official company email addresses + - Employee email addresses + - Support and contact emails + - Newsletter addresses + + + + - Wallet addresses + - Smart contracts + - ENS names + - On-chain identities + - Token contracts + + + + - iOS applications + - Android applications + - Chrome extensions + - Firefox add-ons + - Safari extensions + + + + - GitHub repositories + - Documentation sites + - Community forums + - Developer portals + - API endpoints + + + + +**Important:** When something is added to your organization, we **automatically allowlist it** so it doesn't get accidentally blocked or taken down by our systems. + + +### Brand Images and Visual Identity + +We collect visual assets to help identify brand impersonation attempts: + + + + - Primary logo (all formats) + - Secondary logo variations + - Wordmarks and text-only versions + - Monochrome versions + - Icon-only versions + + + + - Primary color palette + - Secondary colors + - Hex codes and RGB values + - Color usage guidelines + + + + - Icons and symbols + - Patterns and textures + - Typography and fonts + - Other brand elements + + + +### Brand Terms and Trademarks + +We monitor for unauthorized use of your: + + + + All marks registered with trademark offices + + + + Official names of your products and services + + + + Marketing phrases associated with your brand + + + + Variations that scammers might use + + + +### Legal Documents + +Before we can perform takedowns on your behalf, we need: + + + + Authorizes ChainPatrol to perform takedowns in a narrow, specific capacity + + + + Required specifically for Twitter/X takedowns + + + + Trademark certificates and business registration documents + + + + +These documents are **required before we can enable takedown services** for your organization. + + +## Managing Your Organization's Assets + +### Organization Assets Settings Page + +You can add, remove, or modify assets directly from your organization's settings: + + + + Go to **Settings** > **Organization Assets** + + + + Click **Add Asset** to include new properties + + + + Select assets and click **Remove** to delete outdated entries + + + + Use the search and filter tools to find specific assets + + + + Group assets to help organize by priority or type + + + +### API Management + +For organizations with many assets or frequent updates, you can manage assets programmatically using our API: + + + + Complete endpoint documentation + + + + Create keys in Settings > API Keys + + + + Add or remove multiple assets in a single request + + + + +See our [API Integration Guide](/integration/guide) for detailed instructions on programmatic asset management. + + +## The Onboarding Process + +### Customer Information Sheet (CIS) + +During onboarding, you'll receive a **Customer Information Sheet** to fill out. This comprehensive form captures all the information listed above. + + +**Best Practice:** Don't fill out the CIS alone. Share it with teams across your organization. + + +#### Teams to Involve + + + + - Brand campaigns and initiatives + - Social media accounts + - Creative assets and materials + - Marketing domains and landing pages + + + + - Infrastructure domains + - GitHub repositories + - Developer tools and APIs + - Staging and testing environments + + + + - Product names and features + - Beta programs + - Feature launches + - Product documentation + + + + - Trademark registrations + - Official documentation + - Power of Attorney + - Business registration + + + + - Discord servers + - Telegram groups + - Community forums + - Ambassador programs + + + + +Sometimes teams "squat" domains or social media handles for future use that leadership may not know about. A comprehensive internal review prevents these assets from being misidentified as threats. + + +### Ongoing Allowlist Updates + +We don't just collect information once. ChainPatrol conducts **frequent allowlist gathering throughout the year** to: + + + + New assets as your organization grows + + + + Outdated or retired properties + + + + Brand materials after refreshes + + + + New employees and team members + + + + +You'll be notified when it's time for an allowlist review, typically quarterly or after major organizational changes. + + +## Document Security and Privacy + +Your legal documents and sensitive information are handled with strict security measures: + + + + All documents stored in encrypted, access-controlled cloud storage + + + + Only authorized takedown staff and support can retrieve documents + + + + All document access is logged and monitored + + + + Following industry-standard security practices + + + +## Frequently Asked Questions + + + + You should remove their email address and any personal accounts from your organization's asset list. This can be done through the Settings page or API. + + + We recommend integrating asset management with your employee offboarding process. + + + + + Contact us immediately when planning a rebrand. We'll work with you to: + + 1. Add new brand assets to your allowlist + 2. Update visual identity materials + 3. Keep old brand assets protected during the transition period + 4. Eventually remove outdated assets after the transition is complete + + + Rebrand transitions typically require 30-90 days where both old and new assets are protected. + + + + + **For acquisitions you make:** + - Add the acquired brand as a sub-brand in your organization + - Include all their assets in your allowlist + - Keep existing POA/LOA documents for the acquired entity + + **For being acquired:** + - Work with your new parent company to transfer ChainPatrol services + - Legal documents may need to be updated to reflect the new ownership structure + - Contact [support@chainpatrol.io](mailto:support@chainpatrol.io) to coordinate the transition + + + + If an asset you own is compromised (hacked, stolen credentials, etc.): + + + + Email [support@chainpatrol.io](mailto:support@chainpatrol.io) or use your dedicated Slack channel + + + + Remove the compromised asset so we can take action against it + + + + Report through our platform so we can track and monitor the threat + + + + Re-add the asset once you've regained control and secured it + + + + + We can respond quickly to compromised assets once notified, often taking them down within hours. + + + + + Yes! Organizations can have multiple brands, each with their own: + + - Asset lists + - Brand identity materials + - Protected terms + + This is common for holding companies, investment firms, or organizations with multiple product lines. + + + + We recommend reviewing your assets: + + - **Quarterly**: Regular check-ins to catch gradual changes + - **After launches**: New products, campaigns, or initiatives + - **After reorganizations**: Mergers, acquisitions, or restructuring + - **When prompted**: We'll notify you when it's time for a scheduled review + + + + **When in doubt, include it.** It's better to have too many assets in your allowlist than to miss something. + + + Our team can help you refine your list during onboarding and ongoing reviews. + + + + +--- + + + Schedule an onboarding call to begin protecting your organization + diff --git a/protect-your-brand/ongoing-communication.mdx b/protect-your-brand/ongoing-communication.mdx new file mode 100644 index 0000000..92e4645 --- /dev/null +++ b/protect-your-brand/ongoing-communication.mdx @@ -0,0 +1,400 @@ +--- +title: "Ongoing Communication" +description: "How to stay connected with ChainPatrol for effective brand protection" +--- + +Effective brand protection requires clear, ongoing communication between your organization and ChainPatrol. This guide outlines the channels, processes, and best practices for staying connected. + +## Communication Channels + +We use multiple channels to stay in touch with our customers: + + + + Direct group messaging for quick updates and discussions + + + + Dedicated channels for enterprise customers + + + + Formal communications via support@chainpatrol.io and dispute@chainpatrol.io + + + + +Each channel serves different purposes. Use Telegram/Slack for quick questions and real-time updates, and email for formal requests or documentation. + + +## Reporting Threats + +### Can customers report threats directly to us? + +Yes! Customers can report threats through multiple channels: + + + + **Direct Group Reporting** + + Share threats directly in your dedicated Telegram group for immediate visibility. + + **Best for:** + - Quick threat reports + - Screenshots and URLs + - Real-time discussions + - Urgent threats requiring immediate attention + + + + **Slack Connect Channel** + + Post threats in your Slack Connect channel for team collaboration. + + **Best for:** + - Enterprise workflows + - Team coordination + - Documented threat history + - Integration with internal tools + + + + **Automated Bot Reporting** + + Use our automated bot integrations to streamline reporting without leaving your workflow. + + **Benefits:** + - Automated threat submission + - Consistent formatting + - Faster processing + - Reduced manual work + + + Ask your point of contact for setup instructions to enable bot integrations. + + + + +## Major Events + +If your organization has upcoming launches, announcements, or major events, communication is critical: + + + + Notify us as soon as you have event details to share + + + + This allows us to dedicate extra monitoring resources and prepare response plans + + + + We can detect and take action on threats faster during your critical moments + + + + +**Why this matters:** Phishing attacks are often timed to coincide with your activities. Product launches, token sales, airdrops, and major announcements are prime targets for scammers. + + +### What to Share + + + + - Product launches + - Token sales or airdrops + - Partnership announcements + - Rebrands or major updates + - Conference appearances + + + + - Anticipated traffic volume + - Social media campaign details + - Press coverage expectations + - Community engagement plans + + + + - Landing pages or microsites + - New social media accounts + - Campaign-specific domains + - Promotional materials + + + + - Event start and end dates + - Peak activity windows + - Geographic focus areas + + + + +**Better prepared, better protected:** The earlier we know, the faster we can detect and take action on threats. + + +## Organization Assets + +### Keeping Your Asset List Current + +We need an up-to-date list of your organization's assets to protect them effectively. + + + + Review and update your asset list periodically (at least quarterly) + + + + Notify us immediately when you launch new domains, social accounts, or other assets + + + + Contact your point of contact or use the ChainPatrol dashboard + + + + +The more complete your asset list, the better we can protect your brand and avoid false positives. + + +### When to Update Your Assets + + + + **Notify us immediately for:** + - New domain registrations + - New social media accounts + - New mobile applications + - New blockchain addresses + - New team member accounts + - Acquired brands or companies + + + + **Schedule quarterly reviews for:** + - Deprecated assets to remove + - Temporary campaign assets + - Employee turnover updates + - Rebranded assets + - Changed contact information + + + + **Update before major events:** + - Product launches + - Marketing campaigns + - Partnership announcements + - Organizational changes + + + +## Threat Snapshots + +### What are threat snapshots? + +Threat snapshots are point-in-time records of detected threats targeting your organization. + + + + A comprehensive record of the threat at the moment of detection + + + + Screenshots and archived content + + + + Domains, IPs, and hosting information + + + + When detected and when action was taken + + + +### What data do they contain? + +Each snapshot includes comprehensive information: + + + + - Screenshots of the malicious content + - Archived copies of web pages + - Social media post captures + - Visual similarity analysis + + + + - Domain information (WHOIS, DNS records) + - Hosting details (provider, IP addresses) + - Infrastructure data (CDN, nameservers) + - SSL certificate information + + + + - When the threat was first detected + - Which detection rules triggered + - Confidence scores and risk levels + - AI analysis results + + + + - Takedown requests submitted + - Provider responses received + - Status updates and timeline + - Final resolution outcome + + + + +Threat snapshots are available in your ChainPatrol dashboard and can be exported for internal reporting or compliance purposes. + + +## Customer Feedback Meetings + +We schedule regular feedback sessions to ensure we're meeting your needs. + +### What We Discuss + + + + **Review recent threats:** + - Volume and trends + - Attack patterns + - High-severity incidents + - Response effectiveness + + + + **Evaluate performance:** + - False positive rates + - Missed threats + - Detection speed + - Coverage gaps + + + + **Share your experience:** + - What's working well + - Pain points or challenges + - Communication effectiveness + - Documentation needs + + + + **Discuss improvements:** + - New integrations + - Custom workflows + - Reporting enhancements + - Platform features + + + + +Your ChainPatrol representative will coordinate scheduling for these meetings, typically held quarterly or as needed. + + +## Your Points of Contact + +### Dedicated Support Team + +Meet your ChainPatrol team members and their areas of expertise: + + + + **Areas of expertise:** + - Bot integrations and technical support + - Day-to-day customer inquiries + - Automated reporting setup + - Integration troubleshooting + + **When to contact Michael:** + - Setting up bot integrations + - Technical support questions + - General customer inquiries + - Integration issues + + + + **Areas of expertise:** + - Strategic partnership and account management + - Service optimization and feedback + - Onboarding and training + - Long-term success planning + + **When to contact Dave:** + - Strategic discussions + - Service optimization + - Feedback and feature requests + - Account management questions + + + + **Areas of expertise:** + - Technical concerns about application stability + - Canary tokens integration support + - Advanced technical implementations + - Platform architecture questions + + **When to contact Maksym:** + - Application stability issues + - Canary token integrations + - Complex technical implementations + - Platform architecture discussions + + + + +Reach out to your designated contact for any questions or concerns. If you're unsure who to contact, start with your primary point of contact and they'll route you appropriately. + + +## Best Practices for Communication + + + + Don't wait for issues to escalate—reach out early and often + + + + Include relevant details, screenshots, and URLs when reporting threats + + + + Match urgency to channel (Telegram for urgent, email for formal) + + + + Regularly review and update your organization's asset list + + + + Give advance notice of launches and major announcements + + + + Participate in regular check-ins to optimize service + + + +--- + +## Quick Reference + +| Need | Channel | Contact | +|------|---------|---------| +| **Urgent threat report** | Telegram/Slack | Your dedicated group/channel | +| **Bot integration setup** | Email/Telegram | Michael | +| **Strategic discussion** | Email/Slack | Dave | +| **Technical issue** | Email/Telegram | Maksym | +| **Formal request** | Email | support@chainpatrol.io | +| **Dispute submission** | Email | dispute@chainpatrol.io | + +--- + + + Contact us at support@chainpatrol.io or reach out through your dedicated communication channel + diff --git a/protect-your-brand/services-setup.mdx b/protect-your-brand/services-setup.mdx new file mode 100644 index 0000000..67126e9 --- /dev/null +++ b/protect-your-brand/services-setup.mdx @@ -0,0 +1,478 @@ +--- +title: "Services Setup" +description: "Configure ChainPatrol security services for your organization" +--- + +ChainPatrol offers multiple security services that can be configured based on your organization's needs. Each service can be enabled independently and requires specific permissions and approvals before activation. + + +**Where to find Services:** Navigate to your organization settings → Services + + +## Available Services + + + + Automated scanning for threats + + + + Continuous threat intelligence + + + + Expert threat validation + + + + Internal approval workflow + + + + Real-time wallet protection + + + + Professional threat removal + + + + Instant takedown submission + + + +## Detection + + + + The Detection service automatically scans various sources across the internet to identify potentially malicious assets targeting your brand or organization. This includes monitoring domain registrations, social media platforms, and other channels where threats commonly appear. + + + + **Ideal for:** + - Organizations that want proactive monitoring for brand impersonation + - Teams looking to identify threats before they reach end users + - Companies with significant online presence susceptible to phishing attacks + + + + **Prerequisites:** + - Complete your organization profile + - Define your tracked assets (domains, social media handles, brand identifiers) + - Ensure your team is ready to receive detection alerts + + + + **Required Approvals:** + - Organization Owner approval (if requested by a member) + - ChainPatrol staff review for initial setup + + **Required Legal Docs:** + - None + + + +--- + +## Monitoring & Reporting + + + + This service continuously monitors the web for new threats to your brand, including phishing sites, scams, and impersonation attempts. When potential threats are detected, they're automatically reported to ChainPatrol's review system for validation and action. + + + + **Ideal for:** + - Organizations requiring comprehensive brand protection + - Security teams needing continuous threat intelligence + - Companies that want to stay ahead of emerging scams and phishing campaigns + + + + **Prerequisites:** + - Enable the Detection service first + - Have dedicated resources to handle threat notifications + - Establish your organization's threat response workflow + + + + **Required Approvals:** + - Organization Owner approval (if requested by a member) + + **Required Legal Docs:** + - None + + + +--- + +## Reviewing + + + + The Reviewing service ensures that ChainPatrol's security experts manually review all detected threats for your organization. This adds a layer of human validation to confirm threats are genuine and not false positives. + + + + **Ideal for:** + - Organizations that prioritize accuracy over speed + - Companies concerned about false positives + - Teams new to threat detection who want expert validation + + + + **Prerequisites:** + - Can be enabled immediately, alongside Detection and Monitoring services + - Enable when you want ChainPatrol experts to validate all threats before action + + + + **Required Approvals:** + - Organization Owner approval (if requested by a member) + + **Required Legal Docs:** + - None + + + +--- + +## Obligatory Organization Admin Approval + + + + This service requires your organization's administrators to review and approve all threats validated by ChainPatrol staff before they're added to your organization's blocklist. You can configure which types of assets (social media, domains, wallets, etc.) require this approval. + + + + **Ideal for:** + - Organizations with strict internal compliance requirements + - Companies that want final oversight on all blocked content + - Teams with industry-specific regulations requiring manual approval + - Organizations that prefer to have control over what gets blocked + + + + **Prerequisites:** + - Enable after Reviewing service + - Have designated administrators available to review proposals regularly + - Enable before Wallet Blocking if you want approval control + + + + **Required Approvals:** + - None (can be configured directly by organization admins) + + **Required Legal Docs:** + - None + + + + **Configuration Options:** + - Enable/disable the approval requirement + - Select specific asset types that require approval: + - Domains + - Social media accounts + - Messaging apps + - Crypto addresses + - And more + + + If no specific types are selected, all asset types will require approval + + + + +--- + +## Wallet Blocking + + + + Approved threats are added to ChainPatrol's global blocklist, which is consumed by major cryptocurrency wallets and platforms, including Coinbase, MetaMask, and others. This prevents users from interacting with malicious addresses, domains, or contracts in real-time. + + + + **Ideal for:** + - Cryptocurrency projects and protocols + - DeFi platforms + - NFT projects + - Web3 organizations + - Any company whose users interact with blockchain wallets + + + + **Prerequisites:** + + + Ensure all organization details are accurate + + + + Set up all assets you want to protect + + + + Detection, Monitoring, and Reviewing must be active + + + + Confirm organization assets and tracked asset scans are correct + + + + + + **Required Approvals:** + - Organization Owner approval (required) + - Acknowledgment that organization assets and tracked assets are correctly configured + + **Required Legal Docs:** + - None + + + **Important:** Enabling Wallet Blocking has immediate impact on end-users. Organizations must verify their asset configuration is accurate before enabling this service. + + + + +--- + +## Takedowns + + + + For approved threats, ChainPatrol submits professional takedown requests to hosting providers, domain registrars, and platform administrators on your behalf. Our team handles the entire takedown process, including follow-ups and documentation. + + + + **Ideal for:** + - Organizations that want active threat removal, not just detection + - Companies lacking in-house expertise for filing takedown requests + - Teams that need to enforce intellectual property and trademark protection + - Brands experiencing high volumes of impersonation or phishing + + + + **Prerequisites:** + - Enable Detection, Monitoring, and Reviewing services + - Verify your organization has proper brand protection policies in place + - Be ready for ChainPatrol to represent your organization in takedown communications + + + + **Required Approvals:** + - Organization Owner approval (if requested by a member) + - ChainPatrol legal review + + **Required Legal Docs:** + - Proof of trademark or brand ownership + - Organization contact information + - Authorized representative details + + + +--- + +## Automated Takedowns + + + + Takedown requests are submitted automatically to hosting providers immediately after a threat is approved by ChainPatrol staff (and your organization, if Obligatory Organization Admin Approval is enabled). This provides the fastest possible response time for threat removal. + + + + **Ideal for:** + - Organizations experiencing high volumes of threats requiring rapid response + - Companies with mature threat detection processes + - Teams that trust ChainPatrol's review process completely + - Brands in high-risk industries (cryptocurrency, finance, e-commerce) + + + + **Prerequisites:** + + + All services must be enabled and functioning properly + + + + Valid POA document must be uploaded + + + + Organization's main website URL must be set + + + + Have confidence in the accuracy of your threat detection + + + + + + **Required Approvals:** + - Organization Owner approval (required) + - ChainPatrol legal team approval + + **Required Legal Docs:** + - **Power of Attorney (POA) document** - Authorizes ChainPatrol to submit takedown requests on your behalf + - Main website URL for your organization + - Trademark registration documents + - Authorized signatory information + + + **Important:** Automated Takedowns cannot be enabled without these prerequisites. The service will remain disabled until both the POA document and website URL are provided. + + + + +--- + +## Approval Process + +### Service Enable Request Flow + + + + **Organization Members and Staff:** + - Submit a request to enable the service + - Organization Owners receive an email notification + - Request appears as "Pending" in the Services page + - No changes take effect until approved + + + + **Organization Owners:** + - Can enable services immediately without approval + - Can approve pending requests from team members + - Receive email notifications for all service change requests + + + + **For certain services:** + - Some services require ChainPatrol staff verification + - Legal team reviews documentation for Takedowns and Automated Takedowns + - Security team validates configuration for Wallet Blocking + + + +### Disabling Services + + + + Organization Owners can disable any service at any time + + + + Members with OrganizationServices:update permission can request to disable services + + + + Disabling services takes effect immediately for the requesting owner + + + + Service data and history are preserved when disabled + + + +--- + +## Legal Requirements + +### Required Documentation by Service + +| Service | Documents Required | When Needed | +|---------|-------------------|-------------| +| Detection | None | - | +| Monitoring & Reporting | None | - | +| Reviewing | None | - | +| Obligatory Organization Admin Approval | None | - | +| Wallet Blocking | None (but verification required) | - | +| Takedowns | Trademark proof, Authorized representative details | Before enabling | +| Automated Takedowns | Power of Attorney, Trademark registration, Main website URL | Before enabling | + +### Power of Attorney Requirements + +For Automated Takedowns, your Power of Attorney document must: + + + + Specifically authorize ChainPatrol to submit takedown requests on your organization's behalf + + + + Be signed by an authorized representative of your organization + + + + Include your organization's legal name and contact information + + + + Be dated within the last 12 months (recommended) + + + + Be uploaded in PDF format to your organization settings + + + + +**How to upload:** Navigate to Organization Settings → Documents → Upload Power of Attorney + + +### Trademark Documentation + +For both Takedowns and Automated Takedowns: + + + + Provide trademark registration numbers or pending applications + + + + Include jurisdictions where trademarks are registered + + + + Demonstrate clear ownership of brand assets + + + + Provide evidence of legitimate use in commerce + + + +--- + +## Service Dependencies + +```mermaid +flowchart TD + Detection[Detection] --> Monitoring[Monitoring & Reporting] + Monitoring --> Reviewing[Reviewing] + Reviewing --> AdminApproval[Admin Approval
Optional] + Reviewing --> WalletBlocking[Wallet Blocking] + Reviewing --> Takedowns[Takedowns] + Takedowns --> AutoTakedowns[Automated Takedowns] + + style Detection fill:#3b82f6 + style Monitoring fill:#8b5cf6 + style Reviewing fill:#10b981 + style AdminApproval fill:#f59e0b + style WalletBlocking fill:#ef4444 + style Takedowns fill:#ec4899 + style AutoTakedowns fill:#dc2626 +``` + +--- + + + Log in to your dashboard to enable and configure services for your organization + diff --git a/protect-your-brand/who-should-be-involved.mdx b/protect-your-brand/who-should-be-involved.mdx new file mode 100644 index 0000000..8e588cf --- /dev/null +++ b/protect-your-brand/who-should-be-involved.mdx @@ -0,0 +1,418 @@ +--- +title: "Who Should Be Involved in Brand Protection" +description: "Key stakeholders and team members essential for effective brand protection" +--- + +Effective brand protection requires collaboration across your organization. This guide identifies the key stakeholders who should be involved and explains their unique contributions to your security program. + +## Key Stakeholders + +### Knowledge Owners + +These team members have the most profound understanding of your brand, its legitimate presence, and authorized activities. + + + + **Why they're critical:** Founders and executives have the complete picture of your company's strategic direction, partnerships, and official communications. + + **What they contribute:** + - Know all official company accounts across platforms + - Understand authorized partnerships and affiliate relationships + - Can quickly identify unauthorized use of company branding + - Make final decisions on brand protection policies and budgets + - Approve official responses to brand impersonation incidents + + **When to involve them:** + + + Initial brand protection program setup + + + + Incidents affecting company reputation + + + + Brand protection investments and policies + + + + CEO fraud or executive social media impersonation + + + + + + **Why they're critical:** Marketing teams create and manage most of your brand's public-facing presence. + + **What they contribute:** + - Maintain comprehensive lists of all official social media accounts + - Know current and past marketing campaigns that scammers might impersonate + - Understand your brand's visual identity, messaging, and voice + - Track influencers, ambassadors, and partners authorized to represent your brand + - Identify subtle brand guideline violations that others might miss + + **When to involve them:** + + + Setting up brand monitoring configurations + + + + Reviewing potential impersonation threats + + + + Determining if promotional content is legitimate + + + + Creating response templates for brand abuse cases + + + + Training other teams on brand guidelines + + + + + + **Why they're critical:** Security teams bring technical expertise and incident response capabilities. + + **What they contribute:** + - Understand phishing tactics and social engineering techniques + - Can assess technical sophistication of threats + - Know your organization's security tools and infrastructure + - Have established incident response procedures + - Connect brand protection to broader security strategy + + **When to involve them:** + - Initial system setup and security configuration + - Evaluating high-risk threats + - Incidents involving credential theft or data breaches + - Integration with existing security tools and workflows + - Security awareness training programs + + + + **Why they're critical:** Developers understand your technical infrastructure and can help identify technical impersonation. + + **What they contribute:** + - Know all legitimate domains, subdomains, and APIs + - Understand your application's technical fingerprint + - Can identify fake apps, cloned websites, and API abuse + - Implement technical integrations with brand protection tools + - Develop custom detection rules or automation + + **When to involve them:** + + + Identifying all legitimate technical assets + + + + Setting up API integrations and webhooks + + + + Creating custom detection rules for technical threats + + + + Reviewing threats targeting developer communities + + + + + +## Threat Reporters + +These team members are your eyes and ears, often the first to spot brand abuse in the wild. + + + + **Why they're critical:** Your community often encounters scams before your internal teams do. + + **What they contribute:** + - First-hand experience with phishing attempts targeting your users + - Real-time visibility into social media impersonation + - Ground-level perspective on what threats actually affect users + - Authentic feedback on potential false positives + + **How to enable them:** + + + Provide easy reporting mechanisms (dedicated email, web form, Discord channel) + + + + Create clear guidelines for what to report + + + + Acknowledge and thank community reporters + + + + Share general updates about brand protection efforts (without sensitive details) + + + + Consider a bug bounty or reward program for security reports + + + + + + **Why they're critical:** Ambassadors have large followings and are frequent impersonation targets. + + **What they contribute:** + - Report impersonation of their own accounts that reference your brand + - Identify scams targeting your community through their channels + - Help educate their followers about legitimate brand communications + - Amplify official security warnings + + **How to enable them:** + + + Brief them on common scam patterns targeting your community + + + + Give them a direct contact for urgent reports + + + + Provide them with official statements they can share + + + + Monitor for impersonation of their accounts related to your brand + + + + + + **Why they're critical:** If you have a Security Operations Center (SOC), analysts monitor threats 24/7. + + **What they contribute:** + - Continuous monitoring of security alerts and threat feeds + - Triage and prioritize brand protection alerts + - First-line analysis of potential threats + - Escalate high-priority incidents to appropriate teams + - Document and track incident patterns + + **How to enable them:** + - Integrate ChainPatrol alerts into existing SOC tools (SIEM, ticketing systems) + - Provide clear escalation procedures and runbooks + - Define severity levels and response SLAs + - Give access to brand protection dashboards + - Include brand protection metrics in SOC reporting + + + + **Why they're critical:** Support teams interact directly with customers who may have fallen victim to scams. + + **What they contribute:** + - Receive direct reports from users who encountered scams + - Identify patterns in customer complaints about suspicious communications + - Gather detailed information about scam tactics from victims + - Provide immediate assistance to affected customers + - Reduce impact by quickly identifying and escalating threats + + **How to enable them:** + + + Train them to recognize and document phishing reports + + + + Create templates for customer responses about security incidents + + + + Give them a clear process to escalate brand abuse reports + + + + Include them in post-incident reviews to improve response + + + + Provide regular updates on active threats to watch for + + + + + + **Why they're critical:** Comms teams manage public messaging during and after security incidents. + + **What they contribute:** + - Craft official statements about brand impersonation incidents + - Coordinate public warnings about active scams + - Monitor social media and news for brand mentions related to scams + - Manage reputation during high-profile incidents + - Interface with media during major security events + + **When to involve them:** + - Widespread scams affecting many users + - Incidents gaining media attention + - Coordinated takedown efforts that should be publicized + - Creating proactive security awareness campaigns + - Responding to public questions about brand security + + + +## Technical Implementation + +These team members handle the integration and technical setup of brand protection tools. + + + + Handle infrastructure and access + + + + Build custom integrations + + + + Manage support tool workflows + + + + + + **Why they're critical:** IT teams manage your organization's technology infrastructure and access controls. + + **What they contribute:** + - Provision access to brand protection tools for appropriate staff + - Integrate tools with existing IT infrastructure + - Manage SSO and authentication for security platforms + - Ensure compliance with IT security policies + - Handle technical troubleshooting and vendor coordination + + **When to involve them:** + + + - Initial tool procurement and setup + - User access management and permissions + - SSO configuration and integration + + + + - Network and firewall configuration for tool access + - Regular access reviews and audits + - Technical troubleshooting + + + + + + **Why they're critical:** Engineers can build custom integrations and automation. + + **What they contribute:** + - Develop custom integrations using brand protection APIs + - Build internal dashboards combining multiple data sources + - Create automated workflows for threat response + - Develop custom detection logic for your specific use case + - Implement webhook handlers for real-time alerts + + **When to involve them:** + + + Building integrations with internal tools + + + + Automating repetitive brand protection tasks + + + + Creating custom reporting or dashboards + + + + Developing organization-specific detection rules + + + + + + **Why they're critical:** Support operations teams manage support tools and workflows. + + **What they contribute:** + - Integrate brand protection alerts into support ticketing systems + - Configure routing rules for security-related support tickets + - Build custom views and reports for support teams + - Train support staff on new tools and processes + - Optimize support workflows for efficiency + + **When to involve them:** + - Integrating with support platforms (Zendesk, Intercom, etc.) + - Creating macros and templates for common responses + - Setting up automated ticket routing and tagging + - Building support team dashboards + - Training support staff on technical tools + + + +## Building Your Brand Protection Team + + +You don't need all of these roles to get started. Start with the knowledge owners and threat reporters, then expand to technical implementation as your program matures. + + +### Minimum Viable Team + +For most organizations, start with: + + + + One C-suite or senior leader to champion the program + + + + Someone who knows all official brand assets + + + + A security team member to handle technical threats + + + + Someone to coordinate community reporting + + + +### Scaling Your Team + +As your program grows, add: + + + + Full-time role for threat monitoring and response + + + + Developer time for custom integrations + + + + Train support team on security reporting + + + + Communications team for public incidents + + + +--- + + + Schedule a consultation to discuss the right team structure for your organization + From a99fc47d4240a93ab787ff9d4691cc23ebc2b071 Mon Sep 17 00:00:00 2001 From: Mustafa Siddiqui Date: Thu, 18 Dec 2025 09:05:27 -0500 Subject: [PATCH 2/5] wip: fixed structure --- concepts/allowlist.mdx | 369 ++--------- concepts/asset-scans.mdx | 499 +++------------ concepts/blocklist.mdx | 582 +++--------------- concepts/brands.mdx | 402 ++---------- concepts/detections.mdx | 464 ++------------ concepts/legal-docs.mdx | 495 +++++---------- concepts/metrics.mdx | 493 +++------------ concepts/organizations.mdx | 336 ++-------- concepts/reports.mdx | 382 ++---------- concepts/reviews.mdx | 513 +++------------ concepts/security-portal.mdx | 487 +++------------ concepts/takedowns.mdx | 408 ++---------- concepts/watchlist.mdx | 438 +++---------- getting-started/how-it-works/asset-scans.mdx | 228 ++----- getting-started/how-it-works/blocklist.mdx | 361 +++-------- .../how-it-works/detection-sources.mdx | 349 +++-------- .../how-it-works/how-we-use-ai.mdx | 183 ++---- getting-started/how-it-works/review.mdx | 233 ++----- getting-started/how-it-works/takedown.mdx | 333 +++------- getting-started/how-it-works/watchlist.mdx | 211 +------ .../what-we-do/brand-impersonation.mdx | 109 +--- getting-started/what-we-do/introduction.mdx | 70 +-- integration/canary-tokens.mdx | 88 +++ integration/discord.mdx | 196 ++++++ integration/github.mdx | 2 +- integration/intercom.mdx | 2 +- integration/slack.mdx | 198 ++++++ integration/telegram.mdx | 102 +++ integration/vercel.mdx | 2 +- mint.json | 54 +- 30 files changed, 2096 insertions(+), 6493 deletions(-) create mode 100644 integration/canary-tokens.mdx create mode 100644 integration/discord.mdx create mode 100644 integration/slack.mdx create mode 100644 integration/telegram.mdx diff --git a/concepts/allowlist.mdx b/concepts/allowlist.mdx index 2d6fbc1..95cc7d5 100644 --- a/concepts/allowlist.mdx +++ b/concepts/allowlist.mdx @@ -13,9 +13,7 @@ Assets added to the allowlist are considered **official or approved** and are tr Allowlisting helps ChainPatrol distinguish between genuine brand-owned content and potential impersonation or abuse. - Unlike blocklists, which focus on malicious content, allowlists define what is **known to be safe**. - ## Why We Use an Allowlist at ChainPatrol @@ -23,88 +21,26 @@ Allowlists play a critical role in improving both **detection accuracy** and **s ### Dual Purpose - - - **Preventing false positives** - - When an asset is allowlisted, it is excluded from automatic threat detection. - - **Benefits:** - - Prevents legitimate brand-owned assets from being mistakenly flagged as impersonation - - Reduces false positives - - Eliminates unnecessary investigations - - Improves team efficiency - - **Example:** - Your official website `example.com` is allowlisted, so it will never be flagged as a phishing site, even if detection rules would normally trigger on brand-related keywords. - - - - **Comparison for threat analysis** - - Allowlisted assets are used as **reference points** when analyzing potentially malicious content. - - **How it works:** - ChainPatrol can compare a suspected phishing page against an allowlisted official website to determine whether: - - Branding is being copied - - Layout is being imitated - - Content is being duplicated - - Visual elements are being stolen - - **Example:** - A suspicious site `examp1e.com` is detected. ChainPatrol compares it against your allowlisted `example.com` and identifies: - - 95% visual similarity - - Identical logo usage - - Copied page structure - - **Result:** High-confidence brand impersonation detection - - - - +**Exclusion from Detection** - When an asset is allowlisted, it is excluded from automatic threat detection. This prevents legitimate brand-owned assets from being mistakenly flagged as impersonation, reduces false positives, eliminates unnecessary investigations, and improves team efficiency. For example, your official website `example.com` is allowlisted, so it will never be flagged as a phishing site, even if detection rules would normally trigger on brand-related keywords. + +**Reference Baseline** - Allowlisted assets are used as reference points when analyzing potentially malicious content. ChainPatrol can compare a suspected phishing page against an allowlisted official website to determine whether branding is being copied, layout is being imitated, content is being duplicated, and visual elements are being stolen. For example, a suspicious site `examp1e.com` is detected. ChainPatrol compares it against your allowlisted `example.com` and identifies 95% visual similarity, identical logo usage, and copied page structure, resulting in high-confidence brand impersonation detection. + This dual role—exclusion from detection and use as a trusted baseline—makes allowlists essential for reliable brand impersonation analysis. - ## What Can Be Allowlisted? -In ChainPatrol, **any asset type can be allowlisted**. - - - - Official websites and web applications - - - - Verified brand and employee accounts - - - - App store listings and hosted content - - - - Testing, staging, and QA environments - - - - Vercel, Netlify, and other preview URLs - - - - Official smart contracts and wallets - - - - Official company and team emails - - - - Any asset legitimately controlled by your organization - - +In ChainPatrol, **any asset type can be allowlisted**: + +- **Domains and URLs** - Official websites and web applications +- **Social Media Accounts** - Verified brand and employee accounts +- **Application Pages** - App store listings and hosted content +- **Development Environments** - Testing, staging, and QA environments +- **Preview Deployments** - Vercel, Netlify, and other preview URLs +- **Blockchain Addresses** - Official smart contracts and wallets +- **Email Addresses** - Official company and team emails +- **Other Assets** - Any asset legitimately controlled by your organization - Allowlisting is not limited by platform or asset category, as long as the asset is known to be legitimately controlled by the organization or brand. - ## What Should and Shouldn't Be Allowlisted? @@ -112,96 +48,23 @@ Allowlisting is not limited by platform or asset category, as long as the asset Assets that are **owned, controlled, or intentionally operated** by the organization or its brands: - - - - Primary company website - - Product websites - - Documentation sites - - Support portals - - Marketing landing pages - - **Example:** `company.com`, `docs.company.com`, `support.company.com` - - - - - Official Twitter/X accounts - - Official Discord servers - - Official Telegram channels - - Official YouTube channels - - Verified employee accounts - - **Example:** `@CompanyOfficial`, `discord.gg/company-official` - - - - - QA environments - - Staging servers - - Internal testing sites - - Employee development environments - - **Example:** `staging.company.com`, `qa-env.company.com` - - - - - Vercel deployments owned by the company - - Netlify preview URLs - - GitHub Pages for official repositories - - CI/CD preview environments - - **Example:** `company-app.vercel.app`, `preview-123.netlify.app` - - - - - Official smart contracts - - Treasury wallets - - Multisig addresses - - Token contracts - - **Example:** `0x1234...` (official token contract) - - +**Official Websites** - Primary company website, product websites, documentation sites, support portals, marketing landing pages. Example: `company.com`, `docs.company.com`, `support.company.com` + +**Verified Social Media Accounts** - Official Twitter/X accounts, official Discord servers, official Telegram channels, official YouTube channels, verified employee accounts. Example: `@CompanyOfficial`, `discord.gg/company-official` + +**Internal Testing Environments** - QA environments, staging servers, internal testing sites, employee development environments. Example: `staging.company.com`, `qa-env.company.com` + +**Development and Preview Pages** - Vercel deployments owned by the company, Netlify preview URLs, GitHub Pages for official repositories, CI/CD preview environments. Example: `company-app.vercel.app`, `preview-123.netlify.app` + +**Official Blockchain Assets** - Official smart contracts, treasury wallets, multisig addresses, token contracts. Example: `0x1234...` (official token contract) ### Should NOT Be Allowlisted ❌ - - - Content that is merely tolerated but not controlled by your organization. - - **Examples:** - - Partner websites mentioning your brand - - News articles about your company - - Third-party reviews or comparisons - - Affiliate or reseller sites - - - Even if the content is positive or authorized, if you don't control it, don't allowlist it. - - - - - Content created by users, even on your platforms. - - **Examples:** - - User profiles on your platform - - Community-submitted content - - User comments or posts - - Customer testimonials on external sites - - - - Assets where you don't have complete control or ownership. - - **Examples:** - - Shared hosting environments - - Third-party integrations - - External widgets or embeds - - Temporary or borrowed infrastructure - - - If there's any doubt about control or ownership, err on the side of caution and don't allowlist. - - - +**Third-Party Content** - Content that is merely tolerated but not controlled by your organization, including partner websites mentioning your brand, news articles about your company, third-party reviews or comparisons, and affiliate or reseller sites. Even if the content is positive or authorized, if you don't control it, don't allowlist it. + +**User-Generated Content** - Content created by users, even on your platforms, including user profiles on your platform, community-submitted content, user comments or posts, and customer testimonials on external sites. + +**Assets Not Fully Controlled** - Assets where you don't have complete control or ownership, including shared hosting environments, third-party integrations, external widgets or embeds, and temporary or borrowed infrastructure. If there's any doubt about control or ownership, err on the side of caution and don't allowlist. **Important:** Allowlisting an asset implicitly signals trust. Because allowlisted assets are excluded from automatic detection, incorrectly allowlisting an asset can reduce visibility into real threats. @@ -211,93 +74,27 @@ Assets that are **owned, controlled, or intentionally operated** by the organiza Allowlisting does not permanently exempt an asset from scrutiny. - If an allowlisted asset shows suspicious behavior or is believed to be compromised, it can still be escalated, investigated, and acted upon. - ### Compromise Scenarios - - - **Scenario:** Your official Twitter account is hacked - - **What happens:** - 1. Asset is allowlisted, so automatic detection doesn't flag it - 2. Community reports suspicious activity - 3. Manual investigation reveals compromise - 4. Asset is temporarily removed from allowlist - 5. Threat is blocked and reported - 6. After recovery, asset is re-allowlisted - - - - **Scenario:** Your domain is hijacked or DNS is compromised - - **What happens:** - 1. Asset is allowlisted, so automatic detection doesn't flag it - 2. Monitoring detects unusual behavior or content changes - 3. Security team investigates - 4. Asset is removed from allowlist during incident - 5. Malicious content is blocked - 6. After resolution, asset is re-allowlisted - - - - **Scenario:** Your hosting infrastructure is compromised - - **What happens:** - 1. Allowlisted assets start serving malicious content - 2. User reports or automated monitoring detect anomalies - 3. Incident response is triggered - 4. Affected assets are removed from allowlist - 5. Threats are contained and remediated - 6. Assets are re-allowlisted after verification - - - - +**Account Compromise** - If your official Twitter account is hacked: Asset is allowlisted so automatic detection doesn't flag it, community reports suspicious activity, manual investigation reveals compromise, asset is temporarily removed from allowlist, threat is blocked and reported, after recovery asset is re-allowlisted. + +**Domain Hijacking** - If your domain is hijacked or DNS is compromised: Asset is allowlisted so automatic detection doesn't flag it, monitoring detects unusual behavior or content changes, security team investigates, asset is removed from allowlist during incident, malicious content is blocked, after resolution asset is re-allowlisted. + +**Infrastructure Breach** - If your hosting infrastructure is compromised: Allowlisted assets start serving malicious content, user reports or automated monitoring detect anomalies, incident response is triggered, affected assets are removed from allowlist, threats are contained and remediated, assets are re-allowlisted after verification. + This ensures that trust is not absolute and that compromised official assets do not become blind spots. - ## Granularity of Allowlists -Allowlists in ChainPatrol can be configured at different levels. - - - - **Applies across all brands** - - Assets allowlisted at the organization level are trusted for the entire organization, regardless of which brand they're associated with. - - **Use cases:** - - Corporate websites - - Shared infrastructure - - Company-wide social accounts - - Central authentication systems - - **Example:** - `company.com` is allowlisted at the organization level, protecting it for all brands under the organization. - - - - **Applies only to a specific brand** - - Assets allowlisted at the brand level are trusted only for that specific brand within the organization. - - **Use cases:** - - Product-specific websites - - Brand-specific social accounts - - Individual product infrastructure - - Brand-specific campaigns - - **Example:** - `product-a.com` is allowlisted for "Product A" brand but not for "Product B" brand. - - +Allowlists in ChainPatrol can be configured at different levels: + +**Organization Level** - Assets allowlisted at the organization level are trusted for the entire organization, regardless of which brand they're associated with. Use cases include corporate websites, shared infrastructure, company-wide social accounts, and central authentication systems. Example: `company.com` is allowlisted at the organization level, protecting it for all brands under the organization. + +**Brand Level** - Assets allowlisted at the brand level are trusted only for that specific brand within the organization. Use cases include product-specific websites, brand-specific social accounts, individual product infrastructure, and brand-specific campaigns. Example: `product-a.com` is allowlisted for "Product A" brand but not for "Product B" brand. - This flexibility allows teams managing multiple brands to tailor trust appropriately. - ### Hierarchy Example @@ -319,23 +116,10 @@ Organization: Acme Corp Allowlist management is restricted to **organization administrators and authorized staff members**. - - - Full control over organization-level and brand-level allowlists - - - - ChainPatrol staff can assist with allowlist management - - - - Standard users cannot modify allowlists - - - - All allowlist changes are logged and tracked - - +- **Organization Administrators** - Full control over organization-level and brand-level allowlists +- **Authorized Staff** - ChainPatrol staff can assist with allowlist management +- **Limited Access** - Standard users cannot modify allowlists +- **Audit Trail** - All allowlist changes are logged and tracked Limiting access helps ensure that allowlists remain accurate, intentional, and aligned with security best practices. @@ -343,65 +127,24 @@ Limiting access helps ensure that allowlists remain accurate, intentional, and a ### Best Practices for Allowlist Management - - - Only allowlist assets you definitively control and trust - - - - Periodically review your allowlist (quarterly recommended) to remove outdated or deprecated assets - - - - Maintain internal documentation of why assets were allowlisted - - - - Immediately remove any asset suspected of being compromised - - - - Only re-allowlist assets after confirming they're secure and under your control - - +1. **Be Conservative** - Only allowlist assets you definitively control and trust +2. **Regular Reviews** - Periodically review your allowlist (quarterly recommended) to remove outdated or deprecated assets +3. **Document Decisions** - Maintain internal documentation of why assets were allowlisted +4. **Remove Compromised Assets** - Immediately remove any asset suspected of being compromised +5. **Re-add After Verification** - Only re-allowlist assets after confirming they're secure and under your control --- ## Key Takeaways - - - Allowlists define what is explicitly trusted - - - - Excludes from detection and serves as reference baseline - - - - Domains, social accounts, apps, blockchain addresses, and more - - - - Only allowlist assets you definitively control - - - - Compromised assets can still be investigated and blocked - - - - Organization-level or brand-level allowlisting - - - - Only administrators can modify allowlists - - - - Periodic reviews keep allowlists accurate and current - - +- **Known Safe Assets** - Allowlists define what is explicitly trusted +- **Dual Purpose** - Excludes from detection and serves as reference baseline +- **Any Asset Type** - Domains, social accounts, apps, blockchain addresses, and more +- **Conservative Approach** - Only allowlist assets you definitively control +- **Not Permanent Immunity** - Compromised assets can still be investigated and blocked +- **Flexible Granularity** - Organization-level or brand-level allowlisting +- **Restricted Access** - Only administrators can modify allowlists +- **Regular Maintenance** - Periodic reviews keep allowlists accurate and current --- diff --git a/concepts/asset-scans.mdx b/concepts/asset-scans.mdx index 5c3c215..4f86c46 100644 --- a/concepts/asset-scans.mdx +++ b/concepts/asset-scans.mdx @@ -11,98 +11,45 @@ An **asset scan** is a single security check ChainPatrol performs on an asset (l ### What It Captures - - - Visual and content snapshot - - - - Enrichment data collected - - - - Risk assessment and scores - - +- **What We Saw** - Visual and content snapshot +- **Extra Context** - Enrichment data collected +- **Risk Conclusion** - Risk assessment and scores ### Why It Matters -Asset scans are the building blocks ChainPatrol uses to: - -- Understand threats over time -- Update asset status -- Support reviews and takedowns -- Power reporting and analytics +Asset scans are the building blocks ChainPatrol uses to understand threats over time, update asset status, support reviews and takedowns, and power reporting and analytics. ## Key Characteristics - - - **One scan, one asset** - - Every asset scan belongs to exactly one asset and, through that asset, to an organization and optionally a brand. - - **Hierarchy:** - ``` - Organization - └── Brand (optional) - └── Asset - └── Asset Scan - ``` - - - - **Point-in-time record** - - Each scan has a timestamp and stands on its own. Later scans might see different: - - Content - - Liveness status - - Risk indicators - - Infrastructure - - - This allows ChainPatrol to track how threats evolve over time. - - - - - **Scan lifecycle states** - - A scan has a simple status reflecting where it is in the checking process: - - - - Scan queued but not yet started - - - - Actively collecting data and running checks - - - - Scan finished successfully with results - - - - Scan encountered errors and couldn't complete - - - - - - **What each scan contains** - - **Inputs:** - - What we were asked to scan (URL, address, profile) - - Related context (organization, brand, detection source) - - **Outputs:** - - Enrichments (extra data we fetched) - - Labels (risk tags) - - Liveness status - - Overall risk score for that point in time - - +### Tied to Specific Asset + +Every asset scan belongs to exactly one asset and, through that asset, to an organization and optionally a brand. + +``` +Organization + └── Brand (optional) + └── Asset + └── Asset Scan +``` + +### Time-Bound Snapshot + +Each scan has a timestamp and stands on its own. Later scans might see different content, liveness status, risk indicators, and infrastructure. This allows ChainPatrol to track how threats evolve over time. + +### Status Tracking + +A scan has a simple status reflecting where it is in the checking process: + +1. **Pending** - Scan queued but not yet started +2. **In Progress** - Actively collecting data and running checks +3. **Completed** - Scan finished successfully with results +4. **Failed** - Scan encountered errors and couldn't complete + +### Contents + +**Inputs:** What we were asked to scan (URL, address, profile) and related context (organization, brand, detection source). + +**Outputs:** Enrichments (extra data we fetched), labels (risk tags), liveness status, and overall risk score for that point in time. ## What Lives Inside a Scan @@ -110,352 +57,88 @@ Asset scans are the building blocks ChainPatrol uses to: Structured information gathered during the scan: - - - - Page HTML and text content - - Title, description, keywords - - Meta tags and structured data - - Screenshots and visual captures - - Form fields and input elements - - - - - Outbound links from the page - - Redirect chains - - External resources loaded - - Related infrastructure - - - - - DNS records and resolution - - TLS/SSL certificate information - - IP addresses and hosting - - Server headers and responses - - Network infrastructure - - - - - Social profile attributes (followers, posts, bio) - - App store listing information (ratings, reviews, permissions) - - Blockchain data (contract code, transactions) - - Email validation results - - +**Web Content & Metadata** - Page HTML and text content, title, description, keywords, meta tags and structured data, screenshots and visual captures, form fields and input elements. + +**Links Discovered** - Outbound links from the page, redirect chains, external resources loaded, related infrastructure. + +**Technical Details** - DNS records and resolution, TLS/SSL certificate information, IP addresses and hosting, server headers and responses, network infrastructure. + +**Platform-Specific Details** - Social profile attributes (followers, posts, bio), app store listing information (ratings, reviews, permissions), blockchain data (contract code, transactions), email validation results. - Each enrichment knows where it came from (e.g., "page content", "network", or an external scanner) and whether it succeeded or failed. - ### Labels (Findings) Human-readable tags with scores that categorize risk: - - - Visual or textual mimicry of your brand - - - - Credential harvesting or scam patterns - - - - Suspended or blocked by hosting provider - - - - Malicious wallet connection code - - - - Domain reserved but not in use - - - - Domain closely resembling legitimate one - - - - -These labels are used to group risk into categories like **general phishing**, **brand impersonation**, or **wallet-related risk**. - +- **Brand Impersonation** - Visual or textual mimicry of your brand +- **General Phishing** - Credential harvesting or scam patterns +- **Provider Blocked** - Suspended or blocked by hosting provider +- **Wallet Drainer** - Malicious wallet connection code +- **Parked Domain** - Domain reserved but not in use +- **Typosquatting** - Domain closely resembling legitimate one + +These labels are used to group risk into categories like general phishing, brand impersonation, or wallet-related risk. ### Scores and Liveness A scan tracks two key metrics: - - - **Combined risk assessment** - - A numerical score (typically 0-1) representing the overall risk level at that point in time. - - **Calculated from:** - - Label scores - - Rule evaluations - - Confidence levels - - Historical patterns - - - - **Asset accessibility** - - Indicates whether the asset is currently accessible: - - - - Asset is accessible and active - - - - Asset is inaccessible or removed - - - - Status cannot be determined - - - - **Reasons tracked:** - - DNS failed - - Parked domain detected - - Suspended by provider - - 404 not found - - Connection timeout - - +**Risk Score** - A numerical score (typically 0-1) representing the overall risk level at that point in time. Calculated from label scores, rule evaluations, confidence levels, and historical patterns. + +**Liveness Status** - Indicates whether the asset is currently accessible: +- **ALIVE** - Asset is accessible and active +- **DEAD** - Asset is inaccessible or removed +- **UNKNOWN** - Status cannot be determined + +Reasons tracked include DNS failed, parked domain detected, suspended by provider, 404 not found, and connection timeout. ## How Asset Scans Relate to Other Concepts - - - **The foundation** - - The asset is the "thing" (URL, profile, listing, address); scans are the history of what we have seen about that thing. - - **Relationship:** - - One asset → Many scans over time - - Scans build a timeline of the asset's behavior - - Most recent scan typically used for current status - - - - **Input for threat identification** - - Threat records (detections) use scan labels and scores as key inputs to decide whether something should be treated as an active threat for your organization. - - **How they connect:** - - Detection triggers → Asset scan - - Scan results → Threat score - - Threat score → Detection confidence - - - - **Evidence for decision-making** - - When your team reviews a reported asset, they see the most relevant scan results to understand why it was flagged and whether it should be allowed, blocked, or escalated. - - **What reviewers see:** - - Screenshots from scans - - Labels and scores - - Enrichment data - - Historical scan timeline - - - - **Status determination** - - Repeated scan results help decide: - - - **Blocked** - Assets that consistently look malicious - - **Allowed** - Assets that can be treated as safe - - **Watchlisted** - Assets that are sensitive or change frequently - - **Decision factors:** - - Consistent risk scores across scans - - Liveness changes over time - - Pattern stability - - - - **Evidence for removal** - - For assets that need to be taken down, scan data provides evidence to support outreach to hosting providers, registrars, and platforms. - - **What's provided:** - - Screenshots showing malicious content - - Metadata and technical details - - Liveness history - - Timeline of activity - - - - **Campaign mapping** - - When scans find links and redirects, they can be connected together to show clusters of related pages or infrastructure. - - **Benefits:** - - Identify broader campaigns - - Map attacker infrastructure - - Understand threat networks - - Coordinate takedowns - - +**Asset** - The asset is the "thing" (URL, profile, listing, address); scans are the history of what we have seen about that thing. One asset has many scans over time, and scans build a timeline of the asset's behavior. The most recent scan is typically used for current status. + +**Threats / Detections** - Threat records (detections) use scan labels and scores as key inputs to decide whether something should be treated as an active threat for your organization. + +**Reviews** - When your team reviews a reported asset, they see the most relevant scan results including screenshots, labels and scores, enrichment data, and historical scan timeline to understand why it was flagged and whether it should be allowed, blocked, or escalated. + +**Blocklist, Allowlist, Watchlist** - Repeated scan results help decide status: Blocked (assets that consistently look malicious), Allowed (assets that can be treated as safe), and Watchlisted (assets that are sensitive or change frequently). + +**Takedowns** - For assets that need to be taken down, scan data provides evidence including screenshots showing malicious content, metadata and technical details, liveness history, and timeline of activity to support outreach to hosting providers, registrars, and platforms. + +**Relationships Between Assets** - When scans find links and redirects, they can be connected together to show clusters of related pages or infrastructure, helping identify broader campaigns, map attacker infrastructure, understand threat networks, and coordinate takedowns. ## Examples - - - **Scenario:** - A new login page is found in search results. - - **Scan Process:** - 1. ChainPatrol scans the page - 2. Sees it closely imitates your brand - 3. Detects wallet connection requests - 4. Assigns strong phishing and brand-impersonation labels - - **Result:** - - Scan feeds into a threat record for your organization - - Appears in your triage queue - - High-priority review recommended - - - High-confidence scans like this often trigger automatic blocking. - - - - - **Scenario:** - Your official website is added as an asset and monitored. - - **Scan Process:** - 1. Regular scans performed (daily or weekly) - 2. Shows asset is alive and consistent - 3. Does not trigger risky labels - 4. Maintains stable risk score near zero - - **Result:** - - Remains allowed - - Serves as a "known good" reference - - Used for comparison against suspicious assets - - - Regular scanning of official assets helps establish baselines for comparison. - - - - - **Scenario:** - A social profile claiming to be one of your employees is discovered. - - **Scan Process:** - 1. Profile scanned for attributes - 2. Shows overlapping branding - 3. Detects suspicious outreach behavior - 4. Increases impersonation scores - - **Result:** - - Scan supports team decision-making - - Evidence for escalation - - Basis for pursuing takedown - - Documented proof of impersonation - - - Social profile scans capture bio, images, posts, and engagement patterns. - - - +### Example 1: Suspicious Login Page + +A new login page is found in search results. ChainPatrol scans the page, sees it closely imitates your brand, detects wallet connection requests, and assigns strong phishing and brand-impersonation labels. The scan feeds into a threat record for your organization and appears in your triage queue with high-priority review recommended. High-confidence scans like this often trigger automatic blocking. + +### Example 2: Official Site Staying Healthy + +Your official website is added as an asset and monitored. Regular scans (daily or weekly) show the asset is alive and consistent, does not trigger risky labels, and maintains a stable risk score near zero. It remains allowed and serves as a "known good" reference used for comparison against suspicious assets. + +### Example 3: Impersonating Social Profile + +A social profile claiming to be one of your employees is discovered. The profile is scanned for attributes, shows overlapping branding, detects suspicious outreach behavior, and increases impersonation scores. The scan supports team decision-making, provides evidence for escalation, and forms the basis for pursuing takedown with documented proof of impersonation. ## What Asset Scans Are Not - - - Asset scans are system-generated. **Reports** are created by users or external systems raising issues. - - - - A scan can be clean or suspicious. A threat or incident record is created only when risk crosses thresholds or a human escalates it. - - - - Scans use your **rules**, **thresholds**, and **service settings**, but they are not where you configure behavior—they are the evidence those settings produce. - - - -## Scan Workflow - -```mermaid -flowchart TD - Trigger[Scan Trigger] --> Pending[Status: Pending] - Pending --> InProgress[Status: In Progress] - - InProgress --> Enrich[Collect Enrichments] - Enrich --> Web[Web Content] - Enrich --> Network[Network Data] - Enrich --> Platform[Platform Data] - - Web --> Evaluate[Evaluate Rules] - Network --> Evaluate - Platform --> Evaluate - - Evaluate --> Labels[Generate Labels] - Evaluate --> Score[Calculate Risk Score] - Evaluate --> Liveness[Determine Liveness] - - Labels --> Complete[Status: Completed] - Score --> Complete - Liveness --> Complete - - InProgress -->|Error| Failed[Status: Failed] - - Complete --> Decision{Risk Level?} - Decision -->|High| Block[Block Asset] - Decision -->|Medium| Review[Manual Review] - Decision -->|Low| Monitor[Continue Monitoring] - - style Trigger fill:#3b82f6 - style InProgress fill:#8b5cf6 - style Evaluate fill:#f59e0b - style Complete fill:#10b981 - style Failed fill:#ef4444 -``` +- **Not a Human Report** - Asset scans are system-generated. Reports are created by users or external systems raising issues. +- **Not a Case** - A scan can be clean or suspicious. A threat or incident record is created only when risk crosses thresholds or a human escalates it. +- **Not a Configuration** - Scans use your rules, thresholds, and service settings, but they are not where you configure behavior—they are the evidence those settings produce. + +--- ## Key Takeaways - - - Each scan captures asset state at a specific moment - - - - Scans are fundamental to threat understanding - - - - Enrichments provide comprehensive asset intelligence - - - - Human-readable categorization of threats - - - - Multiple scans show asset evolution over time - - - - Provides proof for reviews and takedowns - - - - Links between assets reveal campaigns - - - - Consistent, repeatable security checks - - +- **Point-in-Time Snapshot** - Each scan captures asset state at a specific moment +- **Building Blocks** - Scans are fundamental to threat understanding +- **Rich Context** - Enrichments provide comprehensive asset intelligence +- **Risk Labels** - Human-readable categorization of threats +- **Timeline History** - Multiple scans show asset evolution over time +- **Evidence Base** - Provides proof for reviews and takedowns +- **Relationship Mapping** - Links between assets reveal campaigns +- **Automated & Systematic** - Consistent, repeatable security checks --- diff --git a/concepts/blocklist.mdx b/concepts/blocklist.mdx index c7125cf..c73a877 100644 --- a/concepts/blocklist.mdx +++ b/concepts/blocklist.mdx @@ -11,13 +11,9 @@ A blocklist (also known as a denylist) is a database of confirmed malicious enti ChainPatrol's blocklist functions as a **threat intelligence database** that's continuously updated and distributed in real-time. -### Real-Time Protection - Unlike traditional security databases that may update daily or weekly, our blocklist provides immediate updates as threats are confirmed, ensuring protection is deployed within **15-30 minutes** rather than hours or days. - The blocklist serves as the foundation of proactive security—instead of waiting for users to encounter threats, we identify, verify, and distribute threat intelligence to prevent exposure before it happens. - ## Why Do We Use a Blocklist and Why Is It Effective? @@ -25,45 +21,19 @@ The blocklist serves as the foundation of proactive security—instead of waitin Traditional cybersecurity approaches rely heavily on **takedowns**—requesting hosting providers or domain registrars to remove malicious content. However, this approach has critical limitations: - - - 4-48 hours for hosting providers, 24-72 hours for domain takedowns - - - - Some providers never respond or operate in non-cooperative jurisdictions - - - - Scammers can steal funds within minutes of launching a phishing site - - - - Attackers quickly spin up new domains or move to different providers - - +- **Slow Response Times** - 4-48 hours for hosting providers, 24-72 hours for domain takedowns +- **Incomplete Coverage** - Some providers never respond or operate in non-cooperative jurisdictions +- **Attack Window** - Scammers can steal funds within minutes of launching a phishing site +- **Whack-a-Mole** - Attackers quickly spin up new domains or move to different providers ### The Blocklist Advantage ChainPatrol's blocklist provides **immediate protection** through a "blocklist-first, takedown-second" approach: - - - Assets are blocklisted and distributed in **15-30 minutes** after confirmation - - - - Protection works regardless of hosting provider, jurisdiction, or whether the malicious content remains online - - - - Blocks are enforced at the browser, wallet, and network level—where users actually interact with threats - - - - Even if a scammer sets up 100 copycat sites, each one gets blocklisted as soon as it's detected - - +1. **Speed** - Assets are blocklisted and distributed in 15-30 minutes after confirmation +2. **Universal Coverage** - Protection works regardless of hosting provider, jurisdiction, or whether the malicious content remains online +3. **Point-of-Access Protection** - Blocks are enforced at the browser, wallet, and network level—where users actually interact with threats +4. **Persistent Protection** - Even if a scammer sets up 100 copycat sites, each one gets blocklisted as soon as it's detected In web3, where transactions are irreversible and scams can drain wallets in seconds, **prevention at the point of interaction is critical**. @@ -71,116 +41,27 @@ In web3, where transactions are irreversible and scams can drain wallets in seco ### Network Effects -The effectiveness of our blocklist increases exponentially with distribution: - -```mermaid -flowchart TD - Detection[Threat Detected] --> Confirmation[ChainPatrol Confirms] - Confirmation --> Blocklist[Added to Blocklist] - - Blocklist --> Browsers[Browser Security] - Blocklist --> Wallets[20+ Wallets] - Blocklist --> Enterprise[Enterprise Networks] - Blocklist --> Partners[Partner Organizations] - - Browsers --> Users1[Millions of Users Protected] - Wallets --> Users1 - Enterprise --> Users1 - Partners --> Users1 - - style Detection fill:#f59e0b - style Confirmation fill:#3b82f6 - style Blocklist fill:#6622DC - style Users1 fill:#10b981 -``` - - -**One confirmation protects millions of users** across the entire web3 ecosystem. - +The effectiveness of our blocklist increases exponentially with distribution. One confirmation protects millions of users across browsers, 20+ wallets, enterprise networks, and partner organizations. ## Who Contributes to the Blocklist? ChainPatrol's blocklist is powered by a diverse network of contributors: - - - **Grassroots threat intelligence** - - - - Anyone can report suspicious assets through our public reporting interface - - - - Discord moderators, Twitter users, and Reddit communities actively report scams targeting their communities - - - - Users who've encountered or fallen victim to scams help us identify active threats - - - - - - **Collaborative threat sharing** - - - - Companies using ChainPatrol for brand protection contribute threat intelligence - - - - MetaMask, Phantom, Coinbase Wallet, and others share detected threats - - - - SEAL-ISAC, Crypto-ISAC, and other information sharing networks - - - - Web3 protocols and DAOs monitoring for impersonation attacks - - - - - - **AI-powered threat discovery** - - - - Detection engine continuously monitors using 50+ detection rules - - - - Real-time monitoring of newly registered domains - - - - Automated detection of impersonation accounts and scam posts - - - - Intentional traps that identify and track attacker infrastructure - - - - - - **Human verification layer** - - While many sources contribute **detections**, all blocklist entries are verified by ChainPatrol's security team before being added. - - **Why this matters:** - - Ensures accuracy - - Minimizes false positives - - Maintains blocklist quality - - Provides human judgment for edge cases - - - This human-in-the-loop review process is critical for maintaining trust in the blocklist. - - - +### Community Reports + +Anyone can report suspicious assets through our public reporting interface. Web3 communities including Discord moderators, Twitter users, and Reddit communities actively report scams targeting their communities. Users who've encountered or fallen victim to scams help us identify active threats. + +### Partner Organizations + +100+ organizations using ChainPatrol for brand protection contribute threat intelligence. Wallet providers like MetaMask, Phantom, and Coinbase Wallet share detected threats. Security alliances including SEAL-ISAC, Crypto-ISAC, and other information sharing networks contribute, as do blockchain projects and DAOs monitoring for impersonation attacks. + +### Automated Detection + +Our AI-powered scanning detection engine continuously monitors using 50+ detection rules. We perform real-time monitoring of newly registered domains through Certificate Transparency, automated detection of impersonation accounts and scam posts through social media monitoring, and use honeypots—intentional traps that identify and track attacker infrastructure. + +### Expert Review Team + +While many sources contribute detections, all blocklist entries are verified by ChainPatrol's security team before being added. This ensures accuracy, minimizes false positives, maintains blocklist quality, and provides human judgment for edge cases. This human-in-the-loop review process is critical for maintaining trust in the blocklist. ## What Is In Scope for Being Added to the Blocklist? @@ -190,385 +71,102 @@ Assets are added to the blocklist when they meet two criteria: **intent** and ** Assets must demonstrate clear malicious intent: - - - Sites designed to steal credentials, seed phrases, or private keys - - - - Fraudulent schemes (fake airdrops, rug pulls, Ponzi schemes) - - - - Content falsely claiming to represent legitimate brands - - - - Sites or links that distribute malicious software - - - - Content designed to manipulate users into compromising security - - +- **Phishing** - Sites designed to steal credentials, seed phrases, or private keys +- **Scams** - Fraudulent schemes (fake airdrops, rug pulls, Ponzi schemes) +- **Impersonation** - Content falsely claiming to represent legitimate brands +- **Malware Distribution** - Sites or links that distribute malicious software +- **Social Engineering** - Content designed to manipulate users into compromising security ### Confirmation: Evidence-Based Verification Assets must be confirmed as malicious through: - - - Independent sources reporting the same threat - - - - Proof of successful attacks or victim reports - - - - Malicious code or behavior detected - - - - Clear alignment with known attack techniques - - - - Verification of unauthorized use (when applicable) - - +1. Multiple credible reports from independent sources +2. Evidence of attacks or proof of successful attacks and victim reports +3. Technical analysis showing malicious code or behavior detected +4. Pattern matching with clear alignment with known attack techniques +5. Brand owner confirmation verifying unauthorized use (when applicable) ### Out of Scope The following are **not** added to the blocklist: - - - Negative reviews, critical commentary, or parody (protected speech) - - - - Content from legitimate competitors, even if unfavorable - - - - Projects accused of being scams without concrete evidence of malicious activity - - - - Trademark disputes, contract disagreements, or business conflicts (handle through legal channels) - - - - Suspicious but unconfirmed assets (may be monitored, but not blocklisted) - - +- **Legitimate Criticism** - Negative reviews, critical commentary, or parody (protected speech) +- **Competitor Content** - Content from legitimate competitors, even if unfavorable +- **Alleged Scams** - Projects accused of being scams without concrete evidence of malicious activity +- **Civil Disputes** - Trademark disputes, contract disagreements, or business conflicts (handle through legal channels) +- **Low-Confidence Detections** - Suspicious but unconfirmed assets (may be monitored, but not blocklisted) - This scope ensures our blocklist maintains high accuracy and focuses on clear, immediate threats to user security. - ## What Type of Data Is In Our Blocklist? ChainPatrol's blocklist includes multiple asset types, each with specific attributes: - - - **Web-based threats** - - - **Full URLs**: Specific phishing pages (e.g., `https://metamask-security-verify.com/connect`) - - **Domains**: Root domains and subdomains (e.g., `phishing-site.com`, `scam.evil-host.net`) - - **Status**: Current blocklist status and distribution state - - **First Seen**: When the asset was first detected or reported - - **Blocklist Date**: When it was added to the blocklist - - **Associated Data**: Screenshots, detection rules triggered, related assets - - - - **Platform impersonation** - - - - Impersonation and scam accounts - - - - Fake support channels and scam groups - - - - Phishing servers and fake community servers - - - - Scam livestreams and fake giveaways - - - - Impersonation pages and scam groups - - - - **Platform-Specific Identifiers**: Account handles, user IDs, channel links - - - - **On-chain threats** - - - **Ethereum Addresses**: Scam contracts, phishing wallets, rug pull contracts - - **Multi-Chain Support**: Addresses across multiple blockchain networks - - **Contract Metadata**: Contract code analysis, transaction patterns - - **Labels**: Scam type (fake airdrop, phishing, Ponzi scheme) - - - - **Email-based threats** - - - **Phishing Emails**: Addresses used in phishing campaigns - - **Scam Support**: Fake customer support email addresses - - **Associated Domains**: Email domains linked to scam operations - - - - **Additional threat vectors** - - - - Fake wallet apps, scam applications - - - - Malicious extensions that steal credentials - - - - Decentralized content hosting phishing pages - - - - Scam NFT projects and counterfeit collections - - - - +### URLs and Domains + +Full URLs (specific phishing pages), domains (root domains and subdomains), status (current blocklist status and distribution state), first seen date, blocklist date, and associated data including screenshots, detection rules triggered, and related assets. + +### Social Media Accounts + +Twitter/X accounts, Telegram groups and channels, Discord servers, YouTube channels, and Facebook pages and groups. Each includes platform-specific identifiers like account handles, user IDs, and channel links. + +### Blockchain Addresses + +Ethereum addresses (scam contracts, phishing wallets, rug pull contracts), multi-chain support across multiple blockchain networks, contract metadata including code analysis and transaction patterns, and labels indicating scam type (fake airdrop, phishing, Ponzi scheme). + +### Email Addresses + +Phishing emails used in campaigns, fake customer support email addresses, and associated domains linked to scam operations. + +### Other Digital Assets + +Mobile apps (fake wallet apps, scam applications), browser extensions (malicious extensions that steal credentials), IPFS hashes (decentralized content hosting phishing pages), and NFT collections (scam NFT projects and counterfeit collections). ### Metadata for All Assets -Every blocklisted asset includes comprehensive metadata: - - - - Category of the malicious asset - - - - Current state (BLOCKED, ALLOWED, PENDING) - - - - Risk level assessment - - - - Connected infrastructure (same scam campaign) - - - - Which rules or sources identified the threat - - - - Which partners have received the update - - - - Timeline of status changes and reviews - - +Every blocklisted asset includes comprehensive metadata: asset type, status (BLOCKED, ALLOWED, PENDING), severity, related assets, detection methods, distribution status, and update history. ## Who Uses Our Blocklist? ChainPatrol's blocklist protects users across the web3 ecosystem through multiple integration types: - - - **Universal web protection** - - - - Powers protection in Chrome, Safari, Edge, Firefox, and other browsers - - - - Network-level protection for enterprises and organizations - - - - Custom integrations for web3-focused browsers - - - - **Impact**: Blocklisted URLs are prevented from loading or show warning pages, protecting users regardless of which website they're visiting. - - - - **Transaction-level protection** - - - - Direct integration via Eth-Phishing-Detect - - - - Real-time API integration - - - - Via multiple blocklist sources - - - - Integration through WalletConnect and other channels - - - - Real-time API protection - - - - Various integration methods - - - - **Impact**: Wallets warn users before connecting to malicious sites or interacting with scam contracts, preventing fund loss at the point of transaction. - - - - **Platform-specific protection** - - - - Content moderation and user protection - - - - Governance platform security - - - - Filtering scam collections and malicious listings - - - - Protecting users from fake interfaces and phishing sites - - - - **Impact**: Applications can automatically filter malicious content and warn users about threats specific to their platform. - - - - **Ecosystem-wide sharing** - - - - Security Alliance's information sharing network (600+ members) - - - - Cryptocurrency industry threat intelligence - - - - Ethereum ecosystem blocklist (ChainPatrol is a core contributor) - - - - Cross-chain threat sharing - - - - **Impact**: Our blocklist feeds into the broader security ecosystem, creating a network effect where threats are shared across organizations and platforms. - - - - **Organizational protection** - - - - Protect employees and users - - - - Monitor and block impersonation attempts - - - - API access for internal security tools and workflows - - - - **Impact**: Organizations can integrate ChainPatrol's threat intelligence into their existing security infrastructure for comprehensive protection. - - - - **Open threat intelligence** - - - - Freely accessible blocklist API for developers and security researchers - - - - Developer tools for easy integration - - - - Search and lookup interface for manual checks - - - - **Impact**: Anyone can access our blocklist data to build security tools, perform research, or check suspicious assets. - - +### Browser Security + +Google Safe Browsing powers protection in Chrome, Safari, Edge, Firefox, and other browsers. Cloudflare Gateway provides network-level protection for enterprises. Direct integrations support web3-focused browsers. Blocklisted URLs are prevented from loading or show warning pages, protecting users regardless of which website they're visiting. + +### Wallet Providers + +MetaMask (direct integration via Eth-Phishing-Detect), Phantom (real-time API integration), Coinbase Wallet, Trust Wallet, Rainbow, Ledger, WalletConnect, and 15+ additional wallets. Wallets warn users before connecting to malicious sites or interacting with scam contracts, preventing fund loss at the point of transaction. + +### Web3 Applications + +Polymarket (content moderation and user protection), Snapshot (governance platform security), NFT marketplaces (filtering scam collections and malicious listings), and DeFi protocols (protecting users from fake interfaces and phishing sites). Applications can automatically filter malicious content and warn users about threats specific to their platform. + +### Threat Intelligence + +SEAL-ISAC (600+ members), Crypto-ISAC, Eth-Phishing-Detect (ChainPatrol is a core contributor), and Polkadot Phishing List for cross-chain threat sharing. Our blocklist feeds into the broader security ecosystem, creating a network effect where threats are shared across organizations and platforms. + +### Enterprise Security + +Security teams protect employees and users, brand protection teams monitor and block impersonation attempts, and custom integrations provide API access for internal security tools and workflows. Organizations can integrate ChainPatrol's threat intelligence into their existing security infrastructure for comprehensive protection. + +### Public Access + +A public API provides freely accessible blocklist data for developers and security researchers, an SDK offers developer tools for easy integration, and a web dashboard provides a search and lookup interface for manual checks. Anyone can access our blocklist data to build security tools, perform research, or check suspicious assets. --- ## Key Takeaways - - - 15-30 minute response time vs. hours or days for takedowns - - - - Works regardless of hosting provider or jurisdiction - - - - One confirmation protects millions of users - - - - Community, partners, automation, and expert review - - - - Requires both malicious intent and confirmation - - - - URLs, social accounts, blockchain addresses, and more - - - - Browsers, wallets, applications, and enterprises - - - - Open API and SDK for developers and researchers - - +- **Real-Time Protection** - 15-30 minute response time vs. hours or days for takedowns +- **Universal Coverage** - Works regardless of hosting provider or jurisdiction +- **Network Effects** - One confirmation protects millions of users +- **Diverse Contributors** - Community, partners, automation, and expert review +- **Evidence-Based** - Requires both malicious intent and confirmation +- **Multi-Asset Support** - URLs, social accounts, blockchain addresses, and more +- **Broad Distribution** - Browsers, wallets, applications, and enterprises +- **Publicly Accessible** - Open API and SDK for developers and researchers --- diff --git a/concepts/brands.mdx b/concepts/brands.mdx index 077035f..a392d50 100644 --- a/concepts/brands.mdx +++ b/concepts/brands.mdx @@ -15,240 +15,73 @@ Brands belong to an **organization**, and a single organization can have **multi ChainPatrol supports two types of brands: - - - **What they represent:** - - These represent the organization itself or its products. - - **Examples:** - - "ChainPatrol" (primary brand) - - Product lines or services - - Sub-brands created for specific business units - - Regional or market-specific brands - - - A Web3 company protecting their main protocol name, their governance token, and their NFT marketplace brand - - - - - **What they represent:** - - These represent key people associated with the organization. - - **Examples:** - - CEO - - Executives - - Public-facing employees - - Founders - - Brand ambassadors - - - Protecting a CEO who is frequently impersonated on Twitter/X and Telegram by scammers offering fake investment opportunities - - - - - +### Company Brands + +These represent the organization itself or its products. Examples include your primary brand (e.g., "ChainPatrol"), product lines or services, sub-brands created for specific business units, and regional or market-specific brands. + +**Use Case:** A Web3 company protecting their main protocol name, their governance token, and their NFT marketplace brand. + +### Individual Brands + +These represent key people associated with the organization. Examples include CEO, executives, public-facing employees, founders, and brand ambassadors. + +**Use Case:** Protecting a CEO who is frequently impersonated on Twitter/X and Telegram by scammers offering fake investment opportunities. + Both company and individual brands can be targeted by impersonation, scams, or fraud, and ChainPatrol protects both. - ## What Information Is Stored in a Brand? Each brand includes several components that help ChainPatrol understand what legitimate content looks like and identify potential threats. - - - Keywords and variations - - - - Logos and visual elements - - - - Official properties - - - ### Brand Terms - - Brand terms are **keywords associated with a brand** that describe how the brand is commonly referenced online. - - **They include:** - - Official brand names - - Variations and abbreviations - - Product names - - Nicknames or widely used informal names - - Individual names (for personal brands) - - **Examples for "ChainPatrol":** - - ChainPatrol - - Chain Patrol - - CP - - @chainpatrol - - chainpatrol.io - +Keywords associated with a brand that describe how the brand is commonly referenced online. They include official brand names, variations and abbreviations, product names, nicknames or widely used informal names, and individual names (for personal brands). + +Examples for "ChainPatrol": ChainPatrol, Chain Patrol, CP, @chainpatrol, chainpatrol.io - By defining brand terms, ChainPatrol is able to recognize when content is likely related to a specific brand and assess whether that content may be legitimate or potentially impersonating the brand. - ### Brand Images - - Brand images include visual elements that represent the brand. - - **They include:** - - Logos (all variations) - - Official graphics and design elements - - Profile photos for individuals - - Brand marks and symbols - - Visual identity assets - - **How they're used:** - - These images are used during detection to help identify potential impersonation, for example by matching logos or profile photos against suspicious content that may be attempting to mimic the brand. - +Visual elements that represent the brand, including logos (all variations), official graphics and design elements, profile photos for individuals, brand marks and symbols, and visual identity assets. + +These images are used during detection to help identify potential impersonation, for example by matching logos or profile photos against suspicious content that may be attempting to mimic the brand. ### Brand Assets - - Brand assets represent **known, legitimate assets owned by the brand**. - - These are used to distinguish between real content and potentially harmful impersonation. - - **A brand asset can be any asset type supported by ChainPatrol:** - - - - Official websites and domains - - - - Twitter, Discord, Telegram profiles - - - - App store and extension listings - - - - GitHub and code repositories - - - - Telegram channels and groups - - - - Any verified online property - - - - - -Brand assets serve as a **whitelist** of what is considered authentic. - +Known, legitimate assets owned by the brand. These are used to distinguish between real content and potentially harmful impersonation. + +A brand asset can be any asset type supported by ChainPatrol: websites (official websites and domains), social media (Twitter, Discord, Telegram profiles), app listings (app store and extension listings), repositories (GitHub and code repositories), channels (Telegram channels and groups), and other properties (any verified online property). + +Brand assets serve as a whitelist of what is considered authentic. ## How Brand Information Is Used -ChainPatrol combines **brand terms**, **brand images**, and **brand assets** to understand a brand's identity and accurately assign threats to the correct brand. +ChainPatrol combines brand terms, brand images, and brand assets to understand a brand's identity and accurately assign threats to the correct brand. ### The Attribution Process - - - Suspicious content is detected across the internet - - - - ChainPatrol analyzes the content for: - - Brand terms (name, keywords) - - Brand images (logos, visuals) - - Similarity to brand assets (mimicking official properties) - - - - The threat is automatically associated with the relevant brand - - - - The threat is properly evaluated and acted upon in the context of that brand - - +1. **Threat Detection** - Suspicious content is detected across the internet +2. **Brand Matching** - ChainPatrol analyzes the content for brand terms (name, keywords), brand images (logos, visuals), and similarity to brand assets (mimicking official properties) +3. **Automatic Attribution** - The threat is automatically associated with the relevant brand +4. **Evaluation & Action** - The threat is properly evaluated and acted upon in the context of that brand - This attribution process happens automatically and at a high level, allowing threats to be categorized without requiring manual intervention in most cases. - -### Example Attribution - - - - **Detected Threat:** - - Domain: `chainpatr0l-airdrop.com` - - Uses ChainPatrol logo - - Mimics official website design - - **Attribution:** - - Matches brand term: "chainpatrol" (with typo) - - Matches brand image: Official logo detected - - Mimics brand asset: Official website structure - - **Result:** Automatically attributed to "ChainPatrol" brand - - - - **Detected Threat:** - - Twitter account: `@chainpatrol_support` - - Profile photo: ChainPatrol logo - - Bio mentions: "Official ChainPatrol Support" - - **Attribution:** - - Matches brand term: "chainpatrol" - - Matches brand image: Logo in profile photo - - Impersonates brand asset: Claims to be official support - - **Result:** Automatically attributed to "ChainPatrol" brand - - - - **Detected Threat:** - - Telegram account: Claims to be CEO - - Profile photo: CEO's headshot - - Messages: Offering investment opportunities - - **Attribution:** - - Matches brand term: CEO's name - - Matches brand image: CEO's photo - - Impersonates individual brand - - **Result:** Automatically attributed to CEO's individual brand - - +### Example Attributions + +**Domain Impersonation:** Domain `chainpatr0l-airdrop.com` uses ChainPatrol logo and mimics official website design. It matches brand term "chainpatrol" (with typo), matches brand image (official logo detected), and mimics brand asset (official website structure). Result: Automatically attributed to "ChainPatrol" brand. + +**Social Media Impersonation:** Twitter account `@chainpatrol_support` with profile photo using ChainPatrol logo and bio mentioning "Official ChainPatrol Support". Matches brand term, matches brand image, impersonates brand asset. Result: Automatically attributed to "ChainPatrol" brand. + +**Executive Impersonation:** Telegram account claims to be CEO with profile photo using CEO's headshot and messages offering investment opportunities. Matches brand term (CEO's name), matches brand image (CEO's photo), impersonates individual brand. Result: Automatically attributed to CEO's individual brand. ### Benefits of Accurate Attribution - - - Organizations have clear visibility into which brands are being impersonated - - - - Understand how frequently each brand is targeted - - - - See which takedowns or mitigation actions are associated with each brand - - - - Identify patterns and emerging threats per brand - - +- **Clear Visibility** - Organizations have clear visibility into which brands are being impersonated +- **Frequency Tracking** - Understand how frequently each brand is targeted +- **Action Association** - See which takedowns or mitigation actions are associated with each brand +- **Trend Analysis** - Identify patterns and emerging threats per brand ## Brands and Organizations @@ -256,157 +89,34 @@ A single organization may be responsible for managing and protecting multiple br ### Common Multi-Brand Scenarios - - - A company safeguarding both its corporate identity and several product lines. - - **Example:** - - Main brand: "Acme Protocol" - - Product brand: "Acme Swap" - - Product brand: "Acme Wallet" - - Product brand: "Acme DAO" - - - - Protecting individual executives or other public-facing staff members. - - **Example:** - - Main brand: "Acme Protocol" - - Individual brand: "Jane Smith (CEO)" - - Individual brand: "John Doe (CTO)" - - Individual brand: "Sarah Johnson (CMO)" - - - - Maintaining distinct brands used across different markets, languages, or regions. - - **Example:** - - Main brand: "Acme Protocol" - - Regional brand: "Acme Asia" - - Regional brand: "Acme Europe" - - Regional brand: "Acme LATAM" - - - - Managing brands from acquired companies while maintaining their separate identities. - - **Example:** - - Parent brand: "Acme Holdings" - - Acquired brand: "Beta Protocol" - - Acquired brand: "Gamma Finance" - - - - +**Corporate + Product Brands** - A company safeguarding both its corporate identity and several product lines. Example: Main brand "Acme Protocol" plus product brands "Acme Swap", "Acme Wallet", and "Acme DAO". + +**Executive Protection** - Protecting individual executives or other public-facing staff members. Example: Main brand "Acme Protocol" plus individual brands "Jane Smith (CEO)", "John Doe (CTO)", and "Sarah Johnson (CMO)". + +**Regional or Market Brands** - Maintaining distinct brands used across different markets, languages, or regions. Example: Main brand "Acme Protocol" plus regional brands "Acme Asia", "Acme Europe", and "Acme LATAM". + +**Acquired Companies** - Managing brands from acquired companies while maintaining their separate identities. Example: Parent brand "Acme Holdings" plus acquired brands "Beta Protocol" and "Gamma Finance". + ChainPatrol keeps brand information structured and separate to ensure that each brand can be protected individually while still remaining clearly associated with the same organization. - ### Organizational Benefits - - - **Brand-Level Management** - - - Configure protection settings per brand - - Track metrics for each brand independently - - Assign different team members to different brands - - Customize detection rules by brand - - - - **Organization-Level Oversight** - - - See all brands in one dashboard - - Compare threat volumes across brands - - Aggregate metrics for reporting - - Maintain consistent policies across brands - - - - **Scalable Architecture** - - - Add new brands as you grow - - Reorganize brands as needed - - Merge or split brands - - Maintain historical data - - +**Granular Control** - Configure protection settings per brand, track metrics for each brand independently, assign different team members to different brands, customize detection rules by brand. ---- +**Unified View** - See all brands in one dashboard, compare threat volumes across brands, aggregate metrics for reporting, maintain consistent policies across brands. -## Brand Protection Workflow - -```mermaid -flowchart TD - Org[Organization] --> Brand1[Brand: Company] - Org --> Brand2[Brand: Product A] - Org --> Brand3[Brand: CEO] - - Brand1 --> Terms1[Brand Terms] - Brand1 --> Images1[Brand Images] - Brand1 --> Assets1[Brand Assets] - - Brand2 --> Terms2[Brand Terms] - Brand2 --> Images2[Brand Images] - Brand2 --> Assets2[Brand Assets] - - Brand3 --> Terms3[Brand Terms] - Brand3 --> Images3[Brand Images] - Brand3 --> Assets3[Brand Assets] - - Terms1 --> Detection[Threat Detection] - Images1 --> Detection - Assets1 --> Detection - - Terms2 --> Detection - Images2 --> Detection - Assets2 --> Detection - - Terms3 --> Detection - Images3 --> Detection - Assets3 --> Detection - - Detection --> Attribution[Automatic Attribution] - Attribution --> Action[Evaluation & Action] - - style Org fill:#6622DC - style Brand1 fill:#985EFD - style Brand2 fill:#985EFD - style Brand3 fill:#985EFD - style Detection fill:#10b981 - style Attribution fill:#f59e0b - style Action fill:#ef4444 -``` +**Flexible Structure** - Add new brands as you grow, reorganize brands as needed, merge or split brands, maintain historical data. --- ## Key Takeaways - - - Brands represent identities that need protection - - - - Company brands and individual brands - - - - Terms, images, and assets define each brand - - - - Threats are automatically assigned to brands - - - - One organization can protect many brands - - - - Individual control with organizational oversight - - +- **Identity Protection** - Brands represent identities that need protection +- **Two Types** - Company brands and individual brands +- **Three Components** - Terms, images, and assets define each brand +- **Automatic Attribution** - Threats are automatically assigned to brands +- **Multiple Brands** - One organization can protect many brands +- **Granular + Unified** - Individual control with organizational oversight --- diff --git a/concepts/detections.mdx b/concepts/detections.mdx index 9efc250..a491c9b 100644 --- a/concepts/detections.mdx +++ b/concepts/detections.mdx @@ -13,254 +13,53 @@ Detections represent automated findings from ChainPatrol's continuous monitoring Each detection contains: - - - The specific URL, social account, or content identified - - - - Which detection source discovered it - - - - Confidence level (0-1) indicating likelihood of being malicious - - - - Why it was flagged and which rules triggered - - - - Your organization being targeted - - - - When the threat was first detected - - - - Current state (reported, under review, awaiting action) - - +- **Asset** - The specific URL, social account, or content identified +- **Source** - Which detection source discovered it +- **Score** - Confidence level (0-1) indicating likelihood of being malicious +- **Reason** - Why it was flagged and which rules triggered +- **Organization** - Your organization being targeted +- **Timestamp** - When the threat was first detected +- **Status** - Current state (reported, under review, awaiting action) ## Detection Lifecycle - - - A detection source finds content matching your monitoring keywords or patterns. - - **Example:** Google Search detects a website containing your brand name plus terms like "airdrop" or "claim tokens" - - - - The discovered asset is automatically submitted to ChainPatrol's analysis pipeline, where it: - - - Creates or retrieves the asset record - - Validates the asset hasn't already been marked as legitimate (allowed) - - Checks for duplicate detections - - - - The asset undergoes comprehensive scanning to gather intelligence: - - - - - Webpage screenshots - - HTML content - - Metadata extraction - - Text and image analysis - - - - - DNS records - - IP addresses - - Hosting information - - CDN and infrastructure - - - - - WHOIS data - - Registration date - - Registrar information - - Historical records - - - - - Social media profiles - - App store information - - Platform metadata - - Account details - - - - - Logo detection - - Similarity matching - - Brand element identification - - Visual fingerprinting - - - - - Smart contract analysis - - Token information - - Transaction patterns - - Wallet connections - - - - - - The system executes dozens of detection rules against the enriched asset data. - - **Each rule evaluates specific threat indicators:** - - - - Newly registered domains (< 30 days old) - - - - Logo or design mimicking your brand - - - - URLs or names that closely match yours - - - - Known malicious infrastructure or patterns - - - - Wallet drainer code, phishing forms - - - - - - Based on rule results, the system calculates a **threat score** (0-1) representing confidence that the asset is malicious. - - **Score Calculation:** - - - - Rules are grouped by category: - - Visual Similarity - - Threat Intelligence - - Domain Age - - Text Matching - - Behavioral Analysis - - - - Each rule has a confidence level: - - Very Low - - Low - - Medium - - High - - Very High - - - - - Weighted scores combined across all triggered rules - - Organization-specific adjustments applied - - Brand impersonation factors considered - - - - - - A detection record is created in the database with all gathered intelligence - - - - If your organization has auto-reporting enabled and the detection score exceeds your **medium threshold**, the system can automatically: - - - Create a report with the detected asset - - Mark the asset as blocked - - Submit takedown requests (if configured) - - Send notifications to your team - - - **Auto-Reporting Requirements:** - - Score must meet or exceed your medium threshold (typically 0.6-0.7) - - Detection source must be enabled - - Asset must not already be blocked - - Asset must not have been previously rejected multiple times - - - +1. **Discovery** - A detection source finds content matching your monitoring keywords or patterns. For example, Google Search detects a website containing your brand name plus terms like "airdrop" or "claim tokens". + +2. **Asset Processing** - The discovered asset is automatically submitted to ChainPatrol's analysis pipeline, where it creates or retrieves the asset record, validates the asset hasn't already been marked as legitimate (allowed), and checks for duplicate detections. + +3. **Scanning & Enrichment** - The asset undergoes comprehensive scanning to gather intelligence including content analysis (webpage screenshots, HTML content, metadata extraction, text and image analysis), network data (DNS records, IP addresses, hosting information, CDN and infrastructure), domain registration (WHOIS data, registration date, registrar information, historical records), platform data (social media profiles, app store information, platform metadata, account details), visual analysis (logo detection, similarity matching, brand element identification, visual fingerprinting), and blockchain data (smart contract analysis, token information, transaction patterns, wallet connections). + +4. **Rule Evaluation** - The system executes dozens of detection rules against the enriched asset data. Each rule evaluates specific threat indicators like domain age (newly registered domains < 30 days old), visual similarity (logo or design mimicking your brand), text similarity (URLs or names that closely match yours), threat intelligence (known malicious infrastructure or patterns), and behavioral indicators (wallet drainer code, phishing forms). + +5. **Scoring** - Based on rule results, the system calculates a threat score (0-1) representing confidence that the asset is malicious. Rules are grouped by category (Visual Similarity, Threat Intelligence, Domain Age, Text Matching, Behavioral Analysis), each rule has a confidence level (Very Low to Very High), and weighted scores are combined across all triggered rules with organization-specific adjustments applied. + +6. **Detection Creation** - A detection record is created in the database with all gathered intelligence. + +7. **Auto-Reporting (Optional)** - If your organization has auto-reporting enabled and the detection score exceeds your medium threshold, the system can automatically create a report with the detected asset, mark the asset as blocked, submit takedown requests (if configured), and send notifications to your team. + + +**Auto-Reporting Requirements:** Score must meet or exceed your medium threshold (typically 0.6-0.7), detection source must be enabled, asset must not already be blocked, and asset must not have been previously rejected multiple times. + ## Confidence Levels Detections are categorized into confidence levels based on your organization's thresholds: - - - **Score:** 0 to Low Threshold (typically < 0.4) - - **Description:** - Low confidence detections. May be false positives or tangentially related to your brand. - - **Use case:** - Useful for monitoring trends but rarely require action. - - **Example:** - - Generic mention of your brand in unrelated context - - Weak keyword matches - - Minimal similarity indicators - - - - **Score:** Low Threshold to Medium Threshold (typically 0.4 - 0.6) - - **Description:** - Some indicators suggest a potential threat, but evidence is limited. Requires manual review to confirm. - - **Common scenarios:** - - Domain contains your brand name but has legitimate business purpose - - Social media mentions your brand in neutral context - - Weak visual or textual similarity - - **Action:** Manual review recommended - - - - **Score:** Medium Threshold to High Threshold (typically 0.6 - 0.8) - - **Description:** - Strong indicators of malicious intent. Multiple detection rules triggered with reasonable confidence. - - **Common scenarios:** - - New domain with brand name and suspicious keywords - - Social media account impersonating your brand with stolen logo - - Token contract with similar name on blockchain - - **Action:** Often eligible for auto-reporting if enabled - - - This is the typical threshold for automatic reporting and blocking. - - - - - **Score:** High Threshold and above (typically > 0.8) - - **Description:** - Very strong evidence of malicious activity. Multiple high-confidence rules triggered. - - **Common scenarios:** - - Perfect visual replica of your website - - Domain nearly identical to yours (typosquatting) - - Known phishing infrastructure - - Contains wallet drainer code - - **Action:** Typically auto-reported immediately and prioritized for takedown - - - High confidence detections require immediate attention and rapid response. - - - +### None (Score 0 to Low Threshold, typically < 0.4) + +Low confidence detections. May be false positives or tangentially related to your brand. Useful for monitoring trends but rarely require action. Examples include generic mention of your brand in unrelated context, weak keyword matches, and minimal similarity indicators. + +### Low (Low Threshold to Medium Threshold, typically 0.4 - 0.6) + +Some indicators suggest a potential threat, but evidence is limited. Requires manual review to confirm. Common scenarios include domain contains your brand name but has legitimate business purpose, social media mentions your brand in neutral context, and weak visual or textual similarity. + +### Medium (Medium Threshold to High Threshold, typically 0.6 - 0.8) + +Strong indicators of malicious intent. Multiple detection rules triggered with reasonable confidence. Common scenarios include new domain with brand name and suspicious keywords, social media account impersonating your brand with stolen logo, and token contract with similar name on blockchain. This is the typical threshold for automatic reporting and blocking. + +### High (High Threshold and above, typically > 0.8) + +Very strong evidence of malicious activity. Multiple high-confidence rules triggered. Common scenarios include perfect visual replica of your website, domain nearly identical to yours (typosquatting), known phishing infrastructure, and contains wallet drainer code. High confidence detections require immediate attention and rapid response. ## Understanding Detection Groups @@ -270,183 +69,38 @@ Detections can be grouped together using a **Group ID** to represent related thr When analyzing an asset, the system may discover additional related threats: - - - A phishing page that links to multiple other scam domains - - - - A URL that redirects through several malicious domains - - - - Social media posts that mention multiple scam websites - - - - +- **Linked URLs** - A phishing page that links to multiple other scam domains +- **Redirects** - A URL that redirects through several malicious domains +- **Related Accounts** - Social media posts that mention multiple scam websites + All related detections share the same group ID, making it easy to identify and report entire phishing campaigns at once. - ### Campaign Tracking -Group IDs help you: - - - - Recognize coordinated phishing campaigns - - - - Map relationships between threats - - - - Report entire attack networks simultaneously - - - - Analyze attacker tactics and patterns - - +Group IDs help you identify campaigns (recognize coordinated phishing campaigns), track infrastructure (map relationships between threats), report networks (report entire attack networks simultaneously), and understand tactics (analyze attacker tactics and patterns). ## Deduplication The system automatically handles duplicate detections to prevent alert fatigue: - - - **Scenario:** - The same asset is detected multiple times by the same source for your organization. - - **Behavior:** - Only one detection record is kept. - - **Why:** - Prevents alert fatigue from repeated discoveries of the same threat. - - **Example:** - - Google Search finds `fake-metamask.com` on Monday - - Google Search finds `fake-metamask.com` again on Wednesday - - **Result:** Only the first detection is kept - - - - **Scenario:** - Multiple detection sources independently find the same threat. - - **Behavior:** - Separate detection records are created. - - **Why:** - This helps you: - - Validate threat confidence (multiple sources agree) - - Understand which sources are most effective - - Track how threats spread across platforms - - **Example:** - - Google Search finds `fake-metamask.com` - - Twitter monitoring finds `fake-metamask.com` - - **Result:** Two detection records, higher confidence - - - - **Scenario:** - Related assets in the same attack campaign. - - **Behavior:** - Linked via group IDs but maintained as separate detections. - - **Why:** - Allows you to: - - Report each asset individually - - Track takedown progress per asset - - Understand campaign scope - - **Example:** - - `fake-metamask.com` (main phishing site) - - `claim-airdrop.com` (linked from main site) - - `support-metamask.com` (redirect target) - - **Result:** Three detections with same group ID - - - -## Detection Workflow - -```mermaid -flowchart TD - Source[Detection Source] --> Discovery[Discovery] - Discovery --> Process[Asset Processing] - Process --> Scan[Scanning & Enrichment] - - Scan --> Content[Content Analysis] - Scan --> Network[Network Data] - Scan --> Domain[Domain Registration] - Scan --> Platform[Platform Data] - Scan --> Visual[Visual Analysis] - Scan --> Blockchain[Blockchain Data] - - Content --> Rules[Rule Evaluation] - Network --> Rules - Domain --> Rules - Platform --> Rules - Visual --> Rules - Blockchain --> Rules - - Rules --> Score[Threat Scoring] - Score --> Detection[Detection Created] - - Detection --> Check{Score ≥
Medium
Threshold?} - Check -->|Yes| AutoReport[Auto-Report] - Check -->|No| Manual[Manual Review Queue] - - AutoReport --> Action[Block & Takedown] - Manual --> Review[Human Review] - - style Source fill:#3b82f6 - style Discovery fill:#8b5cf6 - style Scan fill:#10b981 - style Rules fill:#f59e0b - style Score fill:#ef4444 - style Detection fill:#ec4899 - style AutoReport fill:#10b981 -``` +**Same Asset, Same Organization** - If the same asset is detected multiple times by the same source for your organization, only one detection record is kept to prevent alert fatigue from repeated discoveries. + +**Same Asset, Different Sources** - If multiple detection sources independently find the same threat, separate detection records are created. This helps validate threat confidence (multiple sources agree), understand which sources are most effective, and track how threats spread across platforms. + +**Different Assets, Same Campaign** - Related assets in the same attack campaign are linked via group IDs but maintained as separate detections. This allows you to report each asset individually, track takedown progress per asset, and understand campaign scope. + +--- ## Key Takeaways - - - Detections are automatically identified by monitoring sources - - - - Multiple data types analyzed for each detection - - - - 0-1 score indicates likelihood of being malicious - - - - Dozens of rules evaluate threat indicators - - - - Related threats linked via group IDs - - - - Prevents alert fatigue while maintaining visibility - - - - High-confidence threats can be automatically reported - - - - Full visibility from discovery to resolution - - +- **Automated Discovery** - Detections are automatically identified by monitoring sources +- **Comprehensive Analysis** - Multiple data types analyzed for each detection +- **Confidence Scoring** - 0-1 score indicates likelihood of being malicious +- **Rule-Based Evaluation** - Dozens of rules evaluate threat indicators +- **Group Tracking** - Related threats linked via group IDs +- **Smart Deduplication** - Prevents alert fatigue while maintaining visibility +- **Auto-Reporting** - High-confidence threats can be automatically reported +- **Lifecycle Tracking** - Full visibility from discovery to resolution --- diff --git a/concepts/legal-docs.mdx b/concepts/legal-docs.mdx index ecddcc8..a66ab58 100644 --- a/concepts/legal-docs.mdx +++ b/concepts/legal-docs.mdx @@ -15,199 +15,110 @@ Many online platforms require verified legal documentation before they will act These documents help providers confirm that the takedown request is legitimate and submitted by an authorized party. - - - Confirm the requesting party represents the organization - - - - Demonstrate legitimate ownership of brand or trademark - - - - Show authorization to request content removal - - +- **Verify Identity** - Confirm the requesting party represents the organization +- **Prove Ownership** - Demonstrate legitimate ownership of brand or trademark +- **Establish Authority** - Show authorization to request content removal ## Types of Legal Documents ChainPatrol typically works with the following categories of legal documentation: - - - **Proof of brand ownership** - - - Official documentation proving that an organization legally owns a brand name, logo, or trademark. - - - **When It's Required:** - - Content is impersonating a brand - - Misusing protected intellectual property - - Claiming false association with trademark - - Using brand elements without authorization - - **What It Includes:** - - Trademark registration number - - Registration date and jurisdiction - - Description of protected marks - - Visual representations (logos, wordmarks) - - Goods and services covered - - **Common Formats:** - - USPTO registration certificates (United States) - - EUIPO certificates (European Union) - - National trademark office documents - - International (Madrid Protocol) registrations - - - Providers often require this when content is impersonating a brand or misusing protected intellectual property. - - - - - **Authorization to act on behalf** - - - A document in which the brand owner declares that ChainPatrol is authorized to submit takedown requests on their behalf. - - - **Key Components:** - - Organization's legal name and details - - Statement of authorization - - Specific actions ChainPatrol is authorized to perform - - Authorized representative's signature - - Date of authorization - - Contact information - - **Typical Use Cases:** - - Social media takedowns (especially Twitter/X) - - App store removal requests - - Hosting provider complaints - - General brand protection activities - - **Example Statement:** - > "[Organization Name] hereby authorizes ChainPatrol to submit takedown requests, abuse reports, and content removal requests on our behalf for the purpose of protecting our brand and trademarks from impersonation, fraud, and unauthorized use." - - - LOAs are typically simpler and faster to obtain than Power of Attorney documents. - - - - - **Formal legal authorization** - - - A formal legal authorization allowing ChainPatrol to act for the organization in a broader or more formal capacity. - - - **Key Differences from LOA:** - - More formal legal standing - - Broader scope of authority - - Often notarized or witnessed - - Recognized across more jurisdictions - - Required for high-impact actions - - **When It's Required:** - - Domain suspensions - - TLD-level takedowns - - Registrar-level actions - - High-impact or escalated cases - - International jurisdictions - - **What It Authorizes:** - - Filing formal legal complaints - - Representing the organization in takedown proceedings - - Making binding statements on behalf of the organization - - Escalating to legal authorities if needed - - - Some providers require a POA for escalated or high-impact takedowns such as domain suspensions. - - - +### Trademark Registration + +Official documentation proving that an organization legally owns a brand name, logo, or trademark. + +**When It's Required:** +- Content is impersonating a brand +- Misusing protected intellectual property +- Claiming false association with trademark +- Using brand elements without authorization + +**What It Includes:** +- Trademark registration number +- Registration date and jurisdiction +- Description of protected marks +- Visual representations (logos, wordmarks) +- Goods and services covered + +**Common Formats:** +- USPTO registration certificates (United States) +- EUIPO certificates (European Union) +- National trademark office documents +- International (Madrid Protocol) registrations + +Providers often require this when content is impersonating a brand or misusing protected intellectual property. + +### Letter of Authorization (LOA) + +A document in which the brand owner declares that ChainPatrol is authorized to submit takedown requests on their behalf. + +**Key Components:** +- Organization's legal name and details +- Statement of authorization +- Specific actions ChainPatrol is authorized to perform +- Authorized representative's signature +- Date of authorization +- Contact information + +**Typical Use Cases:** +- Social media takedowns (especially Twitter/X) +- App store removal requests +- Hosting provider complaints +- General brand protection activities + +**Example Statement:** +> "[Organization Name] hereby authorizes ChainPatrol to submit takedown requests, abuse reports, and content removal requests on our behalf for the purpose of protecting our brand and trademarks from impersonation, fraud, and unauthorized use." + + +LOAs are typically simpler and faster to obtain than Power of Attorney documents. + + +### Power of Attorney (POA) + +A formal legal authorization allowing ChainPatrol to act for the organization in a broader or more formal capacity. + +**Key Differences from LOA:** +- More formal legal standing +- Broader scope of authority +- Often notarized or witnessed +- Recognized across more jurisdictions +- Required for high-impact actions + +**When It's Required:** +- Domain suspensions +- TLD-level takedowns +- Registrar-level actions +- High-impact or escalated cases +- International jurisdictions + +**What It Authorizes:** +- Filing formal legal complaints +- Representing the organization in takedown proceedings +- Making binding statements on behalf of the organization +- Escalating to legal authorities if needed + + +Some providers require a POA for escalated or high-impact takedowns such as domain suspensions. + ### Document Usage Across Platforms - - - **Hosting providers and registrars** - - **Typically required:** - - Trademark registration - - LOA or POA - - Business registration documents - - **Why:** - - Verify legitimate brand ownership - - Confirm authorization to request removal - - Protect against false takedown requests - - - - **Platforms like Twitter/X, Facebook, Instagram** - - **Typically required:** - - LOA (especially for Twitter/X) - - Trademark registration (for verified impersonation) - - Government-issued ID (for individual impersonation) - - **Why:** - - Prevent abuse of reporting systems - - Verify authorized representative - - Confirm legitimate brand protection claim - - - - **Google Play, Apple App Store** - - **Typically required:** - - Trademark registration - - LOA or POA - - Proof of brand ownership - - **Why:** - - Verify app is infringing on legitimate trademark - - Confirm authorization to request removal - - Protect against competitive abuse - - - - **Top-level domain registries** - - **Typically required:** - - POA (formal authorization) - - Trademark registration - - Detailed evidence of abuse - - **Why:** - - High-impact action (entire domain suspension) - - Legal liability considerations - - Requires formal legal standing - - +**Website Takedowns** (hosting providers and registrars) typically require trademark registration, LOA or POA, and business registration documents to verify legitimate brand ownership and confirm authorization to request removal. + +**Social Media Takedowns** (Twitter/X, Facebook, Instagram) typically require LOA (especially for Twitter/X), trademark registration (for verified impersonation), and government-issued ID (for individual impersonation) to prevent abuse of reporting systems and verify authorized representatives. + +**App Store Takedowns** (Google Play, Apple App Store) typically require trademark registration, LOA or POA, and proof of brand ownership to verify app infringement and confirm authorization to request removal. + +**TLD-Level Takedowns** (top-level domain registries) typically require POA (formal authorization), trademark registration, and detailed evidence of abuse due to the high-impact nature of entire domain suspension and legal liability considerations. ## What Legal Documents Are Used For Legal documents are attached to takedown submissions so platforms can verify that: - - - The requesting party truly represents the organization - - - - The brand or trademark is legitimately owned - - - - ChainPatrol has the authority to request removal of the content - - - - The takedown request complies with the provider's legal requirements - - +1. The requesting party truly represents the organization +2. The brand or trademark is legitimately owned +3. ChainPatrol has the authority to request removal of the content +4. The takedown request complies with the provider's legal requirements Without these documents, many providers may refuse or delay action on a takedown request. @@ -217,180 +128,72 @@ Without these documents, many providers may refuse or delay action on a takedown All legal documentation provided to ChainPatrol is handled with strong security controls. - - - **Protected environment** - - Legal documents are stored in a **secure storage bucket**, designed specifically to protect sensitive files. - - **Security measures:** - - - - Only authorized systems and personnel - - - - Data encrypted at rest and in transit - - - - Separated from general application data - - - - All access attempts are logged - - - - Complete history of document usage - - - - Meets industry security standards - - - - - - **Restricted to authorized personnel** - - Only authorized ChainPatrol systems and personnel can access these documents. - - **Who has access:** - - Takedown specialists (when processing requests) - - Legal team members (for review and verification) - - Authorized support staff (for customer assistance) - - Automated systems (for document attachment during submission) - - **Access controls:** - - Role-based permissions - - Multi-factor authentication required - - Access logged and monitored - - Regular access reviews - - - Documents are used solely for the purpose of supporting takedown submissions. - - - - - **Applied only when needed** - - Legal documents are **not directly part of the takedown object**—they are applied only during the submission process when a provider requires them. - - **How it works:** - - - - Takedown request is created for a malicious asset - - - - System determines which provider to contact - - - - System checks if provider requires legal documentation - - - - If required, appropriate documents are automatically attached - - - - Complete takedown request with documentation is submitted - - - - - This approach minimizes unnecessary exposure of sensitive documents while ensuring they're available when needed. - - - +### Secure Storage + +Legal documents are stored in a secure storage bucket designed specifically to protect sensitive files. + +**Security measures:** +- Restricted access (only authorized systems and personnel) +- Encryption (data encrypted at rest and in transit) +- Isolated storage (separated from general application data) +- Access logging (all access attempts are logged) +- Audit trail (complete history of document usage) +- Compliance (meets industry security standards) + +### Limited Access + +Only authorized ChainPatrol systems and personnel can access these documents. + +**Who has access:** +- Takedown specialists (when processing requests) +- Legal team members (for review and verification) +- Authorized support staff (for customer assistance) +- Automated systems (for document attachment during submission) + +**Access controls:** +- Role-based permissions +- Multi-factor authentication required +- Access logged and monitored +- Regular access reviews + +Documents are used solely for the purpose of supporting takedown submissions. + +### Usage Policy + +Legal documents are not directly part of the takedown object—they are applied only during the submission process when a provider requires them. + +**How it works:** + +1. Takedown request is created for a malicious asset +2. System determines which provider to contact +3. System checks if provider requires legal documentation +4. If required, appropriate documents are automatically attached +5. Complete takedown request with documentation is submitted + +This approach minimizes unnecessary exposure of sensitive documents while ensuring they're available when needed. ## Document Management Best Practices - - - **Regular updates are important** - - - Update POA/LOA documents annually - - Refresh after organizational changes - - Update contact information promptly - - Renew before expiration dates - - - Expired or outdated documents can delay takedown processing. - - - - - **Different providers have different requirements** - - Keep documents in multiple formats: - - PDF (most common) - - Scanned originals - - Notarized copies (for POA) - - Translated versions (for international takedowns) - - - - **Ensure proper authorization** - - - Have legal team review documents - - Ensure authorized signatories - - Verify scope of authorization - - Confirm compliance with company policies - - - - **Monitor effectiveness** - - - Track which providers accept which documents - - Note any rejection reasons - - Update documents based on feedback - - Maintain records of successful takedowns - - +**Keep Documents Current** - Update POA/LOA documents annually, refresh after organizational changes, update contact information promptly, and renew before expiration dates. Expired or outdated documents can delay takedown processing. + +**Maintain Multiple Formats** - Keep documents in PDF (most common), scanned originals, notarized copies (for POA), and translated versions (for international takedowns) since different providers have different requirements. + +**Coordinate with Legal Team** - Have legal team review documents, ensure authorized signatories, verify scope of authorization, and confirm compliance with company policies. + +**Track Document Usage** - Track which providers accept which documents, note any rejection reasons, update documents based on feedback, and maintain records of successful takedowns. --- ## Key Takeaways - - - Legal docs prove ownership and authorization - - - - Trademark registration, LOA, and POA - - - - Different platforms require different documents - - - - Protected with encryption and access controls - - - - Only authorized personnel can access - - - - Applied only during submission process - - - - Keep documents current and valid - - - - Required for most takedown requests - - +- **Proof of Authority** - Legal docs prove ownership and authorization +- **Three Main Types** - Trademark registration, LOA, and POA +- **Provider Requirements** - Different platforms require different documents +- **Secure Storage** - Protected with encryption and access controls +- **Limited Access** - Only authorized personnel can access +- **Used When Needed** - Applied only during submission process +- **Regular Updates** - Keep documents current and valid +- **Critical for Success** - Required for most takedown requests --- diff --git a/concepts/metrics.mdx b/concepts/metrics.mdx index eaf93fb..d1b82e3 100644 --- a/concepts/metrics.mdx +++ b/concepts/metrics.mdx @@ -13,452 +13,103 @@ They are built by aggregating your organization's activity (reports, detections, ### Why It Matters - - Metrics help you answer **"Are we protected?"** by showing threat volume, coverage, and response quality to your internal stakeholders and, when enabled, to external audiences via your Security Portal. - +Metrics help you answer **"Are we protected?"** by showing threat volume, coverage, and response quality to your internal stakeholders and, when enabled, to external audiences via your Security Portal. ## Key Characteristics - - - **Tied to your organization** - - Metrics are always calculated for a specific **organization**, and reflect only that organization's reports, threats, and takedown activity. - - **What this means:** - - You only see your organization's data - - No cross-organization visibility - - Customized to your brands and assets - - Reflects your specific threat landscape - - - - **Summary over a period** - - Every metrics view uses a time window (e.g., "last 30 days" or a custom range chosen via the date filter). - - **Common time periods:** - - Last 7 days - - Last 30 days - - Last 90 days - - Custom date range - - - The same metric (e.g., "New Threats") may look very different depending on the period you select. - - - - - **Segmented by multiple dimensions** - - Many metrics can be filtered by **brand** and broken down by: - - - - - Domains - - Twitter/X - - Telegram - - Other platforms - - - - - Brand impersonation - - Employee impersonation - - General phishing - - Specific attack types - - - - - - **What they contain** - - - - - Reports received - - New threats blocked - - Threats on watchlist - - Takedowns filed - - Takedowns completed - - - - - Threats by asset type - - Threats per brand - - Detections by source - - Category distributions - - - - - Threats blocked per day - - Takedowns completed per day - - Median time to takedown - - Trend analysis - - - - +### Organization-Specific + +Metrics are always calculated for a specific organization and reflect only that organization's reports, threats, and takedown activity. You only see your organization's data with no cross-organization visibility, customized to your brands and assets, reflecting your specific threat landscape. + +### Time-Bound + +Every metrics view uses a time window (e.g., "last 30 days" or a custom range). Common time periods include last 7 days, last 30 days, last 90 days, and custom date ranges. The same metric (e.g., "New Threats") may look very different depending on the period you select. + +### Filterable + +Many metrics can be filtered by brand and broken down by: + +**Asset Type** - Domains, Twitter/X, Telegram, other platforms + +**Threat Category** - Brand impersonation, employee impersonation, general phishing, specific attack types + +### Components + +**Counts** - Reports received, new threats blocked, threats on watchlist, takedowns filed, takedowns completed + +**Breakdowns** - Threats by asset type, threats per brand, detections by source, category distributions + +**Timelines and Speed** - Threats blocked per day, takedowns completed per day, median time to takedown, trend analysis ## What Lives Inside Metrics ### Core Volume Metrics - - - How many submissions your organization received from users, partners, and integrations - - - - How many assets were blocked as threats (domains, social profiles, Telegram channels, etc.) - - - - Threats you're actively watching (takedowns not appropriate or on hold) - - - - How many takedown requests your organization has initiated - - - - How many takedown requests have been successfully resolved - - +- **Reports** - How many submissions your organization received from users, partners, and integrations +- **New Threats** - How many assets were blocked as threats (domains, social profiles, Telegram channels, etc.) +- **Threats Watchlisted** - Threats you're actively watching (takedowns not appropriate or on hold) +- **Takedowns Filed** - How many takedown requests your organization has initiated +- **Takedowns Completed** - How many takedown requests have been successfully resolved ### Threat Breakdowns - - - **Platform-specific threat counts** - - - - Blocked malicious domains and URLs - - **Includes:** - - Phishing websites - - Fake landing pages - - Impersonation sites - - Malicious web applications - - - - Blocked threats on Twitter/X - - **Includes:** - - Impersonation accounts - - Scam posts - - Fake support accounts - - Fraudulent giveaways - - - - Blocked threats on Telegram - - **Includes:** - - Fake support channels - - Scam groups - - Impersonation accounts - - Phishing bots - - - - Blocked threats on all other supported surfaces - - **Includes:** - - App stores - - Other social networks (Discord, Reddit, etc.) - - Developer platforms (GitHub, npm) - - Email addresses - - Blockchain addresses - - - - - - **Brand-specific targeting** - - Threats blocked per brand inside your organization, showing which brands are targeted more heavily. - - **Use cases:** - - Identify most-targeted brands - - Allocate protection resources - - Track brand-specific campaigns - - Compare threat levels across portfolio - - **Example visualization:** - ``` - Brand A: 150 threats (45%) - Brand B: 100 threats (30%) - Brand C: 85 threats (25%) - ``` - - +**By Asset Type:** + +- **Domain Threats** - Blocked malicious domains and URLs (phishing websites, fake landing pages, impersonation sites, malicious web applications) +- **Twitter Threats** - Blocked threats on Twitter/X (impersonation accounts, scam posts, fake support accounts, fraudulent giveaways) +- **Telegram Threats** - Blocked threats on Telegram (fake support channels, scam groups, impersonation accounts, phishing bots) +- **Other Threats** - Blocked threats on all other supported surfaces (app stores, other social networks, developer platforms, email addresses, blockchain addresses) + +**By Brand:** + +Threats blocked per brand inside your organization, showing which brands are targeted more heavily. Use this to identify most-targeted brands, allocate protection resources, track brand-specific campaigns, and compare threat levels across portfolio. ### Time-Series and Speed Metrics - - - **Daily threat volume over time** - - Shows how many assets were blocked on each day in the selected range. - - **Insights:** - - Identify threat spikes - - Track seasonal patterns - - Measure detection effectiveness - - Spot coordinated campaigns - - **Visualization:** Line chart showing daily counts - - - - **Daily takedown completion rate** - - Shows how many takedowns reached "completed" status on each day. - - **Insights:** - - Track takedown velocity - - Measure provider responsiveness - - Identify bottlenecks - - Monitor team efficiency - - **Visualization:** Bar chart showing daily completions - - - - **Speed of threat removal** - - Calculated from when a takedown request is created to when it is first marked completed. - - **Available breakdowns:** - - Overall median - - By asset type (domains, social media, etc.) - - By threat category (brand vs. employee impersonation) - - **Example:** - - Overall: 36 hours - - Domains: 48 hours - - Social media: 24 hours - - Telegram: 18 hours - - - Lower median times indicate faster threat removal and better provider relationships. - - - +**Threats Blocked Per Day** - Shows how many assets were blocked on each day in the selected range. Helps identify threat spikes, track seasonal patterns, measure detection effectiveness, and spot coordinated campaigns. + +**Takedowns Completed Per Day** - Shows how many takedowns reached "completed" status on each day. Helps track takedown velocity, measure provider responsiveness, identify bottlenecks, and monitor team efficiency. + +**Median Time to Takedown** - Calculated from when a takedown request is created to when it is first marked completed. Available as overall median, by asset type (domains, social media, etc.), and by threat category (brand vs. employee impersonation). Lower median times indicate faster threat removal and better provider relationships. ## How Metrics Relate to Other Concepts - - - **From scans to metrics** - - When asset scans and reviews lead to an asset being **blocked**, that asset contributes to metrics such as: - - **New Threats** - - **Threats by asset type** - - **Threats blocked per day** - - Ongoing scans and liveness updates ensure that metrics reflect the current state of your threat surface (e.g., how many blocked assets are still alive). - - - - **Detection to metric pipeline** - - Every detection or blocked asset rolls up into counts like: - - **New threats** - - **Detections by type** - - **Domains blocked** - - Metrics summarize how much malicious activity is being found and neutralized for your organization over time. - - - - **From reports to action** - - - **Reports** raised by your team or users drive the **Reports** metric - - Review outcomes (e.g., approving a threat as real and blocking it) flow into threat and takedown metrics - - Shows how well your review process is keeping up with incoming threats - - - - **Takedown effectiveness** - - Takedown records power: - - **Takedowns Filed** and **Takedowns Completed** - - **Median time to takedown** per asset type and category - - These metrics show how quickly threats are being removed once identified. - - - - **Service impact on visibility** - - - Metrics can be filtered by **brand** to show which brands are most targeted - - Enabling services like **detection**, **reviewing**, **takedowns**, and **wallet blocking** typically increases visibility in metrics (more threats found, blocked, and removed) rather than reducing numbers to zero - - - Higher threat counts don't mean you're less secure—they mean you're detecting more threats that were always there. - - - +**Assets and Asset Scans** - When asset scans and reviews lead to an asset being blocked, that asset contributes to metrics such as New Threats, Threats by asset type, and Threats blocked per day. Ongoing scans and liveness updates ensure that metrics reflect the current state of your threat surface. + +**Threats / Detections** - Every detection or blocked asset rolls up into counts like new threats, detections by type, and domains blocked. Metrics summarize how much malicious activity is being found and neutralized for your organization over time. + +**Reports and Reviews** - Reports raised by your team or users drive the Reports metric. Review outcomes (e.g., approving a threat as real and blocking it) flow into threat and takedown metrics. Shows how well your review process is keeping up with incoming threats. + +**Takedowns** - Takedown records power Takedowns Filed, Takedowns Completed, and Median time to takedown per asset type and category. These metrics show how quickly threats are being removed once identified. + +**Brands and Services** - Metrics can be filtered by brand to show which brands are most targeted. Enabling services like detection, reviewing, takedowns, and wallet blocking typically increases visibility in metrics (more threats found, blocked, and removed). Higher threat counts don't mean you're less secure—they mean you're detecting more threats that were always there. ## Examples - - - **Scenario:** Executive reporting - - - - You select "Last 90 days" on the Metrics page - - - - The dashboard shows: - - Reports received: 245 - - New threats blocked: 187 - - Takedowns filed: 142 - - Takedowns completed: 128 - - Plus charts of threats blocked per day - - - - You share these numbers with leadership to summarize how much malicious activity was detected and what action was taken - - - - **Key insights:** - - 76% of reports resulted in blocked threats - - 90% of takedowns were completed - - Average of 2 threats blocked per day - - Clear demonstration of protection value - - - - **Scenario:** Threat landscape analysis - - - - You compare threat counts for the last month: - - **Domain Threats**: 45 (down from 60 last month) - - **Twitter Threats**: 30 (stable) - - **Telegram Threats**: 55 (up from 35 last month) - - **Other Threats**: 20 (stable) - - - - You see that domain threats have decreased while Telegram threats have increased - - - - You adjust your monitoring and communication plans: - - Increase Telegram monitoring frequency - - Alert community about Telegram scams - - Investigate why attackers shifted platforms - - - - **Key insights:** - - Attackers are shifting to Telegram - - Domain blocking is working (deterrent effect) - - Need to enhance Telegram-specific defenses - - Community education opportunity - - - - **Scenario:** Provider performance review - - **Median time to takedown by asset type:** - - Domains: 48 hours - - Twitter: 24 hours - - Telegram: 18 hours - - App stores: 72 hours - - **Insights:** - - Social platforms respond faster than hosting providers - - App stores have longest response times - - Telegram is most responsive - - **Actions:** - - Focus on improving domain takedown speed - - Investigate app store delays - - Document Telegram best practices - - Consider alternative providers for slow responders - - - -## Metrics Dashboard Layout - -```mermaid -graph TD - Dashboard[Metrics Dashboard] --> Filters[Time & Brand Filters] - Dashboard --> Volume[Volume Metrics] - Dashboard --> Breakdown[Threat Breakdowns] - Dashboard --> Timeline[Time-Series Charts] - Dashboard --> Speed[Speed Metrics] - - Volume --> Reports[Reports] - Volume --> NewThreats[New Threats] - Volume --> Watchlist[Watchlisted] - Volume --> Filed[Takedowns Filed] - Volume --> Completed[Takedowns Completed] - - Breakdown --> AssetType[By Asset Type] - Breakdown --> Brand[By Brand] - Breakdown --> Category[By Category] - - Timeline --> BlockedPerDay[Threats Blocked/Day] - Timeline --> CompletedPerDay[Takedowns Completed/Day] - - Speed --> MedianTime[Median Time to Takedown] - Speed --> ByType[By Asset Type] - Speed --> ByCategory[By Threat Category] - - style Dashboard fill:#6622DC - style Volume fill:#3b82f6 - style Breakdown fill:#8b5cf6 - style Timeline fill:#10b981 - style Speed fill:#f59e0b -``` +### Example 1: Quarterly Threat Overview + +For executive reporting, you select "Last 90 days" on the Metrics page. The dashboard shows reports received (245), new threats blocked (187), takedowns filed (142), takedowns completed (128), plus charts of threats blocked per day. You share these numbers with leadership to summarize malicious activity detected and action taken. Key insights: 76% of reports resulted in blocked threats, 90% of takedowns were completed, average of 2 threats blocked per day. + +### Example 2: Domains vs. Social Threats + +For threat landscape analysis, you compare threat counts for the last month: Domain Threats (45, down from 60 last month), Twitter Threats (30, stable), Telegram Threats (55, up from 35 last month), Other Threats (20, stable). You see that domain threats have decreased while Telegram threats have increased, and adjust your monitoring and communication plans accordingly—increase Telegram monitoring frequency, alert community about Telegram scams, investigate why attackers shifted platforms. + +### Example 3: Takedown Speed Analysis + +For provider performance review, you analyze median time to takedown by asset type: Domains (48 hours), Twitter (24 hours), Telegram (18 hours), App stores (72 hours). Insights: Social platforms respond faster than hosting providers, app stores have longest response times, Telegram is most responsive. Actions: Focus on improving domain takedown speed, investigate app store delays, document Telegram best practices. --- ## Key Takeaways - - - Metrics aggregate activity into readable summaries - - - - Always calculated for your specific organization - - - - Every view uses a specific time window - - - - Break down by brand, asset type, and category - - - - Reports, threats, watchlist, and takedowns - - - - By asset type, brand, and category - - - - Median time to takedown and daily trends - - - - Identify trends and adjust protection strategies - - +- **High-Level Summary** - Metrics aggregate activity into readable summaries +- **Organization-Specific** - Always calculated for your specific organization +- **Time-Bound** - Every view uses a specific time window +- **Filterable** - Break down by brand, asset type, and category +- **Volume Tracking** - Reports, threats, watchlist, and takedowns +- **Threat Breakdowns** - By asset type, brand, and category +- **Speed Metrics** - Median time to takedown and daily trends +- **Actionable Insights** - Identify trends and adjust protection strategies --- diff --git a/concepts/organizations.mdx b/concepts/organizations.mdx index 242c873..5111684 100644 --- a/concepts/organizations.mdx +++ b/concepts/organizations.mdx @@ -15,61 +15,23 @@ An organization is the top-level container for all your security operations, tea ChainPatrol is a **fully managed security product**. This means our team handles the heavy lifting: - - - Continuous scanning across platforms - - - - Expert analysis of potential threats - - - - Detailed evaluation of threat patterns - - - - Professional requests to providers and platforms - - - - +- **Day-to-Day Threat Hunting** - Continuous scanning across platforms +- **Suspicious Activity Review** - Expert analysis of potential threats +- **Attack Analysis** - Detailed evaluation of threat patterns +- **Takedown Filing** - Professional requests to providers and platforms + You don't need to become a security expert or dedicate staff to monitor threats around the clock. We do that work for you. - ### Your Level of Involvement That said, you're not locked out of the process. If you want your team to be more hands-on, you can: - - - **Invite Members** - - Invite team members into your organization's dashboard with customized permissions and roles. - - - - **Report Threats** - - Your team can report threats they discover through the dashboard or integrations. - - - - **Approve or Decline** - - Review and approve specific takedowns or blocklist decisions before they take effect. - - - - **Connect Tools** - - Integrate Slack, Telegram, SSO, and other tools to fit ChainPatrol into your existing workflows. - - - - +- **Invite Members** - Invite team members into your organization's dashboard with customized permissions and roles +- **Report Threats** - Your team can report threats they discover through the dashboard or integrations +- **Approve or Decline** - Review and approve specific takedowns or blocklist decisions before they take effect +- **Connect Tools** - Integrate Slack, Telegram, SSO, and other tools to fit ChainPatrol into your existing workflows + You decide how involved you want to be—from fully hands-off to deeply integrated with your team's operations. - ## Brands and Assets @@ -77,114 +39,54 @@ Every organization has one or more **brands** that ChainPatrol protects. ### What is a Brand? - - - A brand could be: - - Your company name - - A product line - - Your executives or key personnel - - A key identity that attackers might try to impersonate - - - - We use brands to detect **brand impersonation** attacks: - - Lookalike domains - - Fake social profiles - - Scam campaigns borrowing your brand's name - - Imagery or messaging designed to trick people - - +A brand could be your company name, a product line, your executives or key personnel, or a key identity that attackers might try to impersonate. + +We use brands to detect **brand impersonation** attacks including lookalike domains, fake social profiles, scam campaigns borrowing your brand's name, and imagery or messaging designed to trick people. ### What are Assets? In addition to brands, your organization also has **assets**—the digital properties that actually belong to you: - - - Domains and web applications - - - - Twitter, Discord, Telegram, etc. - - - - App store and extension marketplace listings - - - - Blockchain addresses and contracts - - - - Official company and team emails - - - - GitHub repos, forums, documentation sites - - +- **Websites** - Domains and web applications +- **Social Accounts** - Twitter, Discord, Telegram, etc. +- **App Listings** - App store and extension marketplace listings +- **Wallet Addresses** - Blockchain addresses and contracts +- **Email Addresses** - Official company and team emails +- **Other Properties** - GitHub repos, forums, documentation sites - -We track your official assets so we can spot copycats and **general phishing** pages that mimic your legitimate sites or channels. When we find something suspiciously similar to your assets but not actually yours, it gets flagged for review. - +We track your official assets so we can spot copycats and general phishing pages that mimic your legitimate sites or channels. When we find something suspiciously similar to your assets but not actually yours, it gets flagged for review. ## Services You Can Enable Each organization can turn individual services on or off depending on what you need. These services control which ChainPatrol features are active for your organization: - - - Enables ChainPatrol's automated scanning across the web, social platforms, app stores, and other sources. When this is turned on, we continuously look for new threats targeting your brands. - - **Status:** Foundation service—required for all other services - - - - Activates the systems that collect and organize reports and detections into a single view. This powers your dashboards and ensures you have up-to-date visibility into what's happening. - - **Status:** Recommended for all organizations - - - - Turns on ChainPatrol's review workflows, where our team validates suspicious assets and decides whether they should be blocked, allowed, watchlisted, or escalated. - - **Status:** Recommended for accuracy and quality control - - - - Adds a final approval step for specific types of assets. When enabled, you choose which asset categories (like domains, social media, or messaging platforms) require explicit confirmation from an admin in your organization before ChainPatrol's blocklist decisions take effect. - - **Configuration:** If you don't select any specific types, all asset types will require approval. - - **Status:** Optional—for organizations requiring internal oversight - - - - Allows approved crypto-related threats to be added to ChainPatrol's global blocklist, which is consumed by partner wallets like Coinbase Wallet and MetaMask to protect their users from known malicious addresses. - - **Status:** Essential for Web3 organizations - - - - Enables ChainPatrol to file takedown requests with hosting providers, registrars, and platforms on your behalf. When this service is on, we don't just block threats—we work to get them removed from the internet entirely. - - **Requirements:** Legal documentation (trademark proof, authorized representative details) - - **Status:** Recommended for comprehensive protection - - - - Speeds up the takedown process for clear-cut cases. Once you've provided the required legal documents (like a Power of Attorney) and your main website URL, ChainPatrol can automatically submit takedown requests for approved threats without waiting for manual back-and-forth on every case. - - **Requirements:** - - Power of Attorney document - - Main website URL - - All other services enabled - - **Status:** Advanced—for high-volume threat environments - - +### Detection + +Enables ChainPatrol's automated scanning across the web, social platforms, app stores, and other sources. When this is turned on, we continuously look for new threats targeting your brands. This is the foundation service—required for all other services. + +### Monitoring & Reporting + +Activates the systems that collect and organize reports and detections into a single view. This powers your dashboards and ensures you have up-to-date visibility into what's happening. Recommended for all organizations. + +### Reviewing + +Turns on ChainPatrol's review workflows, where our team validates suspicious assets and decides whether they should be blocked, allowed, watchlisted, or escalated. Recommended for accuracy and quality control. + +### Obligatory Organization Admin Approval + +Adds a final approval step for specific types of assets. When enabled, you choose which asset categories (like domains, social media, or messaging platforms) require explicit confirmation from an admin in your organization before ChainPatrol's blocklist decisions take effect. If you don't select any specific types, all asset types will require approval. This is optional—for organizations requiring internal oversight. + +### Wallet Blocking + +Allows approved crypto-related threats to be added to ChainPatrol's global blocklist, which is consumed by partner wallets like Coinbase Wallet and MetaMask to protect their users from known malicious addresses. Essential for Web3 organizations. + +### Takedowns + +Enables ChainPatrol to file takedown requests with hosting providers, registrars, and platforms on your behalf. When this service is on, we don't just block threats—we work to get them removed from the internet entirely. Requires legal documentation (trademark proof, authorized representative details). Recommended for comprehensive protection. + +### Automated Takedowns + +Speeds up the takedown process for clear-cut cases. Once you've provided the required legal documents (like a Power of Attorney) and your main website URL, ChainPatrol can automatically submit takedown requests for approved threats without waiting for manual back-and-forth on every case. Requires Power of Attorney document, main website URL, and all other services enabled. This is an advanced feature for high-volume threat environments. Learn more about configuring these services in our [Services Setup guide](/protect-your-brand/services-setup). @@ -196,148 +98,46 @@ You control who can access your organization and what they're allowed to do. ### How It Works - - - Invite team members into your organization's dashboard - - - - Assign them roles that determine their access level - - - - Configure specific permissions for what they can do - - - - Retain ultimate control over approvals and sensitive actions - - +1. Invite team members into your organization's dashboard +2. Assign them roles that determine their access level +3. Configure specific permissions for what they can do +4. Retain ultimate control over approvals and sensitive actions ### What Permissions Control - - - Ability to report and submit threats - - - - Approve or reject blocklist changes - - - - Modify organization settings and configuration - - - - View confidential data and reports - - - - Enable or disable organization services - - - - Invite, remove, or modify team members - - +- **Threat Reporting** - Ability to report and submit threats +- **Blocklist Approvals** - Approve or reject blocklist changes +- **Settings Management** - Modify organization settings and configuration +- **Sensitive Information** - View confidential data and reports +- **Service Control** - Enable or disable organization services +- **Member Management** - Invite, remove, or modify team members This permission system ensures that potentially destructive actions—like turning on Wallet Blocking or Automated Takedowns—only happen with your organization's explicit permission. -### Division of Responsibility - -```mermaid -flowchart LR - ChainPatrol[ChainPatrol Team] -->|Handles| Operations[Day-to-Day Operations] - ChainPatrol -->|Manages| Scanning[Threat Scanning] - ChainPatrol -->|Performs| Review[Expert Review] - ChainPatrol -->|Executes| Takedowns[Takedown Filing] - - Organization[Your Organization] -->|Controls| Approvals[Final Approvals] - Organization -->|Manages| Access[Team Access] - Organization -->|Configures| Services[Service Settings] - Organization -->|Decides| Involvement[Level of Involvement] - - style ChainPatrol fill:#6622DC - style Organization fill:#985EFD -``` - - ChainPatrol's staff handle the day-to-day security operations, but you retain ultimate control over approvals, visibility, and how the platform integrates with your team. - ## Organization Structure ### Typical Organization Hierarchy - - - **Simple Structure** - - Most organizations have a single brand: - - One company identity - - All assets under one brand - - Straightforward management - - **Example:** A startup protecting their main product - - - - **Complex Structure** - - Some organizations manage multiple brands: - - Parent company + subsidiaries - - Multiple product lines - - Acquired companies - - Regional brands - - **Example:** A holding company protecting multiple portfolio companies - - - - **Advanced Structure** - - Large enterprises may have: - - Multiple brands - - Hundreds or thousands of assets - - Complex approval workflows - - Multiple teams with different permissions - - **Example:** A Fortune 500 company with global operations - - +**Single Brand** - Most organizations have a single brand with one company identity, all assets under one brand, and straightforward management. Example: A startup protecting their main product. + +**Multiple Brands** - Some organizations manage multiple brands including parent company + subsidiaries, multiple product lines, acquired companies, and regional brands. Example: A holding company protecting multiple portfolio companies. + +**Enterprise** - Large enterprises may have multiple brands, hundreds or thousands of assets, complex approval workflows, and multiple teams with different permissions. Example: A Fortune 500 company with global operations. --- ## Key Takeaways - - - Everything happens within your organization - - - - ChainPatrol handles day-to-day operations - - - - Choose your level of hands-on participation - - - - Enable only what you need - - - - Control who can do what - - - - Final say on all critical decisions - - +- **Centralized Workspace** - Everything happens within your organization +- **Fully Managed** - ChainPatrol handles day-to-day operations +- **Flexible Involvement** - Choose your level of hands-on participation +- **Configurable Services** - Enable only what you need +- **Granular Permissions** - Control who can do what +- **You're in Control** - Final say on all critical decisions --- diff --git a/concepts/reports.mdx b/concepts/reports.mdx index bcf56bc..ef3b968 100644 --- a/concepts/reports.mdx +++ b/concepts/reports.mdx @@ -13,136 +13,46 @@ When you create a report, you're proposing that specific assets should either be ### What a Report Contains - - - One or more URLs, profiles, or addresses - - - - Title and description explaining the threat - - - - Screenshots and supporting materials - - +- **Assets** - One or more URLs, profiles, or addresses +- **Context** - Title and description explaining the threat +- **Evidence** - Screenshots and supporting materials ## When Reports Get Created Reports flow into ChainPatrol from multiple sources: - - - **Your team or ChainPatrol staff** can create reports directly in the dashboard whenever they spot something suspicious. - - **Who can create:** - - Organization members - - ChainPatrol staff - - Security team members - - **When to use:** - - Discovered threats - - Community-reported issues - - Proactive monitoring - - - - **From your community** when your organization has a public Security Portal enabled, anyone can submit a report. - - **How it works:** - - Public submission form - - Automatically flagged as customer report - - No login required - - **Benefits:** - - Community-powered detection - - Early threat discovery - - User engagement - - - - **Through the API** if you have integrations or partners that need to submit threats programmatically. - - **Use cases:** - - Automated monitoring tools - - Partner integrations - - Custom workflows - - Bulk submissions - - - See our [API documentation](/external-api/report-create) for integration details. - - - - - **From automated detection** where ChainPatrol's systems continuously scan the web, social platforms, and other sources for threats. - - **How it works:** - - Continuous monitoring - - Automatic report creation - - Pre-analyzed evidence - - Instant submission - - **Coverage:** - - 50+ platforms monitored - - 24/7 scanning - - Real-time detection - - +### Manual Submission + +Your team or ChainPatrol staff can create reports directly in the dashboard whenever they spot something suspicious. Organization members, ChainPatrol staff, and security team members can create reports for discovered threats, community-reported issues, and proactive monitoring. + +### Public Portal + +When your organization has a public Security Portal enabled, anyone can submit a report through the public submission form. Reports are automatically flagged as customer reports with no login required. This enables community-powered detection, early threat discovery, and user engagement. + +### API Integration + +Through the API, integrations or partners can submit threats programmatically for automated monitoring tools, partner integrations, custom workflows, and bulk submissions. See our [API documentation](/external-api/report-create) for integration details. + +### Automated Detection + +ChainPatrol's systems continuously scan the web, social platforms, and other sources for threats through continuous monitoring, automatic report creation, pre-analyzed evidence, and instant submission. We monitor 50+ platforms 24/7 with real-time detection. ## How Reports Get Reviewed Every report that comes into your organization is reviewed by ChainPatrol's team. - - - Reviewers examine the evidence, screenshots, and context provided - - - - Run automated security scans and analysis on the reported assets - - - - Decide whether each asset should be: - - **Blocked** - Confirmed malicious - - **Allowed** - Confirmed legitimate - - **Watchlisted** - Monitored for changes - - **Escalated** - Requires additional investigation - - - - Apply the decision and update asset status - - +1. **Evidence Review** - Reviewers examine the evidence, screenshots, and context provided +2. **Security Checks** - Run automated security scans and analysis on the reported assets +3. **Decision** - Decide whether each asset should be Blocked (confirmed malicious), Allowed (confirmed legitimate), Watchlisted (monitored for changes), or Escalated (requires additional investigation) +4. **Action** - Apply the decision and update asset status ### Automatic Review In some cases, the review happens automatically: - - - When our systems have extremely high confidence that an asset is malicious. - - **Examples:** - - Known wallet drainer script detected - - Exact copy of known phishing site - - Matches multiple high-confidence rules - - **Result:** Approved immediately without manual validation - - - - When the report comes from someone we've marked as a trusted reporter. - - **Who qualifies:** - - Verified security researchers - - Trusted partner organizations - - ChainPatrol staff - - **Result:** Fast-tracked for approval - - +**High Confidence Detection** - When our systems have extremely high confidence that an asset is malicious (known wallet drainer script detected, exact copy of known phishing site, matches multiple high-confidence rules), it's approved immediately without manual validation. + +**Trusted Reporter** - When the report comes from someone we've marked as a trusted reporter (verified security researchers, trusted partner organizations, ChainPatrol staff), it's fast-tracked for approval. ### Organization Admin Approval @@ -150,237 +60,69 @@ In some cases, the review happens automatically: If you've enabled **Obligatory Organization Admin Approval** for certain types of assets, there's an extra step. -Even after ChainPatrol's team approves a report, the changes won't be applied to your blocklist until someone from your organization with admin permissions confirms them. - - - - Our team reviews and approves the report - - - - Report waits for organization admin confirmation - - - - Your admin reviews and approves or rejects - - - - Asset status is updated based on final decision - - +Even after ChainPatrol's team approves a report, the changes won't be applied to your blocklist until someone from your organization with admin permissions confirms them: + +1. ChainPatrol reviews and approves the report +2. Report waits for organization admin confirmation +3. Your admin reviews and approves or rejects +4. Asset status is updated based on final decision ## Report Status Reports move through three stages as they're processed: - - - The report is waiting in the queue for review - - - - ChainPatrol staff or automated systems are actively reviewing it - - - - The review is complete and decisions have been made on all assets - - - -### Status Transitions - -```mermaid -flowchart LR - TODO[TODO] -->|Review Started| IN_PROGRESS[IN_PROGRESS] - IN_PROGRESS -->|Review Complete| CLOSED[CLOSED] - - style TODO fill:#f59e0b - style IN_PROGRESS fill:#3b82f6 - style CLOSED fill:#10b981 -``` +- **TODO** - The report is waiting in the queue for review +- **IN_PROGRESS** - ChainPatrol staff or automated systems are actively reviewing it +- **CLOSED** - The review is complete and decisions have been made on all assets ## Finding Your Reports The **Reports page** in your dashboard shows all the reports for your organization, whether they're pending review, currently being worked on, or already closed. -### Filtering and Search - - - - Find reports by who created them - - - - Filter by submission date - - - - Search for specific assets - - - - View TODO, IN_PROGRESS, or CLOSED reports - - - - -This makes it easy to track the status of something you reported or follow up on threats that were flagged by your community. - +You can filter and search by creator, date, asset, and status to track the status of something you reported or follow up on threats flagged by your community. ## How to Submit a Report Creating a report in ChainPatrol is straightforward: - - - Start by clicking **Create Report** from the dashboard - - - - Paste in the assets you want to report, one per line: - - URLs (e.g., `https://fake-metamask.com`) - - Social media profiles (e.g., `@fake_support`) - - Blockchain addresses (e.g., `0x123...`) - - Any other asset type ChainPatrol monitors - - - The system automatically figures out what kind of asset each one is, so you don't need to categorize them yourself. - - - - - Provide information to help reviewers: - - **Title:** - - Summarize what you're reporting - - Be clear and concise - - Example: "Fake MetaMask wallet drainer site" - - **Description:** - - Explain why these assets are suspicious - - Include any relevant details - - Describe how you found them - - Note any user reports or complaints - - - - If you have screenshots or other visual evidence, upload them: - - Screenshots of malicious content - - User reports or messages - - Social media posts - - Any supporting documentation - - - Visual evidence helps reviewers quickly understand what's going on and speeds up the review process. - - - - - Hit **Submit** and your report goes into the review queue - - +1. **Click Create Report** - Start by clicking **Create Report** from the dashboard + +2. **Add Assets** - Paste in the assets you want to report, one per line: URLs (e.g., `https://fake-metamask.com`), social media profiles (e.g., `@fake_support`), blockchain addresses (e.g., `0x123...`), or any other asset type ChainPatrol monitors. The system automatically figures out what kind of asset each one is. + +3. **Add Context** - Provide a title summarizing what you're reporting and a description explaining why these assets are suspicious, how you found them, and any relevant details. + +4. **Upload Evidence** - Upload screenshots of malicious content, user reports or messages, social media posts, or any supporting documentation. Visual evidence helps reviewers quickly understand what's going on and speeds up the review process. + +5. **Submit** - Hit Submit and your report goes into the review queue ### What Happens Next - - - **Right After Submission:** - - Report enters TODO status - - You receive confirmation - - Report appears in your dashboard - - ChainPatrol team is notified - - - - **During Review:** - - Status changes to IN_PROGRESS - - Assets are scanned and analyzed - - Evidence is evaluated - - Decisions are made - - - - **After Review:** - - Status changes to CLOSED - - Asset statuses are updated - - You're notified of the outcome - - Actions are taken (blocking, allowing, etc.) - - +**Immediately** - Report enters TODO status, you receive confirmation, report appears in your dashboard, and ChainPatrol team is notified. + +**During Review** - Status changes to IN_PROGRESS, assets are scanned and analyzed, evidence is evaluated, and decisions are made. + +**After Review** - Status changes to CLOSED, asset statuses are updated, you're notified of the outcome, and actions are taken (blocking, allowing, etc.). ## Report Best Practices - - - The more context you provide, the faster and more accurate the review will be. - - **Include:** - - How you discovered the threat - - Why you believe it's malicious - - Any user reports or complaints - - Timeline of when it appeared - - - - Screenshots are extremely valuable for reviewers. - - **Capture:** - - The full page or profile - - Specific malicious elements - - User-facing content - - Before it gets taken down - - - - The sooner you report a threat, the sooner it can be blocked. - - **Why it matters:** - - Faster protection for users - - Less time for scammers to operate - - Better chance of successful takedown - - - - If multiple assets are part of the same campaign, report them together. - - **Benefits:** - - Reviewers see the full picture - - More efficient review process - - Better threat intelligence - - Coordinated response - - +**Provide Clear Context** - Include how you discovered the threat, why you believe it's malicious, any user reports or complaints, and timeline of when it appeared. + +**Include Visual Evidence** - Capture the full page or profile, specific malicious elements, user-facing content, and screenshots before it gets taken down. + +**Report Promptly** - The sooner you report a threat, the sooner it can be blocked, providing faster protection for users and less time for scammers to operate. + +**Group Related Assets** - If multiple assets are part of the same campaign, report them together so reviewers see the full picture for more efficient review and coordinated response. --- ## Key Takeaways - - - Reports can contain multiple related assets - - - - Created manually, via API, or automatically - - - - ChainPatrol team reviews every report - - - - TODO, IN_PROGRESS, CLOSED - - - - Simple process with automatic asset detection - - - - More evidence = faster, better review - - +- **Bundle Assets** - Reports can contain multiple related assets +- **Multiple Sources** - Created manually, via API, or automatically +- **Expert Review** - ChainPatrol team reviews every report +- **Three Statuses** - TODO, IN_PROGRESS, CLOSED +- **Easy Submission** - Simple process with automatic asset detection +- **Context Matters** - More evidence = faster, better review --- diff --git a/concepts/reviews.mdx b/concepts/reviews.mdx index e6ddec0..c0ecf4b 100644 --- a/concepts/reviews.mdx +++ b/concepts/reviews.mdx @@ -15,167 +15,53 @@ Think of a review as the approval or rejection of a recommendation to block a th Each review consists of: - - - Approve, reject, skip, or escalate - - - - Type of threat (e.g., phishing, brand impersonation) - - - - Optional reasoning explanation - - - - Who made the decision - - - - When the review was made - - +- **Decision** - Approve, reject, skip, or escalate +- **Label** - Type of threat (e.g., phishing, brand impersonation) +- **Comment** - Optional reasoning explanation +- **Reviewer** - Who made the decision +- **Timestamp** - When the review was made ## Who Can Review? -Several types of users can make reviews: - - - - **Our security analysts** who review reports for all customers - - **Capabilities:** - - Review all reports - - Create, read, and delete reviews - - Apply expert threat analysis - - Handle complex cases - - - - **Verified security researchers and partners** who have demonstrated expertise in threat identification - - **Capabilities:** - - Submit high-confidence reports - - Auto-approval for trusted submissions - - Create and read reviews - - Fast-track threat blocking - - - - **Admins and owners** of customer organizations who can review reports for their own brand - - **Capabilities:** - - Review reports for their organization - - Approve or reject proposals - - Final say on blocklist decisions - - Override escalations - - - - **Our automation system** that can auto-approve certain high-confidence threats - - **Capabilities:** - - Instant review of clear threats - - Threat score calculation - - Pattern recognition - - 24/7 operation - - +### ChainPatrol Staff + +Our security analysts who review reports for all customers. They can review all reports, create, read, and delete reviews, apply expert threat analysis, and handle complex cases. + +### Trusted Reporters + +Verified security researchers and partners who have demonstrated expertise in threat identification. They can submit high-confidence reports, receive auto-approval for trusted submissions, create and read reviews, and fast-track threat blocking. + +### Customer Administrators + +Admins and owners of customer organizations who can review reports for their own brand. They can review reports for their organization, approve or reject proposals, have final say on blocklist decisions, and override escalations. + +### Automated System + +Our automation system that can auto-approve certain high-confidence threats. It provides instant review of clear threats, threat score calculation, pattern recognition, and 24/7 operation. ## Review Actions There are four types of review decisions: - - - **What it means:** - - Confirms that the reported asset is malicious and should be blocked. - - **What happens:** - - Asset is added to ChainPatrol's blocklist - - Distributed to integrated platforms - - Takedown process initiated (if enabled) - - Organization is notified - - **When to use:** - - Clear evidence of malicious activity - - High confidence in threat assessment - - Asset matches known attack patterns - - - - **What it means:** - - Indicates the reported asset is legitimate and should not be blocked. - - **Common reasons:** - - The asset is actually official (false positive) - - The threat has already been removed - - Insufficient evidence of malicious activity - - Misidentification or misunderstanding - - **What happens:** - - Proposal is closed - - Asset remains unblocked - - Reporter may be notified - - - - **What it means:** - - Reviewer cannot make a definitive decision yet. This keeps the proposal in a pending state for another reviewer to examine. - - **Common reasons:** - - Insufficient evidence to confirm or deny the threat - - Need for additional context or investigation - - Waiting for asset to load or become accessible - - Requires more specialized expertise - - **What happens:** - - Proposal remains in queue - - Another reviewer will examine it - - May be escalated if skipped multiple times - - - - **What it means:** - - Passes the review decision to another party for final judgment. - - **Escalation Types:** - - - - Requests the brand owner to review and decide - - **When used:** - - Staff reviewers are uncertain - - Asset type requires customer approval - - Content is ambiguous - - **What happens:** - - Customer team receives notifications (Slack/Discord) - - Proposal stays pending until customer decides - - - - Passes to senior ChainPatrol analysts - - **When used:** - - Customer administrators are uncertain - - Complex cases require expert review - - Multiple conflicting signals - - **What happens:** - - Routes to senior security analysts - - In-depth analysis performed - - Final decision made by experts - - - - +### Approve + +Confirms that the reported asset is malicious and should be blocked. The asset is added to ChainPatrol's blocklist, distributed to integrated platforms, takedown process is initiated (if enabled), and the organization is notified. Use when there's clear evidence of malicious activity, high confidence in threat assessment, and asset matches known attack patterns. + +### Reject + +Indicates the reported asset is legitimate and should not be blocked. Common reasons include the asset is actually official (false positive), the threat has already been removed, insufficient evidence of malicious activity, or misidentification. The proposal is closed and the asset remains unblocked. + +### Skip + +Reviewer cannot make a definitive decision yet. This keeps the proposal in a pending state for another reviewer to examine. Common reasons include insufficient evidence to confirm or deny the threat, need for additional context or investigation, waiting for asset to load or become accessible, or requires more specialized expertise. + +### Escalate + +Passes the review decision to another party for final judgment. + +**Escalate to Customer** - Requests the brand owner to review and decide. Used when staff reviewers are uncertain, asset type requires customer approval, or content is ambiguous. The customer team receives notifications (Slack/Discord) and the proposal stays pending until customer decides. + +**Escalate to Team** - Passes to senior ChainPatrol analysts. Used when customer administrators are uncertain, complex cases require expert review, or there are multiple conflicting signals. Routes to senior security analysts for in-depth analysis and final decision. ## Automated Review @@ -183,178 +69,51 @@ The ChainPatrol automation system automatically reviews proposals under specific ### Auto-Approval Criteria -A proposal is **automatically approved** when: - - - - Reports from trusted reporters are auto-approved if they don't trigger legitimacy warnings - - - - Reports with a threat score of **1.0 or higher** are auto-approved if: - - No legitimacy checks indicate the asset is legitimate - - The organization doesn't require customer approval - - There's no active dispute on the report - - +A proposal is automatically approved when: + +1. **Trusted Reporter Submissions** - Reports from trusted reporters are auto-approved if they don't trigger legitimacy warnings +2. **High Threat Score** - Reports with a threat score of 1.0 or higher are auto-approved if no legitimacy checks indicate the asset is legitimate, the organization doesn't require customer approval, and there's no active dispute on the report ### Auto-Skip Criteria -A proposal is **automatically skipped** (sent for manual review) when: - - - - High-confidence rules indicate the asset appears legitimate - - - - The threat score is below 1.0 - - - - Organization settings require manual approval from their team - - - - Someone has disputed the report - - - - Too many auto-approvals in a short time period - - +A proposal is automatically skipped (sent for manual review) when: + +- High-confidence rules indicate the asset appears legitimate +- The threat score is below 1.0 +- Organization settings require manual approval from their team +- Someone has disputed the report +- Too many auto-approvals in a short time period ### Threat Scoring - The automation system calculates a threat score by analyzing multiple factors. - -**Scoring Components:** - - - - **Signals analyzed:** - - Visual similarity to known brands - - Logo matching - - Name and text similarity - - Domain typosquatting - - Profile impersonation - - **Score range:** 0.0 - 1.0+ - - - - **Indicators checked:** - - Credential harvesting forms - - Suspicious URL patterns - - Malicious links - - Social engineering tactics - - Wallet connection scams - - **Score range:** 0.0 - 1.0+ - - - - **How it works:** - - The system takes the **maximum score** from each category and adds them together. - - **Example:** - - Brand impersonation: 0.6 - - General phishing: 0.8 - - **Total score: 1.4** ✅ Auto-approved - - - This ensures multiple detections don't artificially inflate the total. - - - +**Brand Impersonation** signals include visual similarity to known brands, logo matching, name and text similarity, domain typosquatting, and profile impersonation (score range 0.0 - 1.0+). + +**General Phishing** indicators include credential harvesting forms, suspicious URL patterns, malicious links, social engineering tactics, and wallet connection scams (score range 0.0 - 1.0+). + +**Score Calculation** - The system takes the maximum score from each category and adds them together. For example: Brand impersonation 0.6 + General phishing 0.8 = Total score 1.4 (auto-approved). This ensures multiple detections don't artificially inflate the total. ## Evidence Reviewed When making a review decision, reviewers examine multiple types of evidence: - - - ChainPatrol runs automated detection rules that check for: - - - - Logos, names, visual similarity - - - - Credential forms, suspicious URLs - - - - Official certificates, verified accounts, trusted hosting - - - - Fake wallet connections, transaction scams - - - - - - Screenshots and HTML snapshots showing: - - - Visual appearance of the website or profile - - Page content and text - - Forms and input fields - - External links and resources - - Network requests and behavior - - - - Information from the person who submitted the report: - - - Description of the threat - - Reporter's identity and trust level - - Attachments and supporting evidence - - Report source (form, API, integration) - - Timeline of discovery - - - - Past activity related to the asset: - - - Previous reports of the same or similar assets - - Takedown history - - Related threats from the same infrastructure - - Pattern analysis across campaigns - - +**Detection Rules** - ChainPatrol runs automated detection rules that check for brand impersonation (logos, names, visual similarity), phishing indicators (credential forms, suspicious URLs), legitimacy signals (official certificates, verified accounts, trusted hosting), and blockchain threats (fake wallet connections, transaction scams). + +**Asset Scans** - Screenshots and HTML snapshots showing visual appearance of the website or profile, page content and text, forms and input fields, external links and resources, and network requests and behavior. + +**Report Context** - Information from the person who submitted the report including description of the threat, reporter's identity and trust level, attachments and supporting evidence, report source (form, API, integration), and timeline of discovery. + +**Historical Data** - Past activity related to the asset including previous reports of the same or similar assets, takedown history, related threats from the same infrastructure, and pattern analysis across campaigns. ## How to Revert a Review -Reviewers can revert their review decisions within **5 minutes** of submission. - - -This safety window allows you to undo a mistaken approval or rejection. - - -### Revert Process - - - - Go to the report page containing your review - - - - Look for the "Need to revert the change?" section - - - - Click the revert button while the timer is still active (within 5 minutes) - - - - The review will be deleted and the proposal will return to pending status - - +Reviewers can revert their review decisions within **5 minutes** of submission. This safety window allows you to undo a mistaken approval or rejection. + +1. Navigate to the report page containing your review +2. Look for the "Need to revert the change?" section +3. Click the revert button while the timer is still active +4. The review will be deleted and the proposal will return to pending status **Superusers** can revert reviews at any time, but standard reviewers are limited to the 5-minute window. @@ -364,113 +123,28 @@ This safety window allows you to undo a mistaken approval or rejection. Reviews can be escalated in two directions: -```mermaid -flowchart TD - Review[Review Decision Needed] --> Staff{Staff
Reviewer} - Review --> Customer{Customer
Admin} - - Staff -->|Uncertain| EscCustomer[Escalate to Customer] - Staff -->|Complex| EscTeam[Escalate to Team] - Staff -->|Clear| Decision[Make Decision] - - Customer -->|Uncertain| EscTeam - Customer -->|Clear| Decision - - EscCustomer --> CustomerReview[Customer Reviews] - EscTeam --> SeniorReview[Senior Analyst Reviews] - - CustomerReview --> FinalDecision[Final Decision] - SeniorReview --> FinalDecision - Decision --> FinalDecision - - style Review fill:#f59e0b - style EscCustomer fill:#3b82f6 - style EscTeam fill:#8b5cf6 - style FinalDecision fill:#10b981 -``` +**Staff reviewers** can escalate to customer when uncertain, escalate to team when complex, or make a direct decision when clear. + +**Customer admins** can escalate to team when uncertain or make a direct decision when clear. ### Resolving Escalations - - - **Once escalated to a customer:** - - Proposal stays pending until customer admin reviews it - - Customer approval or rejection finalizes the decision - - Notifications sent via Slack/Discord - - Superusers can override if needed - - - - **Once escalated to team:** - - Routes to senior ChainPatrol analysts - - In-depth investigation performed - - Expert decision made - - Customer notified of outcome - - +**Customer Escalations** - The proposal stays pending until customer admin reviews it. Customer approval or rejection finalizes the decision. Notifications are sent via Slack/Discord, and superusers can override if needed. + +**Team Escalations** - Routes to senior ChainPatrol analysts. In-depth investigation is performed. Expert decision is made and customer is notified of outcome. ## Why Human Review vs. Automation? ChainPatrol uses a **hybrid approach** combining automation with human expertise: - - - **Ideal scenarios for automation:** - - - - High threat scores with strong evidence - - - - Reports from verified security researchers - - - - Similar to previously confirmed threats - - - - Multiple detection rules agree - - - - - - **Scenarios requiring human judgment:** - - - - Asset shows signs of being official - - - - Unclear or conflicting evidence - - - - Unusual patterns that don't fit standard rules - - - - Organizations that require manual approval - - - - Someone claims the report is incorrect - - - - - - +**When Automation Works Best** - Clear-cut phishing with high threat scores and strong evidence, reports from trusted sources (verified security researchers), repeat patterns similar to previously confirmed threats, and high confidence where multiple detection rules agree. + +**When Human Review is Required** - Asset shows signs of being official (legitimacy signals), unclear or conflicting evidence (low confidence), unusual patterns that don't fit standard rules (edge cases), organizations that require manual approval (customer preference), and when someone claims the report is incorrect (disputes). + This approach ensures we block real threats quickly while maintaining accuracy and giving brands control over their security decisions. - ## Review Permissions -Different user roles have different review capabilities: - | Role | Create Reviews | Read Reviews | Delete Reviews | Special Abilities | |------|----------------|--------------|----------------|-------------------| | **Staff (Non-Customer)** | ✅ | ✅ | ✅ | Review all reports | @@ -483,31 +157,12 @@ Different user roles have different review capabilities: ## Key Takeaways - - - Reviews approve, reject, skip, or escalate proposals - - - - Combines automation with human expertise - - - - Automated scoring determines auto-approval - - - - Rules, scans, context, and history inform decisions - - - - 5-minute revert window for mistakes - - - - Complex cases go to customers or senior analysts - - +- **Decision Points** - Reviews approve, reject, skip, or escalate proposals +- **Hybrid Approach** - Combines automation with human expertise +- **Threat Scoring** - Automated scoring determines auto-approval +- **Multiple Evidence Types** - Rules, scans, context, and history inform decisions +- **Safety Window** - 5-minute revert window for mistakes +- **Escalation Paths** - Complex cases go to customers or senior analysts --- diff --git a/concepts/security-portal.mdx b/concepts/security-portal.mdx index 6409f6e..f160171 100644 --- a/concepts/security-portal.mdx +++ b/concepts/security-portal.mdx @@ -11,124 +11,44 @@ The **Security Portal** is your organization's public-facing page where people o It's a branded landing page that shows your organization's name and gives anyone with the link an easy way to submit threats they've encountered, whether that's a phishing site, a fake social profile, or a malicious app pretending to be yours. -### Transparency Features - When the Security Portal is enabled, it can also display: - - - Show what threats have been reported and what action was taken - - - - Display high-level statistics about threats detected and addressed - - - - +- **Public Reports** - Show what threats have been reported and what action was taken +- **Public Metrics** - Display high-level statistics about threats detected and addressed + This gives your community and stakeholders transparency into how actively threats are being detected and addressed for your organization. - ## Who Uses It? The Security Portal is designed for **your community**: - - - **Community-powered threat reporting** - - - - People who use your products or services and encounter suspicious content - - **What they report:** - - Phishing sites they've encountered - - Fake social media accounts - - Scam messages claiming to be from your brand - - Suspicious apps or extensions - - - - Discord moderators, Telegram admins, and active community participants - - **What they report:** - - Impersonation in community channels - - Scam posts targeting your community - - Fake support accounts - - Coordinated attack campaigns - - - - Business partners, affiliates, and ecosystem participants - - **What they report:** - - Threats affecting shared users - - Cross-brand impersonation - - Supply chain threats - - Industry-wide campaigns - - - - Independent researchers and white-hat hackers - - **What they report:** - - Newly discovered threats - - Sophisticated attack patterns - - Zero-day phishing campaigns - - Technical vulnerabilities - - - - - Instead of requiring them to have an account or go through complicated channels, they can simply visit your Security Portal and submit a report in a few clicks. - - - - - **Quick access for your team** - - You can also use it internally to give your team a quick, always-available way to report threats without logging into the full ChainPatrol dashboard. - - **Benefits:** - - No login required - - Faster submission for quick reports - - Mobile-friendly interface - - Bookmarkable URL - - Share with non-technical team members - - **Use cases:** - - Customer support spotting scams - - Marketing team finding impersonation - - Community managers reporting threats - - Executives forwarding suspicious content - - +### External Users + +**Users and Customers** - People who use your products or services and encounter suspicious content. They report phishing sites, fake social media accounts, scam messages claiming to be from your brand, and suspicious apps or extensions. + +**Community Members** - Discord moderators, Telegram admins, and active community participants who report impersonation in community channels, scam posts targeting your community, fake support accounts, and coordinated attack campaigns. + +**Partners** - Business partners, affiliates, and ecosystem participants who report threats affecting shared users, cross-brand impersonation, supply chain threats, and industry-wide campaigns. + +**Security Researchers** - Independent researchers and white-hat hackers who report newly discovered threats, sophisticated attack patterns, zero-day phishing campaigns, and technical vulnerabilities. + +Instead of requiring them to have an account or go through complicated channels, they can simply visit your Security Portal and submit a report in a few clicks. + +### Internal Team + +You can also use it internally to give your team a quick, always-available way to report threats without logging into the full ChainPatrol dashboard. Benefits include no login required, faster submission for quick reports, mobile-friendly interface, and a bookmarkable URL you can share with non-technical team members. ## Where Can You Find It? Your Security Portal lives at a unique URL based on your organization's slug. - - **Example:** If your organization is `acme`, your Security Portal would be at: - - `chainpatrol.io/acme` - +**Example:** If your organization is `acme`, your Security Portal would be at `chainpatrol.io/acme` -### Locating Your Portal URL - - - - Go to **Settings → Security Portal** in your dashboard - - - - Look for the "Security Portal URL" card - - - - Click the link to copy your unique URL and share it with your community - - +To locate your portal URL: + +1. Go to **Settings → Security Portal** in your dashboard +2. Look for the "Security Portal URL" card +3. Click the link to copy your unique URL and share it with your community Add your Security Portal URL to your website footer, documentation, and community resources so users know where to report threats. @@ -138,332 +58,73 @@ Add your Security Portal URL to your website footer, documentation, and communit You configure the Security Portal in **Settings → Security Portal** within your organization's dashboard. -### Configuration Options - - - - **Controls who can access the portal** - - - - The portal isn't accessible to anyone - - - - Only members of your organization can see it - - - - Anyone with the link can access it - - - - **When to use each:** - - - - **Use when:** - - Not ready to accept community reports - - Testing other features first - - Temporarily pausing public submissions - - **Effect:** - - Portal returns 404 error - - No one can submit reports via portal - - URL is not accessible - - - - **Use when:** - - Want internal-only reporting - - Testing portal before public launch - - Limiting to team members only - - **Effect:** - - Requires ChainPatrol login - - Only organization members can access - - Good for internal testing - - - - **Use when:** - - Ready for community reporting - - Want to maximize threat detection - - Building transparent security program - - **Effect:** - - Anyone with URL can submit reports - - No authentication required - - Maximum community engagement - - - - - - **Display submitted reports publicly** - - - A toggle that determines whether non-authenticated users can view the reports submitted to your organization. - - - **When enabled:** - - People visiting your Security Portal can see what's been reported - - Shows what action has been taken on each report - - Demonstrates active threat monitoring - - Builds community trust - - **What's displayed:** - - Report title and description - - Assets reported (URLs, accounts, etc.) - - Status (pending, in progress, closed) - - Date submitted - - Action taken (blocked, allowed, etc.) - - **What's NOT displayed:** - - Internal comments - - Reviewer identities - - Sensitive investigation details - - Private organization information - - - Consider your transparency goals and privacy requirements before enabling public reports. - - - - - **Display threat statistics publicly** - - - A toggle that displays high-level threat statistics on your Security Portal. - - - **Metrics displayed:** - - Threats blocked - - Takedowns filed - - Takedowns completed - - Reports received - - Threats by asset type - - Recent activity trends - - **Benefits:** - - - - Show stakeholders you're actively monitoring - - - - Demonstrate security commitment - - - - Show impact of community reports - - - - Signal to attackers that you're protected - - - - - Public metrics demonstrate that your organization takes security seriously without exposing sensitive details. - - - +### Visibility + +Controls who can access the portal: + +- **Disabled** - The portal isn't accessible to anyone. Portal returns 404 error and no one can submit reports via portal. +- **Private** - Only members of your organization can see it. Requires ChainPatrol login and is good for internal testing. +- **Public** - Anyone with the link can access it. No authentication required for maximum community engagement. + +### Public Reports + +A toggle that determines whether non-authenticated users can view the reports submitted to your organization. + +When enabled, people visiting your Security Portal can see what's been reported, what action has been taken, and it demonstrates active threat monitoring while building community trust. + +What's displayed includes report title and description, assets reported (URLs, accounts, etc.), status (pending, in progress, closed), date submitted, and action taken. Internal comments, reviewer identities, and sensitive investigation details are NOT displayed. + + +Consider your transparency goals and privacy requirements before enabling public reports. + + +### Public Metrics + +A toggle that displays high-level threat statistics on your Security Portal. + +Metrics displayed include threats blocked, takedowns filed, takedowns completed, reports received, threats by asset type, and recent activity trends. This demonstrates that your organization takes security seriously without exposing sensitive details. ## Why Does It Exist? The Security Portal serves two primary purposes: - - - **Make it easy for your community to help protect your brand** - - ### The Problem - - When users encounter a phishing site or a fake profile impersonating you, they often want to report it but don't know how. - - **Common barriers:** - - No clear reporting channel - - Complicated submission process - - Requires account creation - - Unclear if reports are acted upon - - ### The Solution - - The Security Portal gives them a simple, trusted place to submit that information directly to ChainPatrol. - - **Benefits:** - - - - Simple form, no account required - - - - Users know exactly what to report - - - - Official, branded reporting page - - - - See that reports lead to action - - - - - - **Demonstrate active security monitoring** - - By enabling public reports and metrics, you can show: - - - - **Demonstrate security posture** - - - Board members see active threat monitoring - - Investors understand security investment - - Partners verify protection measures - - Auditors review security processes - - - - **Compliance and due diligence** - - - Show proactive threat detection - - Document response procedures - - Demonstrate user protection - - Evidence of security controls - - - - **Build community trust** - - - Users see you take security seriously - - Community understands threat landscape - - Transparency builds confidence - - Encourages more reporting - - - - - This builds trust and demonstrates that your organization takes security seriously. - - - +### Community-Powered Protection + +When users encounter a phishing site or a fake profile impersonating you, they often want to report it but don't know how. Common barriers include no clear reporting channel, complicated submission process, requiring account creation, and being unclear if reports are acted upon. + +The Security Portal gives them a simple, trusted place to submit that information directly to ChainPatrol with easy submission (no account required), a clear process, a trusted branded channel, and visible impact showing reports lead to action. + +### Transparency & Trust + +By enabling public reports and metrics, you can demonstrate active security monitoring to stakeholders, regulators, and your user base. Board members see active threat monitoring, investors understand security investment, partners verify protection measures, and auditors review security processes. This builds trust and demonstrates that your organization takes security seriously. ## Where Do Community Reports Go? When someone submits a report through your Security Portal, it flows into your organization's **Reports** page in the ChainPatrol dashboard, just like any other report. -### Report Processing Flow - - - - User submits report via Security Portal - - - - Report appears in your organization's Reports page - - - - ChainPatrol's team evaluates the evidence and runs security checks - - - - Determines whether reported assets should be blocked, allowed, or escalated - - - - If "Obligatory Organization Admin Approval" is enabled, your team confirms the action - - - - Asset status is updated and distributed to blocklist - - +The report processing flow works as follows: - -From there, the report goes through the same review process as any other submission. - +1. User submits report via Security Portal +2. Report appears in your organization's Reports page +3. ChainPatrol's team evaluates the evidence and runs security checks +4. Determines whether reported assets should be blocked, allowed, or escalated +5. If "Obligatory Organization Admin Approval" is enabled, your team confirms the action +6. Asset status is updated and distributed to blocklist -## Security Portal Workflow - -```mermaid -flowchart TD - User[Community Member] --> Portal[Security Portal] - Portal --> Check{Portal
Visibility?} - - Check -->|Disabled| Error404[404 Error] - Check -->|Private| Login{Logged In?} - Check -->|Public| Form[Report Form] - - Login -->|No| LoginPage[Login Required] - Login -->|Yes| Form - - Form --> Submit[Submit Report] - Submit --> Dashboard[ChainPatrol Dashboard] - - Dashboard --> Review[Review Process] - Review --> AdminCheck{Admin
Approval
Required?} - - AdminCheck -->|No| Action[Action Applied] - AdminCheck -->|Yes| AdminReview[Admin Reviews] - - AdminReview --> Action - Action --> Blocklist[Added to Blocklist] - - Portal --> Display{Public
Reports/Metrics?} - Display -->|Yes| ShowData[Display Public Data] - Display -->|No| FormOnly[Form Only] - - style Portal fill:#6622DC - style Form fill:#3b82f6 - style Review fill:#8b5cf6 - style Action fill:#10b981 - style Error404 fill:#ef4444 -``` +From there, the report goes through the same review process as any other submission. --- ## Key Takeaways - - - Branded landing page for community threat reports - - - - No account required for public portals - - - - Disabled, Private, or Public access - - - - Show public reports and metrics - - - - Enables users to help protect your brand - - - - Reports flow through standard review workflow - - - - Demonstrates active security monitoring - - - - Based on your organization's slug - - +- **Public Reporting Page** - Branded landing page for community threat reports +- **Easy Submission** - No account required for public portals +- **Three Visibility Levels** - Disabled, Private, or Public access +- **Optional Transparency** - Show public reports and metrics +- **Community-Powered** - Enables users to help protect your brand +- **Same Review Process** - Reports flow through standard review workflow +- **Trust Building** - Demonstrates active security monitoring +- **Unique URL** - Based on your organization's slug --- diff --git a/concepts/takedowns.mdx b/concepts/takedowns.mdx index 20b8409..76c5625 100644 --- a/concepts/takedowns.mdx +++ b/concepts/takedowns.mdx @@ -15,229 +15,46 @@ This request is sent to the organization responsible for hosting or displaying t Takedowns are an essential tool for protecting brands and users online. They help remove content that: - - - Impersonates legitimate organizations - - - - Misleads or scams users - - - - Abuses a brand's trademarks - - - - Spreads harmful information - - - - Distributes fraudulent or malicious applications - - - - Hosts phishing pages or fake login portals - - +- Impersonates legitimate organizations +- Misleads or scams users +- Abuses a brand's trademarks +- Spreads harmful information +- Distributes fraudulent or malicious applications +- Hosts phishing pages or fake login portals ## Where Takedowns Are Sent Because digital threats appear across many parts of the internet, takedowns may be sent to a wide range of platforms: - - - **Web hosting and domain infrastructure** - - - - Organizations that host website content - - **Examples:** - - AWS, Cloudflare, Vercel - - Shared hosting companies - - VPS and dedicated server providers - - **Typical response time:** 4-48 hours - - - - Companies that register and manage domain names - - **Examples:** - - GoDaddy, Namecheap, Google Domains - - Country-specific registrars - - Reseller networks - - **Typical response time:** 24-72 hours - - - - Organizations managing top-level domains (.com, .xyz, etc.) - - **Examples:** - - Verisign (.com, .net) - - Public Interest Registry (.org) - - Country-code registries - - **Typical response time:** Varies widely - - - - - - **Social platforms and communication channels** - - - - Impersonation accounts, scam posts - - - - Fake pages, scam groups - - - - Impersonation profiles, fraudulent posts - - - - Scam livestreams, fake giveaways - - - - Fake support channels, scam groups - - - - Phishing servers, impersonation bots - - - - Scam subreddits, impersonation accounts - - - - Scam videos, impersonation accounts - - - - **What gets removed:** - - Impersonation accounts - - Scam posts and messages - - Fake support channels - - Fraudulent giveaways - - - - **Mobile and browser application marketplaces** - - - - Android applications - - - - iOS applications - - - - Browser extensions - - - - Firefox extensions - - - - Windows applications - - - - **What gets removed:** - - Fake wallet applications - - Malicious browser extensions - - Impersonation apps - - Fraudulent utilities - - - - **Distributed and blockchain-based hosting** - - - **InterPlanetary File System** - - Harmful content can be stored in a distributed way across IPFS nodes. - - **Takedown targets:** - - IPFS gateway operators - - Pinning services - - Node operators hosting malicious content - - **Challenges:** - - Decentralized nature makes complete removal difficult - - Content may persist on some nodes - - Gateway blocking is most effective approach - - - - Decentralized platforms require different takedown strategies, often focusing on gateway access rather than complete content removal. - - - +### Websites -## The Purpose of Takedowns +**Hosting Providers** - Organizations that host website content (AWS, Cloudflare, Vercel, shared hosting companies, VPS and dedicated server providers). Typical response time: 4-48 hours. -Regardless of the platform, the purpose of a takedown is the same: +**Domain Registrars** - Companies that register and manage domain names (GoDaddy, Namecheap, Google Domains, country-specific registrars, reseller networks). Typical response time: 24-72 hours. - - **To remove dangerous or unauthorized content quickly, securely, and effectively.** - +**TLD Registries** - Organizations managing top-level domains (.com, .xyz, etc.) like Verisign (.com, .net), Public Interest Registry (.org), and country-code registries. Response time varies widely. + +### Social Media + +Twitter/X, Facebook, Instagram, YouTube, Telegram, Discord, Reddit, TikTok, and more. What gets removed includes impersonation accounts, scam posts and messages, fake support channels, and fraudulent giveaways. + +### App Stores + +Google Play, Apple App Store, Chrome Web Store, Firefox Add-ons, Microsoft Store. What gets removed includes fake wallet applications, malicious browser extensions, impersonation apps, and fraudulent utilities. + +### Decentralized Platforms + +IPFS (InterPlanetary File System) - Harmful content can be stored in a distributed way across IPFS nodes. Takedown targets include IPFS gateway operators, pinning services, and node operators hosting malicious content. Gateway blocking is the most effective approach since the decentralized nature makes complete removal difficult. + +## The Purpose of Takedowns + +Regardless of the platform, the purpose of a takedown is the same: **to remove dangerous or unauthorized content quickly, securely, and effectively.** ### Takedowns vs. Blocklisting - - - **Complete removal from the internet** - - **Advantages:** - - Content is permanently removed - - Attackers lose their infrastructure - - Prevents future victims from accessing - - Demonstrates enforcement action - - **Disadvantages:** - - Takes time (hours to days) - - Some providers don't respond - - Attackers can quickly create new sites - - Jurisdiction and legal challenges - - **Best for:** - - Long-term threat elimination - - Persistent campaigns - - High-profile impersonation - - - - **Immediate protection at point of access** - - **Advantages:** - - Instant protection (15-30 minutes) - - Works regardless of hosting provider - - Protects even if content stays online - - Universal coverage across platforms - - **Disadvantages:** - - Content remains online - - Requires integration with security tools - - May not prevent all access methods - - **Best for:** - - Immediate threat mitigation - - Rapid response scenarios - - Protecting users before takedown completes - - +**Takedowns** provide complete removal from the internet. Content is permanently removed, attackers lose their infrastructure, future victims are prevented from accessing, and enforcement action is demonstrated. However, takedowns take time (hours to days), some providers don't respond, attackers can quickly create new sites, and there are jurisdiction and legal challenges. Best for long-term threat elimination, persistent campaigns, and high-profile impersonation. + +**Blocklisting** provides immediate protection at point of access. Protection is instant (15-30 minutes), works regardless of hosting provider, protects users even if content stays online, and offers universal coverage across platforms. However, content remains online, requires integration with security tools, and may not prevent all access methods. Best for immediate threat mitigation, rapid response scenarios, and protecting users before takedown completes. **ChainPatrol's approach:** "Blocklist-first, takedown-second" provides immediate protection while working toward permanent removal. @@ -245,162 +62,39 @@ Regardless of the platform, the purpose of a takedown is the same: ## Takedown Lifecycle - - - Takedown has been created and is waiting to be processed - - - - ChainPatrol is actively working on the takedown: - - Submitting to appropriate provider - - Monitoring the request - - Following up as needed - - - - The provider removed the harmful content - - +1. **TODO** - Takedown has been created and is waiting to be processed +2. **IN PROGRESS** - ChainPatrol is actively working on the takedown: submitting to appropriate provider, monitoring the request, following up as needed +3. **COMPLETED** - The provider removed the harmful content ### Alternative Outcomes - - - Takedown stopped (e.g., content invalid or unnecessary) - - - - Identified as false positive, marked for retraction - - - - Formal retraction request submitted to provider - - - - Provider confirmed retraction—takedown reversed - - +- **CANCELED** - Takedown stopped (e.g., content invalid or unnecessary) +- **PENDING RETRACTION** - Identified as false positive, marked for retraction +- **RETRACTION SENT** - Formal retraction request submitted to provider +- **RETRACTED** - Provider confirmed retraction—takedown reversed ## What Makes Takedowns Effective - - - **Proper authorization and evidence** - - Effective takedowns require: - - Power of Attorney (POA) authorizing action - - Trademark registration documents - - Clear evidence of abuse or impersonation - - Authorized representative details - - - ChainPatrol handles all legal documentation and submission on your behalf. - - - - - **Established communication channels** - - We maintain relationships with 100+ providers: - - Known abuse contact information - - Established reporting procedures - - Track record of successful takedowns - - Understanding of each provider's requirements - - - - **Continuous monitoring and escalation** - - We don't just submit and forget: - - Regular status checks - - Follow-up communications - - Escalation when needed - - Alternative approaches if initial request fails - - - - **Comprehensive documentation** - - Each takedown includes: - - Screenshots of malicious content - - Technical metadata (hosting, DNS, etc.) - - Timeline of activity - - User reports and impact evidence - - - -## Takedown Workflow - -```mermaid -flowchart TD - Asset[Asset Blocked] --> Check{Takedown
Service
Enabled?} - - Check -->|No| End1[No Takedown] - Check -->|Yes| Create[Create Takedown] - - Create --> TODO[Status: TODO] - TODO --> Assign[Assign Provider] - Assign --> Submit[Submit Request] - - Submit --> InProgress[Status: IN PROGRESS] - InProgress --> Monitor[Monitor & Follow Up] - - Monitor --> Response{Provider
Response?} - - Response -->|Content Removed| Complete[Status: COMPLETED] - Response -->|Invalid Request| Cancel[Status: CANCELED] - Response -->|False Positive| Retract[Retraction Process] - Response -->|No Response| Escalate[Escalate] - - Escalate --> Monitor - Retract --> Retracted[Status: RETRACTED] - - style Create fill:#3b82f6 - style InProgress fill:#8b5cf6 - style Monitor fill:#f59e0b - style Complete fill:#10b981 - style Cancel fill:#ef4444 - style Retracted fill:#10b981 -``` +**Legal Documentation** - Effective takedowns require Power of Attorney (POA) authorizing action, trademark registration documents, clear evidence of abuse or impersonation, and authorized representative details. ChainPatrol handles all legal documentation and submission on your behalf. + +**Provider Relationships** - We maintain relationships with 100+ providers with known abuse contact information, established reporting procedures, track record of successful takedowns, and understanding of each provider's requirements. + +**Persistent Follow-Up** - We don't just submit and forget. We perform regular status checks, follow-up communications, escalation when needed, and alternative approaches if initial request fails. + +**Evidence Collection** - Each takedown includes screenshots of malicious content, technical metadata (hosting, DNS, etc.), timeline of activity, and user reports and impact evidence. --- ## Key Takeaways - - - Takedowns are official requests to remove content - - - - Sent to hosting, social media, app stores, and more - - - - Removes impersonation, scams, and trademark abuse - - - - From TODO to COMPLETED with full visibility - - - - Works alongside blocklists for comprehensive protection - - - - Requires proper authorization and evidence - - - - Established channels with 100+ providers - - - - Continuous monitoring until completion - - +- **Formal Removal Request** - Takedowns are official requests to remove content +- **Multiple Platforms** - Sent to hosting, social media, app stores, and more +- **Brand Protection** - Removes impersonation, scams, and trademark abuse +- **Lifecycle Tracking** - From TODO to COMPLETED with full visibility +- **Complement to Blocklisting** - Works alongside blocklists for comprehensive protection +- **Legal Documentation** - Requires proper authorization and evidence +- **Provider Relationships** - Established channels with 100+ providers +- **Persistent Follow-Up** - Continuous monitoring until completion --- diff --git a/concepts/watchlist.mdx b/concepts/watchlist.mdx index 77b504d..b2e797e 100644 --- a/concepts/watchlist.mdx +++ b/concepts/watchlist.mdx @@ -15,223 +15,62 @@ Think of the watchlist as a "middle ground" between blocking and allowing—asse Assets are added to the watchlist for two primary reasons: - - - **When we can't make a clear determination** - - Sometimes when we process an asset to see if it's malicious, we don't find enough red flags to block the asset, but we also don't find enough green flags to allow the asset. - - ### The Gray Area - - - - - Insufficient evidence of malicious intent - - Weak or ambiguous threat indicators - - Could be legitimate but suspicious - - - - - Asset isn't clearly official or trusted - - Some concerning patterns detected - - Uncertainty about legitimacy - - - - ### What We Do - - In this situation, if we suspect that the asset may become malicious in the future, we keep tabs on the asset to see if it changes. - - **We can act and remove the asset from the watchlist when:** - - - - Asset starts showing definitive malicious behavior or content - - - - Asset is confirmed as official or safe - - - - Asset goes offline, gets suspended, or undergoes significant changes - - - - ### Common Scenarios - - - - **Scenario:** Domain is registered but shows only a parking page - - **Why watchlist:** - - Domain name is suspicious (contains brand name + "airdrop") - - No active content to analyze yet - - May become malicious when content is added - - **What we monitor:** - - When content appears - - What type of content is added - - Whether it becomes a phishing site - - - - **Scenario:** Website or profile is currently offline - - **Why watchlist:** - - URL structure suggests brand impersonation - - Can't analyze content that doesn't exist - - May come online with malicious content - - **What we monitor:** - - When it comes back online - - What content appears - - Whether it impersonates your brand - - - - **Scenario:** Asset has some concerning elements but unclear intent - - **Why watchlist:** - - Uses brand-related keywords but purpose is unclear - - Design has some similarities but not exact copy - - Could be legitimate or could be preparing for scam - - **What we monitor:** - - Content changes over time - - Addition of phishing forms or wallet drainers - - Clarification of intent - - - - - - **Tracking takedown progress** - - When we start the takedown process, we want to make sure that we keep tabs on the asset in order to determine when the takedown has been completed. - - ### Automatic Watchlisting - - - We place every asset onto the watchlist when the takedown is in progress. - - - **Why this matters:** - - - - Continuous scanning to detect when asset goes offline - - - - Automatically mark takedown as complete when asset is inaccessible - - - - No manual checking required for takedown status - - - - Immediate notification when takedown succeeds - - - - ### The Takedown Monitoring Flow - - - - Takedown request submitted to hosting provider or platform - - - - Asset automatically added to watchlist for monitoring - - - - Asset is scanned periodically to check liveness status - - - - Asset goes offline, gets suspended, or becomes inaccessible - - - - Takedown marked as complete, asset removed from watchlist - - - - ### What We Monitor - - - - - Is the asset still accessible? - - HTTP status codes (404, 403, etc.) - - DNS resolution failures - - Server responses - - - - - "Suspended by provider" messages - - Account termination notices - - Content removal confirmations - - Domain suspension indicators - - - - - Malicious content removed - - Page replaced with error message - - Redirect to different content - - Complete site removal - - - - - This allows us to monitor the asset and see if it goes offline, at which point we can take the asset off of the watchlist. - - - +### Inconclusive Evidence + +Sometimes when we process an asset to see if it's malicious, we don't find enough red flags to block the asset, but we also don't find enough green flags to allow the asset. + +**The Gray Area:** + +- **Not Enough to Block** - Insufficient evidence of malicious intent, weak or ambiguous threat indicators, could be legitimate but suspicious +- **Not Enough to Allow** - Asset isn't clearly official or trusted, some concerning patterns detected, uncertainty about legitimacy + +In this situation, if we suspect that the asset may become malicious in the future, we keep tabs on the asset to see if it changes. + +We can act and remove the asset from the watchlist when it becomes clearly malicious, becomes clearly legitimate, or changes status (goes offline, gets suspended, or undergoes significant changes). + +**Common Scenarios:** + +**Parking Page** - Domain is registered but shows only a parking page. The domain name is suspicious (contains brand name + "airdrop") but there's no active content to analyze yet. We monitor when content appears and what type of content is added. + +**Dead Asset** - Website or profile is currently offline. The URL structure suggests brand impersonation but we can't analyze content that doesn't exist. We monitor when it comes back online and what content appears. + +**Ambiguous Content** - Asset has some concerning elements but unclear intent. Uses brand-related keywords but purpose is unclear, design has some similarities but not exact copy. We monitor content changes over time and addition of phishing forms or wallet drainers. + +### Monitoring for Takedowns + +When we start the takedown process, we want to make sure that we keep tabs on the asset in order to determine when the takedown has been completed. + +We place every asset onto the watchlist when the takedown is in progress. This enables automated monitoring (continuous scanning to detect when asset goes offline), completion detection (automatically mark takedown as complete when asset is inaccessible), resource efficiency (no manual checking required for takedown status), and faster response (immediate notification when takedown succeeds). + +**The Takedown Monitoring Flow:** + +1. Takedown request submitted to hosting provider or platform +2. Asset automatically added to watchlist for monitoring +3. Asset is scanned periodically to check liveness status +4. Asset goes offline, gets suspended, or becomes inaccessible +5. Takedown marked as complete, asset removed from watchlist + +**What We Monitor:** + +- **Liveness Status** - Is the asset still accessible, HTTP status codes, DNS resolution failures, server responses +- **Provider Actions** - "Suspended by provider" messages, account termination notices, content removal confirmations, domain suspension indicators +- **Content Changes** - Malicious content removed, page replaced with error message, redirect to different content, complete site removal + +This allows us to monitor the asset and see if it goes offline, at which point we can take the asset off of the watchlist. ## Who Would Watchlist Something? Watchlisting can be done either manually or automatically: - - - **By analysts during review** - - - When an analyst reviews a reported asset and encounters inconclusive evidence, they can manually add it to the watchlist. - - - **Decision factors:** - - Threat indicators present but not conclusive - - Asset appears suspicious but needs more time to develop - - Waiting for asset to become accessible - - Need to observe behavior over time - - **Who can do this:** - - ChainPatrol security analysts - - Customer administrators (for their organization) - - Trusted reviewers - - - - **During takedown process** - - - Every asset is automatically added to the watchlist when a takedown is initiated. - - - **Triggers:** - - Takedown request submitted - - Takedown status changes to "IN_PROGRESS" - - Asset needs monitoring for completion - - **No manual intervention required:** - - System automatically adds to watchlist - - Monitoring begins immediately - - Removal happens automatically when offline - - +### Manual Watchlisting + +When an analyst reviews a reported asset and encounters inconclusive evidence, they can manually add it to the watchlist. Decision factors include threat indicators present but not conclusive, asset appears suspicious but needs more time to develop, waiting for asset to become accessible, and need to observe behavior over time. + +Who can do this: ChainPatrol security analysts, customer administrators (for their organization), and trusted reviewers. + +### Automatic Watchlisting + +Every asset is automatically added to the watchlist when a takedown is initiated. Triggers include takedown request submitted, takedown status changes to "IN_PROGRESS", and asset needs monitoring for completion. No manual intervention required—system automatically adds to watchlist, monitoring begins immediately, and removal happens automatically when offline. ## How the Watchlist Works @@ -239,148 +78,59 @@ Watchlisting can be done either manually or automatically: Assets on the watchlist are scanned at different frequencies based on how long they've been monitored and their current status: - - - **More frequent monitoring for uncertain assets** - - | Time on Watchlist | Scan Frequency | - |-------------------|----------------| - | < 6 hours | Hourly | - | < 24 hours | Every 2 hours | - | < 2 days | Every 4 hours | - | < 7 days | Every 6 hours | - | < 2 weeks | Every 12 hours | - | < 1 month | Daily | - | < 2 months | Every 2 days | - | > 2 months | Every 4 days | - - - Frequent early scans catch rapid changes; frequency decreases if asset remains stable. - - - - - **Less frequent monitoring for blocked assets** - - | Time on Watchlist | Scan Frequency | - |-------------------|----------------| - | < 6 hours | Every 3 hours | - | < 24 hours | Every 6 hours | - | < 2 days | Every 12 hours | - | < 7 days | Every 18 hours | - | < 2 weeks | Every 36 hours | - | < 1 month | Every 3 days | - | < 2 months | Every 6 days | - | > 2 months | Every 12 days | - - - Blocked assets are already protected, so monitoring focuses on confirming takedown success. - - - +**UNKNOWN/ALLOWED Assets** (more frequent monitoring for uncertain assets): + +| Time on Watchlist | Scan Frequency | +|-------------------|----------------| +| < 6 hours | Hourly | +| < 24 hours | Every 2 hours | +| < 2 days | Every 4 hours | +| < 7 days | Every 6 hours | +| < 2 weeks | Every 12 hours | +| < 1 month | Daily | +| < 2 months | Every 2 days | +| > 2 months | Every 4 days | + +Frequent early scans catch rapid changes; frequency decreases if asset remains stable. + +**BLOCKED Assets** (less frequent monitoring): + +| Time on Watchlist | Scan Frequency | +|-------------------|----------------| +| < 6 hours | Every 3 hours | +| < 24 hours | Every 6 hours | +| < 2 days | Every 12 hours | +| < 7 days | Every 18 hours | +| < 2 weeks | Every 36 hours | +| < 1 month | Every 3 days | +| < 2 months | Every 6 days | +| > 2 months | Every 12 days | + +Blocked assets are already protected, so monitoring focuses on confirming takedown success. ### Removal from Watchlist Assets are automatically removed from the watchlist when: - - - Asset confirmed as legitimate - - - - Dead asset becomes accessible (pushed to review queue) - - - - Decay factor removes long-term uncertain assets - - - - Asset goes offline during takedown - - - - Hosting provider suspends the asset - - - - Analyst decides monitoring is no longer needed - - - -## Watchlist Workflow - -```mermaid -flowchart TD - Review[Asset Review] --> Decision{Clear
Decision?} - Takedown[Takedown Initiated] --> AutoWatch[Auto-Add to Watchlist] - - Decision -->|Yes - Block| Block[Block Asset] - Decision -->|Yes - Allow| Allow[Allow Asset] - Decision -->|No - Unclear| ManualWatch[Add to Watchlist] - - ManualWatch --> Monitor[Periodic Monitoring] - AutoWatch --> Monitor - - Monitor --> Check{Status
Change?} - - Check -->|Becomes Malicious| Block - Check -->|Becomes Legitimate| Allow - Check -->|Goes Offline| Complete[Takedown Complete] - Check -->|30 Days UNKNOWN| Remove[Remove from Watchlist] - Check -->|No Change| Monitor - - Block --> RemoveWatch[Remove from Watchlist] - Allow --> RemoveWatch - Complete --> RemoveWatch - Remove --> RemoveWatch - - style Review fill:#3b82f6 - style Takedown fill:#8b5cf6 - style Monitor fill:#f59e0b - style Block fill:#ef4444 - style Allow fill:#10b981 - style Complete fill:#10b981 -``` +- **Status Changes to ALLOWED** - Asset confirmed as legitimate +- **Asset Comes Online** - Previously dead asset becomes accessible (pushed to review queue) +- **30 Days in UNKNOWN** - Decay factor removes long-term uncertain assets +- **Takedown Success** - Asset goes offline during takedown +- **Provider Suspension** - Hosting provider suspends the asset +- **Manual Removal** - Analyst decides monitoring is no longer needed --- ## Key Takeaways - - - Watchlist is for assets between blocking and allowing - - - - Inconclusive evidence and takedown monitoring - - - - Scan frequency adjusts based on time and status - - - - All takedown assets are automatically watchlisted - - - - Analysts can watchlist during inconclusive reviews - - - - Assets leave watchlist when status becomes clear - - - - Long-term uncertain assets are eventually removed - - - - Regular checks detect changes and completion - - +- **Middle Ground** - Watchlist is for assets between blocking and allowing +- **Two Main Purposes** - Inconclusive evidence and takedown monitoring +- **Adaptive Monitoring** - Scan frequency adjusts based on time and status +- **Automatic for Takedowns** - All takedown assets are automatically watchlisted +- **Manual for Review** - Analysts can watchlist during inconclusive reviews +- **Multiple Exit Paths** - Assets leave watchlist when status becomes clear +- **Time-Based Decay** - Long-term uncertain assets are eventually removed +- **Continuous Scanning** - Regular checks detect changes and completion --- diff --git a/getting-started/how-it-works/asset-scans.mdx b/getting-started/how-it-works/asset-scans.mdx index 6f5afd2..c2b2068 100644 --- a/getting-started/how-it-works/asset-scans.mdx +++ b/getting-started/how-it-works/asset-scans.mdx @@ -15,203 +15,97 @@ Asset scans solve a simple problem: the internet changes constantly, attackers i ChainPatrol supports many asset types across the digital landscape: - - - URLs and hosted pages (including redirect chains and landing pages) - - - - Twitter/X, Telegram, YouTube, Reddit, Medium, Farcaster, and more - - - - Google Play, Apple App Store, Mozilla Add-ons, and other marketplaces - - - - Normalized contract/address identifiers (e.g., CAIP-2 style) with chain context - - +- **Web Properties** - URLs and hosted pages (including redirect chains and landing pages) +- **Social & Content Profiles** - Twitter/X, Telegram, YouTube, Reddit, Medium, Farcaster, and more +- **App Listings & Extensions** - Google Play, Apple App Store, Mozilla Add-ons, and other marketplaces +- **Crypto Addresses** - Normalized contract/address identifiers (e.g., CAIP-2 style) with chain context ## Asset vs. Asset Scan Understanding the difference is key to how our monitoring works: - - - An **asset** is the thing itself—a URL, handle, listing, or address. - - Example: `https://fake-metamask.com` - - - - An **asset scan** is a **time-stamped snapshot** of that asset. The same asset may be scanned many times, and scans form a timeline of changes. - - Example: Scan #1 (Jan 1), Scan #2 (Jan 3), Scan #3 (Jan 5) - - - - +**Asset** - An asset is the thing itself—a URL, handle, listing, or address. Example: `https://fake-metamask.com` + +**Asset Scan** - An asset scan is a time-stamped snapshot of that asset. The same asset may be scanned many times, and scans form a timeline of changes. Example: Scan #1 (Jan 1), Scan #2 (Jan 3), Scan #3 (Jan 5) + Multiple scans of the same asset create a historical timeline, allowing us to track changes, detect when threats go live or are taken down, and monitor asset behavior over time. - ## When Scans Run Scans are triggered in three main ways: - - - Scans run automatically in several scenarios: - - - When ChainPatrol detection sources surface something relevant - - When an asset is added (e.g., via report, onboarding, or API ingestion) - - During **watchlist monitoring**, where assets are rescanned on a schedule that adapts over time: - - More frequent early on - - Less frequent as an asset stays stable - - Blocked assets may be scanned less often to reduce noise - - - - Manual or API-triggered scans: - - - When a team member triggers a rescan from the UI - - When your systems submit assets via API - - - - For certain platform-hosted assets (e.g., specific site builders or marketplaces), ChainPatrol periodically re-checks whether a previously-blocked asset is still reachable. - - +**Automatically** - Scans run when ChainPatrol detection sources surface something relevant, when an asset is added (e.g., via report, onboarding, or API ingestion), and during watchlist monitoring where assets are rescanned on a schedule that adapts over time (more frequent early on, less frequent as an asset stays stable, blocked assets scanned less often to reduce noise). + +**On Demand** - Manual or API-triggered scans occur when a team member triggers a rescan from the UI or when your systems submit assets via API. + +**Ongoing Liveness Checks** - For certain platform-hosted assets (e.g., specific site builders or marketplaces), ChainPatrol periodically re-checks whether a previously-blocked asset is still reachable. ## How Scans Work Our scanning process follows a systematic approach to evaluate threats efficiently and accurately: - - - We normalize the input (e.g., resolve canonical URLs or identifiers), create a scan record, and run a first pass of checks that don't require external enrichment. - - - - Depending on asset type, we collect relevant data: - - **Web URL / Page Enrichments:** - - HTTP fetch results (status, redirects, extracted links, basic metadata like title/description) - - Optional browser capture (screenshot/DOM signals when available) - - Network and registration context (e.g., DNS, TLS, WHOIS/RDAP when enabled) - - **Platform/API Enrichments:** - - Profile/listing details (descriptions, author/publisher fields, follower/engagement signals, etc.) - - - Some enrichments run only when earlier signals suggest elevated risk to keep scans efficient. - - - - - We evaluate the asset using rules and AI/ML signals for patterns like phishing, impersonation, and scam mechanics. This includes both content-based and visual/behavioral indicators when available. - - - - Each scan is tagged with **labels** and produces **scores** for prioritization: - - **Common Labels:** - - Captcha detected - - Parked domain - - Provider suspended - - Brand impersonation - - Wallet drainer detected - - **Liveness Status:** - - **ALIVE** - Asset is active and accessible - - **DEAD** - Asset is no longer reachable - - **UNKNOWN** - Inconclusive (not "safe") - - - - For supported web and social surfaces, scans can extract outbound links and redirects to help you trace related infrastructure and uncover threat networks. - - +1. **Normalize and Prepare** - We normalize the input (e.g., resolve canonical URLs or identifiers), create a scan record, and run a first pass of checks that don't require external enrichment. + +2. **Enrich with Context** - Depending on asset type, we collect relevant data: + + **Web URL / Page Enrichments:** + - HTTP fetch results (status, redirects, extracted links, basic metadata like title/description) + - Optional browser capture (screenshot/DOM signals when available) + - Network and registration context (e.g., DNS, TLS, WHOIS/RDAP when enabled) + + **Platform/API Enrichments:** + - Profile/listing details (descriptions, author/publisher fields, follower/engagement signals, etc.) + + + Some enrichments run only when earlier signals suggest elevated risk to keep scans efficient. + + +3. **Security Analysis** - We evaluate the asset using rules and AI/ML signals for patterns like phishing, impersonation, and scam mechanics. This includes both content-based and visual/behavioral indicators when available. + +4. **Labels, Scores, and Liveness** - Each scan is tagged with labels and produces scores for prioritization: + + **Common Labels:** + - Captcha detected + - Parked domain + - Provider suspended + - Brand impersonation + - Wallet drainer detected + + **Liveness Status:** + - **ALIVE** - Asset is active and accessible + - **DEAD** - Asset is no longer reachable + - **UNKNOWN** - Inconclusive (not "safe") + +5. **Relationship Discovery** - For supported web and social surfaces, scans can extract outbound links and redirects to help you trace related infrastructure and uncover threat networks. ## How Scan Results Are Used - - - Scans provide evidence (metadata, redirects, links, screenshots) so reviewers can decide to block, allow, investigate further, or initiate takedowns - - - - High-risk scans feed detection workflows and monitoring pipelines; actions vary by configuration and policy - - - - Watchlist and liveness workflows keep your monitoring set current and highlight meaningful changes over time - - +- **Triage and Review** - Scans provide evidence (metadata, redirects, links, screenshots) so reviewers can decide to block, allow, investigate further, or initiate takedowns +- **Detections & Automation** - High-risk scans feed detection workflows and monitoring pipelines; actions vary by configuration and policy +- **Monitoring Hygiene** - Watchlist and liveness workflows keep your monitoring set current and highlight meaningful changes over time ## What You See in the Product Our platform provides comprehensive visibility into scan results and asset history: - - - A complete history of scans for each asset, including: - - Liveness status changes - - Notable changes in content or behavior - - Risk score evolution - - Label additions/removals - - - - Deep dive into individual scans with: - - Evidence artifacts (screenshots, metadata) - - Applied labels and their sources - - Scoring signals and rule matches - - Enrichment data (redirects, links, network info) - - - - High-level overview showing: - - Recent activity and new threats - - Top-risk assets requiring attention - - Monitoring coverage across platforms - - Trend analysis over time - - - - Actionable insights including: - - Scan volume and frequency - - Detection speed metrics - - Number of risky assets still live - - Takedown success rates - - +**Per-Asset Timeline** - A complete history of scans for each asset, including liveness status changes, notable changes in content or behavior, risk score evolution, and label additions/removals. + +**Scan Detail Views** - Deep dive into individual scans with evidence artifacts (screenshots, metadata), applied labels and their sources, scoring signals and rule matches, and enrichment data (redirects, links, network info). + +**Org/Brand Dashboards** - High-level overview showing recent activity and new threats, top-risk assets requiring attention, monitoring coverage across platforms, and trend analysis over time. + +**Reporting & Metrics** - Actionable insights including scan volume and frequency, detection speed metrics, number of risky assets still live, and takedown success rates. --- ## Scan Efficiency & Scale - - - Adaptive scan frequency based on asset risk and stability - - - - Deep analysis triggered only when risk signals warrant it - - - - Multiple assets scanned simultaneously for faster coverage - - - - Timeline-based analysis to detect behavioral changes - - - - +- **Smart Scheduling** - Adaptive scan frequency based on asset risk and stability +- **Selective Enrichment** - Deep analysis triggered only when risk signals warrant it +- **Parallel Processing** - Multiple assets scanned simultaneously for faster coverage +- **Historical Context** - Timeline-based analysis to detect behavioral changes + Our scanning infrastructure processes thousands of assets daily, providing real-time threat intelligence while maintaining accuracy and minimizing false positives. - --- diff --git a/getting-started/how-it-works/blocklist.mdx b/getting-started/how-it-works/blocklist.mdx index f12e76e..86c7e0f 100644 --- a/getting-started/how-it-works/blocklist.mdx +++ b/getting-started/how-it-works/blocklist.mdx @@ -11,23 +11,10 @@ The ChainPatrol Blocklist is a continuously updated list of **350,000+ malicious ### Key Features - - - Combines threat intelligence from 100+ organizations using ChainPatrol - - - - Assets blocklisted and distributed in 15-30 minutes after confirmation - - - - Available via public API to maximize distribution and protection - - - - Automatically distributed to wallets, browsers, and security tools - - +- **Global Coverage** - Combines threat intelligence from 100+ organizations using ChainPatrol +- **Rapid Response** - Assets blocklisted and distributed in 15-30 minutes after confirmation +- **Freely Accessible** - Available via public API to maximize distribution and protection +- **20+ Integrations** - Automatically distributed to wallets, browsers, and security tools Traditional takedown processes take hours or days. ChainPatrol provides protection in **15-30 minutes**. @@ -37,252 +24,103 @@ Traditional takedown processes take hours or days. ChainPatrol provides protecti Assets are added to the blocklist through a rigorous review process: - - - Potential threats are identified through automated detection, community reports, or partner submissions - - - - Our AI-powered scanning engine analyzes assets using 50+ detection rules - - - - A BLOCK proposal is created and reviewed by our security team - - - - After review approval, the asset status changes to BLOCKED - - - - The blocked asset is automatically submitted to our integration partners - - - - +1. **Detection** - Potential threats are identified through automated detection, community reports, or partner submissions +2. **Analysis** - Our AI-powered scanning engine analyzes assets using 50+ detection rules +3. **Review** - A BLOCK proposal is created and reviewed by our security team +4. **Approval** - After review approval, the asset status changes to BLOCKED +5. **Distribution** - The blocked asset is automatically submitted to our integration partners + Only assets that pass through this review and approval process are added to the blocklist. - ## Blocklist Integrations ChainPatrol's blocklist is integrated with 20+ wallets, browsers, and security platforms: - - - - - Protects Chrome, Safari, Edge, and Firefox users - - - - Network-level protection for enterprises - - - - - - **Major Integrations:** - - - - Direct integration via Eth-Phishing-Detect - - - - Real-time API integration - - - - Via multiple blocklist sources - - - - Via WalletConnect and direct APIs - - - - Via multiple blocklist sources - - - - Via blocklist APIs - - - - Real-time API protecting 20+ wallets - - - - - And 15+ additional wallet providers - - - - - - - Security Alliance's information sharing network - - - - Cryptocurrency industry threat sharing - - - - Ethereum ecosystem blocklist (ChainPatrol is a core contributor) - - - - Cross-chain with Polkadot ecosystem - - - - - - - - Content moderation API - - - - Governance platform protection - - - - Custom integrations for enterprise customers - - - - +### Browser Security + +- **Google Safe Browsing** - Protects Chrome, Safari, Edge, and Firefox users +- **Cloudflare Gateway** - Network-level protection for enterprises + +### Wallet Providers + +Major integrations include: + +- **MetaMask** - Direct integration via Eth-Phishing-Detect +- **Phantom** - Real-time API integration +- **Coinbase Wallet** - Via multiple blocklist sources +- **Rainbow Wallet** - Via WalletConnect and direct APIs +- **Trust Wallet** - Via multiple blocklist sources +- **Ledger Live** - Via blocklist APIs +- **WalletConnect** - Real-time API protecting 20+ wallets + +And 15+ additional wallet providers. + +### Threat Intelligence + +- **SEAL-ISAC** - Security Alliance's information sharing network +- **Crypto-ISAC** - Cryptocurrency industry threat sharing +- **Eth-Phishing-Detect** - Ethereum ecosystem blocklist (ChainPatrol is a core contributor) +- **Polkadot Phishing List** - Cross-chain with Polkadot ecosystem + +### Applications & Services + +- **Polymarket** - Content moderation API +- **Snapshot** - Governance platform protection +- **Enterprise Custom** - Custom integrations for enterprise customers ## Accessing the Blocklist - - - Your organization's blocklist page shows all assets that have been added to the blocklist by your team: - - - - Access the **Blocklist** section in your organization dashboard - - - - View assets filtered by type, date, and status - - - - Search for specific assets or domains - - - - Export blocklist data as a CSV file for reporting purposes - - - - - - The blocklist is publicly accessible via our API and SDK. - - - - Learn how to access the blocklist via REST API - - - - Use our JavaScript SDK for easy integration - - - - +### Web Dashboard + +Your organization's blocklist page shows all assets that have been added to the blocklist by your team: + +1. Access the **Blocklist** section in your organization dashboard +2. View assets filtered by type, date, and status +3. Search for specific assets or domains +4. Export blocklist data as a CSV file for reporting purposes + +### API Access + +The blocklist is publicly accessible via our API and SDK. + +- [API Documentation](/external-api/overview) - Learn how to access the blocklist via REST API +- [SDK Documentation](/sdk/overview) - Use our JavaScript SDK for easy integration ## False Positives We take false positives seriously. If you believe an asset has been incorrectly blocklisted: - - - If your legitimate website or asset has been blocklisted: - - - - Visit [chainpatrol.com/dispute](https://chainpatrol.com/dispute) to submit a dispute - - - - Include documentation proving your asset is legitimate: - - Business registration - - Domain age and history - - Verified social media accounts - - SSL certificates - - Other legitimacy indicators - - - - Our team will review your dispute within 24 hours - - - - If approved, your asset will be removed from the blocklist and marked as ALLOWED - - - - - - If you've reported an asset that turns out to be legitimate: - - - - Find the asset's report in your dashboard - - - - Create an ALLOW proposal with your reasoning - - - - Our team will review and update the status if appropriate - - - - - - +### For Asset Owners + +If your legitimate website or asset has been blocklisted: + +1. **Submit a Dispute** - Visit [chainpatrol.com/dispute](https://chainpatrol.com/dispute) to submit a dispute +2. **Provide Evidence** - Include documentation proving your asset is legitimate (business registration, domain age and history, verified social media accounts, SSL certificates, other legitimacy indicators) +3. **Review Process** - Our team will review your dispute within 24 hours +4. **Resolution** - If approved, your asset will be removed from the blocklist and marked as ALLOWED + +### For ChainPatrol Users + +If you've reported an asset that turns out to be legitimate: + +1. Find the asset's report in your dashboard +2. Create an ALLOW proposal with your reasoning +3. Our team will review and update the status if appropriate + When an asset is removed from the blocklist, the update is distributed to all integration partners within the same **15-30 minute timeframe**. - ## Blocklist Distribution When an asset is blocklisted, it's automatically distributed to multiple platforms: - - - All asset types eligible for browser protection - - - - URLs hosted on 50+ hosting providers (Vercel, Cloudflare, AWS, etc.) - - - - All URL and domain assets - - - - Ethereum-related phishing sites - - - - Cross-network phishing domains - - - - Real-time API updates to wallet providers - - +- **Google Safe Browsing** - All asset types eligible for browser protection +- **SEAL-ISAC** - URLs hosted on 50+ hosting providers (Vercel, Cloudflare, AWS, etc.) +- **Crypto-ISAC** - All URL and domain assets +- **Eth-Phishing-Detect** - Ethereum-related phishing sites +- **Polkadot Phishing** - Cross-network phishing domains +- **Direct Partners** - Real-time API updates to wallet providers - Distribution happens automatically through our integration workflows. There's no manual step required. - In the case of a false positive, we will submit retraction requests for ChainPatrol's submissions to these partners. @@ -294,45 +132,20 @@ Traditional cybersecurity relies on **takedowns** — requesting hosting provide ### Traditional Takedown Timeline - - - 4-48 hours for takedown - - - - 24-72 hours for takedown - - - - Some providers never respond - - +- **Hosting Provider** - 4-48 hours for takedown +- **Domain Registrar** - 24-72 hours for takedown +- **No Response** - Some providers never respond ### ChainPatrol's Blocklist Approach ChainPatrol provides **immediate protection** by: - - - Block access at the browser and wallet level - - - - Protect users even if the site remains online - - - - Works across all hosting providers and jurisdictions - - - - Users protected in minutes, not days - - - - +- **Browser & Wallet Blocking** - Block access at the browser and wallet level +- **Always-On Protection** - Protect users even if the site remains online +- **Universal Coverage** - Works across all hosting providers and jurisdictions +- **15-30 Minute Response** - Users protected in minutes, not days + This **"blocklist-first, takedown-second"** approach means users are protected within minutes, not days. - --- diff --git a/getting-started/how-it-works/detection-sources.mdx b/getting-started/how-it-works/detection-sources.mdx index 2e1372b..f82dc40 100644 --- a/getting-started/how-it-works/detection-sources.mdx +++ b/getting-started/how-it-works/detection-sources.mdx @@ -11,35 +11,13 @@ Detection sources operate on automated schedules, running searches across variou ### The Detection Flow - - - Each detection source runs on a predefined schedule (e.g., every 15 minutes, hourly, daily) - - - - The source searches its platform (ex. Twitter, Google Ads, Reddit) using your organization's keywords and monitoring rules - - - - Matching results are collected as potential threats - - - - Discovered assets are automatically submitted to the threat detection system - - - - Assets are scanned, enriched with additional data, and evaluated by the rules engine - - - - A threat score is calculated based on multiple detection rules - - - - If the score exceeds your organization's detection thresholds, the threat can be automatically reported or flagged for review - - +1. **Scheduled Execution** - Each detection source runs on a predefined schedule (e.g., every 15 minutes, hourly, daily) +2. **Platform Scanning** - The source searches its platform (ex. Twitter, Google Ads, Reddit) using your organization's keywords and monitoring rules +3. **Asset Discovery** - Matching results are collected as potential threats +4. **Automatic Processing** - Discovered assets are automatically submitted to the threat detection system +5. **Enrichment & Analysis** - Assets are scanned, enriched with additional data, and evaluated by the rules engine +6. **Threat Scoring** - A threat score is calculated based on multiple detection rules +7. **Action Taken** - If the score exceeds your organization's detection thresholds, the threat can be automatically reported or flagged for review ## Available Detection Sources @@ -47,145 +25,75 @@ Detection sources operate on automated schedules, running searches across variou ChainPatrol supports **28 different detection sources** across multiple categories - - - Monitor search results for phishing sites and scam pages. - - - - Scans Google search results - - - - Monitors Bing search results - - - - Tracks Yahoo search results - - - - Monitors DuckDuckGo search results - - - - Monitors Google Ads for malicious content - - - - - - Track social media for impersonation accounts and fraudulent posts. - - - - - **Twitter Post Search** - Searches Twitter posts for threats - - **Twitter User Search** - Monitors Twitter user profiles - - **Twitter Profile Monitoring** - Tracks replies on posts from specific Twitter profiles - - - - - **Reddit Subreddit Search** - Searches for Reddit communities by name - - - - - **YouTube Search** - Searches YouTube videos and channels - - - - - **Medium Tag RSS** - Monitors Medium articles by tags - - - - - **Telegram Channels Search** - Searches for Telegram channels - - **Telegram User Search** - Searches for Telegram user accounts - - - - - **TikTok Video Search** - Searches TikTok videos - - **TikTok User Search** - Searches TikTok user profiles - - - - - - Monitor mobile app stores and browser extension marketplaces. - - - - Monitors Google Play Store apps - - - - Tracks iOS App Store applications - - - - Monitors Firefox browser extensions - - - - - - Specialized sources for cryptocurrency and blockchain threats. - - - Monitors DeFi protocols and tokens for impersonation - - - - - Additional monitoring capabilities for comprehensive protection. - - - - Leverages URLScan.io's database to find threats - - - - Detects typosquatting domains using homoglyph analysis - - - - Monitors certificate transparency logs for newly issued TLS/SSL certificates - - - - Monitors community guestbook submissions - - - - Scans for assets hosted on known malicious IPs - - - - Re-checks existing assets for status changes - - - - Handles external threat submissions via API - - - - +### Search Engines + +Monitor search results for phishing sites and scam pages: + +- **Google Search** - Scans Google search results +- **Bing Search** - Monitors Bing search results +- **Yahoo Search** - Tracks Yahoo search results +- **DuckDuckGo Search** - Monitors DuckDuckGo search results +- **Google Ads Search** - Monitors Google Ads for malicious content + +### Social Media + +Track social media for impersonation accounts and fraudulent posts: + +**Twitter/X Monitoring:** +- Twitter Post Search - Searches Twitter posts for threats +- Twitter User Search - Monitors Twitter user profiles +- Twitter Profile Monitoring - Tracks replies on posts from specific Twitter profiles + +**Reddit Monitoring:** +- Reddit Subreddit Search - Searches for Reddit communities by name + +**YouTube Monitoring:** +- YouTube Search - Searches YouTube videos and channels + +**Medium Monitoring:** +- Medium Tag RSS - Monitors Medium articles by tags + +**Telegram Monitoring:** +- Telegram Channels Search - Searches for Telegram channels +- Telegram User Search - Searches for Telegram user accounts + +**TikTok Monitoring:** +- TikTok Video Search - Searches TikTok videos +- TikTok User Search - Searches TikTok user profiles + +### App Stores + +Monitor mobile app stores and browser extension marketplaces: + +- **Google Play** - Monitors Google Play Store apps +- **Apple App Store** - Tracks iOS App Store applications +- **Mozilla Add-ons** - Monitors Firefox browser extensions + +### Web3 & Blockchain + +Specialized sources for cryptocurrency and blockchain threats: + +- **DexScreener Search** - Monitors DeFi protocols and tokens for impersonation + +### Specialized Sources + +Additional monitoring capabilities for comprehensive protection: + +- **URLScan** - Leverages URLScan.io's database to find threats +- **DNS Twist** - Detects typosquatting domains using homoglyph analysis +- **Certstream** - Monitors certificate transparency logs for newly issued TLS/SSL certificates +- **Guestbook** - Monitors community guestbook submissions +- **Blocked IP Scan** - Scans for assets hosted on known malicious IPs +- **Asset Check** - Re-checks existing assets for status changes +- **External** - Handles external threat submissions via API ## Source Configuration Each detection source can be customized with: - - - Enable or disable sources - - - - Organization or global level - - - - Custom timing and frequency - - +- **Status Options** - Enable or disable sources +- **Scope Settings** - Organization or global level +- **Schedule Configuration** - Custom timing and frequency ### Status Options @@ -196,15 +104,9 @@ Each detection source can be customized with: Detection sources can operate at two levels: - - - Uses your specific keywords and monitoring settings - - - - Runs system-wide monitoring for all organizations - - +**Organization Level** - Uses your specific keywords and monitoring settings + +**Global Level** - Runs system-wide monitoring for all organizations ### Schedule Configuration @@ -221,96 +123,37 @@ Sources run on automated schedules that vary by: ### Setting Up Detection Sources - - - Enable search engines and social media sources first - - - - Add all your brand names, product names, and common misspellings - - - - Add your legitimate domains to reduce false positives - - - - Set appropriate auto-reporting thresholds based on your risk tolerance - - - - Review initial detections to fine-tune your configuration - - +1. **Start with core sources** - Enable search engines and social media sources first +2. **Configure included terms** - Add all your brand names, product names, and common misspellings +3. **Set excluded terms** - Add your legitimate domains to reduce false positives +4. **Adjust thresholds** - Set appropriate auto-reporting thresholds based on your risk tolerance +5. **Monitor results** - Review initial detections to fine-tune your configuration ### Optimizing Detection Coverage - - - Different sources catch different types of threats - - - - Essential if you have mobile applications - - - - Add official Twitter assets to monitor replies - - - - Periodically review and adjust your configuration - - +- **Use Multiple Sources** - Different sources catch different types of threats +- **Monitor App Stores** - Essential if you have mobile applications +- **Add Official Assets** - Add official Twitter assets to monitor replies +- **Regular Reviews** - Periodically review and adjust your configuration ### Managing False Positives - - - Add legitimate mentions to your excluded terms list to filter out false positives - - - - Fine-tune keyword similarity thresholds for token monitoring - - - - Manually review results before enabling automatic actions - - - - Identify rules that generate false positives and adjust accordingly - - +- **Refine Excluded Terms** - Add legitimate mentions to your excluded terms list to filter out false positives +- **Adjust Similarity Thresholds** - Fine-tune keyword similarity thresholds for token monitoring +- **Use Evaluate Status** - Manually review results before enabling automatic actions +- **Review Rules Dashboard** - Identify rules that generate false positives and adjust accordingly ## Performance Considerations - - - Each detection source respects platform-specific rate limits. The system automatically handles rate limiting by: - - - Adjusting request timing - - Batching operations where possible - - Logging when limits are reached - - - Rate limiting ensures compliance with platform APIs while maintaining consistent monitoring coverage. - - - - - Detection sources are optimized for efficiency: - - - Results are processed in batches to avoid overwhelming the system - - Duplicate assets are automatically filtered out - - Sources run in parallel when possible - - Failed detections are logged but don't block other sources - - - Our infrastructure is designed to handle high-volume monitoring without impacting detection speed or accuracy. - - - +### Rate Limits + +Each detection source respects platform-specific rate limits. The system automatically handles rate limiting by adjusting request timing, batching operations where possible, and logging when limits are reached. Rate limiting ensures compliance with platform APIs while maintaining consistent monitoring coverage. + +### Resource Usage + +Detection sources are optimized for efficiency. Results are processed in batches to avoid overwhelming the system, duplicate assets are automatically filtered out, sources run in parallel when possible, and failed detections are logged but don't block other sources. + +Our infrastructure is designed to handle high-volume monitoring without impacting detection speed or accuracy. --- diff --git a/getting-started/how-it-works/how-we-use-ai.mdx b/getting-started/how-it-works/how-we-use-ai.mdx index 05516d9..8369745 100644 --- a/getting-started/how-it-works/how-we-use-ai.mdx +++ b/getting-started/how-it-works/how-we-use-ai.mdx @@ -28,55 +28,26 @@ We've engineered the optimal balance between speed and accuracy: ChainPatrol uses a multi-model approach, combining the best AI technologies for comprehensive threat detection. - - - Advanced text and content analysis - - - - Screenshot comparison and DOM analysis - - - - Specialized Web3 threat detection - - - - Multi-model score aggregation - - +- **Large Language Models** - Advanced text and content analysis +- **Visual & Structural Analysis** - Screenshot comparison and DOM analysis +- **Custom-Trained Models** - Specialized Web3 threat detection +- **Decision Engine** - Multi-model score aggregation ### 1. Large Language Models We leverage state-of-the-art LLMs for content analysis: - - - Analyzes text content, social media posts, and communications to identify phishing language patterns and scam indicators - - - - Enables multi-modal analysis, processing both text and visual content simultaneously for faster, more accurate detection - - +**OpenAI GPT-4** - Analyzes text content, social media posts, and communications to identify phishing language patterns and scam indicators + +**Gemini 2.0** - Enables multi-modal analysis, processing both text and visual content simultaneously for faster, more accurate detection ### 2. Visual & Structural Analysis Phishing sites often look identical to legitimate ones. Our visual AI catches them: - - - Compares screenshots against your legitimate sites to catch pixel-perfect impersonation attempts - - - - Examines DOM structure, code patterns, and page layouts to identify known phishing templates—even when visuals differ - - - - Real-time visual and structural scanning of suspicious URLs - - +1. **Visual Similarity Detection** - Compares screenshots against your legitimate sites to catch pixel-perfect impersonation attempts +2. **Structural Analysis** - Examines DOM structure, code patterns, and page layouts to identify known phishing templates—even when visuals differ +3. **URLScan Integration** - Real-time visual and structural scanning of suspicious URLs ### 3. Custom-Trained Models @@ -90,49 +61,20 @@ Our models are tuned specifically for Web3 threats: Here's what happens when a potential threat is identified: - - - Our engine monitors 50+ platforms 24/7 - - - - Multiple AI models analyze the threat independently - - - - Our decision engine aggregates confidence scores - - - - High-confidence threats are blocked; edge cases go to analysts - - - - Confirmed threats are pushed to all integrated platforms - - +1. **Discovery** - Our engine monitors 50+ platforms 24/7 +2. **Analysis** - Multiple AI models analyze the threat independently +3. **Scoring** - Our decision engine aggregates confidence scores +4. **Action** - High-confidence threats are blocked; edge cases go to analysts +5. **Distribution** - Confirmed threats are pushed to all integrated platforms ### The Decision Engine At the core of our system is a proprietary decision engine that: - - - Aggregates outputs from all AI models - - - - Applies confidence-based scoring - - - - Checks against known threat databases - - - - Makes final disposition in milliseconds - - +- **Model Aggregation** - Aggregates outputs from all AI models +- **Weighted Scoring** - Applies confidence-based scoring +- **Cross-Reference** - Checks against known threat databases +- **Fast Decisions** - Makes final disposition in milliseconds **No single point of failure:** A threat must pass multiple independent checks before being actioned, ensuring accuracy while maintaining speed. @@ -142,28 +84,13 @@ At the core of our system is a proprietary decision engine that: Our AI monitors threats across **50+ platforms**—and we can add new integrations within days. - - - - URLs & Domains - - Web Pages - - Wallet Addresses - - Phone Numbers - - Email Addresses - - Forms & Surveys - - - - Discord • Twitter/X • Telegram • LinkedIn • YouTube • Reddit • TikTok • Instagram • Threads • Medium • WhatsApp • Facebook • Snapchat • Substack - - - - Google Play • Apple App Store • Chrome Web Store • Firefox Add-ons • ChatGPT Plugins • Microsoft Store • Opera Extensions - - - - OpenSea • ENS • IPFS • Farcaster • Blur • Magic Eden • DeBank • Bluesky • Primal • DeSo - - +**Core Detection Types:** URLs & Domains, Web Pages, Wallet Addresses, Phone Numbers, Email Addresses, Forms & Surveys + +**Social & Communication:** Discord, Twitter/X, Telegram, LinkedIn, YouTube, Reddit, TikTok, Instagram, Threads, Medium, WhatsApp, Facebook, Snapchat, Substack + +**App Stores & Extensions:** Google Play, Apple App Store, Chrome Web Store, Firefox Add-ons, ChatGPT Plugins, Microsoft Store, Opera Extensions + +**Web3 Platforms:** OpenSea, ENS, IPFS, Farcaster, Blur, Magic Eden, DeBank, Bluesky, Primal, DeSo **Need coverage for a platform we don't list?** Contact us—new integrations can be added within days. @@ -175,65 +102,33 @@ When our AI detects a threat, it doesn't just sit in a database. We push it dire ### Browser Protection - - Integration means threats are blocked in Chrome, Edge, and Safari—reaching billions of users. We maintain a **68.32% acceptance rate**, among the highest in the industry. - +**Google Safe Browsing** - Integration means threats are blocked in Chrome, Edge, and Safari—reaching billions of users. We maintain a **68.32% acceptance rate**, among the highest in the industry. ### Wallet Protection Direct API integrations with leading wallets provide real-time warnings: - - - Core integration partner - - - - Direct API for Solana ecosystem - - - - Real-time threat API - - - - Ecosystem-wide protection - - +- **MetaMask** - Core integration partner +- **Phantom** - Direct API for Solana ecosystem +- **WalletConnect** - Real-time threat API +- **20+ More Wallets** - Ecosystem-wide protection ### Infrastructure Partners - - - Direct threat reporting for faster takedowns - - - - Moderation API integration - - - - +- **Cloudflare** - Direct threat reporting for faster takedowns +- **Polymarket** - Moderation API integration + **The result:** Threats detected by ChainPatrol can be blocked across the entire Web3 ecosystem within seconds. - ## Continuous Learning & Improvement Our AI gets smarter every day through: - - - Every analyst decision feeds back into our models. When our team reviews edge cases, that knowledge improves future detection accuracy. - - - - We're **core contributors to Eth-Phishing-Detect** with elevated permissions, and active members of **SEAL-ISAC**. This gives us early access to emerging threats and allows us to share our detections with the broader security community. - - - - Our threat database grows daily with new examples, ensuring our models stay ahead of evolving attack techniques. - - +**Human-in-the-Loop Training** - Every analyst decision feeds back into our models. When our team reviews edge cases, that knowledge improves future detection accuracy. + +**Threat Intelligence Networks** - We're core contributors to Eth-Phishing-Detect with elevated permissions, and active members of SEAL-ISAC. This gives us early access to emerging threats and allows us to share our detections with the broader security community. + +**Expanding Datasets** - Our threat database grows daily with new examples, ensuring our models stay ahead of evolving attack techniques. --- diff --git a/getting-started/how-it-works/review.mdx b/getting-started/how-it-works/review.mdx index a364d39..f21dbb4 100644 --- a/getting-started/how-it-works/review.mdx +++ b/getting-started/how-it-works/review.mdx @@ -13,27 +13,12 @@ Each Proposal is evaluated by either human reviewers or our automation, who can ### Proposal Decisions - - - Accepts the Asset's status change and closes the Proposal - - - - Denies the status change and closes the Proposal - - - - Keeps Proposal pending when there's insufficient evidence - - - - Sends to senior team members or customer for additional review - - - - +- **Approve** - Accepts the Asset's status change and closes the Proposal +- **Reject** - Denies the status change and closes the Proposal +- **Skip** - Keeps Proposal pending when there's insufficient evidence +- **Escalate** - Sends to senior team members or customer for additional review + Only **Approve** and **Reject** decisions close out the Proposal. **Skip** and **Escalate** keep the Proposal in `PENDING` status for further evaluation. - ## Automation @@ -43,77 +28,28 @@ Our automated review system handles high-confidence threat detections, allowing Automated review is enabled when specific conditions are met: - - - Reviewing automation only activates for organizations with an active subscription status: - - **Active** - Fully subscribed organization - - **Trial** - Organization in trial period - - **Prospect** - Prospective customer with evaluation access - - - - Automation requires sufficient data about the Asset. Some platforms currently lack adequate information gathering capabilities: - - **Platforms requiring human review:** - - Facebook - - Instagram - - TikTok - - These asset types always require manual evaluation due to limited automated data collection. - - - - Automated review **only** handles Proposals to set an Asset to `BLOCKED` status. - - **Not automated:** - - Proposals to set Assets to `ALLOWED` status - - Proposals to set Assets to `UNKNOWN` status - - +**Organization Requirements** - Reviewing automation only activates for organizations with an active subscription status (Active, Trial, or Prospect). + +**Asset Information Requirements** - Automation requires sufficient data about the Asset. Some platforms currently lack adequate information gathering capabilities. Platforms requiring human review include Facebook, Instagram, and TikTok due to limited automated data collection. + +**Proposal Type Restrictions** - Automated review only handles Proposals to set an Asset to `BLOCKED` status. Proposals to set Assets to `ALLOWED` or `UNKNOWN` status are not automated. ### How Does Automated Review Make a Decision? Our automated review system calculates a **risk score** to determine whether an asset should be approved as malicious. - - - During an Asset Scan, multiple detection rules are executed against the asset - - - - The risk score is a weighted sum of all individual scores from each successful rule execution - - - - The final risk score is compared against our approval threshold (1.0) - - - - Assets meeting the threshold are automatically approved; others are escalated - - +1. **Rule Execution** - During an Asset Scan, multiple detection rules are executed against the asset +2. **Score Calculation** - The risk score is a weighted sum of all individual scores from each successful rule execution +3. **Threshold Evaluation** - The final risk score is compared against our approval threshold (1.0) +4. **Decision** - Assets meeting the threshold are automatically approved; others are escalated #### Risk Score Example - - - **Scenario:** Asset has 10 rules executed - - 6 rules contribute a score of 0.2 each = 1.2 total - - 4 rules contribute a score of 0.1 each = 0.4 total - - **Total Risk Score: 1.6** - - ✅ Since 1.6 ≥ 1.0, the Proposal is **automatically approved** - - - - **Scenario:** Asset has 10 rules executed - - 4 rules contribute a score of 0.1 each = 0.4 total - - 2 rules contribute a score of 0.2 each = 0.4 total - - **Total Risk Score: 0.8** - - ⚠️ Since 0.8 < 1.0, the Proposal is **escalated for human review** - - +**High Risk (Auto-Approved):** +Asset has 10 rules executed. 6 rules contribute a score of 0.2 each (= 1.2 total), 4 rules contribute a score of 0.1 each (= 0.4 total). Total Risk Score: 1.6. Since 1.6 ≥ 1.0, the Proposal is automatically approved. + +**Medium Risk (Escalated):** +Asset has 10 rules executed. 4 rules contribute a score of 0.1 each (= 0.4 total), 2 rules contribute a score of 0.2 each (= 0.4 total). Total Risk Score: 0.8. Since 0.8 < 1.0, the Proposal is escalated for human review. ### Legitimacy Rules @@ -129,129 +65,44 @@ Legitimacy Rules are special detection rules that identify when an asset is **no For a Proposal to be automatically approved, **all** of the following must be true: - - - ✅ Asset must not already be `ALLOWED` - - ✅ Organization must have Reviewing enabled and not be inactive - - ✅ Proposal must be for blocking the Asset (not for allowing) - - ✅ No Legitimacy Rules of "Very High" confidence have passed - - - - At least **one** of the following must be true: - - **Option 1:** Risk Score ≥ 1.0 - - The overall Risk Score of the Asset is at or above 1.0 - - **Option 2:** Trusted Reporter - - The Asset was part of a Report created by a Trusted Reporter - - +**Required Conditions:** +- Asset must not already be `ALLOWED` +- Organization must have Reviewing enabled and not be inactive +- Proposal must be for blocking the Asset (not for allowing) +- No Legitimacy Rules of "Very High" confidence have passed + +**Approval Triggers (at least one must be true):** +- **Option 1:** Risk Score ≥ 1.0 (the overall Risk Score of the Asset is at or above 1.0) +- **Option 2:** Trusted Reporter (the Asset was part of a Report created by a Trusted Reporter) ## Human Review Humans are essential for making decisions about Proposals that fall outside automated approval criteria. - Since automation only handles Proposals to block Assets with a Risk Score ≥ 1.0, human analysts evaluate all other cases. - ### When Humans Are Involved - - - Proposals to Block an Asset with a Risk Score < 1.0 - - - - All Proposals to Allow an Asset - - - - Proposals to set an Asset to Unknown - - +- **Low Risk Blocks** - Proposals to Block an Asset with a Risk Score < 1.0 +- **Allow Proposals** - All Proposals to Allow an Asset +- **Unknown Status** - Proposals to set an Asset to Unknown ### Human Review Process - - - Proposals are routed to appropriate analysts based on expertise and workload - - - - Analysts examine scan results, screenshots, metadata, and context - - - - Using established criteria and guidelines, analysts make Approve/Reject/Skip/Escalate decisions - - - - Decisions feed back into our AI models to improve future automation accuracy - - +1. **Proposal Assignment** - Proposals are routed to appropriate analysts based on expertise and workload +2. **Evidence Review** - Analysts examine scan results, screenshots, metadata, and context +3. **Decision Making** - Using established criteria and guidelines, analysts make Approve/Reject/Skip/Escalate decisions +4. **Quality Assurance** - Decisions feed back into our AI models to improve future automation accuracy ### What Analysts Use to Make Decisions -Our analysts leverage comprehensive data to make informed decisions: - - - - - Screenshots and visual evidence - - Page content and metadata - - Network and infrastructure data - - Historical scan timeline - - - - - Which rules triggered and their confidence levels - - Rule weights and scoring breakdown - - Legitimacy rule results - - - - - Related assets and infrastructure - - Reporter information and history - - Brand-specific guidelines - - Recent threat patterns - - - - - Custom detection thresholds - - Allowlist and blocklist entries - - Brand protection priorities - - - -## Review Workflow Summary - -```mermaid -flowchart TD - Start[Asset Detected] --> Proposal[Create Proposal] - Proposal --> Check{Eligible for
Automation?} - - Check -->|No| Human[Human Review] - Check -->|Yes| Score{Risk Score
≥ 1.0?} - - Score -->|No| Human - Score -->|Yes| Legit{Legitimacy
Rule Passed?} - - Legit -->|Yes| Human - Legit -->|No| AutoApprove[Auto-Approve] - - Human --> Decision{Analyst
Decision} - Decision -->|Approve| Blocked[Asset Blocked] - Decision -->|Reject| Remain[Status Unchanged] - Decision -->|Skip| Pending[Remains Pending] - Decision -->|Escalate| Senior[Senior Review] - - AutoApprove --> Blocked - Senior --> Decision -``` +**Asset Scan Results** - Screenshots and visual evidence, page content and metadata, network and infrastructure data, historical scan timeline. + +**Detection Rules** - Which rules triggered and their confidence levels, rule weights and scoring breakdown, legitimacy rule results. + +**Context & Intelligence** - Related assets and infrastructure, reporter information and history, brand-specific guidelines, recent threat patterns. + +**Organization Settings** - Custom detection thresholds, allowlist and blocklist entries, brand protection priorities. --- diff --git a/getting-started/how-it-works/takedown.mdx b/getting-started/how-it-works/takedown.mdx index eea7eea..54df4fb 100644 --- a/getting-started/how-it-works/takedown.mdx +++ b/getting-started/how-it-works/takedown.mdx @@ -7,39 +7,16 @@ description: "How ChainPatrol removes malicious content through coordinated take Every takedown follows a clear lifecycle inside ChainPatrol: - - - A takedown has been created and is waiting to be processed - - - - ChainPatrol is actively working on the takedown (submitting it to the appropriate provider and monitoring the request) - - - - The provider removed the harmful content - - +1. **TODO** - A takedown has been created and is waiting to be processed +2. **IN PROGRESS** - ChainPatrol is actively working on the takedown (submitting it to the appropriate provider and monitoring the request) +3. **COMPLETED** - The provider removed the harmful content ### Alternative Outcomes - - - The takedown was stopped (e.g., content turned out to be invalid or unnecessary) - - - - Identified as false positive, marked for retraction but not yet sent to provider - - - - Formal retraction request submitted to provider to halt or reverse the takedown - - - - Provider confirmed retraction—takedown fully stopped or reversed - - +- **CANCELED** - The takedown was stopped (e.g., content turned out to be invalid or unnecessary) +- **PENDING RETRACTION** - Identified as false positive, marked for retraction but not yet sent to provider +- **RETRACTION SENT** - Formal retraction request submitted to provider to halt or reverse the takedown +- **RETRACTED** - Provider confirmed retraction—takedown fully stopped or reversed ## How ChainPatrol Processes a Takedown @@ -51,19 +28,9 @@ A takedown is automatically created for every asset that is blocked, provided th Each takedown is directly linked to the blocked asset and contains all essential context required for further action: - - - URL, social profile, IPFS hash, or app listing - - - - Explanation of why the asset was classified as harmful - - - - Platform or host responsible for the content - - +- **Asset Reference** - URL, social profile, IPFS hash, or app listing +- **Supporting Evidence** - Explanation of why the asset was classified as harmful +- **Provider Information** - Platform or host responsible for the content After creation, the takedown is placed into the **TODO** state, indicating that it has been generated and is ready to be reviewed and processed. @@ -71,38 +38,21 @@ After creation, the takedown is placed into the **TODO** state, indicating that ChainPatrol determines which platform, hosting company, registrar, or channel is responsible for the content. - - - - Hosting providers (AWS, Cloudflare, Vercel, etc.) - - Domain registrars (GoDaddy, Namecheap, etc.) - - **TLD registrars** (for top-level domains like `.com`, `.xyz`, etc.) - - - - - Twitter/X - - Facebook - - Instagram - - YouTube - - **Telegram** - - Discord - - Reddit - - - - - Google Play Store - - Apple App Store - - Browser extension marketplaces - - - - - **IPFS** gateways and pinning services - - Decentralized hosting platforms - - - - +**Hosting & Domains:** +- Hosting providers (AWS, Cloudflare, Vercel, etc.) +- Domain registrars (GoDaddy, Namecheap, etc.) +- TLD registrars (for top-level domains like `.com`, `.xyz`, etc.) + +**Social Media:** +Twitter/X, Facebook, Instagram, YouTube, Telegram, Discord, Reddit + +**App Stores:** +Google Play Store, Apple App Store, Browser extension marketplaces + +**Distributed Storage:** +IPFS gateways and pinning services, decentralized hosting platforms + We maintain an up-to-date record of **100+ abuse contacts** for both submission of takedowns and retraction of requests made in error. - ### Submitting the Takedown @@ -110,43 +60,21 @@ ChainPatrol prepares and submits the takedown request to the appropriate provide **What's Included in a Submission:** - - - Detailed description of why the content is considered harmful, including evidence and context - - - - Supporting legal documents required to justify the removal (when applicable) - - - - Submissions use each provider's preferred reporting channel to ensure highest likelihood of success - - +- **Clear Explanation** - Detailed description of why the content is considered harmful, including evidence and context +- **Legal Documentation** - Supporting legal documents required to justify the removal (when applicable) +- **Provider-Specific Format** - Submissions use each provider's preferred reporting channel to ensure highest likelihood of success Once submitted, the takedown transitions into the **IN PROGRESS** state. - **Full Transparency:** Customers have real-time visibility including status updates and provider responses. Copies of provider communications are surfaced directly in the takedown events timeline. - ### Monitoring After submission, ChainPatrol continuously monitors the takedown to track its progress and outcome: - - - Verifying whether targeted content has been removed - - - - Reviewing and interpreting responses from the provider - - - - Automatically retrying or escalating when needed - - +- **Content Verification** - Verifying whether targeted content has been removed +- **Provider Responses** - Reviewing and interpreting responses from the provider +- **Escalation** - Automatically retrying or escalating when needed The takedown remains active until a final outcome is reached. Continuous monitoring ensures takedowns are not prematurely closed. @@ -156,40 +84,13 @@ The takedown remains active until a final outcome is reached. Continuous monitor A takedown ends in one of the following states: - - - **The provider removed the content.** - - Examples include: - - Websites becoming inaccessible - - Social media profiles or messages being removed - - Telegram channels being shut down - - IPFS content becoming unavailable via gateways - - Scam apps being delisted - - - - **The takedown request cannot proceed.** - - Reasons include: - - Invalid content - - Missing required documentation - - Asset no longer meets takedown criteria - - - - **The takedown was formally withdrawn after submission.** - - Typically because: - - Asset identified as false positive - - Content determined to be legitimate - - Organization requested retraction - - +**COMPLETED** - The provider removed the content. Examples include websites becoming inaccessible, social media profiles or messages being removed, Telegram channels being shut down, IPFS content becoming unavailable via gateways, and scam apps being delisted. + +**CANCELED** - The takedown request cannot proceed. Reasons include invalid content, missing required documentation, and asset no longer meets takedown criteria. + +**RETRACTED** - The takedown was formally withdrawn after submission. Typically because asset identified as false positive, content determined to be legitimate, or organization requested retraction. - All outcomes are logged clearly and shown to customers for transparency. - ## Takedown Retraction @@ -209,155 +110,61 @@ A retraction is typically initiated when ChainPatrol determines that the origina ### Retraction Process - - - Asset is identified as legitimate or false positive - - - - Takedown marked for retraction but request not yet sent - - - - Formal request submitted to provider to halt or reverse the takedown - - - - Provider confirms—takedown stopped or reversed - - - - +1. **Identification** - Asset is identified as legitimate or false positive +2. **PENDING RETRACTION** - Takedown marked for retraction but request not yet sent +3. **RETRACTION SENT** - Formal request submitted to provider to halt or reverse the takedown +4. **RETRACTED** - Provider confirms—takedown stopped or reversed + Takedown retractions are handled with the same level of care, structure, and transparency as takedown submissions. - ## Types of Takedowns ChainPatrol supports multiple takedown categories, each with a clear expected outcome: - - - **Targets:** Hosting providers, domain registrars, and TLD registries - - **Outcome:** The website becomes inaccessible or the domain is suspended - - **Examples:** - - Phishing sites hosted on cloud providers - - Malicious domains registered through registrars - - Typosquatting domains - - - - **Platforms:** X/Twitter, Facebook, Instagram, YouTube, Telegram, Discord, Reddit - - **Outcome:** The impersonating profile, channel, post, or video is removed or suspended - - **Examples:** - - Fake brand accounts - - Impersonation profiles - - Scam posts and videos - - Malicious Telegram channels - - - - **Targets:** Mobile app platforms and extension marketplaces - - **Outcome:** Fraudulent apps are removed from the marketplace - - **Examples:** - - Fake wallet apps - - Malicious browser extensions - - Impersonation applications - - - - **Targets:** IPFS gateway operators or pinning services - - **Outcome:** The malicious IPFS content is unpinned or becomes inaccessible through common gateways - - **Examples:** - - Phishing sites hosted on IPFS - - Malicious content distributed via decentralized storage - - +**Website Takedowns** - Targets hosting providers, domain registrars, and TLD registries. Outcome: The website becomes inaccessible or the domain is suspended. Examples include phishing sites hosted on cloud providers, malicious domains registered through registrars, and typosquatting domains. + +**Social Media Takedowns** - Platforms include X/Twitter, Facebook, Instagram, YouTube, Telegram, Discord, Reddit. Outcome: The impersonating profile, channel, post, or video is removed or suspended. Examples include fake brand accounts, impersonation profiles, scam posts and videos, and malicious Telegram channels. + +**App Store Takedowns** - Targets mobile app platforms and extension marketplaces. Outcome: Fraudulent apps are removed from the marketplace. Examples include fake wallet apps, malicious browser extensions, and impersonation applications. + +**IPFS Takedowns** - Targets IPFS gateway operators or pinning services. Outcome: The malicious IPFS content is unpinned or becomes inaccessible through common gateways. Examples include phishing sites hosted on IPFS and malicious content distributed via decentralized storage. ## Customer Visibility & Status Updates Inside ChainPatrol, customers have clear visibility into each takedown: - - - Real-time status: TODO, IN PROGRESS, COMPLETED, CANCELED, or retraction states - - - - Complete timeline of all major actions and state changes - - - - Full copies of emails and communications from providers - - - - Confirmation when content has been successfully removed - - - - +- **Current State** - Real-time status: TODO, IN PROGRESS, COMPLETED, CANCELED, or retraction states +- **Timestamps** - Complete timeline of all major actions and state changes +- **Provider Responses** - Full copies of emails and communications from providers +- **Evidence of Removal** - Confirmation when content has been successfully removed + This gives customers a full understanding of progress and outcomes throughout the entire takedown lifecycle. - ## Security & Compliance ChainPatrol ensures that all takedown-related data is handled securely and responsibly: - - - Legal documents stored using secure systems and access controls - - - - Data only shared with providers when explicitly required - - - - Following best practices to protect customer data - - - - Maintaining strict confidentiality throughout the process - - +- **Secure Storage** - Legal documents stored using secure systems and access controls +- **Limited Sharing** - Data only shared with providers when explicitly required +- **Industry Standards** - Following best practices to protect customer data +- **Confidentiality** - Maintaining strict confidentiality throughout the process ## Frequently Asked Questions - - - The takedown will move to the **COMPLETED** state, and you'll see confirmation from the provider in the takedown timeline. - - - - Response times vary across platforms. Some act quickly, while others require legal documentation or take several days to respond. Hosting providers typically respond within 4-48 hours, while domain registrars may take 24-72 hours or longer. - - - - If previously removed content reappears, the existing takedown is **reactivated** by returning to the **TODO** state. ChainPatrol will then act on it again, re-filing requests until the content is completely taken down. - - - - No provider guarantees removal in all cases, but ChainPatrol works to maximize success through consistent, accurate submissions and continuous monitoring. Our success rates vary by provider but are typically very high for legitimate threats. - - - - Most takedowns require legal documents such as: - - Letter of Authorization - - Power of Attorney - - Trademark registration - - Business registration documents - - Requirements vary by provider and will be communicated during onboarding. - - +**How do I know if my takedown was successful?** +The takedown will move to the **COMPLETED** state, and you'll see confirmation from the provider in the takedown timeline. + +**Why did my takedown take longer than expected?** +Response times vary across platforms. Some act quickly, while others require legal documentation or take several days to respond. Hosting providers typically respond within 4-48 hours, while domain registrars may take 24-72 hours or longer. + +**What happens if the content appears again?** +If previously removed content reappears, the existing takedown is **reactivated** by returning to the **TODO** state. ChainPatrol will then act on it again, re-filing requests until the content is completely taken down. + +**Can ChainPatrol guarantee removal?** +No provider guarantees removal in all cases, but ChainPatrol works to maximize success through consistent, accurate submissions and continuous monitoring. Our success rates vary by provider but are typically very high for legitimate threats. + +**What documentation do I need to provide?** +Most takedowns require legal documents such as Letter of Authorization, Power of Attorney, Trademark registration, and Business registration documents. Requirements vary by provider and will be communicated during onboarding. --- diff --git a/getting-started/how-it-works/watchlist.mdx b/getting-started/how-it-works/watchlist.mdx index 6a82b2a..350ec18 100644 --- a/getting-started/how-it-works/watchlist.mdx +++ b/getting-started/how-it-works/watchlist.mdx @@ -7,33 +7,16 @@ description: "How ChainPatrol monitors assets to detect when they become malicio The watchlist is a set of assets that are not blocked or allowed, but are **actively monitored**. We watchlist assets for two main reasons: - - - Monitoring assets to determine if they become malicious - - - - Monitoring assets to determine if they go offline - - +- **Review Process** - Monitoring assets to determine if they become malicious +- **Takedown Process** - Monitoring assets to determine if they go offline ### When Assets Leave the Watchlist We remove assets from the watchlist for three reasons: - - - Asset status changed to ALLOWED - - - - Previously dead asset becomes accessible again - - - - Asset has been offline for more than 30 days - - +- **Asset Allowed** - Asset status changed to ALLOWED +- **Comes Back Online** - Previously dead asset becomes accessible again +- **Offline Too Long** - Asset has been offline for more than 30 days For more details about the watchlist concept, see our [Concepts documentation](/concepts/watchlist). @@ -45,97 +28,40 @@ For more details about the watchlist concept, see our [Concepts documentation](/ During the review flow, an analyst can choose to put an asset onto the watchlist. This is typically done for two scenarios: - - - **What it is:** The domain is reserved but has no active content - - **Why we watchlist:** The URL indicates potential brand impersonation, but there's not enough evidence yet to perform a takedown. We monitor to see if malicious content appears. - - **Example:** `metamask-airdrop.com` shows a domain parking page, but the name suggests future malicious use. - - - - **What it is:** The asset is currently offline or inaccessible - - **Why we watchlist:** The URL structure suggests brand impersonation, but we can't analyze content that doesn't exist yet. We monitor to detect when it comes online. - - **Example:** `uniswap-claim.xyz` returns a 404 error, but the domain name is suspicious. - - +**Parking Page** - The domain is reserved but has no active content. The URL indicates potential brand impersonation, but there's not enough evidence yet to perform a takedown. We monitor to see if malicious content appears. Example: `metamask-airdrop.com` shows a domain parking page, but the name suggests future malicious use. + +**Dead Asset** - The asset is currently offline or inaccessible. The URL structure suggests brand impersonation, but we can't analyze content that doesn't exist yet. We monitor to detect when it comes online. Example: `uniswap-claim.xyz` returns a 404 error, but the domain name is suspicious. ### Takedown Process When we file a takedown, we automatically place the asset being taken down onto the watchlist. - - - Takedown request submitted to the appropriate provider - - - - Asset automatically added to watchlist for monitoring - - - - Regular scans check if the asset goes offline - - - - If asset goes offline, takedown is marked as complete automatically - - - - +1. **Takedown Filed** - Takedown request submitted to the appropriate provider +2. **Asset Watchlisted** - Asset automatically added to watchlist for monitoring +3. **Automated Monitoring** - Regular scans check if the asset goes offline +4. **Automatic Completion** - If asset goes offline, takedown is marked as complete automatically + This automation allows us to confirm successful takedowns without manual verification, speeding up the entire process. - ### Watchlist Eligibility Only specific asset types can be placed on the watchlist due to our ability to monitor them consistently in an automated fashion: - - - Web addresses and domains - - - - Specific web pages - - - - Email addresses - - - - Twitter/X accounts - - - - Telegram channels and users - - - - +- **URL** - Web addresses and domains +- **Page** - Specific web pages +- **Email** - Email addresses +- **Twitter** - Twitter/X accounts +- **Telegram** - Telegram channels and users + Asset types not on this list are monitored by our human staff for takedown confirmation instead of automated watchlist monitoring. - ## What Happens When Assets Are on the Watchlist When an asset is on the watchlist, we monitor it by running asset scans periodically to determine if there is any change in behavior: - - - Monitoring HTTP status codes and accessibility - - - - Detecting modifications to page content - - - - Tracking DNS record and hosting changes - - +- **Status Changes** - Monitoring HTTP status codes and accessibility +- **Content Changes** - Detecting modifications to page content +- **Infrastructure Changes** - Tracking DNS record and hosting changes We also run checks to determine if we should keep the asset on the watchlist or remove it because it's unlikely to become malicious. @@ -177,9 +103,7 @@ Blocked assets are scanned less frequently since they're already protected: | < 2 months | Every 6 days | | > 2 months | Every 12 days | - **Why the difference?** UNKNOWN/ALLOWED assets need closer monitoring to catch when they become malicious. BLOCKED assets are already protected, so we primarily monitor to confirm takedown success. - ## Removing Assets from the Watchlist @@ -187,95 +111,26 @@ Assets are automatically removed from the watchlist under specific conditions: ### Asset Becomes ALLOWED - - If an asset's status changes from `BLOCKED` or `UNKNOWN` to `ALLOWED`, we immediately remove it from the watchlist. - - **Reason:** Allowed assets are verified as legitimate and don't require monitoring. - +If an asset's status changes from `BLOCKED` or `UNKNOWN` to `ALLOWED`, we immediately remove it from the watchlist. Allowed assets are verified as legitimate and don't require monitoring. ### Asset Comes Online - - If an asset's liveness status changes from `DEAD` to `ALIVE` or `UNKNOWN`, we remove it from the watchlist. - - **What happens next:** The asset is pushed back into the review queue where a human analyst will evaluate whether it's malicious. - +If an asset's liveness status changes from `DEAD` to `ALIVE` or `UNKNOWN`, we remove it from the watchlist. The asset is pushed back into the review queue where a human analyst will evaluate whether it's malicious. ### Decay Factor -Assets are removed from the watchlist when they've been there too long without changes: - - - - If an asset is in `UNKNOWN` status, we remove it from the watchlist after **30 days**. - - **Reason:** If an asset hasn't become malicious after a month, it's unlikely to pose a threat. - - - - If the asset was watchlisted during the takedown process and the takedown is in `IN_PROGRESS` state: - - - Asset goes offline → Removed from watchlist - - Takedown provider suspends the asset → Removed from watchlist - - **Reason:** The takedown was successful, so continued monitoring is unnecessary. - - - - An analyst can manually remove an asset from the watchlist if they determine it's no longer necessary to monitor. - - **Reason:** Human judgment may identify cases where automated rules don't apply. - - - -## Watchlist Workflow - -```mermaid -flowchart TD - Start[Asset Detected] --> Decision{Add to
Watchlist?} - - Decision -->|Parking Page| Watchlist[Add to Watchlist] - Decision -->|Dead Asset| Watchlist - Decision -->|Takedown Filed| Watchlist - Decision -->|No| End[Normal Processing] - - Watchlist --> Monitor[Periodic Scanning] - - Monitor --> Check{Status
Change?} - - Check -->|Becomes ALLOWED| Remove1[Remove from Watchlist] - Check -->|Comes Online| Review[Push to Review Queue] - Check -->|30 Days UNKNOWN| Remove2[Remove from Watchlist] - Check -->|Takedown Success| Remove3[Remove from Watchlist] - Check -->|No Change| Monitor - - Review --> Remove4[Remove from Watchlist] - - Remove1 --> End - Remove2 --> End - Remove3 --> End - Remove4 --> End -``` +**UNKNOWN Assets - 30 Day Limit** - If an asset is in `UNKNOWN` status, we remove it from the watchlist after 30 days. If an asset hasn't become malicious after a month, it's unlikely to pose a threat. + +**Takedown Success** - If the asset was watchlisted during the takedown process and the takedown is in `IN_PROGRESS` state, when the asset goes offline or the takedown provider suspends the asset, it's removed from the watchlist since the takedown was successful. + +**Manual Removal** - An analyst can manually remove an asset from the watchlist if they determine it's no longer necessary to monitor. ## Best Practices - - - Watchlist domains with suspicious names but no active content yet - - - - Let the watchlist automatically confirm takedown success - - - - Periodically review long-term watchlist items to ensure they're still relevant - - - - The adaptive scan frequency optimizes monitoring without manual intervention - - +- **Use for Suspicious Domains** - Watchlist domains with suspicious names but no active content yet +- **Monitor Takedowns** - Let the watchlist automatically confirm takedown success +- **Review Regularly** - Periodically review long-term watchlist items to ensure they're still relevant +- **Trust the Automation** - The adaptive scan frequency optimizes monitoring without manual intervention --- diff --git a/getting-started/what-we-do/brand-impersonation.mdx b/getting-started/what-we-do/brand-impersonation.mdx index 5c1ec6b..c9c64c7 100644 --- a/getting-started/what-we-do/brand-impersonation.mdx +++ b/getting-started/what-we-do/brand-impersonation.mdx @@ -11,38 +11,13 @@ Brand impersonation is a broad category of abuse where malicious actors **preten Brand impersonation is commonly used to steal money, credentials, or sensitive information, distribute malware, manipulate public perception, or damage a brand's reputation. -These attacks often span multiple platforms and combine technical methods with social engineering. Brand impersonation can occur across: - -- Websites -- Social media platforms -- Advertising networks -- Search engines -- Email and messaging apps -- Web3 and blockchain ecosystems +These attacks often span multiple platforms and combine technical methods with social engineering. Brand impersonation can occur across websites, social media platforms, advertising networks, search engines, email and messaging apps, and Web3 and blockchain ecosystems. ## Types of Impersonation - - - Attackers pose directly as the official company or product - - - - Pretending to be employees, executives, or founders - - - - Fake customer support agents exploiting users seeking help - - - - False claims of collaboration or endorsement - - - ### 1. Brand Impersonation -In brand impersonation, attackers pose directly as the official company or product. This usually involves copying branding elements such as logos, names, visual identity, and messaging to create fake websites, social media profiles, advertisements, or applications. +Attackers pose directly as the official company or product. This usually involves copying branding elements such as logos, names, visual identity, and messaging to create fake websites, social media profiles, advertisements, or applications. **Impact:** Because these assets are designed to look authentic, users often cannot distinguish them from legitimate channels. This type of impersonation directly undermines brand trust and frequently leads to financial fraud or credential theft. @@ -70,67 +45,35 @@ Partnership impersonation involves false claims of collaboration, endorsement, o Brand impersonation campaigns typically rely on a combination of technical and behavioral techniques rather than a single method. - - - Deepfake technology is increasingly used to generate convincing audio, video, or images of executives or public figures, enabling fake announcements, investment scams, or social engineering attacks that appear highly authentic. - - - - Bot-driven attacks are commonly used to create and manage large numbers of fake accounts, amplify malicious content, and artificially boost engagement. This makes impersonation campaigns appear legitimate and widely supported. - - - - Reply and comment hijacking is another frequent technique, where attackers post malicious replies under legitimate brand content. These replies often pose as support or official guidance and exploit the visibility and trust of the original post. - - - - Typosquatting remains a foundational method, involving the registration of domains that closely resemble official brand domains. These domains are typically used for phishing, malware delivery, or credential harvesting. - - - - Advertising abuse, particularly through search ads, allows attackers to place impersonation content above legitimate results. Users often assume ads are verified, which makes this channel especially effective for deception. - - - - In Web3 ecosystems, fake NFT mints and blockchain-related scams are prevalent. These attacks often combine impersonated announcements, cloned websites, and malicious smart contracts designed to drain wallets. - - - - Disinformation campaigns may not always involve direct scams but are still a form of impersonation when false information is attributed to a brand or its representatives. These campaigns aim to manipulate perception, create confusion, or erode trust. - - - - SEO spam involves generating large volumes of low-quality pages optimized for brand-related keywords. These pages redirect users to malicious destinations and are difficult to combat due to their scale. - - - - Account compromise occurs when legitimate brand or employee accounts are taken over and then used to distribute scams or malicious content. Because the account was originally authentic, detection is significantly harder. - - In more advanced cases, attackers may compromise DNS or hosting infrastructure, allowing them to redirect traffic from legitimate domains to malicious content without altering the visible URL. - - +**Deepfakes** - Deepfake technology is increasingly used to generate convincing audio, video, or images of executives or public figures, enabling fake announcements, investment scams, or social engineering attacks that appear highly authentic. + +**Bot Attacks** - Bot-driven attacks are commonly used to create and manage large numbers of fake accounts, amplify malicious content, and artificially boost engagement. This makes impersonation campaigns appear legitimate and widely supported. + +**Replies and Comment Hijacking** - Reply and comment hijacking is another frequent technique, where attackers post malicious replies under legitimate brand content. These replies often pose as support or official guidance and exploit the visibility and trust of the original post. + +**Typosquatting** - Typosquatting remains a foundational method, involving the registration of domains that closely resemble official brand domains. These domains are typically used for phishing, malware delivery, or credential harvesting. + +**Advertising Abuse** - Advertising abuse, particularly through search ads, allows attackers to place impersonation content above legitimate results. Users often assume ads are verified, which makes this channel especially effective for deception. + +**Fake NFT Mints** - In Web3 ecosystems, fake NFT mints and blockchain-related scams are prevalent. These attacks often combine impersonated announcements, cloned websites, and malicious smart contracts designed to drain wallets. + +**Disinformation** - Disinformation campaigns may not always involve direct scams but are still a form of impersonation when false information is attributed to a brand or its representatives. These campaigns aim to manipulate perception, create confusion, or erode trust. + +**SEO Spam** - SEO spam involves generating large volumes of low-quality pages optimized for brand-related keywords. These pages redirect users to malicious destinations and are difficult to combat due to their scale. + +**Account Compromise** - Account compromise occurs when legitimate brand or employee accounts are taken over and then used to distribute scams or malicious content. Because the account was originally authentic, detection is significantly harder. In more advanced cases, attackers may compromise DNS or hosting infrastructure, allowing them to redirect traffic from legitimate domains to malicious content without altering the visible URL. ## What Can You Do About Brand Impersonation? While brand impersonation cannot be fully eliminated, its impact can be significantly reduced through proactive measures. - - - Clearly define and publicly communicate which assets are official. This includes domains, social media accounts, communication channels, applications, and, where applicable, blockchain addresses or smart contracts. Making this information easy to find helps users verify authenticity. - - - - Community involvement plays a critical role in early detection. Users often encounter impersonation before internal teams do, so providing clear reporting paths and responding visibly to reports helps shorten the damage window and builds trust. - - - - Education is equally important. By teaching users what official representatives will and will not do, and by highlighting common scam patterns, organizations can reduce the effectiveness of impersonation even when attacks occur. - - - - For brands with a large digital footprint or high-risk exposure, working with specialized security vendors is often necessary. These vendors provide continuous monitoring, automated detection, coordinated takedowns, and cross-platform visibility that is difficult to achieve internally. - - +1. **Define Official Assets** - Clearly define and publicly communicate which assets are official. This includes domains, social media accounts, communication channels, applications, and, where applicable, blockchain addresses or smart contracts. Making this information easy to find helps users verify authenticity. + +2. **Enable Community Reporting** - Community involvement plays a critical role in early detection. Users often encounter impersonation before internal teams do, so providing clear reporting paths and responding visibly to reports helps shorten the damage window and builds trust. + +3. **Educate Your Users** - Education is equally important. By teaching users what official representatives will and will not do, and by highlighting common scam patterns, organizations can reduce the effectiveness of impersonation even when attacks occur. + +4. **Partner with Security Vendors** - For brands with a large digital footprint or high-risk exposure, working with specialized security vendors is often necessary. These vendors provide continuous monitoring, automated detection, coordinated takedowns, and cross-platform visibility that is difficult to achieve internally. **Ready to protect your brand?** ChainPatrol provides comprehensive monitoring, detection, and takedown services for Web3 organizations. [Schedule a demo](https://cal.com/chainpatrol) to learn more. diff --git a/getting-started/what-we-do/introduction.mdx b/getting-started/what-we-do/introduction.mdx index f28e99d..938654f 100644 --- a/getting-started/what-we-do/introduction.mdx +++ b/getting-started/what-we-do/introduction.mdx @@ -9,17 +9,7 @@ In the rapidly evolving Web3 landscape, malicious actors are constantly targetin ## Enterprise-Grade Protection for Leading Web3 Organizations -Today, ChainPatrol serves as the trusted security partner for some of the most prominent names in the blockchain industry. - - - - - - - - - - +Today, ChainPatrol serves as the trusted security partner for some of the most prominent names in the blockchain industry, including Consensys, Sui, Arbitrum, ZkSync, Curve Finance, Starknet, and Polymarket. These organizations rely on us to safeguard their communities from online impersonation and phishing attacks 24/7. @@ -37,41 +27,18 @@ When users attempt to interact with a flagged malicious site, they receive an im Our advanced detection system continuously monitors the digital landscape to identify scams impersonating your company across multiple channels: - - - We scan for lookalike domains and phishing sites using your brand - - - - Automated monitoring for fake accounts impersonating your official channels - - - - Detection of malicious servers and impersonator accounts targeting your community - - - - Comprehensive coverage across the social media ecosystem - - +- **Domains** - We scan for lookalike domains and phishing sites using your brand +- **Twitter/X** - Automated monitoring for fake accounts impersonating your official channels +- **Discord** - Detection of malicious servers and impersonator accounts targeting your community +- **Other Social Platforms** - Comprehensive coverage across the social media ecosystem ### Our Three-Step Response Process When a threat is detected, our response is swift and decisive: - - - Malicious sites are blocked across our Wallet Network within minutes of detection, preventing your users from interacting with them - - - - We don't stop at blocking—our team proceeds with full takedown procedures, working to permanently remove fraudulent domains and social media accounts - - - - Continuous surveillance ensures new threats are identified and neutralized as they emerge - - +1. **Immediate Protection** - Malicious sites are blocked across our Wallet Network within minutes of detection, preventing your users from interacting with them +2. **Complete Takedown** - We don't stop at blocking—our team proceeds with full takedown procedures, working to permanently remove fraudulent domains and social media accounts +3. **Ongoing Monitoring** - Continuous surveillance ensures new threats are identified and neutralized as they emerge ## The Cost of Inaction @@ -85,23 +52,10 @@ Traditional security measures often react too slowly, allowing scammers to victi We'd love to show you how ChainPatrol can protect your organization and community. In a brief demo, we'll walk you through: - - - See our detection capabilities in action - - - - How we protect users at the point of interaction - - - - Our takedown process and response times - - - - Stay informed of threats targeting your brand - - +- **Real-Time Detection** - See our detection capabilities in action +- **Wallet Integration** - How we protect users at the point of interaction +- **Rapid Response** - Our takedown process and response times +- **Reporting & Analytics** - Stay informed of threats targeting your brand ## Schedule Your Demo Today diff --git a/integration/canary-tokens.mdx b/integration/canary-tokens.mdx new file mode 100644 index 0000000..bdc52ac --- /dev/null +++ b/integration/canary-tokens.mdx @@ -0,0 +1,88 @@ +--- +icon: dove +title: Canary Tokens +description: Use Canary Tokens to notify ChainPatrol when your website is cloned and have them blocked immediately +--- + +## What is a Canary Token? + +Canary Tokens are a free, open-source tool that helps you discover when bad actors access your data. They can be used to detect unauthorized access to your website, documents, or other sensitive information. + +You can read more on the [Canary Tokens website](https://docs.canarytokens.org/guide/). + +## Cloned Website Tokens + +Cloned Website Tokens are a type of Canary Token that can be used to detect when your website is cloned. They work by embedding a unique token into your website that is invisible to your users. When a bad actor clones your website, they will also clone the token. When the token is accessed, you will be notified and ChainPatrol will proceed to block and takedown the malicious cloned site. + +You can read more about Cloned Website Tokens on the [Canary Tokens website](https://docs.canarytokens.org/guide/cloned-web-token.html). + +## Setup Instructions + + + + Go to the [Canary Tokens Nest](https://canarytokens.org/nest/) and select the `JS cloned website` from the list. + + Fill the fields with the information below: + + | Field | Value | + | :---- |:----- | + | Domain of protected website | `` | + | Mail me here when the alert fires | `` | + | Remind me of this when the alert fires | Any note you'd like (ex. `Token for `) | + + Next, click **Add Webhook Notification**, and fill in the following information: + + | Field | Value | + | :---- |:----- | + | Notify me here when the alert fires | `https://app.chainpatrol.io/api/v2/canary/webhook` | + + It should look something like this when you are done: + + ![Canary Generation](/images/canary.png) + + Click **Create Canarytoken**. + + + + After the token is created, you will see the modal with the token information. + + ![Canary Success](/images/canary-success.png) + + Click **Manage Canarytoken** to navigate to the token's page. + + > **Note:** You should save this current page's URL for future reference. + + + + After clicking the button, you will be redirected to the token's page. This is a uniquely generated URL containing the token that you can come back to see the history of the your Canary Token. + + Example: `https://canarytokens.org/nest/manage//` + + Next, go to your ChainPatrol dashboard and go to **Settings** > **Canary Tokens**. + + ![Canary Token ID](/images/organization-canary-tokens.png) + + In order for ChainPatrol to automatically detect cloned websites, **create new token, and paste the token ID from your token's page**. + + After creating the token, you will see the token in the list. You can delete or edit the token at any time. + + At this point, our webhook will start receiving alerts when the token is accessed. + + ![Added Canary Token](/images/organization-added-canary-token.png) + + + Finally, to complete the setup of the Canary Token, you need to add the generated JavaScript snippet to the domain that you indicated earlier. + + 1. Toggle ON the **"Obfuscate this script"** option and copy the generated code. + 2. Paste the code into your website's HTML code, preferably in the `` tag on the homepage. + + > **Note:** We recommend turning OFF **Email Alerts**, since they may include localhost URLs and other false positives. We will handle the alerts via webhook. + + + +## What happens when a cloned website is detected? + +When your website is cloned, we will create a new report in your ChainPatrol dashboard. +ChainPatrol will proceed to block and takedown the malicious cloned site. + +![Canary Report](/images/canary-report.png) diff --git a/integration/discord.mdx b/integration/discord.mdx new file mode 100644 index 0000000..8af1936 --- /dev/null +++ b/integration/discord.mdx @@ -0,0 +1,196 @@ +--- +icon: discord +title: Discord Bot +sidebarTitle: Discord +description: A Discord bot that can be used submit scam reports to ChainPatrol +--- + +![ChainPatrol Discord Bot](/images/discord-bot.png) + +If you have a **Discord server**, you can use the [ChainPatrol Discord bot](https://chainpatrol.com/bot) +to let your server members submit scam reports to **ChainPatrol**. The bot will generate new +reports that get sent to your admin dashboard for review. + +## Setup + + + If you have a dedicated `scam-reports` channel, we recommend pinning a message + in this channel and directing your server members to use the bot there for + easy reporting + + +### Install the bot + +To add the bot to your server, you need to be an admin of the server. Then, you +can use the following link to add the bot: + +[🚀 Add ChainPatrol to your server](https://chainpatrol.com/bot/install) + +Next, you need to configure the bot to send reports to your admin dashboard on ChainPatrol. Right now, +this is can be done by reaching out to us [via email](mailto:support@chainpatrol.io?subject=%5BDiscord%20Bot%5D%20Setup%20integration%20with%20ChainPatrol&body=Hi,%20I%20would%20like%20to%20link%20the%20Discord%20bot%20to%20my%20ChainPatrol%20account%20as%20described%20here:%20https://chainpatrol.io/docs/general/discord-bot.%0A%0AThanks!) +and letting us know that you want to add the bot to your server. We will create an organization +for you on ChainPatrol and you can then use the `/setup connect` slash command to link your Discord server +to your organization on ChainPatrol. + +To check that the bot is working, you can use the `/setup status` command to see if the bot is +connected to your ChainPatrol organization. + +## Features + +### Scam Reports + +The bot allows server members to submit scam reports directly to ChainPatrol. + +#### Usage + +Once the bot is added to your server, you can use the following commands: + +- `/report ` - Submit a scam report for the given URL +- `/check ` - Check if the given URL is a scam + +#### Example + +Here is an example of how to use the bot to submit a scam report: + +![Example of using the ChainPatrol Discord bot](/images/discord-bot-prompt.png) +![Loading of the ChainPatrol Discord bot](/images/discord-bot-loading.png) +![Success of the ChainPatrol Discord bot](/images/discord-bot-success.png) + +### Reports Feed + +You can create a feed channel of all reports to your organization. This feature allows you to see all scam reports submitted through the bot in a dedicated channel. + +#### Setup + +1. Create a new channel on your Discord server and name it something like `chainpatrol-reports` +2. Use the following command to link the channel to your ChainPatrol organization: + ``` + /setup feed + ``` +3. Follow the instructions in the bot's response to link the channel to your ChainPatrol organization + +![Image showing the Discord bot's response to the setup feed command](/images/discord-bot-feed-setup.png) + +You can check that the feed is connected correctly by running the `/setup status` command. If the +feed is connected correctly, you should see the channel name in the bot's response. + +![Image showing the Discord bot's response to the setup status command after setting up the feed](/images/discord-bot-feed-status.png) + +As a final test, you can try submitting a test scam report using the `/report` command. You should see a message +in the feed channel with the scam report shortly after submitting. + +![Example of the feed channel](/images/discord-bot-feed.png) + +### Link Monitoring + +ChainPatrol can monitor your Discord channels for suspicious links and automatically take action when they are detected. This feature helps protect your community from scams and malicious content. + +#### Setup + +To enable link monitoring in a channel: + +1. Navigate to the channel you want to monitor +2. Run the `/setup linkmonitoring` command +3. Confirm the setup when prompted + + + Only server administrators or users with "Manage Server" permissions can + enable link monitoring + + +#### How it Works + +Once enabled, ChainPatrol will: + +1. Monitor all messages in the configured channel for URLs +2. Check each URL against ChainPatrol's comprehensive blocklist, which includes: + - Known scam websites + - Phishing attempts + - Malicious domains + - Other security threats reported to ChainPatrol +3. Take action based on your server's configuration when suspicious links are detected + + + The blocklist is continuously updated with new threats reported by the + ChainPatrol community and security researchers. You can [search through our + blocklist](https://app.chainpatrol.io/search) to see what threats we're + protecting against. + + +#### Response Actions + +When a suspicious link is detected, ChainPatrol can be configured to: + +- **React with 🚨** - Adds a warning reaction to the message +- **Delete the message** - Automatically removes the message +- **Notify moderators** - Sends an alert to your moderator channel + + + The response action is configured by your server administrator through the + ChainPatrol dashboard + + +#### Example + +Here's what happens when a suspicious link is detected: + +![Example of link monitoring in action](/images/discord-bot-link-monitoring.png) + +## Common Issues + +![no-response](/images/discord-application-no-response.png) + +### Custom Elevated Permissions + +- Bot role may need elevated permission to interact with private channels + +- If you are adding the bot to a channel that is not normally visible to `@everyone`, then you will need to + Slash commands not visible to Discord members + + + + ![Kebab Menu](/images/discord-private-channel.png) + + + ![Report Modal](/images/discord-select-app.png) + + + +- Embed links permissions are required for your reports feed + + ![channel embeds](/images/discord-channel-embed-links.png) + +- Make application commands available to users + - Server members will not be able to use the ChainPatrol bot commands if they do not have access to application commands + + ![application commands](/images/discord-application-comands.png) + + +## Debugging Tips + +### View Server As Role + +- You can right click the ChainPatrol role in server settings to see the server as the bot role + + ![view as role](/images/discord-view-as-role.png) + + + Trying to access a feature in an inaccessible part of the server will lead to + an error. Make sure the bot's permissions can see and interact with what you + are debugging. + +Check out [Discord's Role Management 101](https://support.discord.com/hc/en-us/articles/214836687-Role-Management-101) Article for additional help! + + + +## Privacy + +The bot does not collect any personal information. It only collects the URL and +the Discord ID for the user that submitted the report (in case a moderator needs +more information about why the URL is a scam). The bot does not store any information +about the server it is added to. + +## Source Code + +The source code for the bot is available on GitHub: +[chainpatrol/discord-bot](https://github.com/chainPatrol/discord-bot) diff --git a/integration/github.mdx b/integration/github.mdx index 89ea4c2..d42e79f 100644 --- a/integration/github.mdx +++ b/integration/github.mdx @@ -1,6 +1,6 @@ --- icon: github -title: GitHub Integration +title: GitHub description: Connect your GitHub repositories to ChainPatrol to protect your community from scam links and malicious content --- diff --git a/integration/intercom.mdx b/integration/intercom.mdx index a233aa7..666890d 100644 --- a/integration/intercom.mdx +++ b/integration/intercom.mdx @@ -1,6 +1,6 @@ --- icon: square -title: Intercom Integration +title: Intercom description: Connect your Intercom workspace to ChainPatrol to report suspicious URLs and protect against phishing --- diff --git a/integration/slack.mdx b/integration/slack.mdx new file mode 100644 index 0000000..a47bede --- /dev/null +++ b/integration/slack.mdx @@ -0,0 +1,198 @@ +--- +icon: slack +title: Slack Bot +sidebarTitle: Slack +description: A Slack bot that can be used to submit scam reports to ChainPatrol +--- + +If you have a **Slack workspace**, you can use the ChainPatrol Slack Bot to let your workspace members submit scam reports to **ChainPatrol**. The bot will generate new reports that get sent to your admin dashboard for review. + +## Setup + +### Bot Installation + + + + Start by opening your dashboard on the [ChainPatrol app](https://app.chainpatrol.io/). + + ![Step 1 - Dashboard](/images/dashboard-navbar.png) + + + + In the navbar, select **Settings** to go to your **Organization Settings** page. + + ![Step 2 - Organization Settings](/images/organization-settings.png) + + + + Once you are in the organization settings, navigate to the **Integrations** tab. This section contains options for the Slack bot as well as other integrations. + + ![Step 3 - Integrations Tab](/images/settings-integrations.png) + + + + + In the Integrations tab, you will find an option to **Add to Slack**. Click this button, then you will be redirected to the Slack authorization page. Click **Allow**. + + ![Step 4 - Add Bot](/images/slack-integration-authorization.png) + + Remember to select the correct workspace at the top right of the authorization page. + + + + + + + + **Important**: Please avoid using organization-level installs for the + ChainPatrol Slack Bot. Organization-level and enterprise installs can cause + issues with the bot's functionality and may not properly integrate with your + ChainPatrol dashboard. Always use workspace-level installations to ensure + proper operation. + + +## Confirmation and Finalization + +The ChainPatrol Slack Bot should appear in your listed apps along with other allowed workspace apps. + +![Slack Apps](/images/slack-apps.png) + +### Adding ChainPatrol Bot To Your Reporting Channel + + + Remember to add the slack bot to the reporting channel! By default, the + ChainPatrol bot does not automatically read and join existing channels for + privacy. + + + + + ![Kebab Menu](/images/slack-channel-details.png) + + + ![Report Modal](/images/slack-add-bot.png) + + + ![Report Modal](/images/slack-select-bot.png) + + + +### Link Organization + + + This step needs to be done with help from ChainPatrol staff in order for the + Slack Bot to work properly. + + +**Please send ChainPatrol staff your workspace's Slack Team ID so that we can finish the automated pipeline.** + +- Follow [Slack's documentation](https://slack.com/intl/en-gb/help/articles/221769328-Locate-your-Slack-URL-or-ID#free,-pro-and-business+-subscriptions-2) to locate your Team ID. + + + Slack refers to the Team ID as "workspace or org ID". + +`https://app.slack.com/client/TXXXXXXX/CXXXXXXX` + +In the above URL, the Team ID is the slug that begins with `T`. + + + +## Usage + +Once the bot is added to your workspace and you have **sent ChainPatrol your Team ID**, you can use the following actions: + +### Slash Commands + +- `/chainpatrol ` - Submit a scam report for the given URL + +### Shortcut Actions + +For a given message, click on the kebab menu and then select the `Create Report` option. + + + + ![Kebab Menu](/images/slack-kebab.png) + + + ![Report Modal](/images/report-modal.png) + + + +## Threats Feed Configuration + +In addition to submitting reports, the ChainPatrol Slack Bot can also send automated notifications about threats and reports to your Slack channels. This creates a real-time threats feed that keeps your team informed about security activity. + +![Blocklist Update Example](/images/blocklist-update.png) + +### Setting Up Notification Settings + + + + Create a dedicated channel in your Slack workspace for receiving ChainPatrol threat notifications. This channel will serve as your organization's security feed for real-time threat intelligence. + + ![Add Bot to Channel](/images/add-to-channel.png) + + + **Important**: You must add the ChainPatrol bot to this channel for notifications to work properly. The bot cannot automatically join channels for privacy and security reasons. + + + + + Contact ChainPatrol staff with your notification channel's Channel ID to complete the integration setup. The Channel ID is a unique identifier that begins with "C" and can be found in your channel's details. + + + To find your Channel ID, right-click on the channel name and select "View channel details" or check the URL when viewing the channel in your browser. + + + + + Navigate to your ChainPatrol dashboard and go to **Settings** > **Integrations** to configure your notification preferences. + + + Within the Integrations tab, locate the **Notification Settings** section to customize which types of security alerts your team receives. + + ![Notification Settings](/images/notification-settings.png) + + + + Choose which notifications you want to receive for your organization's reports and monitored assets. Each option serves different security monitoring needs as detailed below. + + + +### Notification Options + + + + Receive notifications when new reports are created for assets that are + already on your blocklist. This helps you track ongoing threats and see when + community members are encountering known malicious content. + + + Receive notifications when new reports are created for assets that are + currently on your allowlist. This can help identify potential false + positives or assets that may need review if they're receiving multiple + reports. + + + Receive notifications when assets are confirmed as threats and added to the + blocklist. **This is the most critical notification type** - when you see + this alert, it means ChainPatrol's systems have confirmed a threat and are + actively working to process it for takedown and blocklist distribution. + + + + + **Recommended Configuration**: We recommend enabling all three notification + types for comprehensive threat monitoring. However, if you want to focus on + the most critical alerts, option 3 (Assets Added to Blocklist) provides + notifications specifically for confirmed threats rather than just reports. + + + + Notification settings only take effect if you have Discord or Slack reporting + feeds enabled through the bot integration. + + +## Privacy + +The bot does not collect any personal information. It only collects the URL and the Slack ID of the user that submitted the report (in case a moderator needs more information about why the URL is a scam). The bot does not store any sensitive information about the workspace it is added to. diff --git a/integration/telegram.mdx b/integration/telegram.mdx new file mode 100644 index 0000000..9885914 --- /dev/null +++ b/integration/telegram.mdx @@ -0,0 +1,102 @@ +--- +icon: telegram +title: Telegram Bot +sidebarTitle: Telegram +description: A Telegram bot that can be used to submit scam reports to ChainPatrol +--- + +If you have a **Telegram group**, you can use the ChainPatrol Telegram Bot to let your group members submit scam reports to **ChainPatrol**. The bot will generate new reports that get sent to your admin dashboard for review. + +## Setup + +### Bot Installation + + + + + **Beware of impersonators!** The official ChainPatrol Telegram bot is `@ChainPatrol_Bot`. If you see any other bot claiming to be the ChainPatrol bot, please report it to us. + + Start by adding the ChainPatrol Telegram Bot to your group chat. You can find the bot by searching for its username in Telegram. + + ![Step 1 - Add Bot](/images/telegram-bot-add.png) + + + + + Once the bot is added to your group chat, use the `/help` command to see the available commands. + + ![Step 2 - Setup Connect](/images/telegram-commands.png) + + + + +### Bot Configuration + +![Confirmation Message](/images/telegram-setupstatus.png) + + + + + Visit your [ChainPatrol Dashboard](https://app.chainpatrol.io/admin) and go to the **settings** page. + + + If you don't have a ChainPatrol account and want to protect your community, reach out to us directly! + + ![Step 1 - Add Bot](/images/telegram-bot-settings.png) + + + + Go to the **Integrations** on the left sidebar. + ![Step 2 - Integrations](/images/telegram-bot-integrations.png) + + + + Click on "Add New Telegram Group" and configure the group details. + + ![Step 2 - Add details](/images/telegram-bot-integration-details.png) + + + + +## Usage + + + +Use the `/setupconnect` command to confirm the connection between your group and ChainPatrol. + + + +Once the bot is added to your group and the connection process is complete, you can use the following commands: + +### Commands + +- `/report ` - Submit a scam report for the given URL with a brief description of why it's suspicious +- `/check ` - Check if a URL is on the block list +- `/setupstatus` - Find out if this chat group is associated with an organization +- `/setupconnect` - Generates the URL to link Telegram group to organization +- `/help` - Display a list of available commands and their descriptions + +## Features + +### Auto-Link Monitoring + +The ChainPatrol Telegram Bot automatically monitors all links shared in your group chat. This feature provides an additional layer of protection for your community: + +- **Real-time Scanning**: Every link posted in the group is instantly checked against ChainPatrol's extensive database of known scams and malicious URLs. +- **Automatic Alerts**: If a potentially harmful link is detected, the bot immediately notifies the group, warning members about the potential risk. +- **Proactive Protection**: This feature helps prevent scams before they can affect your community members, even if no moderators are actively monitoring the group. + + + ![Auto-Link Monitoring](/images/telegram-auto-link-monitoring.png) + + +## Privacy + +The bot does not collect any personal information. It only collects the URL and the Telegram ID of the user that submitted the report (in case a moderator needs more information about why the URL is a scam). The bot does not store any sensitive information about the group it is added to. + + + +The ChainPatrol Telegram bot is like any group user. You can adjust permissions +according to your group's needs. + + diff --git a/integration/vercel.mdx b/integration/vercel.mdx index 76d6188..b3e6d0a 100644 --- a/integration/vercel.mdx +++ b/integration/vercel.mdx @@ -1,6 +1,6 @@ --- icon: triangle -title: Vercel Integration +title: Vercel description: Connect your Vercel team to ChainPatrol to protect your deployments from impersonation --- diff --git a/mint.json b/mint.json index 0f95e6d..9707c5d 100644 --- a/mint.json +++ b/mint.json @@ -58,6 +58,10 @@ } ], "tabs": [ + { + "name": "Integrations", + "url": "integration" + }, { "name": "API Reference", "url": "external-api" @@ -94,18 +98,18 @@ "getting-started/how-it-works/takedown", "getting-started/how-it-works/watchlist" ] + }, + { + "group": "How do I get started?", + "pages": [ + "protect-your-brand/onboarding-requirements", + "protect-your-brand/who-should-be-involved", + "protect-your-brand/services-setup", + "protect-your-brand/ongoing-communication" + ] } ] }, - { - "group": "Protect Your Brand", - "pages": [ - "protect-your-brand/onboarding-requirements", - "protect-your-brand/who-should-be-involved", - "protect-your-brand/services-setup", - "protect-your-brand/ongoing-communication" - ] - }, { "group": "Concepts", "pages": [ @@ -127,13 +131,13 @@ { "group": "Integrations", "pages": [ - "bots/discord-bot", - "bots/telegram-bot", - "bots/slack-bot", + "integration/discord", + "integration/telegram", + "integration/slack", "integration/vercel", "integration/intercom", "integration/github", - "security-integration/canary-tokens", + "integration/canary-tokens", "integration/webhooks", "integration/zapier" ] @@ -298,7 +302,23 @@ }, { "source": "/general/discord-bot", - "destination": "/bots/discord-bot" + "destination": "/integration/discord" + }, + { + "source": "/bots/discord-bot", + "destination": "/integration/discord" + }, + { + "source": "/bots/telegram-bot", + "destination": "/integration/telegram" + }, + { + "source": "/bots/slack-bot", + "destination": "/integration/slack" + }, + { + "source": "/security-integration/canary-tokens", + "destination": "/integration/canary-tokens" }, { "source": "/api", @@ -310,15 +330,15 @@ }, { "source": "/bots/slack", - "destination": "/bots/slack-bot" + "destination": "/integration/slack" }, { "source": "/bots/discord", - "destination": "/bots/discord-bot" + "destination": "/integration/discord" }, { "source": "/bots/telegram", - "destination": "/bots/telegram-bot" + "destination": "/integration/telegram" } ], "backgroundImage": "/background.png", From 6adc1a139802f4c8e38f997c1d229aed5bf4d7d1 Mon Sep 17 00:00:00 2001 From: Mustafa Siddiqui Date: Thu, 1 Jan 2026 11:27:29 +0530 Subject: [PATCH 3/5] wip: improvements --- .../how-it-works/how-we-use-ai.mdx | 77 ++++++++----------- getting-started/how-it-works/review.mdx | 20 ++--- .../what-we-do/general-phishing.mdx | 2 +- 3 files changed, 41 insertions(+), 58 deletions(-) diff --git a/getting-started/how-it-works/how-we-use-ai.mdx b/getting-started/how-it-works/how-we-use-ai.mdx index 8369745..bd85183 100644 --- a/getting-started/how-it-works/how-we-use-ai.mdx +++ b/getting-started/how-it-works/how-we-use-ai.mdx @@ -17,44 +17,39 @@ We've engineered the optimal balance between speed and accuracy: | Detection Type | How It Works | | --- | --- | -| **Fully Automated** (44.74%) | Threats that meet all AI confidence thresholds are blocked instantly | -| **AI + Human Review** (55.26%) | Edge cases are flagged for immediate analyst review | +| **Fully Automated** | Threats that meet all AI confidence thresholds are blocked instantly | +| **Human Review** | Edge cases are flagged for immediate analyst review | **Why this matters:** Multiple AI and rule-based thresholds must pass before any action is taken. This layered approach prevents false positives while ensuring legitimate threats are caught quickly. -## Our AI Technology Stack +## How Our AI Detects Threats -ChainPatrol uses a multi-model approach, combining the best AI technologies for comprehensive threat detection. +ChainPatrol uses a multi-layered AI approach, combining multiple detection methods for comprehensive threat protection. -- **Large Language Models** - Advanced text and content analysis -- **Visual & Structural Analysis** - Screenshot comparison and DOM analysis -- **Custom-Trained Models** - Specialized Web3 threat detection -- **Decision Engine** - Multi-model score aggregation +### Content Analysis -### 1. Large Language Models +Our AI analyzes text content across platforms to identify threats: -We leverage state-of-the-art LLMs for content analysis: +- **Language Pattern Detection** - Identifies phishing language, scam indicators, and social engineering tactics in posts, messages, and web content +- **Context Understanding** - Recognizes subtle impersonation attempts and fraudulent claims that might fool traditional filters +- **Multi-Platform Monitoring** - Analyzes content across social media, websites, messaging apps, and more -**OpenAI GPT-4** - Analyzes text content, social media posts, and communications to identify phishing language patterns and scam indicators - -**Gemini 2.0** - Enables multi-modal analysis, processing both text and visual content simultaneously for faster, more accurate detection - -### 2. Visual & Structural Analysis +### Visual Detection Phishing sites often look identical to legitimate ones. Our visual AI catches them: -1. **Visual Similarity Detection** - Compares screenshots against your legitimate sites to catch pixel-perfect impersonation attempts -2. **Structural Analysis** - Examines DOM structure, code patterns, and page layouts to identify known phishing templates—even when visuals differ -3. **URLScan Integration** - Real-time visual and structural scanning of suspicious URLs +- **Visual Similarity Analysis** - Compares page appearance against your legitimate sites to catch pixel-perfect impersonation attempts +- **Structural Pattern Matching** - Examines page structure, code patterns, and layouts to identify known phishing templates—even when visuals differ +- **Real-Time Scanning** - Continuously monitors suspicious URLs for visual indicators of threats -### 3. Custom-Trained Models +### Web3-Specialized Detection -Our models are tuned specifically for Web3 threats: +Our models are trained specifically for Web3 threats: -- Trained on **500,000+ real threat examples** from across the ecosystem -- Continuously updated with new attack patterns +- Trained on hundreds of thousands of real threat examples from across the ecosystem +- Continuously updated with new attack patterns as they emerge - Fine-tuned for Web3-specific threats like wallet drainers, fake airdrops, and impersonation scams ## How Detection Works @@ -67,14 +62,14 @@ Here's what happens when a potential threat is identified: 4. **Action** - High-confidence threats are blocked; edge cases go to analysts 5. **Distribution** - Confirmed threats are pushed to all integrated platforms -### The Decision Engine +### The Decision Process -At the core of our system is a proprietary decision engine that: +At the core of our system is a sophisticated decision engine that: -- **Model Aggregation** - Aggregates outputs from all AI models -- **Weighted Scoring** - Applies confidence-based scoring -- **Cross-Reference** - Checks against known threat databases -- **Fast Decisions** - Makes final disposition in milliseconds +- **Multi-Signal Aggregation** - Combines outputs from all detection methods +- **Confidence-Based Scoring** - Weighs evidence to determine threat likelihood +- **Cross-Reference Validation** - Checks against known threat databases and patterns +- **Instant Decisions** - Makes final determinations in seconds **No single point of failure:** A threat must pass multiple independent checks before being actioned, ensuring accuracy while maintaining speed. @@ -93,7 +88,7 @@ Our AI monitors threats across **50+ platforms**—and we can add new integratio **Web3 Platforms:** OpenSea, ENS, IPFS, Farcaster, Blur, Magic Eden, DeBank, Bluesky, Primal, DeSo -**Need coverage for a platform we don't list?** Contact us—new integrations can be added within days. +**Need coverage for a platform we don't list?** Contact us, new integrations can be added within days. ## Real-Time Threat Distribution @@ -102,33 +97,29 @@ When our AI detects a threat, it doesn't just sit in a database. We push it dire ### Browser Protection -**Google Safe Browsing** - Integration means threats are blocked in Chrome, Edge, and Safari—reaching billions of users. We maintain a **68.32% acceptance rate**, among the highest in the industry. +**Google Safe Browsing** - Our integration means threats are blocked in Chrome, Edge, and Safari—reaching billions of users worldwide. ### Wallet Protection -Direct API integrations with leading wallets provide real-time warnings: - -- **MetaMask** - Core integration partner -- **Phantom** - Direct API for Solana ecosystem -- **WalletConnect** - Real-time threat API -- **20+ More Wallets** - Ecosystem-wide protection +Direct integrations with leading wallets provide real-time warnings at the point of transaction: -### Infrastructure Partners +- **MetaMask** - Core integration partner protecting millions of users +- **Phantom** - Protecting the Solana ecosystem +- **WalletConnect** - Real-time threat prevention +- **20+ More Wallets** - Comprehensive ecosystem coverage -- **Cloudflare** - Direct threat reporting for faster takedowns -- **Polymarket** - Moderation API integration -**The result:** Threats detected by ChainPatrol can be blocked across the entire Web3 ecosystem within seconds. +**The result:** Threats detected by ChainPatrol are blocked across the entire Web3 ecosystem within seconds. ## Continuous Learning & Improvement Our AI gets smarter every day through: -**Human-in-the-Loop Training** - Every analyst decision feeds back into our models. When our team reviews edge cases, that knowledge improves future detection accuracy. +**Human-in-the-Loop Training** - Every analyst decision feeds back into our AI. When our team reviews edge cases, that knowledge improves future detection accuracy. -**Threat Intelligence Networks** - We're core contributors to Eth-Phishing-Detect with elevated permissions, and active members of SEAL-ISAC. This gives us early access to emerging threats and allows us to share our detections with the broader security community. +**Threat Intelligence Networks** - We're active contributors to major threat intelligence communities, giving us early access to emerging threats and allowing us to share our detections with the broader security ecosystem. -**Expanding Datasets** - Our threat database grows daily with new examples, ensuring our models stay ahead of evolving attack techniques. +**Expanding Datasets** - Our threat database grows daily with new examples, ensuring our AI stays ahead of evolving attack techniques. --- diff --git a/getting-started/how-it-works/review.mdx b/getting-started/how-it-works/review.mdx index f21dbb4..82c713d 100644 --- a/getting-started/how-it-works/review.mdx +++ b/getting-started/how-it-works/review.mdx @@ -40,16 +40,8 @@ Our automated review system calculates a **risk score** to determine whether an 1. **Rule Execution** - During an Asset Scan, multiple detection rules are executed against the asset 2. **Score Calculation** - The risk score is a weighted sum of all individual scores from each successful rule execution -3. **Threshold Evaluation** - The final risk score is compared against our approval threshold (1.0) -4. **Decision** - Assets meeting the threshold are automatically approved; others are escalated - -#### Risk Score Example - -**High Risk (Auto-Approved):** -Asset has 10 rules executed. 6 rules contribute a score of 0.2 each (= 1.2 total), 4 rules contribute a score of 0.1 each (= 0.4 total). Total Risk Score: 1.6. Since 1.6 ≥ 1.0, the Proposal is automatically approved. - -**Medium Risk (Escalated):** -Asset has 10 rules executed. 4 rules contribute a score of 0.1 each (= 0.4 total), 2 rules contribute a score of 0.2 each (= 0.4 total). Total Risk Score: 0.8. Since 0.8 < 1.0, the Proposal is escalated for human review. +3. **Threshold Evaluation** - The final risk score is compared against our approval threshold +4. **Decision** - Assets meeting the threshold are automatically approved; others are escalated for human review ### Legitimacy Rules @@ -59,7 +51,7 @@ Asset has 10 rules executed. 4 rules contribute a score of 0.1 each (= 0.4 total Legitimacy Rules are special detection rules that identify when an asset is **not malicious**. If a Legitimacy Rule with "Very High" confidence passes, automation will **not** automatically approve the Proposal, regardless of the Risk Score. -**Example:** An asset might have a risk score of 1.5, but if it matches a Very High confidence Legitimacy Rule (e.g., verified official domain), the Proposal will be escalated for human review instead of being auto-blocked. +**Example:** An asset might have a high risk score, but if it matches a Very High confidence Legitimacy Rule (e.g., verified official domain), the Proposal will be escalated for human review instead of being auto-blocked. ### Automatically Approving the Proposal @@ -72,18 +64,18 @@ For a Proposal to be automatically approved, **all** of the following must be tr - No Legitimacy Rules of "Very High" confidence have passed **Approval Triggers (at least one must be true):** -- **Option 1:** Risk Score ≥ 1.0 (the overall Risk Score of the Asset is at or above 1.0) +- **Option 1:** High Risk Score (the overall Risk Score of the Asset meets our confidence threshold) - **Option 2:** Trusted Reporter (the Asset was part of a Report created by a Trusted Reporter) ## Human Review Humans are essential for making decisions about Proposals that fall outside automated approval criteria. -Since automation only handles Proposals to block Assets with a Risk Score ≥ 1.0, human analysts evaluate all other cases. +Since automation only handles Proposals to block Assets with high confidence scores, human analysts evaluate all other cases. ### When Humans Are Involved -- **Low Risk Blocks** - Proposals to Block an Asset with a Risk Score < 1.0 +- **Lower Confidence Blocks** - Proposals to Block an Asset that doesn't meet the automated threshold - **Allow Proposals** - All Proposals to Allow an Asset - **Unknown Status** - Proposals to set an Asset to Unknown diff --git a/getting-started/what-we-do/general-phishing.mdx b/getting-started/what-we-do/general-phishing.mdx index 59e8c56..3ca7d06 100644 --- a/getting-started/what-we-do/general-phishing.mdx +++ b/getting-started/what-we-do/general-phishing.mdx @@ -5,7 +5,7 @@ description: "Understanding phishing attacks and common attack vectors in Web3" ## What is Phishing? -Phishing is a malicious attack that involves someone pretending to be a legitimate actor. Phishing comes in many attack vectors, but the ultimate goal is to gain the trust of the end user and steal their information. +Phishing is a malicious attack that involves someone pretending to be a legitimate actor. Phishing comes in many forms, but the ultimate goal is to gain the trust of the end user and steal their information. This includes passwords, credit card numbers, or even a user's two factor authentication codes. In the context of Web3, common attack vectors aim to steal a user's seed phrase for their wallet, or simply all of the contents of their wallets. From d4955cfcbfc02c650bcb6af5733a7fdf8c1dcfd8 Mon Sep 17 00:00:00 2001 From: Mustafa Siddiqui Date: Thu, 15 Jan 2026 13:21:06 +0530 Subject: [PATCH 4/5] wip: simplifying docs --- concepts/allowlist.mdx | 18 +------------- concepts/asset-scans.mdx | 24 ++++--------------- concepts/blocklist.mdx | 18 ++------------ concepts/brands.mdx | 14 +---------- concepts/detections.mdx | 22 ++++------------- concepts/legal-docs.mdx | 24 +++---------------- concepts/metrics.mdx | 16 +------------ concepts/organizations.mdx | 16 +------------ concepts/reports.mdx | 14 +---------- concepts/reviews.mdx | 14 +---------- concepts/security-portal.mdx | 18 +------------- concepts/takedowns.mdx | 18 ++------------ concepts/watchlist.mdx | 18 ++------------ getting-started/how-it-works/asset-scans.mdx | 19 ++++++--------- getting-started/how-it-works/blocklist.mdx | 19 ++++++--------- .../how-it-works/detection-sources.mdx | 16 ++++++------- .../how-it-works/how-we-use-ai.mdx | 24 +++++++------------ getting-started/how-it-works/review.mdx | 13 ++++------ getting-started/how-it-works/takedown.mdx | 22 ++++++++--------- getting-started/how-it-works/watchlist.mdx | 14 +++++------ .../what-we-do/brand-impersonation.mdx | 14 +++++++---- .../what-we-do/general-phishing.mdx | 10 +++++++- getting-started/what-we-do/introduction.mdx | 19 +++++++-------- 23 files changed, 106 insertions(+), 298 deletions(-) diff --git a/concepts/allowlist.mdx b/concepts/allowlist.mdx index 95cc7d5..e4ec15c 100644 --- a/concepts/allowlist.mdx +++ b/concepts/allowlist.mdx @@ -3,7 +3,7 @@ title: "Allowlist" description: "Understanding how ChainPatrol identifies and protects legitimate assets" --- -## What Is an Allowlist? +## Overview An **allowlist** is a curated list of known, trusted assets that are explicitly recognized as legitimate within ChainPatrol. @@ -121,9 +121,7 @@ Allowlist management is restricted to **organization administrators and authoriz - **Limited Access** - Standard users cannot modify allowlists - **Audit Trail** - All allowlist changes are logged and tracked - Limiting access helps ensure that allowlists remain accurate, intentional, and aligned with security best practices. - ### Best Practices for Allowlist Management @@ -133,25 +131,11 @@ Limiting access helps ensure that allowlists remain accurate, intentional, and a 4. **Remove Compromised Assets** - Immediately remove any asset suspected of being compromised 5. **Re-add After Verification** - Only re-allowlist assets after confirming they're secure and under your control ---- - ## Key Takeaways - **Known Safe Assets** - Allowlists define what is explicitly trusted - **Dual Purpose** - Excludes from detection and serves as reference baseline -- **Any Asset Type** - Domains, social accounts, apps, blockchain addresses, and more - **Conservative Approach** - Only allowlist assets you definitively control - **Not Permanent Immunity** - Compromised assets can still be investigated and blocked - **Flexible Granularity** - Organization-level or brand-level allowlisting - **Restricted Access** - Only administrators can modify allowlists -- **Regular Maintenance** - Periodic reviews keep allowlists accurate and current - ---- - - - Access your organization settings to view and update your allowlist - diff --git a/concepts/asset-scans.mdx b/concepts/asset-scans.mdx index 4f86c46..4a2fd2e 100644 --- a/concepts/asset-scans.mdx +++ b/concepts/asset-scans.mdx @@ -3,7 +3,7 @@ title: "Asset Scans" description: "Understanding how ChainPatrol evaluates assets at specific points in time" --- -## Definition +## Overview An **asset scan** is a single security check ChainPatrol performs on an asset (like a URL, social profile, app listing, crypto address, or email) at a specific moment in time. @@ -127,25 +127,11 @@ A social profile claiming to be one of your employees is discovered. The profile - **Not a Case** - A scan can be clean or suspicious. A threat or incident record is created only when risk crosses thresholds or a human escalates it. - **Not a Configuration** - Scans use your rules, thresholds, and service settings, but they are not where you configure behavior—they are the evidence those settings produce. ---- - ## Key Takeaways - **Point-in-Time Snapshot** - Each scan captures asset state at a specific moment -- **Building Blocks** - Scans are fundamental to threat understanding - **Rich Context** - Enrichments provide comprehensive asset intelligence -- **Risk Labels** - Human-readable categorization of threats -- **Timeline History** - Multiple scans show asset evolution over time -- **Evidence Base** - Provides proof for reviews and takedowns -- **Relationship Mapping** - Links between assets reveal campaigns -- **Automated & Systematic** - Consistent, repeatable security checks - ---- - - - Access your dashboard to review asset scans and their results - +- **Labels + Scores** - Findings summarize what the scan detected and how risky it appears +- **Timeline History** - Multiple scans show how an asset evolves over time +- **Evidence Base** - Scan data supports reviews, decisions, and takedown requests +- **Relationship Mapping** - Links and redirects can reveal broader campaigns diff --git a/concepts/blocklist.mdx b/concepts/blocklist.mdx index c73a877..3acd125 100644 --- a/concepts/blocklist.mdx +++ b/concepts/blocklist.mdx @@ -3,7 +3,7 @@ title: "Blocklist" description: "Understanding ChainPatrol's threat intelligence database" --- -## What is a Blocklist? +## Overview A blocklist (also known as a denylist) is a database of confirmed malicious entities that should be blocked or flagged to protect users. In the context of web3 security, a blocklist contains verified phishing websites, scam social media accounts, fraudulent crypto addresses, and other malicious assets that pose a threat to users. @@ -155,25 +155,11 @@ Security teams protect employees and users, brand protection teams monitor and b A public API provides freely accessible blocklist data for developers and security researchers, an SDK offers developer tools for easy integration, and a web dashboard provides a search and lookup interface for manual checks. Anyone can access our blocklist data to build security tools, perform research, or check suspicious assets. ---- - ## Key Takeaways - **Real-Time Protection** - 15-30 minute response time vs. hours or days for takedowns -- **Universal Coverage** - Works regardless of hosting provider or jurisdiction -- **Network Effects** - One confirmation protects millions of users +- **Network Distribution** - One confirmation can protect users across browsers, wallets, and partner ecosystems - **Diverse Contributors** - Community, partners, automation, and expert review - **Evidence-Based** - Requires both malicious intent and confirmation - **Multi-Asset Support** - URLs, social accounts, blockchain addresses, and more -- **Broad Distribution** - Browsers, wallets, applications, and enterprises - **Publicly Accessible** - Open API and SDK for developers and researchers - ---- - - - View blocklisted assets and check suspicious content in your dashboard - diff --git a/concepts/brands.mdx b/concepts/brands.mdx index a392d50..3fd670a 100644 --- a/concepts/brands.mdx +++ b/concepts/brands.mdx @@ -3,7 +3,7 @@ title: "Brands" description: "Understanding brand protection in ChainPatrol" --- -## What Is a Brand in ChainPatrol? +## Overview A **brand** represents an identity that ChainPatrol protects. @@ -107,8 +107,6 @@ ChainPatrol keeps brand information structured and separate to ensure that each **Flexible Structure** - Add new brands as you grow, reorganize brands as needed, merge or split brands, maintain historical data. ---- - ## Key Takeaways - **Identity Protection** - Brands represent identities that need protection @@ -117,13 +115,3 @@ ChainPatrol keeps brand information structured and separate to ensure that each - **Automatic Attribution** - Threats are automatically assigned to brands - **Multiple Brands** - One organization can protect many brands - **Granular + Unified** - Individual control with organizational oversight - ---- - - - Access your organization dashboard to configure and protect your brands - diff --git a/concepts/detections.mdx b/concepts/detections.mdx index a491c9b..ecf8f94 100644 --- a/concepts/detections.mdx +++ b/concepts/detections.mdx @@ -3,9 +3,9 @@ title: "Detections" description: "How ChainPatrol automatically identifies potential security threats" --- -A **detection** is a potential security threat that has been automatically identified by ChainPatrol's monitoring system. When a detection source discovers suspicious content that may be impersonating your brand or attempting to defraud users, it creates a detection record for your security team to review. +## Overview -## What is a Detection? +A **detection** is a potential security threat that has been automatically identified by ChainPatrol's monitoring system. When a detection source discovers suspicious content that may be impersonating your brand or attempting to defraud users, it creates a detection record for your security team to review. Detections represent automated findings from ChainPatrol's continuous monitoring across the internet. @@ -89,25 +89,11 @@ The system automatically handles duplicate detections to prevent alert fatigue: **Different Assets, Same Campaign** - Related assets in the same attack campaign are linked via group IDs but maintained as separate detections. This allows you to report each asset individually, track takedown progress per asset, and understand campaign scope. ---- - ## Key Takeaways - **Automated Discovery** - Detections are automatically identified by monitoring sources -- **Comprehensive Analysis** - Multiple data types analyzed for each detection -- **Confidence Scoring** - 0-1 score indicates likelihood of being malicious -- **Rule-Based Evaluation** - Dozens of rules evaluate threat indicators +- **Analysis + Rules Engine** - Scans and rules evaluate threat indicators and evidence +- **Confidence Scoring** - A 0-1 score indicates likelihood of being malicious - **Group Tracking** - Related threats linked via group IDs - **Smart Deduplication** - Prevents alert fatigue while maintaining visibility - **Auto-Reporting** - High-confidence threats can be automatically reported -- **Lifecycle Tracking** - Full visibility from discovery to resolution - ---- - - - Access your dashboard to review and manage detections - diff --git a/concepts/legal-docs.mdx b/concepts/legal-docs.mdx index a66ab58..33f5b30 100644 --- a/concepts/legal-docs.mdx +++ b/concepts/legal-docs.mdx @@ -3,7 +3,7 @@ title: "Legal Docs" description: "Understanding legal documentation for takedown requests" --- -## What Are Legal Documents? +## Overview **Legal documents** are official documents that prove a company's ownership rights, authorization, or identity when requesting the removal of harmful or fraudulent content. @@ -69,9 +69,7 @@ A document in which the brand owner declares that ChainPatrol is authorized to s **Example Statement:** > "[Organization Name] hereby authorizes ChainPatrol to submit takedown requests, abuse reports, and content removal requests on our behalf for the purpose of protecting our brand and trademarks from impersonation, fraud, and unauthorized use." - LOAs are typically simpler and faster to obtain than Power of Attorney documents. - ### Power of Attorney (POA) @@ -97,9 +95,7 @@ A formal legal authorization allowing ChainPatrol to act for the organization in - Making binding statements on behalf of the organization - Escalating to legal authorities if needed - Some providers require a POA for escalated or high-impact takedowns such as domain suspensions. - ### Document Usage Across Platforms @@ -182,25 +178,11 @@ This approach minimizes unnecessary exposure of sensitive documents while ensuri **Track Document Usage** - Track which providers accept which documents, note any rejection reasons, update documents based on feedback, and maintain records of successful takedowns. ---- - ## Key Takeaways - **Proof of Authority** - Legal docs prove ownership and authorization - **Three Main Types** - Trademark registration, LOA, and POA - **Provider Requirements** - Different platforms require different documents -- **Secure Storage** - Protected with encryption and access controls -- **Limited Access** - Only authorized personnel can access +- **Secure Handling** - Stored and accessed with encryption and strict controls - **Used When Needed** - Applied only during submission process -- **Regular Updates** - Keep documents current and valid -- **Critical for Success** - Required for most takedown requests - ---- - - - Access your organization settings to upload and manage legal documentation - +- **Keep Current** - Up-to-date documents are critical for successful takedown requests diff --git a/concepts/metrics.mdx b/concepts/metrics.mdx index d1b82e3..3cfd924 100644 --- a/concepts/metrics.mdx +++ b/concepts/metrics.mdx @@ -3,7 +3,7 @@ title: "Metrics" description: "Understanding how ChainPatrol measures and reports threat protection" --- -## Definition +## Overview **Metrics** are the high-level numbers and charts ChainPatrol shows to summarize how many threats we're seeing, how many we've blocked or taken down, and how quickly we're responding over a chosen time period. @@ -98,25 +98,11 @@ For threat landscape analysis, you compare threat counts for the last month: Dom For provider performance review, you analyze median time to takedown by asset type: Domains (48 hours), Twitter (24 hours), Telegram (18 hours), App stores (72 hours). Insights: Social platforms respond faster than hosting providers, app stores have longest response times, Telegram is most responsive. Actions: Focus on improving domain takedown speed, investigate app store delays, document Telegram best practices. ---- - ## Key Takeaways - **High-Level Summary** - Metrics aggregate activity into readable summaries - **Organization-Specific** - Always calculated for your specific organization - **Time-Bound** - Every view uses a specific time window - **Filterable** - Break down by brand, asset type, and category -- **Volume Tracking** - Reports, threats, watchlist, and takedowns -- **Threat Breakdowns** - By asset type, brand, and category - **Speed Metrics** - Median time to takedown and daily trends - **Actionable Insights** - Identify trends and adjust protection strategies - ---- - - - Access your dashboard to explore metrics and analyze your threat landscape - diff --git a/concepts/organizations.mdx b/concepts/organizations.mdx index 5111684..fd100ed 100644 --- a/concepts/organizations.mdx +++ b/concepts/organizations.mdx @@ -3,7 +3,7 @@ title: "Organizations" description: "Understanding your workspace in ChainPatrol" --- -## Your Workspace in ChainPatrol +## Overview Everything you see and do in ChainPatrol happens inside an **Organization**. Think of it as your team's dedicated workspace where you manage your brands, track your assets, and measure how ChainPatrol is protecting you from threats. @@ -88,9 +88,7 @@ Enables ChainPatrol to file takedown requests with hosting providers, registrars Speeds up the takedown process for clear-cut cases. Once you've provided the required legal documents (like a Power of Attorney) and your main website URL, ChainPatrol can automatically submit takedown requests for approved threats without waiting for manual back-and-forth on every case. Requires Power of Attorney document, main website URL, and all other services enabled. This is an advanced feature for high-volume threat environments. - Learn more about configuring these services in our [Services Setup guide](/protect-your-brand/services-setup). - ## Members, Roles, and Permissions @@ -128,8 +126,6 @@ ChainPatrol's staff handle the day-to-day security operations, but you retain ul **Enterprise** - Large enterprises may have multiple brands, hundreds or thousands of assets, complex approval workflows, and multiple teams with different permissions. Example: A Fortune 500 company with global operations. ---- - ## Key Takeaways - **Centralized Workspace** - Everything happens within your organization @@ -138,13 +134,3 @@ ChainPatrol's staff handle the day-to-day security operations, but you retain ul - **Configurable Services** - Enable only what you need - **Granular Permissions** - Control who can do what - **You're in Control** - Final say on all critical decisions - ---- - - - Access your organization dashboard to configure services and invite team members - diff --git a/concepts/reports.mdx b/concepts/reports.mdx index ef3b968..48f07db 100644 --- a/concepts/reports.mdx +++ b/concepts/reports.mdx @@ -3,7 +3,7 @@ title: "Reports" description: "How suspicious or safe activity gets submitted to ChainPatrol for review" --- -## What is a Report? +## Overview A **Report** is how suspicious or safe activity gets submitted to ChainPatrol for review. Each report bundles together one or more assets, like websites, social profiles, or crypto addresses, along with the evidence needed to evaluate them. @@ -113,8 +113,6 @@ Creating a report in ChainPatrol is straightforward: **Group Related Assets** - If multiple assets are part of the same campaign, report them together so reviewers see the full picture for more efficient review and coordinated response. ---- - ## Key Takeaways - **Bundle Assets** - Reports can contain multiple related assets @@ -123,13 +121,3 @@ Creating a report in ChainPatrol is straightforward: - **Three Statuses** - TODO, IN_PROGRESS, CLOSED - **Easy Submission** - Simple process with automatic asset detection - **Context Matters** - More evidence = faster, better review - ---- - - - Access your dashboard to create and track reports - diff --git a/concepts/reviews.mdx b/concepts/reviews.mdx index c0ecf4b..db4c786 100644 --- a/concepts/reviews.mdx +++ b/concepts/reviews.mdx @@ -3,7 +3,7 @@ title: "Reviews" description: "How ChainPatrol evaluates and makes decisions on reported threats" --- -## What is a Review? +## Overview A **review** is a decision made on a **proposal** to either block or allow a reported asset. When someone reports a potentially malicious website, social media account, or other digital asset, ChainPatrol creates a proposal that requires review before taking action. @@ -153,8 +153,6 @@ This approach ensures we block real threats quickly while maintaining accuracy a | **Superusers** | ✅ | ✅ | ✅ | Override escalations, bypass time limits | | **Reporters/Standard Users** | ❌ | ✅ | ❌ | View only | ---- - ## Key Takeaways - **Decision Points** - Reviews approve, reject, skip, or escalate proposals @@ -163,13 +161,3 @@ This approach ensures we block real threats quickly while maintaining accuracy a - **Multiple Evidence Types** - Rules, scans, context, and history inform decisions - **Safety Window** - 5-minute revert window for mistakes - **Escalation Paths** - Complex cases go to customers or senior analysts - ---- - - - Access your dashboard to review pending proposals - diff --git a/concepts/security-portal.mdx b/concepts/security-portal.mdx index f160171..1ada22f 100644 --- a/concepts/security-portal.mdx +++ b/concepts/security-portal.mdx @@ -3,7 +3,7 @@ title: "Security Portal" description: "Understanding your organization's public-facing threat reporting page" --- -## What is the Security Portal? +## Overview The **Security Portal** is your organization's public-facing page where people outside your team can report suspicious activity directly to ChainPatrol. @@ -50,9 +50,7 @@ To locate your portal URL: 2. Look for the "Security Portal URL" card 3. Click the link to copy your unique URL and share it with your community - Add your Security Portal URL to your website footer, documentation, and community resources so users know where to report threats. - ## Where Can You Configure It? @@ -113,25 +111,11 @@ The report processing flow works as follows: From there, the report goes through the same review process as any other submission. ---- - ## Key Takeaways - **Public Reporting Page** - Branded landing page for community threat reports - **Easy Submission** - No account required for public portals - **Three Visibility Levels** - Disabled, Private, or Public access - **Optional Transparency** - Show public reports and metrics -- **Community-Powered** - Enables users to help protect your brand - **Same Review Process** - Reports flow through standard review workflow -- **Trust Building** - Demonstrates active security monitoring - **Unique URL** - Based on your organization's slug - ---- - - - Access Settings → Security Portal to enable and customize your public reporting page - diff --git a/concepts/takedowns.mdx b/concepts/takedowns.mdx index 76c5625..bfc07b5 100644 --- a/concepts/takedowns.mdx +++ b/concepts/takedowns.mdx @@ -3,7 +3,7 @@ title: "Takedowns" description: "Understanding how ChainPatrol removes malicious content from the internet" --- -## What Is a Takedown? +## Overview A **takedown** is a formal request asking an online platform to remove harmful, fraudulent, or unauthorized content. @@ -83,25 +83,11 @@ Regardless of the platform, the purpose of a takedown is the same: **to remove d **Evidence Collection** - Each takedown includes screenshots of malicious content, technical metadata (hosting, DNS, etc.), timeline of activity, and user reports and impact evidence. ---- - ## Key Takeaways - **Formal Removal Request** - Takedowns are official requests to remove content - **Multiple Platforms** - Sent to hosting, social media, app stores, and more -- **Brand Protection** - Removes impersonation, scams, and trademark abuse - **Lifecycle Tracking** - From TODO to COMPLETED with full visibility - **Complement to Blocklisting** - Works alongside blocklists for comprehensive protection - **Legal Documentation** - Requires proper authorization and evidence -- **Provider Relationships** - Established channels with 100+ providers -- **Persistent Follow-Up** - Continuous monitoring until completion - ---- - - - Access your dashboard to monitor active and completed takedown requests - +- **Provider Follow-Through** - Established channels and persistent monitoring until completion diff --git a/concepts/watchlist.mdx b/concepts/watchlist.mdx index b2e797e..77e488a 100644 --- a/concepts/watchlist.mdx +++ b/concepts/watchlist.mdx @@ -3,7 +3,7 @@ title: "Watchlist" description: "Understanding how ChainPatrol monitors assets for future action" --- -## What is the Watchlist? +## Overview The watchlist is a set of assets that we monitor to see if we can action on them further in the future. @@ -119,25 +119,11 @@ Assets are automatically removed from the watchlist when: - **Provider Suspension** - Hosting provider suspends the asset - **Manual Removal** - Analyst decides monitoring is no longer needed ---- - ## Key Takeaways - **Middle Ground** - Watchlist is for assets between blocking and allowing - **Two Main Purposes** - Inconclusive evidence and takedown monitoring - **Adaptive Monitoring** - Scan frequency adjusts based on time and status -- **Automatic for Takedowns** - All takedown assets are automatically watchlisted -- **Manual for Review** - Analysts can watchlist during inconclusive reviews +- **Automatic + Manual** - Assets can be watchlisted automatically for takedowns or manually during review - **Multiple Exit Paths** - Assets leave watchlist when status becomes clear - **Time-Based Decay** - Long-term uncertain assets are eventually removed -- **Continuous Scanning** - Regular checks detect changes and completion - ---- - - - Access your dashboard to see assets currently on your watchlist - diff --git a/getting-started/how-it-works/asset-scans.mdx b/getting-started/how-it-works/asset-scans.mdx index c2b2068..fd513de 100644 --- a/getting-started/how-it-works/asset-scans.mdx +++ b/getting-started/how-it-works/asset-scans.mdx @@ -3,7 +3,7 @@ title: "Asset Scans" description: "How ChainPatrol automatically evaluates and monitors potential threats across the web" --- -## What is an Asset Scan +## Overview An **asset scan** is an automated security check ChainPatrol runs on an online surface that could be used in a scam, like a website, a social profile, an app-store listing, or a crypto address. Each scan records what we observed at a specific moment in time and evaluates risk using a mix of detection rules and AI signals. @@ -95,9 +95,6 @@ Our platform provides comprehensive visibility into scan results and asset histo **Org/Brand Dashboards** - High-level overview showing recent activity and new threats, top-risk assets requiring attention, monitoring coverage across platforms, and trend analysis over time. **Reporting & Metrics** - Actionable insights including scan volume and frequency, detection speed metrics, number of risky assets still live, and takedown success rates. - ---- - ## Scan Efficiency & Scale - **Smart Scheduling** - Adaptive scan frequency based on asset risk and stability @@ -107,12 +104,10 @@ Our platform provides comprehensive visibility into scan results and asset histo Our scanning infrastructure processes thousands of assets daily, providing real-time threat intelligence while maintaining accuracy and minimizing false positives. ---- +## Key Takeaways - - Access detailed scan results and asset timelines in your ChainPatrol dashboard - +- Asset scans are time-stamped snapshots that help track risk and change over time +- Scans can be triggered by sources, manual/API requests, and ongoing monitoring +- The scan pipeline includes normalization, enrichment, analysis, scoring, and relationships +- Results support review decisions, automation, and ongoing monitoring hygiene +- Efficient scanning relies on adaptive scheduling and selective enrichment diff --git a/getting-started/how-it-works/blocklist.mdx b/getting-started/how-it-works/blocklist.mdx index 86c7e0f..6409c9b 100644 --- a/getting-started/how-it-works/blocklist.mdx +++ b/getting-started/how-it-works/blocklist.mdx @@ -3,9 +3,9 @@ title: "Blocklist" description: "Real-time, community-powered database of confirmed phishing sites and malicious assets" --- -ChainPatrol's Blocklist is a real-time, community-powered database of confirmed phishing sites, scams, and malicious assets that protects users across the web3 ecosystem. +## Overview -## What is the ChainPatrol Blocklist? +ChainPatrol's Blocklist is a real-time, community-powered database of confirmed phishing sites, scams, and malicious assets that protects users across the web3 ecosystem. The ChainPatrol Blocklist is a continuously updated list of **350,000+ malicious websites**, social media accounts, and blockchain addresses that have been confirmed as threats through our expert review process. When an asset is added to the blocklist, it's automatically distributed to our network of security integrations to protect users in real-time. @@ -147,8 +147,6 @@ ChainPatrol provides **immediate protection** by: This **"blocklist-first, takedown-second"** approach means users are protected within minutes, not days. ---- - ## Blocklist vs. Takedown Comparison | Aspect | ChainPatrol Blocklist | Traditional Takedown | @@ -159,12 +157,9 @@ This **"blocklist-first, takedown-second"** approach means users are protected w | **Jurisdiction** | Global | Provider-dependent | | **Success Rate** | 100% distribution | Varies by provider | ---- +## Key Takeaways - - Access your blocklist dashboard to view and manage blocked assets - +- The blocklist is a continuously updated database of confirmed malicious assets +- Blocklisted assets are distributed to integrations to protect users quickly +- Disputes and retractions help address false positives and propagate corrections +- “Blocklist-first, takedown-second” reduces user exposure during takedown delays diff --git a/getting-started/how-it-works/detection-sources.mdx b/getting-started/how-it-works/detection-sources.mdx index f82dc40..dac707e 100644 --- a/getting-started/how-it-works/detection-sources.mdx +++ b/getting-started/how-it-works/detection-sources.mdx @@ -3,6 +3,8 @@ title: "Detection Sources" description: "Automated monitoring systems that continuously scan the internet for threats to your brand" --- +## Overview + Detection sources are automated monitoring systems that continuously scan the internet for potential threats to your brand. Each source monitors a specific platform or data stream, searching for suspicious assets that may be impersonating your organization or attempting to defraud your users. ## How Detection Sources Work @@ -155,12 +157,10 @@ Detection sources are optimized for efficiency. Results are processed in batches Our infrastructure is designed to handle high-volume monitoring without impacting detection speed or accuracy. ---- +## Key Takeaways - - Log in to your dashboard to customize detection sources for your organization - +- Detection sources continuously scan specific platforms and data streams for threats +- Sources run on schedules and submit discovered assets into the analysis pipeline +- Coverage spans search engines, social platforms, app stores, and Web3 surfaces +- Configuration controls status, scope, and schedule (including custom schedules) +- Best results come from good included/excluded terms and iterative tuning diff --git a/getting-started/how-it-works/how-we-use-ai.mdx b/getting-started/how-it-works/how-we-use-ai.mdx index bd85183..99a567a 100644 --- a/getting-started/how-it-works/how-we-use-ai.mdx +++ b/getting-started/how-it-works/how-we-use-ai.mdx @@ -3,7 +3,7 @@ title: "How We Use AI" description: "Learn how ChainPatrol's AI-powered detection engine protects your brand from Web3 threats in real-time" --- -## Why AI-Powered Protection Matters +## Overview In Web3, threats move fast. Phishing sites can be spun up in minutes, targeting your community before traditional security measures can respond. That's why we built an AI-first detection engine—one that identifies and neutralizes threats **within seconds**, not hours. @@ -71,9 +71,7 @@ At the core of our system is a sophisticated decision engine that: - **Cross-Reference Validation** - Checks against known threat databases and patterns - **Instant Decisions** - Makes final determinations in seconds - -**No single point of failure:** A threat must pass multiple independent checks before being actioned, ensuring accuracy while maintaining speed. - +No single signal is enough on its own—multiple independent checks must pass before a threat is actioned, helping maintain accuracy while preserving speed. ## Platform Coverage @@ -87,9 +85,7 @@ Our AI monitors threats across **50+ platforms**—and we can add new integratio **Web3 Platforms:** OpenSea, ENS, IPFS, Farcaster, Blur, Magic Eden, DeBank, Bluesky, Primal, DeSo - -**Need coverage for a platform we don't list?** Contact us, new integrations can be added within days. - +**Need coverage for a platform we don't list?** Contact us—new integrations can be added within days. ## Real-Time Threat Distribution @@ -121,12 +117,10 @@ Our AI gets smarter every day through: **Expanding Datasets** - Our threat database grows daily with new examples, ensuring our AI stays ahead of evolving attack techniques. ---- +## Key Takeaways - - Schedule a demo to see how our AI-powered detection protects leading Web3 brands - +- AI-first monitoring helps respond to fast-moving Web3 threats in seconds +- ChainPatrol balances automation with human review for accuracy and speed +- Detection combines content, visual, and Web3-specific signals +- A decision engine aggregates signals and confidence scores to take action +- Confirmed threats can be distributed quickly to integrated platforms diff --git a/getting-started/how-it-works/review.mdx b/getting-started/how-it-works/review.mdx index 82c713d..6ab10df 100644 --- a/getting-started/how-it-works/review.mdx +++ b/getting-started/how-it-works/review.mdx @@ -96,12 +96,9 @@ Since automation only handles Proposals to block Assets with high confidence sco **Organization Settings** - Custom detection thresholds, allowlist and blocklist entries, brand protection priorities. ---- +## Key Takeaways - - Access pending proposals and review decisions in your ChainPatrol dashboard - +- Reviews evaluate proposals that change an asset’s status (blocked/allowed/unknown) +- Proposals can be approved, rejected, skipped, or escalated +- Automation handles high-confidence blocks under specific conditions +- Human reviewers handle lower-confidence cases and all allow/unknown proposals diff --git a/getting-started/how-it-works/takedown.mdx b/getting-started/how-it-works/takedown.mdx index 54df4fb..644cf2f 100644 --- a/getting-started/how-it-works/takedown.mdx +++ b/getting-started/how-it-works/takedown.mdx @@ -3,6 +3,10 @@ title: "Takedown" description: "How ChainPatrol removes malicious content through coordinated takedown requests" --- +## Overview + +A takedown is the process of requesting that a platform, host, or provider remove harmful content. This page explains how takedowns move through their lifecycle in ChainPatrol, how they’re submitted and monitored, and how retractions work when an asset is identified as legitimate. + ## Takedown Lifecycle Every takedown follows a clear lifecycle inside ChainPatrol: @@ -76,9 +80,7 @@ After submission, ChainPatrol continuously monitors the takedown to track its pr - **Provider Responses** - Reviewing and interpreting responses from the provider - **Escalation** - Automatically retrying or escalating when needed - -The takedown remains active until a final outcome is reached. Continuous monitoring ensures takedowns are not prematurely closed. - +The takedown remains active until a final outcome is reached. Continuous monitoring helps ensure takedowns are not prematurely closed. ### Final Outcome @@ -166,12 +168,10 @@ No provider guarantees removal in all cases, but ChainPatrol works to maximize s **What documentation do I need to provide?** Most takedowns require legal documents such as Letter of Authorization, Power of Attorney, Trademark registration, and Business registration documents. Requirements vary by provider and will be communicated during onboarding. ---- +## Key Takeaways - - Access your takedown dashboard to monitor all active and completed takedown requests - +- Takedowns move through clear states (TODO → IN PROGRESS → COMPLETED) with alternative outcomes +- A takedown is created automatically for blocked assets when the Takedowns service is enabled +- ChainPatrol assigns the correct provider and submits provider-specific requests with evidence +- Monitoring and follow-up continue until a final outcome is reached +- Retractions help stop or reverse takedowns for false positives or legitimate content diff --git a/getting-started/how-it-works/watchlist.mdx b/getting-started/how-it-works/watchlist.mdx index 350ec18..3e3f418 100644 --- a/getting-started/how-it-works/watchlist.mdx +++ b/getting-started/how-it-works/watchlist.mdx @@ -132,12 +132,10 @@ If an asset's liveness status changes from `DEAD` to `ALIVE` or `UNKNOWN`, we re - **Review Regularly** - Periodically review long-term watchlist items to ensure they're still relevant - **Trust the Automation** - The adaptive scan frequency optimizes monitoring without manual intervention ---- +## Key Takeaways - - Access your watchlist dashboard to see all monitored assets and their status - +- The watchlist tracks assets that aren’t blocked or allowed but need monitoring +- Assets are watchlisted for review uncertainty or to confirm takedown completion +- Eligibility is limited to asset types ChainPatrol can monitor reliably +- Adaptive scan frequency balances fast detection with efficient resource use +- Assets leave the watchlist when status becomes clear or after time-based decay diff --git a/getting-started/what-we-do/brand-impersonation.mdx b/getting-started/what-we-do/brand-impersonation.mdx index c9c64c7..440f952 100644 --- a/getting-started/what-we-do/brand-impersonation.mdx +++ b/getting-started/what-we-do/brand-impersonation.mdx @@ -3,7 +3,7 @@ title: "Brand Impersonation" description: "Understanding brand impersonation attacks and how to protect against them" --- -## What Is Brand Impersonation? +## Overview Brand impersonation is a broad category of abuse where malicious actors **pretend to be a legitimate brand or someone associated with it** in order to deceive users, steal assets, spread disinformation, or damage trust. @@ -75,6 +75,12 @@ While brand impersonation cannot be fully eliminated, its impact can be signific 4. **Partner with Security Vendors** - For brands with a large digital footprint or high-risk exposure, working with specialized security vendors is often necessary. These vendors provide continuous monitoring, automated detection, coordinated takedowns, and cross-platform visibility that is difficult to achieve internally. - -**Ready to protect your brand?** ChainPatrol provides comprehensive monitoring, detection, and takedown services for Web3 organizations. [Schedule a demo](https://cal.com/chainpatrol) to learn more. - +ChainPatrol provides monitoring, detection, and takedown services for Web3 organizations. If you'd like to learn more, you can [schedule a demo](https://cal.com/chainpatrol). + +## Key Takeaways + +- Brand impersonation uses fake identities to steal, mislead, or damage trust +- Impersonation can target brands, employees, and customer support across many platforms +- Campaigns often combine multiple techniques (typosquatting, bots, ads, compromised accounts) +- Clear official asset definitions, reporting paths, and user education reduce impact +- Continuous monitoring and coordinated takedowns help reduce attacker reach diff --git a/getting-started/what-we-do/general-phishing.mdx b/getting-started/what-we-do/general-phishing.mdx index 3ca7d06..d76b6aa 100644 --- a/getting-started/what-we-do/general-phishing.mdx +++ b/getting-started/what-we-do/general-phishing.mdx @@ -3,7 +3,7 @@ title: "General Phishing" description: "Understanding phishing attacks and common attack vectors in Web3" --- -## What is Phishing? +## Overview Phishing is a malicious attack that involves someone pretending to be a legitimate actor. Phishing comes in many forms, but the ultimate goal is to gain the trust of the end user and steal their information. @@ -90,3 +90,11 @@ Always verify: - The authenticity of support representatives - Browser extensions and applications before installation - Transaction details before signing anything + +## Key Takeaways + +- Phishing relies on impersonation and trust to steal sensitive information or assets +- Web3 phishing commonly targets seed phrases and wallet interactions +- Wallet drainers use deceptive transactions and permissions to steal funds +- Social engineering and malware distribution are common supporting tactics +- Careful verification and skepticism around urgent requests reduce risk diff --git a/getting-started/what-we-do/introduction.mdx b/getting-started/what-we-do/introduction.mdx index 938654f..8411768 100644 --- a/getting-started/what-we-do/introduction.mdx +++ b/getting-started/what-we-do/introduction.mdx @@ -3,7 +3,7 @@ title: "Introduction" description: "Protecting Web3 Communities from Phishing and Impersonation Attacks" --- -## The Threat Landscape +## Overview In the rapidly evolving Web3 landscape, malicious actors are constantly targeting crypto users through sophisticated phishing attacks, fake domains, and social media impersonation. These threats not only put your community's assets at risk but can also severely damage your brand's reputation and erode user trust. @@ -57,14 +57,13 @@ We'd love to show you how ChainPatrol can protect your organization and communit - **Rapid Response** - Our takedown process and response times - **Reporting & Analytics** - Stay informed of threats targeting your brand -## Schedule Your Demo Today +If you'd like to see ChainPatrol in action, you can [book a demo](https://cal.com/chainpatrol). - - Choose a time that works best for you - +Don't let phishing attacks compromise your community's security and your brand's reputation. -Don't let phishing attacks compromise your community's security and your brand's reputation. Let's discuss how ChainPatrol can provide the protection your organization deserves. +## Key Takeaways + +- Web3 threats move fast and can directly impact users and brand trust +- ChainPatrol provides always-on monitoring, review, and response for impersonation and phishing +- Real-time wallet integrations help protect users at the point of interaction +- Rapid response combines blocklisting, takedowns, and ongoing monitoring to reduce attacker impact From 1a293e01613df70d169c1790cb5f78279feeab0a Mon Sep 17 00:00:00 2001 From: Mustafa Siddiqui Date: Thu, 15 Jan 2026 13:45:49 +0530 Subject: [PATCH 5/5] chore: consistent voice --- concepts/allowlist.mdx | 12 +++-- concepts/asset-scans.mdx | 12 +++-- concepts/blocklist.mdx | 32 +++++++------- concepts/brands.mdx | 10 ++--- concepts/detections.mdx | 20 ++++----- concepts/legal-docs.mdx | 12 +++-- concepts/metrics.mdx | 12 +++-- concepts/organizations.mdx | 22 +++++----- concepts/reports.mdx | 10 ++--- concepts/reviews.mdx | 16 +++---- concepts/security-portal.mdx | 10 ++--- concepts/takedowns.mdx | 18 ++++---- concepts/watchlist.mdx | 14 +++--- getting-started/how-it-works/asset-scans.mdx | 19 ++++---- getting-started/how-it-works/blocklist.mdx | 44 +++++++++---------- .../how-it-works/detection-sources.mdx | 9 ++-- .../how-it-works/how-we-use-ai.mdx | 21 +++++---- getting-started/how-it-works/review.mdx | 12 ++--- getting-started/how-it-works/takedown.mdx | 17 ++++--- getting-started/how-it-works/watchlist.mdx | 11 +++-- .../what-we-do/brand-impersonation.mdx | 9 ++-- .../what-we-do/general-phishing.mdx | 9 ++-- getting-started/what-we-do/introduction.mdx | 14 +++--- 23 files changed, 166 insertions(+), 199 deletions(-) diff --git a/concepts/allowlist.mdx b/concepts/allowlist.mdx index e4ec15c..9dcc0ec 100644 --- a/concepts/allowlist.mdx +++ b/concepts/allowlist.mdx @@ -25,7 +25,7 @@ Allowlists play a critical role in improving both **detection accuracy** and **s **Reference Baseline** - Allowlisted assets are used as reference points when analyzing potentially malicious content. ChainPatrol can compare a suspected phishing page against an allowlisted official website to determine whether branding is being copied, layout is being imitated, content is being duplicated, and visual elements are being stolen. For example, a suspicious site `examp1e.com` is detected. ChainPatrol compares it against your allowlisted `example.com` and identifies 95% visual similarity, identical logo usage, and copied page structure, resulting in high-confidence brand impersonation detection. -This dual role—exclusion from detection and use as a trusted baseline—makes allowlists essential for reliable brand impersonation analysis. +This dual role (exclusion from detection and use as a trusted baseline) makes allowlists essential for reliable brand impersonation analysis. ## What Can Be Allowlisted? @@ -133,9 +133,7 @@ Limiting access helps ensure that allowlists remain accurate, intentional, and a ## Key Takeaways -- **Known Safe Assets** - Allowlists define what is explicitly trusted -- **Dual Purpose** - Excludes from detection and serves as reference baseline -- **Conservative Approach** - Only allowlist assets you definitively control -- **Not Permanent Immunity** - Compromised assets can still be investigated and blocked -- **Flexible Granularity** - Organization-level or brand-level allowlisting -- **Restricted Access** - Only administrators can modify allowlists +- Allowlisting reduces false positive noise: Adding your official assets filters them from detection sources, letting your team focus review time on actual threats +- Conservative allowlisting prevents blind spots: Only add assets you definitively control because allowlisted assets that get compromised won't trigger automatic alerts +- Domain allowlisting uses smart matching: Adding `example.com` automatically trusts all subdomains, reducing maintenance while maintaining protection +- Allowlist changes require administrator privileges: This restriction prevents accidental or malicious allowlisting that could create security gaps diff --git a/concepts/asset-scans.mdx b/concepts/asset-scans.mdx index 4a2fd2e..520074c 100644 --- a/concepts/asset-scans.mdx +++ b/concepts/asset-scans.mdx @@ -125,13 +125,11 @@ A social profile claiming to be one of your employees is discovered. The profile - **Not a Human Report** - Asset scans are system-generated. Reports are created by users or external systems raising issues. - **Not a Case** - A scan can be clean or suspicious. A threat or incident record is created only when risk crosses thresholds or a human escalates it. -- **Not a Configuration** - Scans use your rules, thresholds, and service settings, but they are not where you configure behavior—they are the evidence those settings produce. +- **Not a Configuration** - Scans use your rules, thresholds, and service settings, but they are not where you configure behavior. They are the evidence those settings produce. ## Key Takeaways -- **Point-in-Time Snapshot** - Each scan captures asset state at a specific moment -- **Rich Context** - Enrichments provide comprehensive asset intelligence -- **Labels + Scores** - Findings summarize what the scan detected and how risky it appears -- **Timeline History** - Multiple scans show how an asset evolves over time -- **Evidence Base** - Scan data supports reviews, decisions, and takedown requests -- **Relationship Mapping** - Links and redirects can reveal broader campaigns +- One asset, many scans creates a timeline: Scanning the same URL multiple times shows how threats evolve, when they go live, and when takedowns succeed +- Selective enrichment balances speed and depth: Basic scans are fast, but when risk signals appear, deeper analysis triggers automatically to gather decisive evidence +- Liveness tracking enables automated workflows: Knowing when assets change from ALIVE to DEAD lets watchlist monitoring confirm takedown success without manual checking +- Relationship extraction reveals campaigns: Links and redirects discovered during scans help trace entire threat networks instead of treating each malicious site as isolated diff --git a/concepts/blocklist.mdx b/concepts/blocklist.mdx index 3acd125..b308e9f 100644 --- a/concepts/blocklist.mdx +++ b/concepts/blocklist.mdx @@ -11,17 +11,17 @@ A blocklist (also known as a denylist) is a database of confirmed malicious enti ChainPatrol's blocklist functions as a **threat intelligence database** that's continuously updated and distributed in real-time. -Unlike traditional security databases that may update daily or weekly, our blocklist provides immediate updates as threats are confirmed, ensuring protection is deployed within **15-30 minutes** rather than hours or days. +Unlike traditional security databases that may update daily or weekly, our blocklist provides immediate updates as threats are confirmed, ensuring protection is deployed within minutes rather than hours or days. -The blocklist serves as the foundation of proactive security—instead of waiting for users to encounter threats, we identify, verify, and distribute threat intelligence to prevent exposure before it happens. +The blocklist serves as the foundation of proactive security. Instead of waiting for users to encounter threats, we identify, verify, and distribute threat intelligence to prevent exposure before it happens. ## Why Do We Use a Blocklist and Why Is It Effective? ### The Problem with Traditional Takedowns -Traditional cybersecurity approaches rely heavily on **takedowns**—requesting hosting providers or domain registrars to remove malicious content. However, this approach has critical limitations: +Traditional cybersecurity approaches rely heavily on **takedowns**, requesting hosting providers or domain registrars to remove malicious content. However, this approach has critical limitations: -- **Slow Response Times** - 4-48 hours for hosting providers, 24-72 hours for domain takedowns +- **Slow Response Times** - Hours to days for hosting providers and domain takedowns - **Incomplete Coverage** - Some providers never respond or operate in non-cooperative jurisdictions - **Attack Window** - Scammers can steal funds within minutes of launching a phishing site - **Whack-a-Mole** - Attackers quickly spin up new domains or move to different providers @@ -30,9 +30,9 @@ Traditional cybersecurity approaches rely heavily on **takedowns**—requesting ChainPatrol's blocklist provides **immediate protection** through a "blocklist-first, takedown-second" approach: -1. **Speed** - Assets are blocklisted and distributed in 15-30 minutes after confirmation +1. **Speed** - Assets are blocklisted and distributed within minutes after confirmation 2. **Universal Coverage** - Protection works regardless of hosting provider, jurisdiction, or whether the malicious content remains online -3. **Point-of-Access Protection** - Blocks are enforced at the browser, wallet, and network level—where users actually interact with threats +3. **Point-of-Access Protection** - Blocks are enforced at the browser, wallet, and network level where users actually interact with threats 4. **Persistent Protection** - Even if a scammer sets up 100 copycat sites, each one gets blocklisted as soon as it's detected @@ -41,7 +41,7 @@ In web3, where transactions are irreversible and scams can drain wallets in seco ### Network Effects -The effectiveness of our blocklist increases exponentially with distribution. One confirmation protects millions of users across browsers, 20+ wallets, enterprise networks, and partner organizations. +The effectiveness of our blocklist increases exponentially with distribution. One confirmation protects millions of users across browsers, wallets, enterprise networks, and partner organizations. ## Who Contributes to the Blocklist? @@ -53,11 +53,11 @@ Anyone can report suspicious assets through our public reporting interface. Web3 ### Partner Organizations -100+ organizations using ChainPatrol for brand protection contribute threat intelligence. Wallet providers like MetaMask, Phantom, and Coinbase Wallet share detected threats. Security alliances including SEAL-ISAC, Crypto-ISAC, and other information sharing networks contribute, as do blockchain projects and DAOs monitoring for impersonation attacks. +Organizations using ChainPatrol for brand protection contribute threat intelligence. Wallet providers like MetaMask, Phantom, and Coinbase Wallet share detected threats. Security alliances including SEAL-ISAC, Crypto-ISAC, and other information sharing networks contribute, as do blockchain projects and DAOs monitoring for impersonation attacks. ### Automated Detection -Our AI-powered scanning detection engine continuously monitors using 50+ detection rules. We perform real-time monitoring of newly registered domains through Certificate Transparency, automated detection of impersonation accounts and scam posts through social media monitoring, and use honeypots—intentional traps that identify and track attacker infrastructure. +Our AI-powered scanning detection engine continuously monitors using detection rules. We perform real-time monitoring of newly registered domains through Certificate Transparency, automated detection of impersonation accounts and scam posts through social media monitoring, and use honeypots (intentional traps that identify and track attacker infrastructure). ### Expert Review Team @@ -137,7 +137,7 @@ Google Safe Browsing powers protection in Chrome, Safari, Edge, Firefox, and oth ### Wallet Providers -MetaMask (direct integration via Eth-Phishing-Detect), Phantom (real-time API integration), Coinbase Wallet, Trust Wallet, Rainbow, Ledger, WalletConnect, and 15+ additional wallets. Wallets warn users before connecting to malicious sites or interacting with scam contracts, preventing fund loss at the point of transaction. +MetaMask (direct integration via Eth-Phishing-Detect), Phantom (real-time API integration), Coinbase Wallet, Trust Wallet, Rainbow, Ledger, WalletConnect, and additional wallets across the ecosystem. Wallets warn users before connecting to malicious sites or interacting with scam contracts, preventing fund loss at the point of transaction. ### Web3 Applications @@ -145,7 +145,7 @@ Polymarket (content moderation and user protection), Snapshot (governance platfo ### Threat Intelligence -SEAL-ISAC (600+ members), Crypto-ISAC, Eth-Phishing-Detect (ChainPatrol is a core contributor), and Polkadot Phishing List for cross-chain threat sharing. Our blocklist feeds into the broader security ecosystem, creating a network effect where threats are shared across organizations and platforms. +SEAL-ISAC, Crypto-ISAC, Eth-Phishing-Detect (ChainPatrol is a core contributor), and Polkadot Phishing List for cross-chain threat sharing. Our blocklist feeds into the broader security ecosystem, creating a network effect where threats are shared across organizations and platforms. ### Enterprise Security @@ -157,9 +157,7 @@ A public API provides freely accessible blocklist data for developers and securi ## Key Takeaways -- **Real-Time Protection** - 15-30 minute response time vs. hours or days for takedowns -- **Network Distribution** - One confirmation can protect users across browsers, wallets, and partner ecosystems -- **Diverse Contributors** - Community, partners, automation, and expert review -- **Evidence-Based** - Requires both malicious intent and confirmation -- **Multi-Asset Support** - URLs, social accounts, blockchain addresses, and more -- **Publicly Accessible** - Open API and SDK for developers and researchers +- Immediate protection beats slow removal: Blocklisting provides user protection within minutes, while traditional takedowns can take hours or days (if they succeed at all) +- Network effects multiply protection value: Each confirmed threat automatically protects users across browsers, wallets, and partner platforms without requiring separate submissions +- Evidence-based verification prevents false positives: Requiring both malicious intent and confirmation ensures blocklist accuracy while human review catches edge cases +- Public accessibility enables ecosystem security: Open API access lets any wallet, browser, or security tool integrate blocklist protection without licensing barriers diff --git a/concepts/brands.mdx b/concepts/brands.mdx index 3fd670a..6ffc996 100644 --- a/concepts/brands.mdx +++ b/concepts/brands.mdx @@ -109,9 +109,7 @@ ChainPatrol keeps brand information structured and separate to ensure that each ## Key Takeaways -- **Identity Protection** - Brands represent identities that need protection -- **Two Types** - Company brands and individual brands -- **Three Components** - Terms, images, and assets define each brand -- **Automatic Attribution** - Threats are automatically assigned to brands -- **Multiple Brands** - One organization can protect many brands -- **Granular + Unified** - Individual control with organizational oversight +- Brand structure enables targeted monitoring: Separating your company brand from product brands or executive brands lets you configure different detection rules and thresholds for each +- Automatic threat attribution provides context: When a threat targets a specific brand, automatic assignment helps prioritize response based on which identity is under attack +- Terms and images drive detection accuracy: Comprehensive brand definitions with common misspellings and visual assets improve automated detection while reducing false positives +- Multiple brands under one organization maintain central oversight: Individual brand teams can manage their protection while organization admins retain visibility and control across all brands diff --git a/concepts/detections.mdx b/concepts/detections.mdx index ecf8f94..04990bf 100644 --- a/concepts/detections.mdx +++ b/concepts/detections.mdx @@ -38,26 +38,26 @@ Each detection contains: 7. **Auto-Reporting (Optional)** - If your organization has auto-reporting enabled and the detection score exceeds your medium threshold, the system can automatically create a report with the detected asset, mark the asset as blocked, submit takedown requests (if configured), and send notifications to your team. -**Auto-Reporting Requirements:** Score must meet or exceed your medium threshold (typically 0.6-0.7), detection source must be enabled, asset must not already be blocked, and asset must not have been previously rejected multiple times. +**Auto-Reporting Requirements:** Score must meet or exceed your medium threshold, detection source must be enabled, asset must not already be blocked, and asset must not have been previously rejected multiple times. ## Confidence Levels Detections are categorized into confidence levels based on your organization's thresholds: -### None (Score 0 to Low Threshold, typically < 0.4) +### None (Score 0 to Low Threshold) Low confidence detections. May be false positives or tangentially related to your brand. Useful for monitoring trends but rarely require action. Examples include generic mention of your brand in unrelated context, weak keyword matches, and minimal similarity indicators. -### Low (Low Threshold to Medium Threshold, typically 0.4 - 0.6) +### Low (Low Threshold to Medium Threshold) Some indicators suggest a potential threat, but evidence is limited. Requires manual review to confirm. Common scenarios include domain contains your brand name but has legitimate business purpose, social media mentions your brand in neutral context, and weak visual or textual similarity. -### Medium (Medium Threshold to High Threshold, typically 0.6 - 0.8) +### Medium (Medium Threshold to High Threshold) Strong indicators of malicious intent. Multiple detection rules triggered with reasonable confidence. Common scenarios include new domain with brand name and suspicious keywords, social media account impersonating your brand with stolen logo, and token contract with similar name on blockchain. This is the typical threshold for automatic reporting and blocking. -### High (High Threshold and above, typically > 0.8) +### High (High Threshold and above) Very strong evidence of malicious activity. Multiple high-confidence rules triggered. Common scenarios include perfect visual replica of your website, domain nearly identical to yours (typosquatting), known phishing infrastructure, and contains wallet drainer code. High confidence detections require immediate attention and rapid response. @@ -91,9 +91,7 @@ The system automatically handles duplicate detections to prevent alert fatigue: ## Key Takeaways -- **Automated Discovery** - Detections are automatically identified by monitoring sources -- **Analysis + Rules Engine** - Scans and rules evaluate threat indicators and evidence -- **Confidence Scoring** - A 0-1 score indicates likelihood of being malicious -- **Group Tracking** - Related threats linked via group IDs -- **Smart Deduplication** - Prevents alert fatigue while maintaining visibility -- **Auto-Reporting** - High-confidence threats can be automatically reported +- Detection is the entry point, not the decision: A detection indicates potential threat, but review and approval are required before blocking to prevent false positives +- Group IDs reveal campaign scope: When one detection links to multiple related assets, you can identify and report entire phishing campaigns instead of blocking sites one at a time +- Threshold configuration balances coverage and noise: Lower thresholds catch more threats but require more review, while higher thresholds miss edge cases but reduce workload +- Deduplication across sources increases confidence: When multiple independent detection sources flag the same asset, it provides stronger evidence of malicious intent diff --git a/concepts/legal-docs.mdx b/concepts/legal-docs.mdx index 33f5b30..679a01d 100644 --- a/concepts/legal-docs.mdx +++ b/concepts/legal-docs.mdx @@ -156,7 +156,7 @@ Documents are used solely for the purpose of supporting takedown submissions. ### Usage Policy -Legal documents are not directly part of the takedown object—they are applied only during the submission process when a provider requires them. +Legal documents are not directly part of the takedown object. They are applied only during the submission process when a provider requires them. **How it works:** @@ -180,9 +180,7 @@ This approach minimizes unnecessary exposure of sensitive documents while ensuri ## Key Takeaways -- **Proof of Authority** - Legal docs prove ownership and authorization -- **Three Main Types** - Trademark registration, LOA, and POA -- **Provider Requirements** - Different platforms require different documents -- **Secure Handling** - Stored and accessed with encryption and strict controls -- **Used When Needed** - Applied only during submission process -- **Keep Current** - Up-to-date documents are critical for successful takedown requests +- Legal documentation gates takedown success: Most providers require proof of ownership and authority before removing content, so having documents ready accelerates response times +- Different providers demand different documents: Domain registrars typically want trademark registration, social platforms often need POA, and some hosting providers accept LOA +- Current documents prevent delays: Expired trademarks or outdated authorizations will be rejected, forcing resubmission and extending the time malicious content stays live +- Security is critical for sensitive documents: Trademark registrations and POAs contain business-critical information, so proper encryption and access controls protect against leaks diff --git a/concepts/metrics.mdx b/concepts/metrics.mdx index 3cfd924..8f1fe1e 100644 --- a/concepts/metrics.mdx +++ b/concepts/metrics.mdx @@ -82,7 +82,7 @@ Threats blocked per brand inside your organization, showing which brands are tar **Takedowns** - Takedown records power Takedowns Filed, Takedowns Completed, and Median time to takedown per asset type and category. These metrics show how quickly threats are being removed once identified. -**Brands and Services** - Metrics can be filtered by brand to show which brands are most targeted. Enabling services like detection, reviewing, takedowns, and wallet blocking typically increases visibility in metrics (more threats found, blocked, and removed). Higher threat counts don't mean you're less secure—they mean you're detecting more threats that were always there. +**Brands and Services** - Metrics can be filtered by brand to show which brands are most targeted. Enabling services like detection, reviewing, takedowns, and wallet blocking typically increases visibility in metrics (more threats found, blocked, and removed). Higher threat counts don't mean you're less secure; they mean you're detecting more threats that were always there. ## Examples @@ -100,9 +100,7 @@ For provider performance review, you analyze median time to takedown by asset ty ## Key Takeaways -- **High-Level Summary** - Metrics aggregate activity into readable summaries -- **Organization-Specific** - Always calculated for your specific organization -- **Time-Bound** - Every view uses a specific time window -- **Filterable** - Break down by brand, asset type, and category -- **Speed Metrics** - Median time to takedown and daily trends -- **Actionable Insights** - Identify trends and adjust protection strategies +- Metrics reveal protection gaps: Tracking detections by channel shows where attackers focus, helping you prioritize monitoring efforts on platforms with highest threat activity +- Time-based analysis identifies campaign patterns: Sudden spikes in detections often indicate coordinated campaigns, while steady increases suggest growing attacker interest +- Speed metrics drive operational improvements: Median time to block and takedown completion times help identify bottlenecks in your response process +- Filtering enables strategic decisions: Breaking down metrics by brand, asset type, or threat category reveals which parts of your organization face the most risk diff --git a/concepts/organizations.mdx b/concepts/organizations.mdx index fd100ed..2bebf0d 100644 --- a/concepts/organizations.mdx +++ b/concepts/organizations.mdx @@ -31,7 +31,7 @@ That said, you're not locked out of the process. If you want your team to be mor - **Approve or Decline** - Review and approve specific takedowns or blocklist decisions before they take effect - **Connect Tools** - Integrate Slack, Telegram, SSO, and other tools to fit ChainPatrol into your existing workflows -You decide how involved you want to be—from fully hands-off to deeply integrated with your team's operations. +You decide how involved you want to be, from fully hands-off to deeply integrated with your team's operations. ## Brands and Assets @@ -45,7 +45,7 @@ We use brands to detect **brand impersonation** attacks including lookalike doma ### What are Assets? -In addition to brands, your organization also has **assets**—the digital properties that actually belong to you: +In addition to brands, your organization also has **assets**, the digital properties that actually belong to you: - **Websites** - Domains and web applications - **Social Accounts** - Twitter, Discord, Telegram, etc. @@ -62,7 +62,7 @@ Each organization can turn individual services on or off depending on what you n ### Detection -Enables ChainPatrol's automated scanning across the web, social platforms, app stores, and other sources. When this is turned on, we continuously look for new threats targeting your brands. This is the foundation service—required for all other services. +Enables ChainPatrol's automated scanning across the web, social platforms, app stores, and other sources. When this is turned on, we continuously look for new threats targeting your brands. This is the foundation service (required for all other services). ### Monitoring & Reporting @@ -74,7 +74,7 @@ Turns on ChainPatrol's review workflows, where our team validates suspicious ass ### Obligatory Organization Admin Approval -Adds a final approval step for specific types of assets. When enabled, you choose which asset categories (like domains, social media, or messaging platforms) require explicit confirmation from an admin in your organization before ChainPatrol's blocklist decisions take effect. If you don't select any specific types, all asset types will require approval. This is optional—for organizations requiring internal oversight. +Adds a final approval step for specific types of assets. When enabled, you choose which asset categories (like domains, social media, or messaging platforms) require explicit confirmation from an admin in your organization before ChainPatrol's blocklist decisions take effect. If you don't select any specific types, all asset types will require approval. This is optional, for organizations requiring internal oversight. ### Wallet Blocking @@ -82,7 +82,7 @@ Allows approved crypto-related threats to be added to ChainPatrol's global block ### Takedowns -Enables ChainPatrol to file takedown requests with hosting providers, registrars, and platforms on your behalf. When this service is on, we don't just block threats—we work to get them removed from the internet entirely. Requires legal documentation (trademark proof, authorized representative details). Recommended for comprehensive protection. +Enables ChainPatrol to file takedown requests with hosting providers, registrars, and platforms on your behalf. When this service is on, we don't just block threats but work to get them removed from the internet entirely. Requires legal documentation (trademark proof, authorized representative details). Recommended for comprehensive protection. ### Automated Takedowns @@ -111,7 +111,7 @@ You control who can access your organization and what they're allowed to do. - **Member Management** - Invite, remove, or modify team members -This permission system ensures that potentially destructive actions—like turning on Wallet Blocking or Automated Takedowns—only happen with your organization's explicit permission. +This permission system ensures that potentially destructive actions (like turning on Wallet Blocking or Automated Takedowns) only happen with your organization's explicit permission. ChainPatrol's staff handle the day-to-day security operations, but you retain ultimate control over approvals, visibility, and how the platform integrates with your team. @@ -128,9 +128,7 @@ ChainPatrol's staff handle the day-to-day security operations, but you retain ul ## Key Takeaways -- **Centralized Workspace** - Everything happens within your organization -- **Fully Managed** - ChainPatrol handles day-to-day operations -- **Flexible Involvement** - Choose your level of hands-on participation -- **Configurable Services** - Enable only what you need -- **Granular Permissions** - Control who can do what -- **You're in Control** - Final say on all critical decisions +- Organizations provide centralized visibility across brands: One dashboard shows threat activity for all your brands, products, and executives instead of fragmented monitoring +- Service toggles let you start simple and expand: Begin with monitoring and manual blocking, then enable automated detection, takedowns, and API access as needs grow +- Role-based permissions balance access and security: Admins can configure settings and approve blocks, while reporters can submit threats without changing system configuration +- Managed service means no infrastructure to maintain: ChainPatrol handles detection sources, review workflows, and provider relationships so you focus on decisions, not operations diff --git a/concepts/reports.mdx b/concepts/reports.mdx index 48f07db..2d9ff8d 100644 --- a/concepts/reports.mdx +++ b/concepts/reports.mdx @@ -115,9 +115,7 @@ Creating a report in ChainPatrol is straightforward: ## Key Takeaways -- **Bundle Assets** - Reports can contain multiple related assets -- **Multiple Sources** - Created manually, via API, or automatically -- **Expert Review** - ChainPatrol team reviews every report -- **Three Statuses** - TODO, IN_PROGRESS, CLOSED -- **Easy Submission** - Simple process with automatic asset detection -- **Context Matters** - More evidence = faster, better review +- Multi-asset reports capture campaign scope: Grouping related threats in one report helps reviewers understand attack patterns and makes blocking entire campaigns more efficient +- Context accelerates review decisions: Reports with screenshots, explanations, and evidence of harm move through review faster than bare URLs with no context +- Three submission methods serve different needs: Manual reports for ad-hoc discoveries, API reports for automated detection systems, and portal reports for community submissions +- Report status tracks progress without micromanagement: TODO, IN_PROGRESS, and CLOSED states provide visibility while letting the security team work without constant updates diff --git a/concepts/reviews.mdx b/concepts/reviews.mdx index db4c786..b73dfe9 100644 --- a/concepts/reviews.mdx +++ b/concepts/reviews.mdx @@ -72,14 +72,14 @@ The ChainPatrol automation system automatically reviews proposals under specific A proposal is automatically approved when: 1. **Trusted Reporter Submissions** - Reports from trusted reporters are auto-approved if they don't trigger legitimacy warnings -2. **High Threat Score** - Reports with a threat score of 1.0 or higher are auto-approved if no legitimacy checks indicate the asset is legitimate, the organization doesn't require customer approval, and there's no active dispute on the report +2. **High Threat Score** - Reports with sufficiently high threat scores are auto-approved if no legitimacy checks indicate the asset is legitimate, the organization doesn't require customer approval, and there's no active dispute on the report ### Auto-Skip Criteria A proposal is automatically skipped (sent for manual review) when: - High-confidence rules indicate the asset appears legitimate -- The threat score is below 1.0 +- The threat score is below the auto-approval threshold - Organization settings require manual approval from their team - Someone has disputed the report - Too many auto-approvals in a short time period @@ -92,7 +92,7 @@ The automation system calculates a threat score by analyzing multiple factors. **General Phishing** indicators include credential harvesting forms, suspicious URL patterns, malicious links, social engineering tactics, and wallet connection scams (score range 0.0 - 1.0+). -**Score Calculation** - The system takes the maximum score from each category and adds them together. For example: Brand impersonation 0.6 + General phishing 0.8 = Total score 1.4 (auto-approved). This ensures multiple detections don't artificially inflate the total. +**Score Calculation** - The system combines scores from different detection categories. Multiple detections across categories increase confidence while preventing artificial score inflation. ## Evidence Reviewed @@ -155,9 +155,7 @@ This approach ensures we block real threats quickly while maintaining accuracy a ## Key Takeaways -- **Decision Points** - Reviews approve, reject, skip, or escalate proposals -- **Hybrid Approach** - Combines automation with human expertise -- **Threat Scoring** - Automated scoring determines auto-approval -- **Multiple Evidence Types** - Rules, scans, context, and history inform decisions -- **Safety Window** - 5-minute revert window for mistakes -- **Escalation Paths** - Complex cases go to customers or senior analysts +- Four decision types prevent deadlock: Unlike binary approve/reject systems, Skip and Escalate ensure unclear threats get proper attention without forcing premature decisions +- Trusted reporters enable fast response: Pre-verified security researchers can submit high-confidence reports that bypass standard review, accelerating protection for known threats +- Five-minute revert window catches mistakes: This safety buffer lets reviewers undo accidental decisions before changes propagate, balancing speed with accuracy +- Escalation paths preserve expertise: Customer escalations leverage brand context for ambiguous cases, while team escalations route complex threats to senior analysts diff --git a/concepts/security-portal.mdx b/concepts/security-portal.mdx index 1ada22f..6e0b50b 100644 --- a/concepts/security-portal.mdx +++ b/concepts/security-portal.mdx @@ -113,9 +113,7 @@ From there, the report goes through the same review process as any other submiss ## Key Takeaways -- **Public Reporting Page** - Branded landing page for community threat reports -- **Easy Submission** - No account required for public portals -- **Three Visibility Levels** - Disabled, Private, or Public access -- **Optional Transparency** - Show public reports and metrics -- **Same Review Process** - Reports flow through standard review workflow -- **Unique URL** - Based on your organization's slug +- Community reporting acts as an early warning system: Users often encounter threats before your internal team, so a public security portal captures intelligence from the front lines +- No-account submission lowers barriers: Requiring registration dramatically reduces report volume, so public portals accept submissions without login to maximize threat discovery +- Transparency builds trust with your community: Publishing metrics and showing how you respond to reports demonstrates active protection and encourages continued reporting +- Portal reports flow through the same rigorous review: Public submissions get the same expert analysis as internal detections, ensuring quality while maintaining speed diff --git a/concepts/takedowns.mdx b/concepts/takedowns.mdx index bfc07b5..36c8a63 100644 --- a/concepts/takedowns.mdx +++ b/concepts/takedowns.mdx @@ -28,9 +28,9 @@ Because digital threats appear across many parts of the internet, takedowns may ### Websites -**Hosting Providers** - Organizations that host website content (AWS, Cloudflare, Vercel, shared hosting companies, VPS and dedicated server providers). Typical response time: 4-48 hours. +**Hosting Providers** - Organizations that host website content (AWS, Cloudflare, Vercel, shared hosting companies, VPS and dedicated server providers). -**Domain Registrars** - Companies that register and manage domain names (GoDaddy, Namecheap, Google Domains, country-specific registrars, reseller networks). Typical response time: 24-72 hours. +**Domain Registrars** - Companies that register and manage domain names (GoDaddy, Namecheap, Google Domains, country-specific registrars, reseller networks). **TLD Registries** - Organizations managing top-level domains (.com, .xyz, etc.) like Verisign (.com, .net), Public Interest Registry (.org), and country-code registries. Response time varies widely. @@ -71,13 +71,13 @@ Regardless of the platform, the purpose of a takedown is the same: **to remove d - **CANCELED** - Takedown stopped (e.g., content invalid or unnecessary) - **PENDING RETRACTION** - Identified as false positive, marked for retraction - **RETRACTION SENT** - Formal retraction request submitted to provider -- **RETRACTED** - Provider confirmed retraction—takedown reversed +- **RETRACTED** - Provider confirmed retraction, takedown reversed ## What Makes Takedowns Effective **Legal Documentation** - Effective takedowns require Power of Attorney (POA) authorizing action, trademark registration documents, clear evidence of abuse or impersonation, and authorized representative details. ChainPatrol handles all legal documentation and submission on your behalf. -**Provider Relationships** - We maintain relationships with 100+ providers with known abuse contact information, established reporting procedures, track record of successful takedowns, and understanding of each provider's requirements. +**Provider Relationships** - We maintain relationships with providers across the ecosystem with known abuse contact information, established reporting procedures, track record of successful takedowns, and understanding of each provider's requirements. **Persistent Follow-Up** - We don't just submit and forget. We perform regular status checks, follow-up communications, escalation when needed, and alternative approaches if initial request fails. @@ -85,9 +85,7 @@ Regardless of the platform, the purpose of a takedown is the same: **to remove d ## Key Takeaways -- **Formal Removal Request** - Takedowns are official requests to remove content -- **Multiple Platforms** - Sent to hosting, social media, app stores, and more -- **Lifecycle Tracking** - From TODO to COMPLETED with full visibility -- **Complement to Blocklisting** - Works alongside blocklists for comprehensive protection -- **Legal Documentation** - Requires proper authorization and evidence -- **Provider Follow-Through** - Established channels and persistent monitoring until completion +- Takedowns provide permanent removal while blocklists provide immediate protection: Use both together to protect users instantly via blocklists while working toward complete threat elimination through takedowns +- Automatic retraction prevents wrongful removals: When false positives are identified, retraction requests go to providers quickly to halt or reverse takedowns before legitimate content is removed +- Provider-specific formatting increases success rates: Different platforms have different submission requirements, and using the correct format for each provider improves response times and removal rates +- Lifecycle tracking enables data-driven decisions: Complete visibility from TODO to COMPLETED helps identify which providers respond fastest and which threats are hardest to remove diff --git a/concepts/watchlist.mdx b/concepts/watchlist.mdx index 77e488a..9bddad7 100644 --- a/concepts/watchlist.mdx +++ b/concepts/watchlist.mdx @@ -8,7 +8,7 @@ description: "Understanding how ChainPatrol monitors assets for future action" The watchlist is a set of assets that we monitor to see if we can action on them further in the future. -Think of the watchlist as a "middle ground" between blocking and allowing—assets that need continued observation before a final decision can be made. +Think of the watchlist as a "middle ground" between blocking and allowing: assets that need continued observation before a final decision can be made. ## Why Would We Need to Watchlist Something? @@ -70,7 +70,7 @@ Who can do this: ChainPatrol security analysts, customer administrators (for the ### Automatic Watchlisting -Every asset is automatically added to the watchlist when a takedown is initiated. Triggers include takedown request submitted, takedown status changes to "IN_PROGRESS", and asset needs monitoring for completion. No manual intervention required—system automatically adds to watchlist, monitoring begins immediately, and removal happens automatically when offline. +Every asset is automatically added to the watchlist when a takedown is initiated. Triggers include takedown request submitted, takedown status changes to "IN_PROGRESS", and asset needs monitoring for completion. No manual intervention required: system automatically adds to watchlist, monitoring begins immediately, and removal happens automatically when offline. ## How the Watchlist Works @@ -121,9 +121,7 @@ Assets are automatically removed from the watchlist when: ## Key Takeaways -- **Middle Ground** - Watchlist is for assets between blocking and allowing -- **Two Main Purposes** - Inconclusive evidence and takedown monitoring -- **Adaptive Monitoring** - Scan frequency adjusts based on time and status -- **Automatic + Manual** - Assets can be watchlisted automatically for takedowns or manually during review -- **Multiple Exit Paths** - Assets leave watchlist when status becomes clear -- **Time-Based Decay** - Long-term uncertain assets are eventually removed +- Watchlist solves the gray area problem: When you suspect an asset might be malicious but lack evidence to block, watchlisting lets you monitor for changes without premature action +- Automatic takedown monitoring saves manual work: Every takedown automatically adds the asset to watchlist, eliminating the need to manually check if content has been removed +- Adaptive frequency optimizes resources: Recent additions scan frequently to catch rapid changes, while stable assets scan less often to avoid wasting resources on unlikely updates +- 30-day decay prevents bloat: Assets that stay UNKNOWN for a month without becoming malicious are automatically removed, keeping monitoring focused on active threats diff --git a/getting-started/how-it-works/asset-scans.mdx b/getting-started/how-it-works/asset-scans.mdx index fd513de..531d0ca 100644 --- a/getting-started/how-it-works/asset-scans.mdx +++ b/getting-started/how-it-works/asset-scans.mdx @@ -24,7 +24,7 @@ ChainPatrol supports many asset types across the digital landscape: Understanding the difference is key to how our monitoring works: -**Asset** - An asset is the thing itself—a URL, handle, listing, or address. Example: `https://fake-metamask.com` +**Asset** - An asset is the thing itself: a URL, handle, listing, or address. Example: `https://fake-metamask.com` **Asset Scan** - An asset scan is a time-stamped snapshot of that asset. The same asset may be scanned many times, and scans form a timeline of changes. Example: Scan #1 (Jan 1), Scan #2 (Jan 3), Scan #3 (Jan 5) @@ -49,12 +49,12 @@ Our scanning process follows a systematic approach to evaluate threats efficient 2. **Enrich with Context** - Depending on asset type, we collect relevant data: **Web URL / Page Enrichments:** - - HTTP fetch results (status, redirects, extracted links, basic metadata like title/description) - - Optional browser capture (screenshot/DOM signals when available) - - Network and registration context (e.g., DNS, TLS, WHOIS/RDAP when enabled) + - HTTP fetch results (status, redirects, extracted links, basic metadata like title and description) + - Optional browser capture (screenshot and DOM signals when available) + - Network and registration context (DNS, TLS, WHOIS/RDAP when enabled) **Platform/API Enrichments:** - - Profile/listing details (descriptions, author/publisher fields, follower/engagement signals, etc.) + - Profile and listing details (descriptions, author and publisher fields, follower and engagement signals) Some enrichments run only when earlier signals suggest elevated risk to keep scans efficient. @@ -106,8 +106,7 @@ Our scanning infrastructure processes thousands of assets daily, providing real- ## Key Takeaways -- Asset scans are time-stamped snapshots that help track risk and change over time -- Scans can be triggered by sources, manual/API requests, and ongoing monitoring -- The scan pipeline includes normalization, enrichment, analysis, scoring, and relationships -- Results support review decisions, automation, and ongoing monitoring hygiene -- Efficient scanning relies on adaptive scheduling and selective enrichment +- One asset, many scans: The same URL can be scanned multiple times to create a timeline showing how threats evolve or when they're taken down +- Selective enrichment saves resources: Deep analysis only triggers when initial signals suggest elevated risk, keeping scans fast for low-risk assets +- Liveness tracking enables automation: Knowing when an asset goes from ALIVE to DEAD lets us automatically confirm successful takedowns +- Relationship discovery reveals campaigns: Extracting links and redirects from scans helps you trace entire threat networks instead of blocking sites one at a time diff --git a/getting-started/how-it-works/blocklist.mdx b/getting-started/how-it-works/blocklist.mdx index 6409c9b..dc9cbbd 100644 --- a/getting-started/how-it-works/blocklist.mdx +++ b/getting-started/how-it-works/blocklist.mdx @@ -7,17 +7,17 @@ description: "Real-time, community-powered database of confirmed phishing sites ChainPatrol's Blocklist is a real-time, community-powered database of confirmed phishing sites, scams, and malicious assets that protects users across the web3 ecosystem. -The ChainPatrol Blocklist is a continuously updated list of **350,000+ malicious websites**, social media accounts, and blockchain addresses that have been confirmed as threats through our expert review process. When an asset is added to the blocklist, it's automatically distributed to our network of security integrations to protect users in real-time. +The ChainPatrol Blocklist is a continuously updated list of hundreds of thousands of malicious websites, social media accounts, and blockchain addresses that have been confirmed as threats through our expert review process. When an asset is added to the blocklist, it's automatically distributed to our network of security integrations to protect users in real-time. ### Key Features -- **Global Coverage** - Combines threat intelligence from 100+ organizations using ChainPatrol -- **Rapid Response** - Assets blocklisted and distributed in 15-30 minutes after confirmation +- **Global Coverage** - Combines threat intelligence from organizations across the ecosystem +- **Rapid Response** - Assets blocklisted and distributed within minutes after confirmation - **Freely Accessible** - Available via public API to maximize distribution and protection -- **20+ Integrations** - Automatically distributed to wallets, browsers, and security tools +- **Wide Integration** - Automatically distributed to wallets, browsers, and security tools -Traditional takedown processes take hours or days. ChainPatrol provides protection in **15-30 minutes**. +Traditional takedown processes take hours or days. ChainPatrol provides protection within minutes. ## How Assets Get Blocklisted @@ -34,7 +34,7 @@ Only assets that pass through this review and approval process are added to the ## Blocklist Integrations -ChainPatrol's blocklist is integrated with 20+ wallets, browsers, and security platforms: +ChainPatrol's blocklist is integrated with wallets, browsers, and security platforms: ### Browser Security @@ -51,9 +51,9 @@ Major integrations include: - **Rainbow Wallet** - Via WalletConnect and direct APIs - **Trust Wallet** - Via multiple blocklist sources - **Ledger Live** - Via blocklist APIs -- **WalletConnect** - Real-time API protecting 20+ wallets +- **WalletConnect** - Real-time API protecting connected wallets -And 15+ additional wallet providers. +And additional wallet providers across the ecosystem. ### Threat Intelligence @@ -107,7 +107,7 @@ If you've reported an asset that turns out to be legitimate: 2. Create an ALLOW proposal with your reasoning 3. Our team will review and update the status if appropriate -When an asset is removed from the blocklist, the update is distributed to all integration partners within the same **15-30 minute timeframe**. +When an asset is removed from the blocklist, the update is distributed to all integration partners within the same rapid timeframe. ## Blocklist Distribution @@ -128,38 +128,38 @@ In the case of a false positive, we will submit retraction requests for ChainPat ## Why Distribution Matters -Traditional cybersecurity relies on **takedowns** — requesting hosting providers or domain registrars to remove malicious content. +Traditional cybersecurity relies on **takedowns**, requesting hosting providers or domain registrars to remove malicious content. ### Traditional Takedown Timeline -- **Hosting Provider** - 4-48 hours for takedown -- **Domain Registrar** - 24-72 hours for takedown +- **Hosting Providers** - Hours to days for takedown +- **Domain Registrars** - Often longer response times - **No Response** - Some providers never respond ### ChainPatrol's Blocklist Approach -ChainPatrol provides **immediate protection** by: +ChainPatrol provides immediate protection by: - **Browser & Wallet Blocking** - Block access at the browser and wallet level - **Always-On Protection** - Protect users even if the site remains online - **Universal Coverage** - Works across all hosting providers and jurisdictions -- **15-30 Minute Response** - Users protected in minutes, not days +- **Rapid Response** - Users protected in minutes, not days -This **"blocklist-first, takedown-second"** approach means users are protected within minutes, not days. +This "blocklist-first, takedown-second" approach means users are protected within minutes, not days. ## Blocklist vs. Takedown Comparison | Aspect | ChainPatrol Blocklist | Traditional Takedown | |--------|----------------------|---------------------| -| **Response Time** | 15-30 minutes | 4-72 hours (or never) | -| **Coverage** | 20+ integrations | Single hosting provider | +| **Response Time** | Minutes | Hours to days (or never) | +| **Coverage** | Multiple integrations | Single hosting provider | | **User Protection** | Immediate | Delayed until removal | | **Jurisdiction** | Global | Provider-dependent | -| **Success Rate** | 100% distribution | Varies by provider | +| **Success Rate** | Consistent distribution | Varies by provider | ## Key Takeaways -- The blocklist is a continuously updated database of confirmed malicious assets -- Blocklisted assets are distributed to integrations to protect users quickly -- Disputes and retractions help address false positives and propagate corrections -- “Blocklist-first, takedown-second” reduces user exposure during takedown delays +- Blocklist provides immediate protection while takedowns are processed: Users are protected within minutes via wallet and browser integrations, even as takedown requests work through slower provider channels +- Distribution multiplies your protection reach: A single blocked asset automatically protects users across browsers, wallets, and platforms without separate submissions +- False positive handling is fast and coordinated: Retractions propagate through the same distribution channels as blocks, ensuring corrections reach all integrated platforms +- Public API enables ecosystem-wide protection: Making the blocklist freely accessible means any wallet, browser, or security tool can integrate and protect their users diff --git a/getting-started/how-it-works/detection-sources.mdx b/getting-started/how-it-works/detection-sources.mdx index dac707e..5060bad 100644 --- a/getting-started/how-it-works/detection-sources.mdx +++ b/getting-started/how-it-works/detection-sources.mdx @@ -159,8 +159,7 @@ Our infrastructure is designed to handle high-volume monitoring without impactin ## Key Takeaways -- Detection sources continuously scan specific platforms and data streams for threats -- Sources run on schedules and submit discovered assets into the analysis pipeline -- Coverage spans search engines, social platforms, app stores, and Web3 surfaces -- Configuration controls status, scope, and schedule (including custom schedules) -- Best results come from good included/excluded terms and iterative tuning +- Start broad, then refine: Enable core sources first (search engines and social media), then expand to specialized sources based on where your threats appear +- Quality over quantity: Well-configured included and excluded terms on fewer sources beats poorly configured monitoring across all platforms +- Different sources catch different threats: A domain might not show in Google Search but appear in Certstream, so layer your coverage for comprehensive protection +- Auto-reporting works best after calibration: Review initial detections manually to fine-tune your thresholds before enabling automatic blocking diff --git a/getting-started/how-it-works/how-we-use-ai.mdx b/getting-started/how-it-works/how-we-use-ai.mdx index 99a567a..749867b 100644 --- a/getting-started/how-it-works/how-we-use-ai.mdx +++ b/getting-started/how-it-works/how-we-use-ai.mdx @@ -5,7 +5,7 @@ description: "Learn how ChainPatrol's AI-powered detection engine protects your ## Overview -In Web3, threats move fast. Phishing sites can be spun up in minutes, targeting your community before traditional security measures can respond. That's why we built an AI-first detection engine—one that identifies and neutralizes threats **within seconds**, not hours. +In Web3, threats move fast. Phishing sites can be spun up in minutes, targeting your community before traditional security measures can respond. That's why we built an AI-first detection engine that identifies and neutralizes threats within seconds, not hours. Our approach combines the speed of automation with the precision of human expertise, ensuring your brand stays protected around the clock. @@ -41,7 +41,7 @@ Our AI analyzes text content across platforms to identify threats: Phishing sites often look identical to legitimate ones. Our visual AI catches them: - **Visual Similarity Analysis** - Compares page appearance against your legitimate sites to catch pixel-perfect impersonation attempts -- **Structural Pattern Matching** - Examines page structure, code patterns, and layouts to identify known phishing templates—even when visuals differ +- **Structural Pattern Matching** - Examines page structure, code patterns, and layouts to identify known phishing templates, even when visuals differ - **Real-Time Scanning** - Continuously monitors suspicious URLs for visual indicators of threats ### Web3-Specialized Detection @@ -71,11 +71,11 @@ At the core of our system is a sophisticated decision engine that: - **Cross-Reference Validation** - Checks against known threat databases and patterns - **Instant Decisions** - Makes final determinations in seconds -No single signal is enough on its own—multiple independent checks must pass before a threat is actioned, helping maintain accuracy while preserving speed. +No single signal is enough on its own. Multiple independent checks must pass before a threat is actioned, helping maintain accuracy while preserving speed. ## Platform Coverage -Our AI monitors threats across **50+ platforms**—and we can add new integrations within days. +Our AI monitors threats across 50+ platforms, and we can add new integrations within days. **Core Detection Types:** URLs & Domains, Web Pages, Wallet Addresses, Phone Numbers, Email Addresses, Forms & Surveys @@ -85,7 +85,7 @@ Our AI monitors threats across **50+ platforms**—and we can add new integratio **Web3 Platforms:** OpenSea, ENS, IPFS, Farcaster, Blur, Magic Eden, DeBank, Bluesky, Primal, DeSo -**Need coverage for a platform we don't list?** Contact us—new integrations can be added within days. +**Need coverage for a platform we don't list?** Contact us. New integrations can be added within days. ## Real-Time Threat Distribution @@ -93,7 +93,7 @@ When our AI detects a threat, it doesn't just sit in a database. We push it dire ### Browser Protection -**Google Safe Browsing** - Our integration means threats are blocked in Chrome, Edge, and Safari—reaching billions of users worldwide. +**Google Safe Browsing** - Our integration means threats are blocked in Chrome, Edge, and Safari, reaching billions of users worldwide. ### Wallet Protection @@ -119,8 +119,7 @@ Our AI gets smarter every day through: ## Key Takeaways -- AI-first monitoring helps respond to fast-moving Web3 threats in seconds -- ChainPatrol balances automation with human review for accuracy and speed -- Detection combines content, visual, and Web3-specific signals -- A decision engine aggregates signals and confidence scores to take action -- Confirmed threats can be distributed quickly to integrated platforms +- Speed without sacrifice: Automated detection handles high-confidence threats instantly while human review prevents false positives on edge cases +- Layered protection is stronger: Multiple AI signals must agree before action is taken, which prevents both missed threats and wrongly blocked assets +- Training on Web3-specific threats matters: Generic phishing detection misses wallet drainers and fake airdrop patterns that our specialized models catch +- Direct integrations multiply impact: A single detection can protect users across browsers, wallets, and platforms within seconds of confirmation diff --git a/getting-started/how-it-works/review.mdx b/getting-started/how-it-works/review.mdx index 6ab10df..1966f93 100644 --- a/getting-started/how-it-works/review.mdx +++ b/getting-started/how-it-works/review.mdx @@ -64,8 +64,8 @@ For a Proposal to be automatically approved, **all** of the following must be tr - No Legitimacy Rules of "Very High" confidence have passed **Approval Triggers (at least one must be true):** -- **Option 1:** High Risk Score (the overall Risk Score of the Asset meets our confidence threshold) -- **Option 2:** Trusted Reporter (the Asset was part of a Report created by a Trusted Reporter) +- High Risk Score - the overall Risk Score of the Asset meets our confidence threshold +- Trusted Reporter - the Asset was part of a Report created by a Trusted Reporter ## Human Review @@ -98,7 +98,7 @@ Since automation only handles Proposals to block Assets with high confidence sco ## Key Takeaways -- Reviews evaluate proposals that change an asset’s status (blocked/allowed/unknown) -- Proposals can be approved, rejected, skipped, or escalated -- Automation handles high-confidence blocks under specific conditions -- Human reviewers handle lower-confidence cases and all allow/unknown proposals +- Legitimacy rules protect you from overblocking: If a Very High confidence legitimacy rule passes, the proposal goes to human review regardless of risk score +- Escalate unclear cases strategically: Use "Skip" when you need more information, "Escalate to Team" for expertise, and "Escalate to Customer" when brand context matters +- Automation learns from humans: Every manual review decision feeds back into the system, improving future automatic detection accuracy +- The four-decision model prevents deadlock: Unlike binary approve/reject systems, Skip and Escalate ensure unclear threats get proper attention without forcing premature decisions diff --git a/getting-started/how-it-works/takedown.mdx b/getting-started/how-it-works/takedown.mdx index 644cf2f..15afa24 100644 --- a/getting-started/how-it-works/takedown.mdx +++ b/getting-started/how-it-works/takedown.mdx @@ -20,7 +20,7 @@ Every takedown follows a clear lifecycle inside ChainPatrol: - **CANCELED** - The takedown was stopped (e.g., content turned out to be invalid or unnecessary) - **PENDING RETRACTION** - Identified as false positive, marked for retraction but not yet sent to provider - **RETRACTION SENT** - Formal retraction request submitted to provider to halt or reverse the takedown -- **RETRACTED** - Provider confirmed retraction—takedown fully stopped or reversed +- **RETRACTED** - Provider confirmed retraction, takedown fully stopped or reversed ## How ChainPatrol Processes a Takedown @@ -45,7 +45,7 @@ ChainPatrol determines which platform, hosting company, registrar, or channel is **Hosting & Domains:** - Hosting providers (AWS, Cloudflare, Vercel, etc.) - Domain registrars (GoDaddy, Namecheap, etc.) -- TLD registrars (for top-level domains like `.com`, `.xyz`, etc.) +- TLD registries (for top-level domains like `.com`, `.xyz`, etc.) **Social Media:** Twitter/X, Facebook, Instagram, YouTube, Telegram, Discord, Reddit @@ -115,7 +115,7 @@ A retraction is typically initiated when ChainPatrol determines that the origina 1. **Identification** - Asset is identified as legitimate or false positive 2. **PENDING RETRACTION** - Takedown marked for retraction but request not yet sent 3. **RETRACTION SENT** - Formal request submitted to provider to halt or reverse the takedown -4. **RETRACTED** - Provider confirms—takedown stopped or reversed +4. **RETRACTED** - Provider confirms takedown stopped or reversed Takedown retractions are handled with the same level of care, structure, and transparency as takedown submissions. @@ -157,7 +157,7 @@ ChainPatrol ensures that all takedown-related data is handled securely and respo The takedown will move to the **COMPLETED** state, and you'll see confirmation from the provider in the takedown timeline. **Why did my takedown take longer than expected?** -Response times vary across platforms. Some act quickly, while others require legal documentation or take several days to respond. Hosting providers typically respond within 4-48 hours, while domain registrars may take 24-72 hours or longer. +Response times vary across platforms. Some act quickly, while others require legal documentation or take several days to respond. Hosting providers and domain registrars have different response times, and some platforms may take longer than others. **What happens if the content appears again?** If previously removed content reappears, the existing takedown is **reactivated** by returning to the **TODO** state. ChainPatrol will then act on it again, re-filing requests until the content is completely taken down. @@ -170,8 +170,7 @@ Most takedowns require legal documents such as Letter of Authorization, Power of ## Key Takeaways -- Takedowns move through clear states (TODO → IN PROGRESS → COMPLETED) with alternative outcomes -- A takedown is created automatically for blocked assets when the Takedowns service is enabled -- ChainPatrol assigns the correct provider and submits provider-specific requests with evidence -- Monitoring and follow-up continue until a final outcome is reached -- Retractions help stop or reverse takedowns for false positives or legitimate content +- Takedowns happen automatically after blocking: Every blocked asset with Takedowns enabled gets a takedown request without manual intervention +- Watchlist monitoring confirms success: Assets are watchlisted during takedowns so we automatically detect when they go offline +- Retractions protect against false positives: If an asset is identified as legitimate after a takedown starts, we send formal retraction requests to prevent wrongful removal +- Provider-specific formatting increases success: Different platforms require different submission formats, and we handle this automatically to maximize removal rates diff --git a/getting-started/how-it-works/watchlist.mdx b/getting-started/how-it-works/watchlist.mdx index 3e3f418..82eeb2b 100644 --- a/getting-started/how-it-works/watchlist.mdx +++ b/getting-started/how-it-works/watchlist.mdx @@ -103,7 +103,7 @@ Blocked assets are scanned less frequently since they're already protected: | < 2 months | Every 6 days | | > 2 months | Every 12 days | -**Why the difference?** UNKNOWN/ALLOWED assets need closer monitoring to catch when they become malicious. BLOCKED assets are already protected, so we primarily monitor to confirm takedown success. +**Why the difference?** UNKNOWN and ALLOWED assets need closer monitoring to catch when they become malicious. BLOCKED assets are already protected, so we primarily monitor to confirm takedown success. ## Removing Assets from the Watchlist @@ -134,8 +134,7 @@ If an asset's liveness status changes from `DEAD` to `ALIVE` or `UNKNOWN`, we re ## Key Takeaways -- The watchlist tracks assets that aren’t blocked or allowed but need monitoring -- Assets are watchlisted for review uncertainty or to confirm takedown completion -- Eligibility is limited to asset types ChainPatrol can monitor reliably -- Adaptive scan frequency balances fast detection with efficient resource use -- Assets leave the watchlist when status becomes clear or after time-based decay +- Watchlist is for the gray area: Use it when you suspect an asset might be malicious but don't have enough evidence to block yet +- Automatic takedown monitoring saves time: Every takedown automatically watchlists the asset to detect when it goes offline, eliminating manual checking +- Adaptive frequency optimizes resources: Recent additions scan hourly while stable assets scan less often, so you catch changes quickly without wasting scans +- 30-day decay prevents watchlist bloat: UNKNOWN assets that haven't become malicious after a month are automatically removed, keeping your monitoring focused diff --git a/getting-started/what-we-do/brand-impersonation.mdx b/getting-started/what-we-do/brand-impersonation.mdx index 440f952..2e0adf8 100644 --- a/getting-started/what-we-do/brand-impersonation.mdx +++ b/getting-started/what-we-do/brand-impersonation.mdx @@ -79,8 +79,7 @@ ChainPatrol provides monitoring, detection, and takedown services for Web3 organ ## Key Takeaways -- Brand impersonation uses fake identities to steal, mislead, or damage trust -- Impersonation can target brands, employees, and customer support across many platforms -- Campaigns often combine multiple techniques (typosquatting, bots, ads, compromised accounts) -- Clear official asset definitions, reporting paths, and user education reduce impact -- Continuous monitoring and coordinated takedowns help reduce attacker reach +- Impersonation is multi-platform by nature: Attackers rarely stick to one channel, so protection requires monitoring websites, social media, ads, and apps simultaneously +- Community reporting acts as an early warning system: Users often spot impersonation before internal teams because they interact with your brand across more channels +- Official asset lists reduce confusion: Publicly documenting your legitimate domains, accounts, and contracts helps users verify authenticity and report fakes +- Compromised accounts are harder to detect: When attackers take over real accounts instead of creating fake ones, standard verification methods fail and response time becomes critical diff --git a/getting-started/what-we-do/general-phishing.mdx b/getting-started/what-we-do/general-phishing.mdx index d76b6aa..66ff00b 100644 --- a/getting-started/what-we-do/general-phishing.mdx +++ b/getting-started/what-we-do/general-phishing.mdx @@ -93,8 +93,7 @@ Always verify: ## Key Takeaways -- Phishing relies on impersonation and trust to steal sensitive information or assets -- Web3 phishing commonly targets seed phrases and wallet interactions -- Wallet drainers use deceptive transactions and permissions to steal funds -- Social engineering and malware distribution are common supporting tactics -- Careful verification and skepticism around urgent requests reduce risk +- Wallet drainers exploit transaction approval flows: Unlike traditional phishing that steals passwords, wallet drainers trick users into signing legitimate-looking transactions that grant unlimited withdrawal permissions +- Seed phrases are the master key: A compromised seed phrase gives attackers complete and permanent control, which is why legitimate projects never ask for them under any circumstances +- Social engineering bypasses technical protections: Even with security tools in place, attackers who build trust through fake support interactions can convince users to voluntarily disable protections +- Developer key compromise has cascading impact: When attacker gains access to a developer's keys, they can inject malicious code into trusted applications that affect thousands of users simultaneously diff --git a/getting-started/what-we-do/introduction.mdx b/getting-started/what-we-do/introduction.mdx index 8411768..c183c0d 100644 --- a/getting-started/what-we-do/introduction.mdx +++ b/getting-started/what-we-do/introduction.mdx @@ -15,10 +15,10 @@ These organizations rely on us to safeguard their communities from online impers ## Real-Time Protection Through Wallet Integration -At the core of our solution is a **continuously updated blocklist** of malicious domains, directly integrated into over 20 leading crypto wallets. +At the core of our solution is a **continuously updated blocklist** of malicious domains, directly integrated into leading crypto wallets. -**Protected Wallets:** MetaMask, Coinbase Wallet, Phantom, and 17+ more leading wallets +**Protected Wallets:** MetaMask, Coinbase Wallet, Phantom, and many more leading wallets When users attempt to interact with a flagged malicious site, they receive an immediate warning, preventing potential losses before they happen. This proactive approach provides an essential layer of security that protects users at the point of transaction. @@ -37,7 +37,7 @@ Our advanced detection system continuously monitors the digital landscape to ide When a threat is detected, our response is swift and decisive: 1. **Immediate Protection** - Malicious sites are blocked across our Wallet Network within minutes of detection, preventing your users from interacting with them -2. **Complete Takedown** - We don't stop at blocking—our team proceeds with full takedown procedures, working to permanently remove fraudulent domains and social media accounts +2. **Complete Takedown** - We don't stop at blocking. Our team proceeds with full takedown procedures, working to permanently remove fraudulent domains and social media accounts 3. **Ongoing Monitoring** - Continuous surveillance ensures new threats are identified and neutralized as they emerge ## The Cost of Inaction @@ -63,7 +63,7 @@ Don't let phishing attacks compromise your community's security and your brand's ## Key Takeaways -- Web3 threats move fast and can directly impact users and brand trust -- ChainPatrol provides always-on monitoring, review, and response for impersonation and phishing -- Real-time wallet integrations help protect users at the point of interaction -- Rapid response combines blocklisting, takedowns, and ongoing monitoring to reduce attacker impact +- Wallet integration provides point-of-transaction protection: Unlike email security or website warnings that users might miss, wallet integrations prevent interactions with malicious sites at the moment of connection +- Blocklist-first approach eliminates the waiting game: Users are protected within minutes through blocklist distribution while takedown requests work through slower provider channels +- Multi-channel monitoring catches threats early: Attackers spread campaigns across domains, social media, and ads simultaneously, so protection requires monitoring all channels at once +- Community protection multiplies individual security: When one organization's threat is blocked, all wallet users benefit from the updated blocklist regardless of which brand was targeted