User Documentation

Crypto Audit Scanner™ [v2.1]

← Back to Scanner

1. Introduction & Version Updates

Welcome to the Crypto Audit Scanner™, a powerful forensic tool designed to analyze blockchain addresses for hidden threats. This application scans the transaction history of a given wallet address to detect potential malware, suspicious payloads, and high-risk token approvals.

1.1. What's New v2.1

  • Bitcoin (BTC) Support: The scanner now fully supports Bitcoin address scanning. You can scan Legacy, SegWit, and Bech32 addresses (e.g., 1A1z..., bc1...).
  • New UTXO Analysis Engine: A dedicated analysis engine has been added to handle Bitcoin's UTXO (Unspent Transaction Output) model, scanning inputs and outputs for illicit connections.
  • Ransomware & Darknet Detection: New definitions specifically targeting known ransomware wallets (e.g., WannaCry) and Darknet markets.
  • Peel Chain Detection: Added heuristic detection for "Peel Chain" patterns, a common money laundering technique used on Bitcoin.

1.2. What's New v2.0

  • Plan-Based Scan Timeouts: Scans now have maximum durations (e.g., 30 mins to 72 hours) based on the user's plan and will auto-stop if the time limit is exceeded.
  • Dynamic Plan UI: The dashboard now dynamically displays the user's Current Plan, Address Limit, and Bulk Upload Limit.
  • NFTVault AI Chatbot: A new floating AI assistant has been added to the interface to provide live support.
  • Trial Countdown Timer: Active '3 Day Trial' users will now see a live countdown timer showing their remaining trial time.

1.3. What's New v1.9.1

  • XPR Network (WebAuth) Support: The scanner now fully supports the XPR Network (WebAuth).
  • New Input Type: You can now enter an XPR Network username (e.g., nwosnack) directly into the address field.
  • New XPR Analysis Engine: A separate analysis engine scans the XPR Network Hyperion API for account-level threats like malicious permission changes.

1.4. What's New v1.9

  • GoPlus Security Integration: The scanner now integrates the GoPlus Security API for real-time address reputation.
  • Social Media Threat Detection: Added new payload signatures to detect threats commonly spread on X (Twitter), Telegram, and Facebook.
  • Malware Archive Detection: New detection for .zip (PK header) and .rar file archives embedded in transaction data.

1.5. Updates v1.8

  • APT Detection (Lazarus Group): Added a new, high-severity check for any interaction with OFAC-sanctioned wallets controlled by state-sponsored threat actors.
  • New Tiers: Re-structured pricing to include a 3-Day Free Trial and a new, affordable Lite Plan.

1.6. New Features v1.6

  • Security Audit Score: The post-scan summary now includes a calculated Security Audit Score to give you an immediate, high-level assessment of the wallet's risk.
  • Structured Risk Categorization: All findings are now explicitly grouped into action-oriented categories: High Risk, Medium Risk, and Attention Required.

2. Supported Blockchains

The Scanner supports three different analysis frameworks: EVM chains, the XPR Network, and Bitcoin.

EVM (Ethereum Virtual Machine) Chains

  • Ethereum Mainnet
  • Polygon PoS
  • Arbitrum One
  • Optimism
  • Base

Non-EVM Chains

  • XPR Network (WebAuth) v1.9
  • Bitcoin (BTC) v2.1

Note: EVM-compatible chains utilize smart contract payload analysis. XPR Network uses account action analysis via Hyperion. Bitcoin uses UTXO input/output analysis via Blockstream.

3. Access Tiers and Limits

Access to the Scanner's features is categorized into tiers. All licensed tiers use our internal, accelerated API key.

Plan Monthly Address Limit Daily Bulk Limit API Access
3 Day Trial Up to 10 Addresses No Internal API Key
Lite Plan Up to 100 Addresses No Internal API Key
Individual Up to 999 Addresses 1 File Upload/24h Internal API Key
Pro Analyst Up to 10,000 Addresses Unlimited Internal API Key
Forensic Team Up to 100,000 Addresses Unlimited Internal + 1 Dedicated API Key
Enterprise Compliance Up to 1,000,000 Addresses Unlimited Internal + 3 Dedicated API Keys

If you need to upgrade your plan, please use the links provided on the main scanner page.

4. API Key Modes (User vs. Dev)

The scanner operates in two modes: User Mode (default, simple) and Developer Mode (optional, for custom keys).

4.1. User Mode (Default & Licensed Access)

The scanner uses our integrated, pre-configured NFTitle Network API proxy. This is the default mode for all users (Trial, Lite, Individual, etc.).

  • Trial & Lite Tiers: Access to single-address scans using our internal API.
  • Individual & Up Tiers: Access to single-address scans AND bulk-file uploads, all using our internal, accelerated API.

4.2. Developer Mode (API Key Mode)

Developer Mode allows any user (including Trial/Lite) to use their own personal Alchemy API key. This is useful for users who want to run EVM scans without affecting their plan's address limits or for advanced testing.

Note: Developer Mode only applies to EVM chains. XPR Network and Bitcoin scans always use the internal server-side proxy.

If you wish to use Developer Mode for EVM chains, here is how you can obtain your own keys:

Alchemy API Key (for all supported EVM chains):

  1. Go to the Alchemy website and sign up for a free account.
  2. Once logged in, navigate to your Dashboard and click "+ Create App".
  3. Choose Ethereum as the chain and Mainnet as the network. This key will work across Polygon, Arbitrum, Optimism, and Base.
  4. After creating the app, click "View Key".
  5. Copy your API KEY and paste it into the "EVM API Key" field when Developer Mode is enabled.
Alchemy API key dashboard

5. How to Use the Scanner

Crypto Audit Scanner main interface
  1. Enter Address (Single Scan): Paste the full EVM address (0x...), XPR username (nwosnack), or Bitcoin address (bc1..., 1...).
  2. Upload Address List (Bulk Scan): Upload a CSV or TXT file containing one address per line. (Available on Individual plan & up. EVM chains only).
  3. Select Blockchain: Choose the correct chain (e.g., Ethereum, XPR Network, or Bitcoin).
  4. Enable Forensic Backtrace (Optional): Click the toggle switch to enable source-of-funds tracing for suspicious transactions. (EVM chains only).
  5. Enable Developer Mode (Optional): Toggle the switch and input your required API key(s) if you wish to use your own key (EVM only).
  6. Scan: Click the "Start Scan" button to begin. The button will show the scan progress.
  7. Review Audit Score and Log: After the scan, review the Security Audit Score in the summary and check the log for detailed, categorized findings.

6. Understanding the Results & Enforcement

6.1. Abuse & Ban Policy (Bulk Upload Limits)

Our plans are designed with specific limits. The Individual plan, for example, is limited to one (1) bulk file upload per 24-hour period.

  • Warning System: Repeated attempts to bypass the 24-hour bulk file upload limit will trigger an on-screen warning and log an infraction against your account.
  • Account Block: After 10 warnings, your account will be automatically blocked for 24 hours.
  • Restoration: Access can only be restored by waiting for the 24-hour period to end or by opening a support ticket at support.ubitquityx.com.

6.2. Interpreting Findings

If the scanner finds threats, they will be displayed in the results table. The "Scan Log" provides a real-time feed of the analysis.

EVM: Wallet Drainer & Phishing Signatures

  • Wallet Drainer (setApprovalForAll): Detects granting unlimited permission for a contract to move all your NFTs.
  • Unauthorized Transfer (Permit Exploit): Detects the permit function, often used to steal tokens with an off-chain signature.
  • Ice Phishing (Approve to EOA): A critical threat. This flags an approve call sent to a regular user wallet (EOA) instead of a smart contract.
  • Suspicious Claim Function: Flags transactions calling claim(), which is common in phishing scams.

Bitcoin (BTC) Threat Signatures v2.1

Bitcoin analysis focuses on the source and destination of funds (UTXOs) rather than smart contract payloads.

  • Interaction with OFAC Sanctioned Address: CRITICAL RISK: Flags any interaction with addresses sanctioned by the U.S. Treasury (e.g., Lazarus Group, Blender.io).
  • Interaction with Known Ransomware Wallet: Flags funds moving to or from known ransomware campaigns (e.g., WannaCry, Ryuk).
  • Interaction with Known Darknet Market: Flags interaction with addresses associated with illicit marketplaces (e.g., Hydra).
  • High-Volume "Peel Chain" Activity: A heuristic detection. Peel chains are a technique where a large amount of BTC is passed through a series of transactions, with small amounts "peeled off" at each step to launder funds.

XPR Network (WebAuth) Signatures v1.9

  • Account Permission Change (updateauth): CRITICAL RISK: Flags an updateauth action, which means a new key was added or an existing one was changed. This could indicate an account takeover.
  • Smart Contract Deployed (setcode): HIGH RISK: Flags a setcode action, which deploys a smart contract to the user's account. This is highly unusual and suspicious for a standard user.
  • Phishing Link in Memo (http:// or https://): Flags any transaction memo that contains a URL, a common phishing tactic on the XPR Network.

6.3. What is "Social Media Scanning"? v1.9

A key feature of v1.9 is "Social Media Scanning." This feature does not scan your actual social media accounts. Instead, it checks your EVM transaction history for payloads commonly used in social media phishing campaigns.

  1. Reading Transaction Data: The scanner fetches your transaction history from the blockchain.
  2. Converting Data: It converts the raw hexadecimal input data (e.g., 0x504b0304...) into readable ASCII text.
  3. Checking for Signatures: It checks for malicious file headers (like MZ for .exe files or PK for .zip files) hidden in transaction data, often used to deliver malware via "airdropped" transactions.

7. Security and Privacy

  • Session Protection: The entire application is protected by a secure, server-side session.
  • API Key Security: In User Mode and Licensed Tiers, the API key is proxied and is never exposed to your browser. Your keys are never stored by NFTitle Network.