Wallet Extraction
SSI automatically discovers cryptocurrency wallet addresses displayed on scam sites — deposit pages, payment instructions, withdrawal confirmations, and coin tab interfaces. Extracted wallets link investigations to on-chain activity and provide actionable threat indicators.
How it works
Wallet extraction runs in three stages:
Regex detection — pattern-based matching for 20+ token networks (ETH, BTC, TRX, SOL, XRP, ADA, DOGE, LTC, and more). Patterns are tuned to each network's address format and length.
LLM verification — a language model confirms each candidate address, identifies the token symbol and network, and filters out false positives (base64 strings, CSS classes, etc.).
Allowlist filtering — validated addresses are checked against a configurable token-network allowlist (config/wallet_allowlist.json) that defines the 26+ supported token-network pairs.
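The sketch below is an added example of the regex and allowlist stages, not SSI's own code. The two patterns, the allowlist shape (a set of token-network pairs) and the sample text are assumptions constructed here, and a deterministic Base58Check checksum test stands in for the LLM verification stage to show how a regex hit is rejected as a false positive.

```python
import hashlib
import re

# Constructed patterns for two networks; SSI's own regexes are not shown on this page.
PATTERNS = {
    "BTC": (re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b"), "Bitcoin"),
    "ETH": (re.compile(r"\b0x[0-9a-fA-F]{40}\b"), "Ethereum"),
}
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed sample page text: one valid BTC address, the same address with its
# last character altered, a base58-looking token, and a constructed ETH address.
SAMPLE = (
    "Deposit BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 30 minutes. "
    "ref=1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb "
    "token=3xK9mPq7RtVw2YzBcDfGhJkLnNpQsTu "
    "ETH deposit: 0x" + "ab" * 20 + " (ERC-20)"
)

def base58check_ok(addr):
    """True if addr decodes to 25 bytes ending in the double-SHA256 checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]

def extract(text, allowlist):
    """Return (address, token, network) for candidates that survive all checks.

    allowlist is a hypothetical set of (token, network) pairs; the real
    config/wallet_allowlist.json schema is not shown on this page.
    """
    found = []
    for token, (pattern, network) in PATTERNS.items():
        for addr in pattern.findall(text):
            if token == "BTC" and not base58check_ok(addr):
                continue  # regex hit with a bad checksum: treat as a false positive
            if (token, network) in allowlist:
                found.append((addr, token, network))
    return found

if __name__ == "__main__":
    for row in extract(SAMPLE, {("BTC", "Bitcoin"), ("ETH", "Ethereum")}):
        print(row)
```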
When extraction runs
During active investigation — the agent checks every page transition for wallet addresses, including coin tab discovery (clicking BTC/ETH/TRX buttons to reveal deposit addresses).
EXTRACT_WALLETS state — a dedicated agent state performs a final sweep of all loaded content.
Standalone CLI scan — extract wallets from any text file or raw content without running a full investigation.
Viewing wallets in the Console
Investigation detail
Open any completed investigation and switch to the Results tab. The wallet table shows:
Address: The wallet address (truncated with copy button)
Token: Token symbol (e.g., BTC, ETH, USDT)
Network: Blockchain network (e.g., Ethereum, Tron, Bitcoin)
Confidence: Extraction confidence (high / medium / low)
Source: Where on the page the address was found
Wallet search (cross-investigation)
Navigate to SSI → Wallets to search wallet addresses across all investigations. Filter by token, network, or address substring. This view helps identify the same wallet appearing across multiple scam sites — a strong signal of linked campaigns.
CLI wallet commands
The ssi wallet command group provides standalone wallet tools:
Validate an address
Output:
Scan text for wallets
View supported patterns
Lists every token network and its regex pattern.
View the allowlist
Export wallets
Export wallet data from an investigation to XLSX, CSV, or JSON:
API endpoints
GET /wallets: Search wallets across all investigations (query params: token, network, address, pagination)
GET /investigations/{id}/wallets.xlsx: Download investigation wallets as XLSX
GET /investigations/{id}/wallets.csv: Download investigation wallets as CSV
Customizing the allowlist
The token-network allowlist controls which token-network pairs SSI recognizes. Edit config/wallet_allowlist.json to add or remove pairs:
Restart the SSI API after editing. The CLI picks up changes immediately.