Vision for Open Threat Intelligence

Blockchain technology enables a direct transfer of assets to anyone on earth without involving an intermediate entity. The benefit of transacting directly comes at the cost of increased vulnerability to bad actors. Financial intermediates can censor transactions, but they also step in to protect assets against fraudulent actions. This lack of protection leads to the theft of billions of dollars worth of digital assets every year.

Oz is building an open threat intelligence protocol to provide web3-focused cybersecurity as a public good. The protocol enables anyone to access security data to identify and avoid transacting with bad actors. Wallet developers can incorporate threat signals to protect their users from attackers. AI agents can use security data to avoid interacting with malicious endpoints or contracts. DApp developers can use threat signals to protect their users from on-chain threats.

Thousands of crypto users fall victim to preventable cyberattacks annually due to the lack of publicly available threat intelligence data. Oz delivers cybersecurity data directly to where it is needed, so users can seamlessly avoid on-chain attacks without sacrificing decentralization.

The Vulnerability of Decentralization

The same qualities that make the blockchain excel as a peer-to-peer system for transmitting value also make it an ideal tool for digital theft. Without a counterparty, transactions cannot be reversed. This prevents financial censorship but also makes theft permanent and difficult to trace.

These qualities create the perfect environment for online scams. Ransomware attacks, the most lucrative type of cyberattack, only became popular after 2012. Before the invention of Bitcoin, banks could simply reverse most financial transactions associated with hacking, eliminating the incentive to perform this type of attack.

According to the FBI, over $4B in crypto assets were lost due to online scams and hacks in 2023. Despite the prevalence of cyberattacks, well-established security best practices from the traditional tech world are not well adopted in crypto. Other than a small number of security-oriented point solutions, there are very few security options available to application developers and end-users to prevent attacks.

In traditional tech, organizations protect users from bad actors by incorporating the output of high-quality threat intelligence feeds into their products. Such feeds are provided by organizations like Mandiant, VirusTotal, and Palo Alto Networks. Application developers use the data they provide to identify malicious files, URLs, and IP addresses and transparently prevent their users from accessing these endpoints. Data provided by these feeds protect us from malicious web pages, file attachments, and email senders every day.

The Need for Open Security Data in Web3

While traditional tech’s threat feeds protect us from much harm online, none have chosen to provide coverage for web3 endpoints. The lack of crypto-focused threat intelligence data prevents us from knowing whether the wallets, contracts, and dApps with which we transact are harmful or benign.

The fog of war created by the lack of focused security data opens the door to countless novel cyberattacks.

Common Web3 Cyberattacks




Wallet Drainers

Smart Contract


Address poisoning



NFT Counterfeiting



Drive-by attack



Social engineering



Phony Exchanges

Smart Contract


P2P Trading Scams



Fake dApps

Smart Contract


Free Airdrop Scams

Smart Contract


If there was an open source of threat intelligence data for smart contracts, URLs, and wallets, each of these attacks could be prevented before they occur.

Crypto-Native Security Insights

To create a crypto-native threat feed, we need to assess the types of endpoints most commonly involved in each phase of the most common attacks. Once the participants and vectors are well understood, we can demonstrate how threat intelligence can prevent the attack when inserted at the correct point.

Let’s start by considering wallet drainers, one of the most prevalent types of attacks in all of web3.

The mechanics of this attack are as follows:

First, the attacker sends a phishing link to a broad audience via a common web3 communication channel like Twitter, Discord, or Telegram. The attacker can either compromise a project’s actual social media account, or spoof the account using a similar name.

Once the victim clicks the URL, they’re directed to a web page designed to look similar to the branding of the sender’s project. The domain name will be similar but not identical to the actual project’s domain.

Wallet Drainer Attack Sequence





Malicious URL

Twitter, Telegram, Discord


Malicious Domain

Public internet


Malicious Transaction

Public internet


Malicious Contract

Public blockchain

The airdrop claim portal will have a claim button, which will launch the user’s wallet and prompt them to interact with a malicious smart contract via a special transaction. If the user signs that transaction, all funds in their linked wallets will be stolen and sent to the drainer’s public wallet address.

Data from a crypto threat intelligence feed can be used to warn users of the elevated risk when interacting with each element of the kill chain.

Preventing Wallet Drainers - Domain Reputation

Preventing users from getting drained begins with the original phishing link. By injecting threat intelligence into the browser, the user can receive a warning when malicious URLs are present on the page.

By taking note of elevated risk, users can avoid the scam entirely.

Preventing Wallet Drainers - Contract Reputation

If the user does navigate to the malicious link and connect their wallet, open threat intelligence data can warn them before they sign the wallet drain transaction. Wallets integrating threat intel data can choose to either block these transactions altogether, or to merely warn users of elevated risk.

As of today, the most popular Web3 wallets lack any kind of user protection related to common scams like wallet drainers, even when the destination addresses are well known.

Open Threat Feed

At Oz, we’re building the first open threat intelligence feed designed specifically for web3. Intelligence from our feed can be incorporated into existing dApps and wallets using our open API to immediately protect end users from the most common cyberattacks.

The lack of accessible intelligence is the biggest barrier to protecting end users from attacks. Our threat feeds will allow any developer to easily protect their users by building security-oriented features that warn users of common threats and prevent hacks before they occur.

Threat Data Economy

The data powering the traditional cybersecurity industry is sourced from each security organization’s customer base. When an organization buys a firewall from Palo Alto Networks, for instance, that firewall is used as a data collector, routing security signals back to engineers in the Palo Alto Networks security research team.

These customer-sourced signals are then sold as a threat intelligence feed to the rest of the security company’s customer base. To bring threat intelligence to web3, we are developing a data collection mechanism that is aligned with this industry’s values.

Users will share threat signals with Oz by opting into the protocol’s data collectors, deployed locally as Chrome extensions, or integrated into popular applications. When users share threat signals with the protocol, they’ll be compensated in OZT, the protocol’s native token. To receive security signals from the protocol, users may spend OZT.

A Secure Future

It’s clear from the volume of cyberattacks in crypto that there is an urgent need for more robust security solutions in the industry. While web2’s best practices can help to inform cybersecurity in crypto, the models are not directly transferable. Oz is building an open data collection framework to enable the open, permissionless sharing of security signals.

By structuring the incentives in this way, we can create a global permissionless repository of threat intelligence data that can be used to protect every member of the web3 community.

Last updated