BSBsec

What we detect

Address poisoning, scam withdrawals, mixer and sanctions exposure, money laundering typologies, and rug pulls or pump-and-dumps—each category is designed for the surfaces where it matters most.

Aim

To cover the main onchain risk vectors that cause user loss and compliance failure: spoofed or poisoned addresses, scam destinations, exposure to mixers and sanctioned entities, AML-style behavior, and malicious or fragile tokens. We aim to produce stable, interpretable signals (reason codes + evidence) so every decision can be explained and acted on by support and compliance.

BSBsec’s detection stack is built around the main loss and compliance vectors that affect exchanges and wallets. For withdrawals, we focus on address poisoning and scam destinations: similarity analysis and dust-pattern tracking catch lookalike or spoofed addresses, and we flag known scam clusters so you can warn or block before the withdrawal is signed—especially important for new or high-risk users. For deposits and compliance, we track exposure to mixers, sanctioned entities, and risky exchange clusters, and we run AML typology detection (layering, peel chains, consolidation) so you can route high-risk crediting to manual review or block. For trading, we detect honeypots via simulation and contract analysis, owner-privilege risks (minting, blacklist, upgradeability), liquidity risk (LP locks, concentration), and pump-and-dump anomalies. Every detection is designed to produce stable reason codes and evidence—transaction hashes, exposure paths, confidence levels—so your support and compliance teams can understand and act on the signal. We document detection categories, version our rulesets, and publish known limitations so you know exactly what is in scope.

How we do it

  • Address poisoning: we maintain a graph of address relationships and dust-transfer patterns. For a given destination we compute similarity (e.g. Levenshtein-style and byte-level) to the user’s recent counterparties and to known poisoning patterns; we score dust flows that “seed” lookalike addresses. Output is a poisoning risk score plus reason codes (e.g. SIMILAR_TO_RECENT, DUST_PATTERN) and evidence (candidate tx hashes, similar addresses).
  • Scam withdrawals: we maintain and continuously update clusters of known scam addresses (phishing, romance, investment fraud, etc.) and risky exchange/off-ramp clusters. Each destination is checked against these clusters; we also use behavioral and graph signals (e.g. age of address, inflow/outflow patterns). Response includes reason codes (e.g. SCAM_CLUSTER, HIGH_RISK_DESTINATION) and cluster or entity identifiers as evidence.
  • Mixers & sanctions: we ingest and version sanctions lists and mixer/tumbler labels (including protocol-level and heuristic detection). We compute exposure of the request’s addresses to these entities over a configurable lookback (e.g. 1-hop or N-hop). Output includes exposure score, reason codes (e.g. MIXER_EXPOSURE, SANCTIONED_EXPOSURE), and evidence (tx hashes, path to the entity).
  • Money laundering: we run graph-based typology detection (layering, peel chains, consolidation, round-tripping) on the subgraph relevant to the request. We use rule-based patterns and, where applicable, model-based anomaly scores. Output includes typology reason codes and evidence pointers so compliance can review the path.
  • Rug pulls & pump-and-dumps: for token and LP risk we run static analysis (owner privileges, mint/blacklist/upgradeability), simulation-based honeypot checks (e.g. can-sell/can-withdraw), and liquidity/concentration metrics. We also detect pump-and-dump style volume and price anomalies. Each signal is mapped to stable reason codes and evidence (contract address, relevant txs, metrics).
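
The address-poisoning check described in the first bullet, as an added Python example that is not BSBsec's code or API. The reason codes come from the page; the function names, input shapes, thresholds, and score weights are assumptions, and the addresses and transaction id are constructed.

```python
from dataclasses import dataclass, field

def levenshtein(a: str, b: str) -> int:
    """Edit distance via two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def edge_match(a: str, b: str) -> int:
    """Identical leading plus trailing characters: what a truncated wallet UI shows."""
    n = min(len(a), len(b))
    pre = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), n)
    suf = next((i for i, (x, y) in enumerate(zip(a[::-1], b[::-1])) if x != y), n)
    return pre + suf

def norm(addr: str) -> str:
    return addr.lower().removeprefix("0x")

@dataclass
class Verdict:
    score: int = 0  # 0-100; the weights below are assumed, not the vendor's
    reason_codes: list = field(default_factory=list)
    evidence: dict = field(default_factory=dict)

def check_destination(dest, sent_to, inbound, min_edge=8, max_edit=2, dust_max=0.001):
    """dest: withdrawal address; sent_to: addresses the user has paid before;
    inbound: transfers the user received, as dicts with from/amount/tx."""
    d, v, known = norm(dest), Verdict(), [norm(k) for k in sent_to]
    if d in known:  # exact match to an address the user really paid: nothing to flag
        return v
    for k in known:
        edge, dist = edge_match(d, k), levenshtein(d, k)
        if edge >= min_edge or dist <= max_edit:
            v.score += 60
            v.reason_codes.append("SIMILAR_TO_RECENT")
            v.evidence.update(similar_address="0x" + k, edge_match=edge, edit_distance=dist)
            break
    # Dust or zero-value transfers from the destination that "seeded" the user's history.
    dust = [t["tx"] for t in inbound if norm(t["from"]) == d and t["amount"] <= dust_max]
    if dust:
        v.score += 35
        v.reason_codes.append("DUST_PATTERN")
        v.evidence["dust_txs"] = dust
    return v

# Constructed sample data (not real addresses or transactions).
REAL = "0xa1b2c3" + "0" * 28 + "d4e5a6"
LOOKALIKE = "0xa1b2c3" + "f" * 28 + "d4e5a6"
INBOUND = [{"from": LOOKALIKE, "amount": 0.0, "tx": "0xCONSTRUCTED_TX_1"}]
```

In this sample the lookalike shares 12 edge characters with the real counterparty but sits at edit distance 28, so a whole-string distance threshold alone would not flag it; the prefix/suffix comparison does.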

Outcomes

  • Address poisoning: similarity and dust-pattern analysis to catch spoofed or lookalike addresses
  • Scam withdrawals: scam-cluster and destination risk so you can warn or block before signing
  • Mixers & sanctions: exposure scoring to mixers, sanctioned entities, and risky clusters
  • Money laundering: AML typologies via graph and behavioral signals for compliance and review
  • Rug pulls & pump-and-dumps: honeypot, owner-privilege, liquidity and anomaly detection for tokens

Challenge

Platforms need to act on risk in real time without building and maintaining their own graph intelligence, threat feeds, and detection models.

Approach

We run the detection pipeline and expose it through a single API. You send context; we return structured decisions with reason codes and evidence. You stay focused on product and policy; we stay focused on accuracy and coverage.
