Crypto payment scams cost users billions annually. Address poisoning, fake recipient wallets, and social engineering attacks all exploit a fundamental gap: users can’t easily verify whether a payment is safe before sending. The Payment Risk Assessment endpoint closes that gap by analyzing 8 risk dimensions in real time - before funds leave the wallet. This guide covers the three risk factors most relevant to scam prevention and how to build them into your payment flow.
Prerequisites: You need a Risk API key and familiarity with the Payment Risk Assessment endpoint.

The Three Scam-Relevant Risk Factors

Payment Risk Assessment evaluates 8 independent risk dimensions. Three are directly designed to catch common payment scams:
| Risk Factor | What It Catches | Risk Level |
| --- | --- | --- |
| Address Poisoning Detection | Scammer creates a lookalike address that matches the first/last 4 characters of a real contact | HIGH |
| New Wallet Detection | Recipient is a freshly created wallet with no history - common in advance-fee fraud and impersonation scams | MEDIUM–HIGH |
| Interaction History | Sender has never transacted with this recipient before - flags unfamiliar counterparties | HIGH |
Together, these factors catch the majority of common crypto scam patterns without raising false positives on legitimate transactions to known contacts.

How Address Poisoning Works

Address poisoning is one of the most common crypto scams. Here’s the attack:
  1. The scammer monitors the victim’s transaction history
  2. They generate an address that matches the first and last 4 characters of a real recipient the victim has sent to before
  3. They send a small “dust” transaction from the poisoned address to the victim
  4. The victim later copies the address from their transaction history, unknowingly selecting the scammer’s lookalike address
  5. Funds are sent to the scammer instead of the intended recipient

How Payment Risk Assessment Detects It

The address_poisoning_attack factor compares the recipient address against known poison address patterns associated with the sender. If the recipient’s prefix and suffix match a poisoning pattern, it returns HIGH risk.
```json
{
  "factor": "address_poisoning_attack",
  "risk_level": "high",
  "description": "Potential address poisoning attack detected - recipient matches poison address pattern"
}
```
This check happens automatically - no configuration needed. Just pass the sender and recipient addresses to the Payment Risk endpoint.
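A wallet can also run the same prefix/suffix comparison locally against addresses the user has actually sent to. The code below is an added example, not Range's detection logic; `classifyRecipient`, `normalize`, `EDGE` and the sample addresses are assumptions made for illustration.

```javascript
// Added example: client-side lookalike check against the sender's address book.
const EDGE = 4; // characters compared at each end, per the attack steps above

function normalize(addr) {
  // Assumption: 0x-prefixed hex addresses differ in case only for checksum
  // purposes, so compare them lowercased. Other formats are case-sensitive.
  return /^0x[0-9a-fA-F]+$/.test(addr) ? addr.slice(2).toLowerCase() : addr;
}

// knownContacts must hold addresses the user has SENT to. Building it from
// incoming transfers would let a dust transaction add the poison address.
function classifyRecipient(recipient, knownContacts) {
  const r = normalize(recipient);
  const lookalikeOf = [];
  for (const contact of knownContacts) {
    const c = normalize(contact);
    if (c === r) return { verdict: "known_contact", lookalikeOf: [] };
    const sameEdges =
      c.slice(0, EDGE) === r.slice(0, EDGE) && c.slice(-EDGE) === r.slice(-EDGE);
    if (sameEdges) lookalikeOf.push(contact);
  }
  return lookalikeOf.length > 0
    ? { verdict: "possible_poisoning", lookalikeOf }
    : { verdict: "unknown", lookalikeOf: [] };
}

// Constructed sample addresses (not real wallets): same first and last
// four characters, different middle.
const REAL = "0x1234" + "a".repeat(32) + "abcd";
const POISON = "0x1234" + "f".repeat(32) + "abcd";

console.log(classifyRecipient(POISON, [REAL]).verdict);
```

A `possible_poisoning` verdict is a reason to show the full address of both the recipient and the matching contact side by side, in addition to the API result.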

How New Wallet Scams Work

Many scams involve directing victims to send funds to newly created wallets:
  • Impersonation scams - “Send funds to this new wallet for verification”
  • Fake investment schemes - Scammer provides a brand-new deposit address
  • Romance scams - Victim is given a fresh wallet address to “help” with
  • Phishing - Fake dApp or site provides a newly generated receiving address
Legitimate recipients (exchanges, protocols, contacts) almost always have established wallet history. A brand-new wallet with zero transactions is a strong signal that something is wrong.

How Payment Risk Assessment Detects It

The new_wallet_recipient factor analyzes the recipient’s onchain transaction history:
| Recipient History | Risk Level | Factor |
| --- | --- | --- |
| 0 transactions | HIGH | new_wallet_recipient |
| <3 transactions OR <7 days old | MEDIUM | new_wallet_recipient |
| ≥3 transactions AND >7 days old | LOW | established_wallet_recipient |

```json
{
  "factor": "new_wallet_recipient",
  "risk_level": "high",
  "description": "Recipient is a completely new wallet with no transaction history"
}
```

How First-Interaction Risk Works

Even without address poisoning or a new wallet, sending to someone you’ve never transacted with before carries inherent risk. Scams overwhelmingly involve first-time interactions - the victim has no prior relationship with the scammer’s address.

How Payment Risk Assessment Detects It

The first_interaction factor examines the transaction history between sender and recipient across both same-network and cross-chain indices:
| Prior Interactions | Risk Level | Factor |
| --- | --- | --- |
| 0 (first time) | HIGH | first_interaction |
| 1–2 interactions | MEDIUM | limited_interaction_history |
| 3+ interactions | LOW | established_interaction_history |

```json
{
  "factor": "first_interaction",
  "risk_level": "high",
  "description": "First ever interaction between these addresses"
}
```
A first interaction is not inherently malicious - everyone has a first transaction. The value is in combining it with other factors. A first interaction with an established wallet is normal. A first interaction with a brand-new wallet that matches a poisoning pattern is almost certainly a scam.

Building a Scam Prevention Flow

Step 1: Check Payment Risk Before Sending

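```javascript
// Assumption: the Risk API key is read from an environment variable named
// RANGE_API_KEY (the variable name is illustrative, not from the API docs).
const API_KEY = process.env.RANGE_API_KEY;

async function checkPaymentForScams(sender, recipient, amount, network) {
  const params = new URLSearchParams({
    sender_address: sender,
    recipient_address: recipient,
    amount: amount.toString(),
    sender_network: network,
    recipient_network: network,
  });

  const response = await fetch(
    `https://api.range.org/v1/risk/payment?${params}`,
    { headers: { Authorization: `Bearer ${API_KEY}` } }
  );

  // Fail closed: an error response has no risk_factors and must not be
  // read downstream as "no risk found".
  if (!response.ok) {
    throw new Error(`Payment risk check failed: HTTP ${response.status}`);
  }

  return response.json();
}
```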

Step 2: Extract Scam-Relevant Factors

```javascript
function analyzeScamRisk(paymentRisk) {
  const factors = paymentRisk.risk_factors || [];

  const scamIndicators = {
    addressPoisoning: factors.find((f) => f.factor === "address_poisoning_attack"),
    newWallet: factors.find((f) => f.factor === "new_wallet_recipient"),
    firstInteraction: factors.find((f) => f.factor === "first_interaction"),
    limitedHistory: factors.find((f) => f.factor === "limited_interaction_history"),
    // Note: limitedHistory and maliciousRecipient are collected here but not
    // acted on by the branches below; handle them according to your own policy.
    maliciousRecipient: factors.find(
      (f) => f.factor === "malicious_address_recipient" && f.risk_level === "high"
    ),
  };

  // Address poisoning is always a critical warning
  if (scamIndicators.addressPoisoning) {
    return {
      level: "critical",
      warning: "Address poisoning detected",
      description: "This address closely matches another address you've transacted with. " +
        "Scammers create lookalike addresses to trick you into sending funds to them.",
      recommendation: "Do NOT send to this address. Verify the full address character by character.",
    };
  }

  // New wallet + first interaction = strong scam signal
  if (
    scamIndicators.newWallet?.risk_level === "high" &&
    scamIndicators.firstInteraction
  ) {
    return {
      level: "high",
      warning: "Possible scam - new wallet with no prior interaction",
      description: "This recipient has no transaction history and you've never sent to them before. " +
        "This pattern is common in impersonation, phishing, and advance-fee scams.",
      recommendation: "Verify the recipient through a trusted channel before sending.",
    };
  }

  // First interaction alone is a caution
  if (scamIndicators.firstInteraction) {
    return {
      level: "medium",
      warning: "First-time recipient",
      description: "You've never sent to this address before. Double-check the address is correct.",
      recommendation: "Consider sending a small test amount first.",
    };
  }

  return { level: "low", warning: null };
}
```

Step 3: Display Warnings to Users

```javascript
// showCriticalWarning, showHighRiskWarning, showCautionNotice and
// executeTransaction are your application's own UI and signing functions.
async function protectedSend(sender, recipient, amount, network) {
  const paymentRisk = await checkPaymentForScams(
    sender, recipient, amount, network
  );

  const scamAnalysis = analyzeScamRisk(paymentRisk);

  switch (scamAnalysis.level) {
    case "critical":
      // Block and show red warning - do not allow without explicit override
      return showCriticalWarning(scamAnalysis);

    case "high": {
      // Show prominent warning, require confirmation
      const confirmed = await showHighRiskWarning(scamAnalysis);
      if (!confirmed) return { status: "cancelled" };
      break;
    }

    case "medium":
      // Show informational notice
      await showCautionNotice(scamAnalysis);
      break;
  }

  // Proceed with transaction
  return await executeTransaction(sender, recipient, amount);
}
```

Scam Pattern Reference

| Scam Type | Triggered Factors | Combined Risk |
| --- | --- | --- |
| Address poisoning | address_poisoning_attack | Critical |
| Impersonation / phishing | new_wallet_recipient + first_interaction | High |
| Advance-fee fraud | new_wallet_recipient + first_interaction | High |
| Compromised account | first_interaction + malicious_connection_recipient_high | High |
| Fake investment | new_wallet_recipient + first_interaction | High |
| Typo / wrong address | first_interaction (no poisoning) | Medium |
| Legitimate new contact | first_interaction + established_wallet_recipient | Low–Medium |
| Regular payment | established_interaction_history + established_wallet_recipient | Low |

Integration Recommendations

For Wallets

  • Run Payment Risk Assessment on every send before the user signs
  • Display scam warnings inline - not as a separate step users can skip
  • For address poisoning: show a full-screen blocker, not a dismissable toast
  • Cache results briefly (30 seconds) to avoid re-querying if the user adjusts the amount
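
One way to implement the 30-second cache from the list above, as an added example rather than Range's own code: `createRiskCache` and its options are hypothetical names, and `fetchRisk` stands for any function with the signature of `checkPaymentForScams`. The key omits the amount so an adjusted amount reuses the result, and a failed lookup is evicted so an error is never replayed.

```javascript
// Added example: short-lived cache for Payment Risk results.
function createRiskCache(fetchRisk, { ttlMs = 30_000, now = Date.now } = {}) {
  const entries = new Map(); // key -> { expires, promise }

  return function getRisk(sender, recipient, amount, network) {
    const t = now();

    // Drop expired entries first so a stale assessment is never served
    // and the map cannot grow without bound.
    for (const [k, e] of entries) {
      if (e.expires <= t) entries.delete(k);
    }

    // The amount is deliberately left out of the key: the user editing the
    // amount within the TTL reuses the same assessment. Changing sender,
    // recipient or network always triggers a fresh query.
    const key = JSON.stringify([network, sender, recipient]);
    const hit = entries.get(key);
    if (hit) return hit.promise;

    // Cache the promise itself so concurrent callers share one request.
    const promise = fetchRisk(sender, recipient, amount, network);
    entries.set(key, { expires: t + ttlMs, promise });

    // Evict on failure: the next send attempt must re-query, not reuse
    // a rejected result.
    promise.catch(() => {
      if (entries.get(key)?.promise === promise) entries.delete(key);
    });

    return promise;
  };
}
```

Wrap the fetch once, for example `const getRisk = createRiskCache(checkPaymentForScams)`, and call `getRisk` wherever the send flow would otherwise call the endpoint directly.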

For Payment Processors

  • Check both directions: screen the sender when receiving, screen the recipient when sending
  • Log all risk assessments for dispute resolution and fraud investigation
  • Set automated hold policies for first-interaction payments above a threshold amount

For Exchanges

  • Run Payment Risk Assessment on withdrawal requests before processing
  • Flag address_poisoning_attack results for manual review - these are almost never false positives
  • Use first_interaction + new_wallet_recipient to trigger additional verification (email confirmation, 2FA) on withdrawals to new addresses

Last modified on March 2, 2026