Skip to main content
Crypto payment scams cost users billions annually. Address poisoning, fake recipient wallets, and social engineering attacks all exploit a fundamental gap: users can’t easily verify whether a payment is safe before sending. The Payment Risk Assessment endpoint closes that gap by analyzing 8 risk dimensions in real time - before funds leave the wallet. This guide covers the three risk factors most relevant to scam prevention and how to build them into your payment flow.
Prerequisites: You need a Risk API key and familiarity with the Payment Risk Assessment endpoint.

The Three Scam-Relevant Risk Factors

Payment Risk Assessment evaluates 8 independent risk dimensions. Three are directly designed to catch common payment scams:
Risk FactorWhat It CatchesRisk Level
Address Poisoning DetectionScammer creates a lookalike address that matches the first/last 4 characters of a real contactHIGH
New Wallet DetectionRecipient is a freshly created wallet with no history - common in advance-fee fraud and impersonation scamsMEDIUM–HIGH
Interaction HistorySender has never transacted with this recipient before - flags unfamiliar counterpartiesHIGH
Together, these factors catch the majority of common crypto scam patterns without false-positiving on legitimate transactions to known contacts.

How Address Poisoning Works

Address poisoning is one of the most common crypto scams. Here’s the attack:
  1. The scammer monitors the victim’s transaction history
  2. They generate an address that matches the first and last 4 characters of a real recipient the victim has sent to before
  3. They send a small “dust” transaction from the poisoned address to the victim
  4. The victim later copies the address from their transaction history, unknowingly selecting the scammer’s lookalike address
  5. Funds are sent to the scammer instead of the intended recipient

How Payment Risk Assessment Detects It

The address_poisoning_attack factor compares the recipient address against known poison address patterns associated with the sender. If the recipient’s prefix and suffix match a poisoning pattern, it returns HIGH risk. 
{
  "factor": "address_poisoning_attack",
  "risk_level": "high",
  "description": "Potential address poisoning attack detected - recipient matches poison address pattern"
}
This check happens automatically - no configuration needed. Just pass the sender and recipient addresses to the Payment Risk endpoint.

How New Wallet Scams Work

Many scams involve directing victims to send funds to newly created wallets:
  • Impersonation scams - “Send funds to this new wallet for verification”
  • Fake investment schemes - Scammer provides a brand-new deposit address
  • Romance scams - Victim is given a fresh wallet address to “help” with
  • Phishing - Fake dApp or site provides a newly generated receiving address
Legitimate recipients (exchanges, protocols, contacts) almost always have established wallet history. A brand-new wallet with zero transactions is a strong signal that something is wrong.

How Payment Risk Assessment Detects It

The new_wallet_recipient factor analyzes the recipient’s onchain transaction history:
Recipient HistoryRisk LevelFactor
0 transactionsHIGHnew_wallet_recipient
<3 transactions OR <7 days oldMEDIUMnew_wallet_recipient
≥3 transactions AND >7 days oldLOWestablished_wallet_recipient
{
  "factor": "new_wallet_recipient",
  "risk_level": "high",
  "description": "Recipient is a completely new wallet with no transaction history"
}

How First-Interaction Risk Works

Even without address poisoning or a new wallet, sending to someone you’ve never transacted with before carries inherent risk. Scams overwhelmingly involve first-time interactions - the victim has no prior relationship with the scammer’s address.

How Payment Risk Assessment Detects It

The first_interaction factor examines the transaction history between sender and recipient across both same-network and cross-chain indices:
Prior InteractionsRisk LevelFactor
0 (first time)HIGHfirst_interaction
1–2 interactionsMEDIUMlimited_interaction_history
3+ interactionsLOWestablished_interaction_history
{
  "factor": "first_interaction",
  "risk_level": "high",
  "description": "First ever interaction between these addresses"
}
A first interaction is not inherently malicious - everyone has a first transaction. The value is in combining it with other factors. A first interaction with an established wallet is normal. A first interaction with a brand-new wallet that matches a poisoning pattern is almost certainly a scam.

Building a Scam Prevention Flow

Step 1: Check Payment Risk Before Sending

async function checkPaymentForScams(sender, recipient, amount, network) {
  const params = new URLSearchParams({
    sender_address: sender,
    recipient_address: recipient,
    amount: amount.toString(),
    sender_network: network,
    recipient_network: network,
  });

  const response = await fetch(
    `https://api.range.org/v1/risk/payment?${params}`,
    { headers: { Authorization: `Bearer ${API_KEY}` } }
  );

  return response.json();
}

Step 2: Extract Scam-Relevant Factors

function analyzeScamRisk(paymentRisk) {
  const factors = paymentRisk.risk_factors || [];

  const scamIndicators = {
    addressPoisoning: factors.find((f) => f.factor === "address_poisoning_attack"),
    newWallet: factors.find((f) => f.factor === "new_wallet_recipient"),
    firstInteraction: factors.find((f) => f.factor === "first_interaction"),
    limitedHistory: factors.find((f) => f.factor === "limited_interaction_history"),
    maliciousRecipient: factors.find(
      (f) => f.factor === "malicious_address_recipient" && f.risk_level === "high"
    ),
  };

  // Address poisoning is always a critical warning
  if (scamIndicators.addressPoisoning) {
    return {
      level: "critical",
      warning: "Address poisoning detected",
      description: "This address closely matches another address you've transacted with. " +
        "Scammers create lookalike addresses to trick you into sending funds to them.",
      recommendation: "Do NOT send to this address. Verify the full address character by character.",
    };
  }

  // New wallet + first interaction = strong scam signal
  if (
    scamIndicators.newWallet?.risk_level === "high" &&
    scamIndicators.firstInteraction
  ) {
    return {
      level: "high",
      warning: "Possible scam - new wallet with no prior interaction",
      description: "This recipient has no transaction history and you've never sent to them before. " +
        "This pattern is common in impersonation, phishing, and advance-fee scams.",
      recommendation: "Verify the recipient through a trusted channel before sending.",
    };
  }

  // First interaction alone is a caution
  if (scamIndicators.firstInteraction) {
    return {
      level: "medium",
      warning: "First-time recipient",
      description: "You've never sent to this address before. Double-check the address is correct.",
      recommendation: "Consider sending a small test amount first.",
    };
  }

  return { level: "low", warning: null };
}

Step 3: Display Warnings to Users

async function protectedSend(sender, recipient, amount, network) {
  const paymentRisk = await checkPaymentForScams(
    sender, recipient, amount, network
  );

  const scamAnalysis = analyzeScamRisk(paymentRisk);

  switch (scamAnalysis.level) {
    case "critical":
      // Block and show red warning - do not allow without explicit override
      return showCriticalWarning(scamAnalysis);

    case "high":
      // Show prominent warning, require confirmation
      const confirmed = await showHighRiskWarning(scamAnalysis);
      if (!confirmed) return { status: "cancelled" };
      break;

    case "medium":
      // Show informational notice
      await showCautionNotice(scamAnalysis);
      break;
  }

  // Proceed with transaction
  return await executeTransaction(sender, recipient, amount);
}

Scam Pattern Reference

Scam TypeTriggered FactorsCombined Risk
Address poisoningaddress_poisoning_attackCritical
Impersonation / phishingnew_wallet_recipient + first_interactionHigh
Advance-fee fraudnew_wallet_recipient + first_interactionHigh
Compromised accountfirst_interaction + malicious_connection_recipient_highHigh
Fake investmentnew_wallet_recipient + first_interactionHigh
Typo / wrong addressfirst_interaction (no poisoning)Medium
Legitimate new contactfirst_interaction + established_wallet_recipientLow–Medium
Regular paymentestablished_interaction_history + established_wallet_recipientLow

Integration Recommendations

For Wallets

  • Run Payment Risk Assessment on every send before the user signs
  • Display scam warnings inline - not as a separate step users can skip
  • For address poisoning: show a full-screen blocker, not a dismissable toast
  • Cache results briefly (30 seconds) to avoid re-querying if the user adjusts the amount

For Payment Processors

  • Check both directions: screen the sender when receiving, screen the recipient when sending
  • Log all risk assessments for dispute resolution and fraud investigation
  • Set automated hold policies for first-interaction payments above a threshold amount

For Exchanges

  • Run Payment Risk Assessment on withdrawal requests before processing
  • Flag address_poisoning_attack results for manual review - these are almost never false positives
  • Use first_interaction + new_wallet_recipient to trigger additional verification (email confirmation, 2FA) on withdrawals to new addresses

What’s Next

Payment Risk Assessment

Full endpoint reference with all 8 risk dimensions explained.

Wallet Integration

Add address screening and transaction simulation to your wallet.
Last modified on March 2, 2026