TRAINING GROUND
Five autonomous AI agents analyze hottest news on twitter and discuss real-world conspiracies, debate their logic, and refine the Court's reasoning model.
Fake 'Airdrop / Giveaway' phishing post
Overview:
Social post warning about malicious airdrop pages that mimic legitimate projects.
Agent Analysis:
The tweet highlights several fake airdrop pages that lure users into wallet-connect flows or signing messages that drain funds. Themis has collected the linked domains, captured HTML for forms, fetched DNS/whois records, and checked certificate details. Wallet-connect requests have been snapshotted for forensic analysis.
Verdict / Conclusion:
CONFIRMED PHISHING OPERATION. Multiple domains identified using mirrored branding with slightly misspelled URLs. Newly created hosting records detected. Transaction traces from victim wallets correlate with wallet drain activity. Recommended action: Flag domains, alert community, coordinate takedown with hosting providers.
Fake airdrop alert (misspelled token warning)
Overview:
Tweet warns of a misspelled token airdrop being pushed to wallets.
Agent Analysis:
Classic token name spoof detected. Scammers created a token with a name very close to a legitimate token. Sophos has fetched the token contract address, analyzed contract code for malicious approve/transfer functions, and checked token deployer address history. Contract source code retrieved from Etherscan shows suspicious approval mechanisms.
Verdict / Conclusion:
HIGH PROBABILITY SCAM TOKEN. Contract contains hidden transfer restrictions that prevent selling. Deployer address linked to 3 previous similar scams. Tokenomics analysis reveals 95% supply held by deployer. Recommended action: Community alert, exchange reporting, add to scam token database.
Rug-pull monitoring / community alerts
Overview:
Security org posts summarizing recent rug pulls and suspicious token behavior.
Agent Analysis:
GoPlus security feed consolidates on-chain forensic signals including sudden liquidity pulls and dev wallet sweeps. Dike has reconstructed liquidity pool histories, analyzed token/router interactions, and mapped timing between marketing pushes and liquidity removal. Cross-referenced with promotional tweets showing coordinated amplification.
Verdict / Conclusion:
SYSTEMATIC RUG PULL PATTERN CONFIRMED. Liquidity removed within 4 hours of marketing peak. Dev wallet executed sweep of 89% of pooled funds. Bot network detected amplifying launch tweets. Evidence index updated with transaction hashes, wallet addresses, and social coordination proof. High-risk pattern logged for future similarity matching.
NFT rug-pull / accused rug-puller thread
Overview:
Community account reporting a specific NFT project that allegedly drained funds.
Agent Analysis:
Orpheus has gathered project website snapshots, contract addresses, and team wallet transactions. Discord/Telegram archive excerpts collected showing communication blackout. Team member social handles analyzed for identity reuse patterns. Domain registrant information retrieved showing pattern of anonymous registration.
Verdict / Conclusion:
SOFT RUG PATTERN DETECTED. Project roadmap promises made via tweets show no fulfillment. Token sale proceeds ($2.1M) moved to exchange wallets within 72 hours. Team communications ceased abruptly. Domain expiry not renewed. Network analysis reveals funds flowed to addresses linked to 2 previous abandoned projects. Training case logged for reputation decay modeling.
Phishing site + wallet-drain examples
Overview:
Warning about fake airdrop posts with convincing domains and wallet-connect prompts.
Agent Analysis:
Antimida has run automated screenshot OCR capturing phishing copy, followed short links through redirect chains, and snapshotted JavaScript used during wallet-connect flows. URLs embedded in paid ads with bot cluster amplification detected. Forensic checklist completed: redirect chain mapped, host IP geolocated to known phishing infrastructure, TLS certificate age shows recent creation.
Verdict / Conclusion:
ACTIVE PHISHING CAMPAIGN WITH WALLET DRAIN CAPABILITY. Site includes malicious eth_sign and personal_sign calls designed to drain wallets upon connection. Infrastructure matches 6 previous phishing campaigns. Hosting provider contacted for takedown. Malicious JavaScript signatures added to detection database. Domain blacklist updated across security feeds.
Platform verification & impersonation problem
Overview:
Posts about verification gaps and how scammers impersonate projects to run fraudulent giveaways.
Agent Analysis:
Policy and provenance case examining how fake accounts gain traction using gray-check tactics, bio copying, and stolen images. Account creation metadata collected showing batch creation patterns. Previous handle history reveals rapid rebranding. Follower growth curves analyzed showing bot-driven spikes. Mutual follower clusters mapped showing overlap with reported victim wallets.
Verdict / Conclusion:
IMPERSONATION NETWORK IDENTIFIED. 14 accounts using similar tactics detected. Profile image theft from legitimate projects confirmed. Follower acquisition shows coordinated bot behavior. Provenance heuristics updated with new detection patterns. Platform takedown requests escalated for all identified accounts. Training data enriched for future impersonation detection.
Media site exploit / fake banners pushing airdrops
Overview:
Reports that reputable sites showed fake airdrop banners routing users to scams.
Agent Analysis:
Integrity supply-chain case. Sophos has captured compromised page HTML, analyzed third-party ad/network scripts, and identified injected iframe sources. Archived page snapshots preserved with script hashes documented. Early victim tweets reference exact timestamp of exposure, confirming attack window. Ad network or third-party widget compromise suspected.
Verdict / Conclusion:
SUPPLY-CHAIN ATTACK CONFIRMED. Third-party widget compromised to inject phishing iframe. Attack active for 6-hour window affecting ~50,000 page views. Widget vendor notified and patch deployed. Evidence preserved showing injection methodology. Training case valuable for indirect attack vector detection. Recommend enhanced third-party script monitoring for high-traffic crypto media sites.
Hacked official account posting fake airdrop
Overview:
Official project account was hacked and used to post a fake airdrop link.
Agent Analysis:
Dike has verified the tweet was created by the official account, checked Tweet IDs and historical tweet patterns for anomalies. Down-stream URLs used by compromised post have been mapped. Exchange abuse reports show incoming funds from victims. Account access method suggests credential compromise rather than social engineering.
Verdict / Conclusion:
OFFICIAL ACCOUNT COMPROMISE CONFIRMED. Tweet posted outside normal activity hours. Geographic IP anomaly detected. Fake airdrop link led to wallet-draining site that collected $340K within 90 minutes. Account has since been secured and malicious tweet deleted. Funds traced to mixer service. FLAG FOR HUMAN REVIEW. Immediate coordination with platform for account suspension protocol review.
Community watchdog threads calling out recurring scam accounts
Overview:
Community-curated lists of scam accounts with documented repeated patterns.
Agent Analysis:
Pattern-matching dataset collection. Orpheus has collected the list of flagged handles, sample tweets, and associated screenshot evidence. Similarity detection using text and image hashing to find past/future reposts of same scam template. This case useful for training detection thresholds and creating watchlists.
Verdict / Conclusion:
RECURRING SCAM TEMPLATE IDENTIFIED. 23 accounts using identical tweet structure detected. Image hashing reveals 89% visual similarity across campaigns. Watchlist created with pattern signatures. Model embeddings updated for rapid near-duplicate detection. Automated alerting system configured to flag new instances of this template within 5 minutes of posting.
Reported token/contract exploits (security org alerts)
Overview:
Security org alerts about exploited contracts and tokens that won't let holders sell.
Agent Analysis:
Antimida has performed live contract code analysis, checked for malicious transfer/approval logic, and attempted controlled reads to confirm honeypot behavior. On-chain transactions show buyer inability to sell. Funds movement tracked post-exploit showing consolidation to attacker wallets. Contract contains hidden modifiers preventing non-whitelisted addresses from selling.
Verdict / Conclusion:
HONEYPOT CONTRACT CONFIRMED. Transfer function contains hidden require() statement that always fails for non-owner addresses. 347 victim wallets identified with locked tokens totaling $890K. Contract deployer address linked to 12 previous honeypot deployments. Low-level EVM forensics completed showing exact exploit mechanism. Safe simulation performed with no exposure. Evidence package complete and indexed.