KaelAi Shield scores wallet behavior across 10 chains to detect exploit patterns, staging wallets, and coordinated attacks before they drain your protocol.
Every Shield query returns an actionable recommendation - not just a number.
| Tier | Score | What it means | What to do |
|---|---|---|---|
| BLOCK | 0-14 or threat registry | Confirmed exploit wallet, mixer-funded, or extreme risk | Reject interaction immediately |
| FLAG | 15-24 | Strong threat signals - receive-only, zero protocol engagement | Manual review before any interaction |
| REVIEW | 25-49 | Manual assessment recommended. Covers two scenarios: wallets showing mixed or concerning behavioral signals that warrant investigation, and wallets with insufficient on-chain history where risk cannot be fully determined. Unknown is not the same as dangerous. | Manual review recommended |
| ⓘ REVIEW does not mean blocked. It means your security team gets the information they need to make an informed decision — without adding friction for legitimate users. | |||
| MONITOR | 50-69 | Minor signals only - watch this wallet | Allow with monitoring |
| ALLOW | 70-100 or trusted registry | Clean behavioral profile | Proceed normally |
Our proprietary registry of confirmed exploit wallets gets more powerful with every hack. Shield checks every queried wallet against known attacker addresses in real time. Registry matches return at 0.99 confidence - the highest certainty in the system.
Before we knew the Drift Protocol and Kelp DAO exploits had happened, we ran the attacker wallets through Shield. All five returned CCC grades with BLOCK recommendations. The behavioral signals were visible in the onchain data - we just didn't know what we were looking at yet.
All attacker wallets had a 100% inbound transaction pattern - a staging address signature. No legitimate DeFi participant operates this way.
One Drift wallet showed a max/mean transaction value ratio of 2.7 billion - an extreme drain-staging signal that no normal wallet produces.
None of the 5 wallets had interacted with a single verified DeFi protocol in their sampled history. Pure receive-and-hold infrastructure.
All four Drift wallets were created within the same 44-day window - coordinated infrastructure that behavioral scoring surfaces immediately.
Six behavioral signals that identify exploit infrastructure before it strikes. Each flag modifies the shield score and can trigger tier escalation.
`receive_only_pattern`: No outbound transactions detected. Consistent with staging, aggregation, or drain wallets. One of the strongest exploit signals in the system.

`zero_known_protocol_ratio`: Zero interaction with verified DeFi protocols despite contract activity. Attacker wallets don't engage with protocols until the moment of exploit.

`tornado_cash_funded`: Wallet funded via Tornado Cash or confirmed mixer - registry verified. Used to obscure the attacker's funding source and origin chain.

`value_spike_anomaly`: Extreme transaction value variance (>50× spike ratio). Consistent with staged drain behavior where one massive transaction dwarfs all others.

`counterparty_concentration`: Single counterparty accounts for ≥70% of transaction volume. Suggests a controlled or purpose-built wallet, not an organic participant.

`failed_tx_anomaly`: ≥15% of transactions failed. Consistent with probing or malformed exploit attempts - testing protocol logic before the real attack.
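To make the thresholds above concrete, here is an added sketch (not KaelAi's engine or code from this page) that evaluates the four flags computable from a wallet's own transaction list against constructed histories. The function names, the record shape, the max/mean reading of "spike ratio" and measuring volume by value are assumptions; `zero_known_protocol_ratio` and `tornado_cash_funded` are left out because they depend on registries.

```python
from collections import defaultdict

# Thresholds quoted from the flag descriptions above.
SPIKE_RATIO, COUNTERPARTY_SHARE, FAILED_SHARE = 50, 0.70, 0.15

def local_flags(wallet, txs):
    """Return the flag names a wallet's history trips.

    txs: list of {"from", "to", "value", "ok"} dicts (assumed record shape).
    """
    if not txs:
        return []  # no history: risk cannot be determined from behavior
    flags = []
    if not any(t["from"] == wallet for t in txs):
        flags.append("receive_only_pattern")
    values = [t["value"] for t in txs]
    mean = sum(values) / len(values)
    # Assumption: spike ratio = max/mean. It can never exceed len(txs), so
    # this check cannot fire on a sample of 50 transactions or fewer.
    if mean > 0 and max(values) / mean > SPIKE_RATIO:
        flags.append("value_spike_anomaly")
    # Assumption: "transaction volume" is measured by value, not by count.
    volume = defaultdict(float)
    for t in txs:
        peer = t["to"] if t["from"] == wallet else t["from"]
        volume[peer] += t["value"]
    total = sum(volume.values())
    if total > 0 and max(volume.values()) / total >= COUNTERPARTY_SHARE:
        flags.append("counterparty_concentration")
    if sum(not t["ok"] for t in txs) / len(txs) >= FAILED_SHARE:
        flags.append("failed_tx_anomaly")
    return flags

def tx(src, dst, value, ok=True):
    return {"from": src, "to": dst, "value": value, "ok": ok}

# Constructed sample data (placeholder addresses, not real wallets).
W = "0xWALLET"
STAGING = [tx(f"0xSRC{i}", W, 1.0) for i in range(59)] + [tx("0xBIG", W, 1_000_000.0)]
ORGANIC = [tx(W, f"0xPEER{i % 5}", 10 + i % 3) if i % 2 else
           tx(f"0xPEER{i % 5}", W, 10 + i % 3) for i in range(20)]

if __name__ == "__main__":
    print("staging:", local_flags(W, STAGING))
    print("organic:", local_flags(W, ORGANIC))
```
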
Add mode=shield to your existing API call. That's it. Shield runs the same behavioral engine with threat-optimized weighting and exploit registry checks.
```bash
curl -X POST https://api.kaelai.io/api/v1/score \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "wallet_address": "0x6bcb37488dbe2b5d917e80586c544cb9174a1d6d",
    "chain": "eth",
    "mode": "shield"
  }'
```
```json
{
  "scoring_mode": "shield",
  "overall_score": 22,
  "agent_score": 25,
  "grade": "CCC",
  "threat_classification": "confirmed_exploit_wallet",
  "threat_confidence": 0.99,
  "shield_flags": [
    "receive_only_pattern",
    "zero_known_protocol_ratio"
  ],
  "registry_checked": true,
  "registry_match": {
    "matched": true,
    "registry_type": "threat",
    "incident_name": "Drift Protocol Exploit",
    "incident_date": "2026-04-01",
    "role": "attacker",
    "amount_usd": 285000000
  },
  "recommended_action": "block",
  "recommended_action_label": "REGISTRY MATCH — confirmed attacker wallet from Drift Protocol Exploit ($285M). Block immediately.",
  "alert_severity": "critical"
}
```
critical severity. Behavioral-only flags return high, medium, or low based on flag combination and score.
Start with PAYG. Upgrade to registry access and real-time alerts. Founding rates locked for life.
Founding member rates are locked for life while subscribed.
Request a Demo - hello@kaelai.io