// HERO · 01 / 09 — INTERCEPT LAYER SEC // ZAFU.SHIELD.OBSERVER
LIVE · v1.1.3 · paste-time protection

One final address check before you send crypto.

ZAFU checks copied vs pasted addresses, lookalikes, threat signals, and the full address before the field accepts your paste.

StayZafu: double-check the address before you trust the send.
· no wallet access · zero telemetry · extension source public · 3 permissions · audit source ↗
FIG.01 — VERDICT.OVERLAY · 200ms · 9 checks · local
[Figure: mock Send screen on app.uniswap.org/swap (Ethereum mainnet, 2,400.00 USDC) with ZAFU on, scanning the pasted recipient address against clipboard, trusted history, and threat signals.]
// 30-sec demo

Watch ZAFU stop a poisoned paste.

See the exact moment ZAFU catches a lookalike address before it reaches the wallet field, then lets a trusted contact through.

poisoned paste · clipboard hijack · trusted contact
02 The threat is real EVIDENCE / Q1 2026

The attack happens
in half a second.
You'll never see it.

Attackers don't need your seed phrase. They send a $0 transaction from a lookalike address — same first 4, same last 4 — and wait for you to copy it from your history.

↑ trending
0.0M
Address poisoning attempts on Ethereum — January 2026
↑ 5.5× in two months
↑ trending
$0M
Lost to phishing attacks in January 2026 alone
Source — Chainalysis
↑ 2025
$0M
Drained via clipboard-hijacking browser extensions
2025 cumulative · ScamSniffer
// what your wallet shows you
Trusted → 0x71C7…a0f1
Pasted  → 0x71C7…02e4
You can't see the difference. Zafu can.
poisoned FIRST-4 LAST-4 COLLISION
03 How it works PASTE-INTERCEPT PIPELINE

Zafu intercepts
the paste.
Not the wallet.

Nine checks run between your clipboard and the input field. No keys. No signing. Local-first storage. Just a verdict — before the address ever touches your wallet.

Step 01 / 03

Copy

You copy a crypto address from anywhere — Etherscan, your friend, a contract page. Zafu silently records the chain, value and timestamp.

Step 02 / 03

Paste

You paste on any wallet or exchange. Zafu intercepts before the address reaches the input field. In under 200ms, nine detection checks run — locally.

Step 03 / 03

Verdict

Clear result. You decide. Trusted addresses auto-confirm in two seconds. Anything else stops cold.

✓ trusted
auto-confirms in 2s
⚠ danger
cancel is the only default
04 Detection states SIX VERDICTS · ONE PIPELINE

Six states.
Nothing gets through
unclassified.

Every paste resolves to exactly one verdict. The colour is the conclusion. The text is the evidence. You're never asked to "consider" — you're shown what happened.

HIJACKED · 01 / 06
trigger

Pasted address differs from what you copied — clipboard malware replaced it mid-paste.

user experience

Red modal. Address diff highlighted. Cancel is the only action.

POISONED · 02 / 06
trigger

Pasted address looks identical to a trusted contact — same start and end, different middle.

user experience

Both addresses shown in 4-char segments. Differing chunks flash red. No quick confirm.

SCAM · 03 / 06
trigger

Matches GoPlus Security real-time database or ScamSniffer bundled blocklist.

user experience

Red modal. Cannot be overridden. Address is blocked.

SUSPICIOUS · 04 / 06
trigger

Address appears in your history but you've never sent value to it — likely airdrop or dust.

user experience

Confirm modal with verification checkbox. You must explicitly verify.

KNOWN · 05 / 06
trigger

Exact match in your trusted contact history — you've sent value to this address before.

user experience

Green banner. Auto-confirms in 2 seconds. No friction.

UNKNOWN · 06 / 06
trigger

Address has never appeared in your transaction history.

user experience

Confirm modal. Full address shown in 4-char segments. You manually verify.
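
A sketch of how the six triggers above can resolve to exactly one verdict, including the 4-char segment diff shown for POISONED. This is an added example, not code from the ZAFU extension: the check order, the `ctx` shape, and the function names are assumptions, the addresses are constructed, and only EVM hex addresses are handled.

```javascript
// Added example, not ZAFU's code. Check order and data shapes are assumptions.
const norm = (a) => a.trim().toLowerCase();      // EVM hex is compared case-insensitively
const body = (a) => norm(a).replace(/^0x/, "");

// Split an address body into 4-char segments, as the warning modal displays it.
const segments = (a) => body(a).match(/.{1,4}/g) || [];

// Indexes of the 4-char segments that differ between two addresses.
function diffSegments(a, b) {
  const sa = segments(a), sb = segments(b);
  const out = [];
  for (let i = 0; i < Math.max(sa.length, sb.length); i++) {
    if (sa[i] !== sb[i]) out.push(i);
  }
  return out;
}

// Same first 4 and last 4 hex characters, but not the same address.
function isLookalike(a, b) {
  const x = body(a), y = body(b);
  return x !== y && x.slice(0, 4) === y.slice(0, 4) && x.slice(-4) === y.slice(-4);
}

// ctx: { copied, trusted[], seenNoValue[], blocklist[] } (hypothetical shape).
function classifyPaste(pasted, ctx) {
  const p = norm(pasted);
  const has = (list) => list.some((a) => norm(a) === p);
  // Clipboard content changed between copy and paste.
  if (ctx.copied && norm(ctx.copied) !== p) return { verdict: "HIJACKED", against: ctx.copied };
  if (has(ctx.blocklist)) return { verdict: "SCAM" };
  if (has(ctx.trusted)) return { verdict: "KNOWN" };
  // Must run before SUSPICIOUS: a planted lookalike is also a no-value history entry.
  const twin = ctx.trusted.find((t) => isLookalike(t, p));
  if (twin) return { verdict: "POISONED", against: twin, diff: diffSegments(twin, p) };
  if (has(ctx.seenNoValue)) return { verdict: "SUSPICIOUS" };
  return { verdict: "UNKNOWN" };
}

// Constructed sample data (not real addresses).
const TRUSTED = "0x71C7" + "a".repeat(32) + "a0f1";
const PLANTED = "0x71c7" + "b".repeat(32) + "a0f1";
const DUST = "0x" + "c".repeat(40);
const ctx = { copied: null, trusted: [TRUSTED], seenNoValue: [PLANTED, DUST], blocklist: [] };
```

Copying the planted address from history and pasting it unchanged yields POISONED rather than HIJACKED, because the clipboard was never altered; the lookalike check against trusted contacts is what catches it.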

05 Feature spotlights POWER FEATURES · SAME SHIELD

Beyond the verdict.

Two power features that turn Zafu from a paste-checker into a ledger of trust.

A · Address book

Your trusted contacts. Auto-built.

Add a wallet, and Zafu pulls every counterparty from your on-chain history. Real recipients become trusted contacts. Lookalikes get flagged on import.

  • Auto-discovered from EVM and Solana history
  • Starred favourites ★ float to the top
  • Search, filter and export the full ledger
Address Book · 2,148 entries
auto · synced
address · name · last seen · state
0xe592…1564 Uniswap V3 Router 5 days ago KNOWN
0x71C7…02e4 Planted 9d POISONED
0xa0b8…4b48 airdrop · dust 12 days ago SUSPICIOUS
B · Transfer Check

One final address check.

Transfer Check shows a final review before crypto-address pastes: copied-address match, threat signals, field context, and the full address. Confirm to proceed.

  • Copied-vs-pasted address match
  • Threat and lookalike checks complete
  • Full address shown before paste
transfer check
final address review passed
0xd8dA 6BF2 6964 aF9D
7eEd 9e03 E53A 1351 1BbA 6E4c
KNOWN · sent 4× since 2024
06 Trust model BUILT TO BE AUDITED · NOT TRUSTED

Built to be audited.
Not trusted.

Three browser permissions. Local-first data. No advertising telemetry. The Chrome extension source is public and auditable, with a fingerprint you can verify yourself.

No wallet access

Cannot read keys, seed phrases or signing credentials. Cannot sign or initiate transfers. By architecture — not policy.

Zero telemetry

No analytics, crash reporting, usage tracking or advertising. Pasted addresses go to GoPlus for threat checks — never your wallet address, never your history.

Zero dependencies

The Chrome extension is pure vanilla JavaScript: no npm packages, no bundler, no CDN scripts. Nothing hidden in a dependency tree.

Verifiable install

Every release ships a 16-character fingerprint derived from the security-critical extension files and bundled risk data. Compare against the public release. Verify yourself.

Cross-platform

Works on MetaMask, Rabby, Coinbase Wallet, Binance, Kraken, Uniswap and 30+ more. Not locked to any single wallet or chain.

Community-powered

Manual reports and opt-in automatic threat signals feed a shared signal list that protects other users. Anonymous by default. Threshold-reviewed before it affects blocking decisions.

real product proof

This is what stops a poisoned paste.

The extension shows the actual pasted address against the trusted address, segment by segment, before the address reaches the wallet field. The design goal is clarity under pressure, not decoration.

[Image: ZAFU possible address poisoning warning showing segmented address differences]
permissions audit
3 permissions total. Average extension requests 17.
verified
storage Saves your wallet list and address index locally on device. Never synced.
alarms Schedules 24h auto-refresh of wallet history and community signals.
identity Optional Google Sign-In only. Never used unless you sign in.
/ works across major chains · wallet and exchange websites
ETH
Ethereum
POL
Polygon
ARB
Arbitrum
BASE
Base
OP
Optimism
BNB
BNB Chain
SOL
Solana
MetaMask Rabby Coinbase Wallet Phantom Binance Kraken Uniswap 1inch Aave Compound Etherscan OpenSea + 30 more →
07 Frequently asked OBJECTIONS · HANDLED

Common questions.

01 Does Zafu need my private key or seed phrase?
No. Impossible by architecture. Zafu only needs your public wallet address — the same one you share when receiving funds. It cannot access, request, or store private keys or seed phrases.
02 Does Zafu send my addresses to any server?
Your wallet address is sent to Etherscan or Solscan only when you explicitly click "Fetch History." Pasted addresses are sent to GoPlus Security for real-time scam detection — only on paste events, never in the background. Flagged attacker addresses (not your wallet) are submitted to the community pool if you report them or opt in to automatic threat signals. Full details in the Privacy Policy.
03 Why does it need the <all_urls> permission?
Crypto wallets and exchanges live on thousands of domains — including self-hosted interfaces, DAO portals and new exchanges not on any static list. Zafu must be present everywhere to catch paste events. The content script only activates address-checking logic when a valid crypto address is pasted. It does not read page content, forms, passwords or any other data.
04 What's the difference between POISONED and HIJACKED?
POISONED means the pasted address looks nearly identical to one you trust — an attacker planted a lookalike in your transaction history. HIJACKED means malware on your machine silently replaced the address between when you copied it and when you pasted it. Both are attack vectors. Both get their own distinct alert.
05 Does it work on Solana?
Yes. Zafu auto-detects whether an address is EVM or Solana, fetches history from Solscan, and runs a 9-step detection pipeline including system program impersonation detection. Add SOL wallets in the same form as EVM wallets.
06 What is Transfer Check?
An optional setting that shows a final address check before crypto-address pastes. It summarizes copied-address match, threat signals, field context, and the full segmented address so you can review before the address reaches the field.
#StayZafu
— verify the address before you trust the send —

Check the address.
Then send.

ZAFU gives every crypto transfer a final address check before it reaches your wallet. Free. Local-first. Never touches your keys. Public extension source. Four permissions.

Running a small crypto team? ZAFU is exploring Teams / Pro beta workflows for shared address books and transfer reviews. Contact the beta list. Paid products are not live yet.

v1.1.3 · MIT license · github.com/jimozo/zafu-extension