Overview Demo How It Works States Features Trust FAQ Install
// HERO · 01 / 09 — INTERCEPT LAYER SEC // ZAFU.SHIELD.OBSERVER
LIVE · v1.1.7 · address confidence extension

One final address
check before you send crypto.

ZAFU helps you build a local trusted address memory, preserve source evidence, review warning signals, and run Transfer Check before the field accepts your paste.

ZAFU is not only looking for scams. It helps you use trusted address memory before every send.
Install - Free Check Address
Watch 30-Second Demo →
· no wallet access · optional anonymous counts · trusted contacts · protected wallets · Telegram Web evidence · local TRON support · extension source public · 3 permissions · Audit Source ↗
FIG.01 — VERDICT.OVERLAY
200ms · 9 CHECKS · LOCAL
app.uniswap.org/swap
ZAFU · ON
Send ETHEREUM · MAINNET
amount
2,400.00 USDC
recipient scanning…
0x71C7 656E C7ab 88b0 98de fB09 a29c 3a0f 1
scanning running 9 checks
Comparing clipboard, trusted history, and threat signals…
02 Address confidence MEMORY · SOURCE · REVIEW · CHECK

Address book, source evidence, then final Transfer Check.

The extension's final check is powered by local trusted contacts, protected wallets, browser source evidence, and full-address review.

01 · Trusted Address Book

Repeat recipients become easier to recognize.

Save trusted contacts and use history-backed context for EVM and Solana, with manual TRON contacts in v1.1.7.

02 · Protected Wallets

Keep your own wallets out of the confusion.

Mark wallets you control so ZAFU can distinguish your protected addresses from external recipients.

03 · Secure Copy Evidence

See whether the paste still matches the copy.

Telegram Web source evidence is address-only and local, with no chat text, sender, group, or message IDs stored.

04 · Transfer Check

One last review in the send flow.

Review copied-address match, warning signals, field context, and segmented full address before the field accepts it.

// 30-sec demo

Watch ZAFU stop a poisoned paste.

See the exact moment ZAFU catches a lookalike address before it reaches the wallet field, then lets a trusted contact through.

poisoned paste · clipboard hijack · trusted contact
Video not loading? Open the MP4 directly.
03 The threat is real EVIDENCE / Q1 2026

The attack happens
in half a second.
You'll never see it.

Attackers don't need your seed phrase. They send a $0 transaction from a lookalike address — same first 4, same last 4 — and wait for you to copy it from your history.

↑ trending
0.0M
Address poisoning attempts on Ethereum — January 2026
Source - Blockaid via imToken
↑ trending
$0M
Lost to phishing attacks in January 2026 alone
Source - PeckShield / CertiK coverage
↑ 2025
$0M
Drained via clipboard-hijacking browser extensions
Source - ScamSniffer · 2025 cumulative
// what your wallet shows you
Trusted → 0x71C7…a0f1
Pasted  → 0x71C7…02e4
You can't see the difference. Zafu can.
poisoned FIRST-4 LAST-4 COLLISION
04 How it works PASTE-INTERCEPT PIPELINE

Zafu intercepts
the paste.
Not the wallet.

Nine checks run between your clipboard and the input field. No keys. No signing. Local-first storage. Just a verdict — before the address ever touches your wallet.

Step 01 / 03

Copy

You copy a crypto address from a browser workflow. When it comes from Telegram Web, ZAFU stores recent address-only source evidence locally for Transfer Check.

Step 02 / 03

Paste

You paste on a wallet, exchange, dapp, or Telegram Web address field. ZAFU checks before the address reaches the input field.

Step 03 / 03

Verdict

Clear result. You decide. Trusted addresses auto-confirm in two seconds. Anything else stops cold.

✓ trusted
auto-confirms in 2s
⚠ danger
cancel is the only default
05 Detection states SIX VERDICTS · ONE PIPELINE

Six states.
Nothing gets through
unclassified.

Every paste resolves to exactly one verdict. The colour is the conclusion. The text is the evidence. You're never asked to "consider" — you're shown what happened.

HIJACKED01 / 06
trigger

Pasted address differs from what you copied — clipboard malware replaced it mid-paste.

user experience

Red modal. Address diff highlighted. Cancel is the only action.

POISONED02 / 06
trigger

Pasted address looks identical to a trusted contact — same start and end, different middle.

user experience

Both addresses shown in 4-char segments. Differing chunks flash red. No quick confirm.

SCAM03 / 06
trigger

Matches GoPlus Security real-time database or ScamSniffer bundled blocklist.

user experience

Red modal. Cannot be overridden. Address is blocked.

SUSPICIOUS04 / 06
trigger

Address appears in your history but you've never sent value to it — likely airdrop or dust.

user experience

Confirm modal with verification checkbox. You must explicitly verify.

KNOWN05 / 06
trigger

Exact match in your trusted contact history — you've sent value to this address before.

user experience

Green banner. Auto-confirms in 2 seconds. No friction.

UNKNOWN06 / 06
trigger

Address has never appeared in your transaction history.

user experience

Confirm modal. Full address shown in 4-char segments. You manually verify.

06 Core product surfaces POWER FEATURES · SAME SHIELD

Address confidence in practice.

The live workflow pieces behind the final check: trusted address memory, secure copy evidence, and full transfer review.

A · Trusted Address Book

Your trusted contacts. Auto-built.

Add a wallet, and ZAFU pulls EVM/Solana counterparties from on-chain history. Real recipients become trusted contacts; TRON contacts and protected wallets work locally in v1.1.7.

  • Auto-discovered from EVM and Solana history
  • Manual TRON contacts and protected wallets
  • Starred favorites float to the top
Address Book · 2,148 entries
auto · synced
addressnamelast seenstate
0x71C7…a0f1 Cold Storage 2 days ago KNOWN
0xe592…1564 Uniswap V3 Router 5 days ago KNOWN
0x71C7…02e4 Planted 9d POISONED
0xa0b8…4b48 airdrop · dust 12 days ago SUSPICIOUS
B · Transfer Check

One final full-address review.

Transfer Check shows a final review before crypto-address pastes: copied-address match, Telegram Web source evidence when available, threat signals, field context, and the full address.

  • Copied-vs-pasted address match
  • Telegram Web match or mismatch evidence
  • Threat and lookalike checks complete
transfer check
final address review passed
0xd8dA 6BF2 6964 aF9D
7eEd 9e03 E53A 1351 1BbA 6E4c
KNOWN · sent 4× since 2024
transfer check is on · turn off in settings
C · Secure Copy Evidence

Source context for stablecoin workflows.

v1.1.7 adds address-only source matching for Telegram Web and local TRON validation/comparison for TRC-20 transfer flows. No chat text, sender, group, or message IDs are stored.

  • Copied from Telegram Web 18s ago
  • Pasted address matches or differs from source
  • TRON Base58Check validation runs locally
Source Evidence · local
telegram_web
signalevidencestate
source copied 18s ago MATCH
chain TRON local VALID
privacy address only LOCAL
07 Trust model BUILT TO BE AUDITED · NOT TRUSTED

Built to be audited.
Not trusted.

Three browser permissions. Local-first data. No advertising telemetry. The Chrome extension source is public and auditable, with a fingerprint you can verify yourself.

No wallet access

Cannot read keys, seed phrases or signing credentials. Cannot sign or initiate transfers. By architecture — not policy.

No advertising telemetry

Optional Network Mode shares anonymous aggregate counts only. Pasted EVM addresses can go to GoPlus for threat checks — never your wallet address, never your history.

Zero dependencies

The Chrome extension is pure vanilla JavaScript: no npm packages, no bundler, no CDN scripts. Nothing hidden in a dependency tree.

Verifiable install

Every release ships a 16-character fingerprint derived from the security-critical extension files and bundled risk data. Compare against the public release. Verify yourself.

Cross-platform

Works across EVM, Solana, and local TRON transfer workflows on wallet, exchange, dapp, and Telegram Web address fields.

Shared reports

Manual reports and opt-in automatic threat signals feed a shared warning list that protects other users. Anonymous by default. Threshold-reviewed before it affects blocking decisions.

real product proof

This is what stops a poisoned paste.

The extension shows the actual pasted address against the trusted address, segment by segment, before the address reaches the wallet field. The design goal is clarity under pressure, not decoration.

ZAFU possible address poisoning warning showing segmented address differences
permissions audit
3 permissions total. Average extension requests 17.
verified
storage Saves your wallet list and address index locally on device. Never synced.
alarms Schedules 24h auto-refresh of wallet history and community report data.
identity Optional Google Sign-In only. Never used unless you sign in.

Chrome may say Zafu can "read and change all your data on all websites" because Zafu has to see crypto-address paste events before the destination field accepts them. Zafu does not request tab history, does not run advertising analytics, and only activates address-checking logic when a crypto address is pasted in a relevant context.

/ works across major chains · wallet and exchange websites
ETH
Ethereum
POL
Polygon
ARB
Arbitrum
BASE
Base
OP
Optimism
BNB
BNB Chain
SOL
Solana
TRX
TRON local
MetaMask Rabby Coinbase Wallet Phantom Binance Kraken Uniswap 1inch Aave Compound Etherscan OpenSea + 30 more →
08 Frequently asked OBJECTIONS · HANDLED

Common questions.

01Does Zafu need my private key or seed phrase?
No. Impossible by architecture. Zafu only needs your public wallet address — the same one you share when receiving funds. It cannot access, request, or store private keys or seed phrases.
02Does Zafu send my addresses to any server?
Your wallet address is sent to Etherscan or Solscan only when you explicitly click "Fetch History." Pasted addresses are sent to GoPlus Security for real-time scam detection — only on paste events, never in the background. Flagged attacker addresses (not your wallet) are submitted to the community pool if you report them or opt in to automatic threat signals. Full details in the Privacy Policy.
03Why does Chrome say Zafu can read and change data on websites?
Chrome shows that warning because Zafu's content script can run on websites where you might paste a crypto address. That access lets Zafu stop address poisoning and clipboard hijacking before the pasted address reaches a wallet or exchange field. Zafu does not request tab history, does not use tabs or activeTab, does not run advertising analytics, and gates checks to crypto-address paste events in relevant contexts.
04What's the difference between POISONED and HIJACKED?
POISONED means the pasted address looks nearly identical to one you trust — an attacker planted a lookalike in your transaction history. HIJACKED means malware on your machine silently replaced the address between when you copied it and when you pasted it. Both are attack vectors. Both get their own distinct alert.
05Which chains does the extension support?
ZAFU supports EVM and Solana workflows with history-backed address intelligence, plus local TRON address validation and comparison in v1.1.7. TRON support is local-only today: no Tronscan enrichment or TRC-20 token verification claim.
06What is Transfer Check?
An optional setting that shows a final address check before crypto-address pastes. It summarizes copied-address match, threat signals, field context, and the full segmented address so you can review before the address reaches the field.
#StayZafu
— verify the address before you trust the send —

Check the address.
Then send.

ZAFU gives every crypto transfer a final address check before it reaches your wallet. Free. Local-first. Never touches your keys. Public extension source. Three permissions.

Install - Free Audit Extension Source

Running a crypto team, OTC desk, or stablecoin operation? ZAFU is researching shared address-book and transfer-review workflows. Contact Us. Paid products are not live yet.

v1.1.7 · MIT license · github.com/jimozo/zafu-extension