crypto theft / wallet drain
approve-for-all phishing, sweeper bots, malicious dapps, drained hot wallets. evidence is a tx graph + the malicious contract bytecode + browser history.
a guided path, not automation — each step opens a tool you run yourself; nothing uploads. progress is saved only in this browser.
wraps the "crypto theft — IOC + tx-graph seed" preset: drop chat exports + browser history + contract addresses → extract IOCs → merge with breach data → triage → report
guided steps
- evidence manifest generator
fix the evidentiary state of the victim's exports before pivoting
- ioc extractor
pull wallet addresses, contract addresses, dapp URLs and malicious sites from all text inputs
suggested options · format: json · aggregate: true
- ioc deduplicator and normalizer
merge across browser history + chat + screenshot OCR transcripts
suggested options · lowercase: true
- breach ioc normalizer
merge with any threat-intel IOC list the victim's exchange provided
- ioc bulk validator & triage
score the bundle; mixer addresses + sanctioned wallets surface as high-severity
- case report generator
draft a report that's a valid intake packet for a chain-analysis firm or law enforcement
suggested options · title: crypto theft — IOC seed bundle
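an added example, not this tool's own code: a minimal version of the extract → dedupe/normalize steps for EVM-style addresses and URLs, showing what lowercase: true and aggregate: true do to a bundle. the sample inputs, regexes, file names and output field names are assumptions made for the illustration.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# constructed values: the address, host and text below are made up for this example
ADDR = "0x" + "Ab12Cd34" * 5
SOURCES = {
    "chat_export.txt": f"connect at https://Claim-Airdrop.example/connect?ref=tg "
                       f"then approve {ADDR}\ntx 0x{'ab' * 32}\n",
    "browser_history.csv": "2024-01-01T10:00:00Z,https://claim-airdrop.example/connect?ref=tg\n"
                           "2024-01-01T10:02:00Z,https://claim-airdrop.example/Approve\n",
    "ocr_transcript.txt": f"spender: {ADDR.lower()}",
}

# exactly 40 hex chars: the trailing \b keeps 64-hex tx hashes from being cut into addresses
EVM_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
URL = re.compile(r"https?://[^\s\"'<>]+")

def normalize_url(url):
    # scheme and host are case-insensitive; path and query are not, so leave them alone
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))

def extract(sources):
    """Return deduplicated IOCs, each with the list of inputs it was seen in."""
    seen = defaultdict(set)  # (type, normalized value) -> source names
    for name, text in sources.items():
        for m in EVM_ADDR.finditer(text):
            # lowercasing is safe for 0x hex addresses (the EIP-55 checksum is only
            # letter case); it is NOT safe for base58 addresses, which are case-sensitive
            seen[("evm_address", m.group().lower())].add(name)
        for m in URL.finditer(text):
            url = normalize_url(m.group().rstrip(".,;)"))
            seen[("url", url)].add(name)
            seen[("domain", urlsplit(url).hostname)].add(name)
    # text alone cannot tell a wallet from a contract; that needs an on-chain code lookup
    return [{"type": t, "value": v, "sources": sorted(s)}
            for (t, v), s in sorted(seen.items())]

if __name__ == "__main__":
    print(json.dumps(extract(SOURCES), indent=2))
```

an address seen in both the chat export and the OCR transcript collapses to one record with two sources, which is the corroboration a triage step can weight.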
when you're done
export a run summary — a small JSON record of which steps you marked done, your notes, and a self-hash so the record can't be silently altered. it is your reproducibility note, not a per-tool receipt: each tool emits its own input→output receipt when you run it.