DEV.co
Open-Source Security · MyEtherWallet

ethereum-lists

Ethereum-lists is a community-maintained repository of curated lists for Ethereum security, including phishing URLs, fake token addresses, and malicious smart contracts. Contributors submit additions and corrections via pull requests, which are reviewed before inclusion.

Source: GitHub — github.com/MyEtherWallet/ethereum-lists
711
GitHub stars
1.3k
Forks
JavaScript
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryMyEtherWallet/ethereum-lists
OwnerMyEtherWallet
Primary languageJavaScript
LicenseMIT — OSI-approved
Stars711
Forks1.3k
Open issues94
Latest releaseUnknown
Last updated2025-11-11
Sourcehttps://github.com/MyEtherWallet/ethereum-lists

What ethereum-lists is

A JavaScript-based data repository structured as JSON files organized by asset type (addresses, tokens, contracts, URLs) across multiple blockchain networks. Includes optional metadata like token logos, ABIs, and decimal precision; supports validation via npm scripts (linting, token/contract checks).

Quickstart

Get the ethereum-lists source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/MyEtherWallet/ethereum-lists.gitcd ethereum-lists# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Wallet and Exchange Integrations

Display warnings for addresses in the darklist, auto-complete legitimate URLs from the lightlist, and prevent users from interacting with known phishing or scam addresses.

Security Tooling and Threat Intelligence

Feed phishing URLs and malicious addresses into threat detection systems, SIEM platforms, or security dashboards for real-time alerting and incident response.

Token Metadata and Contract Lookup

Retrieve canonical token information (decimals, logo, support contact), contract ABIs, and whitelisted addresses for DApps, portfolio trackers, and on-chain analysis tools.

Implementation considerations

  • Validate token metadata (decimals, symbol) and contract ABIs against on-chain state before caching or displaying to prevent stale or incorrect data from being served to users.
  • Implement versioning and checksum validation (e.g., git commit hash) to track which snapshot of the repository your application is using, especially if phishing lists are critical to security.
  • Plan for local mirroring or caching; do not assume real-time availability. Use a periodic sync job (hourly or daily) to fetch updates from the repository.
  • Establish internal review and testing for high-risk entries (darklist addresses/URLs) before deployment to production; community-sourced lists can contain false positives.
  • Monitor open issues and PR activity for corrections or retractions of previously listed addresses or URLs, and provide a mechanism to update cached lists accordingly.

When to avoid it — and what to weigh

  • Requiring Real-Time, High-Frequency Updates — The repository relies on volunteer contributions and PR review cycles. It is not designed for millisecond-level threat feeds or automated real-time detection without additional infrastructure.
  • Need for Guaranteed Accuracy or Liability Coverage — README explicitly states the list 'may not always be up to date, and may occasionally get it wrong.' No formal SLA, verification process, or indemnification exists for false positives or omissions.
  • Proprietary or Closed-Source Workflows — All contributions and data are public and open-source. If you require confidential threat intelligence or cannot publish security findings, this is not suitable.
  • High-Volume, Automated Submission Pipelines — The project is designed for manual PR submission with peer review. Bulk or programmatic ingestion of data would require custom tooling and is not natively supported.

License & commercial use

MIT License. Permits commercial use, modification, and redistribution with attribution and liability disclaimer. No patent indemnity or trademark rights granted.

MIT is an OSI-approved permissive license permitting commercial use. However, review the README liability disclaimer carefully: the project makes no guarantees of accuracy. Commercial products relying on this data should implement independent verification, document the limitations, and obtain appropriate legal review before deployment.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

This is a crowdsourced security list; consider it a heuristic aid, not a complete security solution. False positives (legitimate addresses flagged as phishing) and false negatives (new threats not yet listed) are possible. Recommend complementary checks (DNS reputation, contract bytecode analysis, threat feeds). Verify critical entries against multiple sources before taking blocking action. No cryptographic signatures or attestation of list integrity are provided; validate checksums or use HTTPS + certificate pinning if deploying at scale.

Alternatives to consider

OpenPhish / PhishTank

Focused exclusively on phishing URLs with automated detection and broader web ecosystem coverage, but less Ethereum-specific and less blockchain address/token data.

MetaMask Token Lists (tokenlists.org)

Community token metadata and whitelist service with broader DApp ecosystem integration; does not include phishing or darklist data.

Chainalysis / TRM Labs API

Commercial threat intelligence with real-time phishing/scam detection, compliance-grade accuracy, and SLA; significantly higher cost and closed-source.

Software development agency

Build on ethereum-lists with DEV.co software developers

Use ethereum-lists to protect your users from phishing and scams. Build your security integration with our open data—or let us help you design a compliant, scalable solution.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

ethereum-lists FAQ

How often is the list updated?
No formal update schedule is documented. Updates are committed as PRs are merged by volunteers. Check the last commit timestamp and monitor activity; expect delays during low-activity periods.
Can I get an automated feed of changes?
Not natively. You can subscribe to the GitHub repository watch notifications, use GitHub Actions to poll for changes, or build a custom webhook listener to your integration.
What if I find an error in a listed address or URL?
Open a GitHub issue or submit a PR with evidence. The README encourages corrections; provide links to proof (tweets, screenshots, reports) to speed review.
Are there separate lists for different blockchains?
Yes. The repository includes separate directories for Ethereum, Polygon, BSC, and other chains. Ensure your integration targets the correct network directory.

Custom software development services

DEV.co helps companies turn open-source tools like ethereum-lists into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Integrate Real-Time Ethereum Threat Data

Use ethereum-lists to protect your users from phishing and scams. Build your security integration with our open data—or let us help you design a compliant, scalable solution.