This is a submission for the Gemma 4 Challenge: Build with Gemma 4
What I Built
OCTIO (On-Chain Threat Intelligence Oracle) is a system that monitors live phishing and malware feeds, runs each threat indicator through Gemma 4 for analysis and classification, and stores verified intelligence in a format that blockchain protocols can query before executing sensitive operations.
The problem it solves is real. Around 80% of funds stolen from Web3 projects come not from smart contract exploits but from attacks on surrounding Web2 infrastructure such as phishing campaigns, DNS hijacking, frontend supply chain compromise, and cloud misconfiguration. The Ronin Network hack ($625 million) started with a phishing email. The Ledger Connect Kit attack ($600,000) came from a poisoned npm package. The Curve Finance DNS hijack redirected legitimate users to a malicious server for hours.
In every case, observable signals existed before significant losses occurred. OCTIO is the infrastructure to collect, analyse, and distribute those signals with Gemma 4 at the core of the intelligence layer.
Demo
DemoGitHub: github.com/James-Kabingu/octio
Running the full system takes five commands:
python3 monitor.py # fetch and classify live phishing URLs
python3 registry.py # submit validated indicators to registry
python3 oracle.py # run protocol query interface
python3 correlation.py # correlate against documented incidents
python3 dashboard.py # display full system dashboard
Sample oracle output:
[BLOCK ] [CRITICAL ] http://www.dpdlocoqu.cyou/com
[PROCEED] [SAFE ] https://uniswap.org
[CAUTION] [SUSPICIOUS] http://metamask-security-alert.com/connect
[PROCEED] [SAFE ] https://aave.com
[BLOCK ] [CRITICAL ] http://instagram.com.universal-api.org/
Code
GitHub: github.com/James-Kabingu/octio
The repository includes:
monitor.py: Live phishing feed monitoring with Gemma 4 threat classification.
registry.py: On-chain registry simulation with keccak256 hash storage.
oracle.py: DeFi protocol query interface with Gemma 4 risk assessment.
correlation.py: Incident correlation against documented real-world hacks.
dashboard.py: Terminal dashboard for live threat visibility
contracts/ThreatRegistry.sol. Solidity contract for Sepolia testnet deployment.
The smart contract implements the full indicator submission, validation, and query interface described in the system architecture. Target domains are stored as keccak256 hashes rather than plaintex, reducing storage costs by 60 to 90% and preventing the registry from being used as a phishing directory.
How I Used Gemma 4
I chose the Gemma 3 27B Instruct model (google/gemma-3-27b-it) via OpenRouter. The 27B model has the reasoning depth needed to make nuanced security judgements, not just pattern matching.
Gemma 4 powers three distinct functions inside OCTIO:
- Threat Classification (monitor.py): OCTIO pulls live URLs from OpenPhish, a real phishing feed updated continuously. Each URL is sent to Gemma 4 with a structured prompt asking it to classify the threat, assess severity, identify the impersonation target, and explain its reasoning. Given the URL http://www.dpdlocoqu.cyou/com, Gemma 4 returned:
{
"is_threat": true,
"threat_type": "PHISHING",
"severity": "HIGH",
"target": "DPD (Delivery Service)",
"reasoning": "The URL uses a misspelling of DPD and a suspicious domain extension to impersonate the legitimate delivery service, likely to steal credentials potentially leading to crypto access."
}
This is not keyword matching. Gemma 4 understood the typosquatting pattern, identified the impersonated brand, and connected it to the crypto threat context from the URL alone.
Risk Assessment (oracle.py):
When a protocol queries the oracle, Gemma 4 produces a final risk assessment combining registry data with its own domain pattern analysis. For http://metamask-security-alert.com/connect, which was not in the registry, Gemma 4 returned SUSPICIOUS/CAUTION based on the domain pattern alone. A rule-based system would have returned CLEAN. Gemma 4 understood the social engineering intent from the URL structure.Incident Correlation (correlation.py):
Gemma 4 analyses the current indicator set against a database of documented real-world Web3 hacks. Given five live phishing URLs, it correctly correlated them with the Ronin Network hack ($625M), Curve Finance DNS hijack ($570K), and MyEtherWallet BGP attack ($17M), and produced actionable recommendations for DeFi protocols.
Why the 27B model:
The 27B model was necessary for this task. Smaller models returned surface-level classifications without the reasoning depth needed to distinguish between a legitimate security alert and a phishing site designed to look like one. What Gemma 4 unlocked was a system that gets smarter as the threat landscape evolves, without retraining or updating rule sets.
Limitations and Next Steps
This is a working prototype, not a production system. The current limitations are worth being clear about:
The on-chain registry is simulated in Python. The Solidity contract (ThreatRegistry.sol) is written and ready but not yet deployed to Sepolia testnet. A live deployment requires testnet ETH and a Foundry deployment script.
The monitoring layer currently pulls from OpenPhish only. The full architecture specifies Certstream for certificate transparency monitoring, PassiveDNS for DNS change detection, SecurityTrails, and npm audit feeds. These are the next integrations.
The prototype auto-validates every indicator Gemma 4 flags. The whitepaper describes a multi-party validation mechanism where registered researchers vote on submitted indicators before they reach the active registry. That governance layer is not yet implemented.
Gemma 4 can produce false positives. The model occasionally flags legitimate domains as suspicious. Human review before on-chain submission is essential in a production deployment.
The oracle interface simulates Chainlink integration. A real deployment requires a running Chainlink node and a registered External Adapter.
Despite these limitations, the core thesis is demonstrated: Gemma 4 can perform nuanced threat classification, catch suspicious domains not yet in any registry, and correlate current indicators against historical incidents, all in real time. The prototype shows the system works. The remaining work is engineering, not concept validation.
Top comments (0)