Skip to main content
Export cryptocurrency wallet records captured from infected machines — MetaMask, Exodus, and similar browser-extension or desktop wallets. Use to identify exposed wallet addresses, assess seed-phrase/private-key exposure risk, or feed blockchain-monitoring tooling.

Request

POST /v1/data/wallets · Required scope: view:wallets (pro and ultra tiers) At least one of wallet_type, chain_primary, start_date, or end_date is required.
ParameterTypeRequiredDefaultDescription
wallet_typestring | nullOne of the four requiredWallet application name, e.g. "MetaMask", "Exodus"
chain_primarystring | nullSee abovePrimary chain, e.g. "ethereum", "bitcoin", "solana"
start_datestring (date-time) | nullSee aboveInclusive start filter, clamped by query_window_days
end_datestring (date-time) | nullSee aboveInclusive end filter
sort_directionasc | descNodescMust stay constant across pages
cursorstring | nullNoPagination token
limitintegerNo251–500, clamped to your tier’s max_rows

Example request

curl -X POST https://api.vantaprism.me/v1/data/wallets \
  -H "api-key: $VANTAPRISM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "wallet_type": "MetaMask", "chain_primary": "ethereum", "limit": 25 }'

Response

200 OK — array of WalletRecord, cursor-paginated. 
{
  "data": [
    {
      "victim_id": "a3f1c9e8b2d4567890abcdef1234567890abcdef1234567890abcdef123456",
      "family": "RedLine",
      "wallet_type": "MetaMask",
      "wallet_kind": "browser_extension",
      "browser": "Chrome",
      "profile": "Default",
      "extension_id": "nkbihfbeogaeaoehlefnkodbefgpgknn",
      "source_dir": "Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn",
      "wallet_storage_format": "vault_json",
      "chain_primary": "ethereum",
      "evm_addresses": ["0x52908400098527886E0F7030069857D2E4169EE"],
      "btc_addresses": [],
      "tron_addresses": [],
      "solana_addresses": [],
      "cosmos_addresses": [],
      "ton_addresses": [],
      "other_addresses": [],
      "vault_kdf": "pbkdf2",
      "vault_iterations": 10000,
      "password_hint": null,
      "windows_username": "jdoe",
      "has_wallet_files": true,
      "has_seed_phrase": true,
      "has_private_key": false,
      "has_encrypted_vault": true,
      "inserted_at": "2026-05-02T14:22:31Z"
    }
  ],
  "nextCursor": null,
  "meta": {
    "request_id": "req_01HZXK3Q7N8YV6F3M2P9JABCDE",
    "took_ms": 47.8,
    "tier": "pro",
    "masked_fields": []
  }
}
FieldDescription
victim_idSHA-256 victim ID — use with Victim Profiles
familyStealer family that captured this wallet
wallet_typeWallet application, e.g. "MetaMask", "Exodus"
wallet_kindbrowser_extension, desktop_app, etc.
browser / profileBrowser the extension was installed in, if applicable
extension_idBrowser extension ID, may be null for desktop wallets
source_dirPath/directory the wallet data was harvested from
wallet_storage_formatStorage format of the wallet vault
chain_primaryPrimary chain, e.g. "ethereum", "bitcoin", "solana"
evm_addresses, btc_addresses, tron_addresses, solana_addresses, cosmos_addresses, ton_addresses, other_addressesWallet addresses extracted per chain
vault_kdf / vault_iterationsKey-derivation parameters for the encrypted vault, may be null
password_hintUser-set password hint, may be null
windows_usernameOS username the wallet was found under
has_wallet_filestrue if raw wallet files were captured
has_seed_phrasetrue if a seed phrase was captured
has_private_keytrue if a private key was captured
has_encrypted_vaulttrue if an encrypted vault file was captured
inserted_atWhen the record was ingested

Pagination

Cursor-paginated — see Pagination.

Errors

StatuscodeCause
400VALIDATION_ERRORNone of wallet_type, chain_primary, start_date, end_date provided
400INVALID_CURSORTampered or stale cursor
403FORBIDDEN_SCOPEKey lacks view:wallets (free tier)
See Errors for the full catalog.

Tier notes

This endpoint requires view:wallets, which is not included on the free tier — a free-tier key receives 403 FORBIDDEN_SCOPE. seed_phrase, private_key, encrypted_vault, and wallet_files are never returned as raw values — they are always reduced to has_seed_phrase, has_private_key, has_encrypted_vault, and has_wallet_files boolean flags on free/pro tiers. See Data Masking.