Defimon detects DeFi attacks across 8 chains and streams them as structured JSON over WebSocket — raw and LLM-confirmed. Built for DeFi incident response.
Just want the free alerts? Join the public Telegram channel
From handshake to action in three steps — and a few lines of code.
Open a WebSocket to the feed with your API key. One key works for both streams across all 8 networks.
Receive every detected attack as a single JSON object the instant it's found — or subscribe to the curated, LLM-confirmed stream for lower noise.
Parse the payload and route it into your own systems — hedge a position, snapshot state, page on-call, or trigger a circuit breaker. No scraping, no parsing Telegram.
const ws = new WebSocket(
"wss://ws.defimon.xyz/ws/attacks?api_key=YOUR_API_KEY"
);
ws.onmessage = (event) => {
const attack = JSON.parse(event.data);
// Machine-readable: act on it however you like
if (attack.balance_change > 100_000) {
hedge(attack.victim_address, attack.network);
}
};No parsing screenshots. No scraping a channel. Structured, enriched payloads your code can act on in milliseconds.
Raw, real-time. Fires the instant a suspicious transaction is detected — fully enriched with the victim protocol, TVL, and per-address balance changes.
Every second counts in DeFi. Get the edge you need.
Exploits are detected within milliseconds of execution and pushed straight to your socket — the fastest signal in the industry.
Every payload carries the victim protocol, TVL, token symbols, and per-address USD balance changes — no extra lookups required.
A second, curated stream where an LLM pipeline filters out MEV and arbitrage false positives and attaches a human-readable explanation.
Defimon runs on QuickNode Streams — here's the story behind the speed, straight from our infrastructure provider.

How Defimon cut block-to-detection latency 4x — from ~2 seconds to under 0.5 seconds — while scaling coverage from 3 to 8 EVM chains on QuickNode Streams.

Our CTO walks through the pipeline behind the feed: push-based Streams with JavaScript filters at the node level, and millions of tracked addresses in a Key-Value Store.
From a free public channel to a real-time machine-readable feed.
Public Telegram channel
No account needed.
Premium Telegram channel
Prefer Telegram for the WebSocket feed? Pay with Telegram Stars in the bot →
Designed for DeFi protocol teams and incident response.
| Defimon WebSocket | Any public source such as X | Build your own | |
|---|---|---|---|
| Detection latency | <300ms | Up to ~24h delay | Varies — high effort |
| Machine-readable JSON | |||
| LLM-confirmed stream | |||
| Protocol & TVL enrichment | Partial | ||
| Per-address balance changes | |||
| Networks covered | 8 | 8 | Per-chain infra |
| Maintenance burden | None | None | Constant |
| Cost | $200/mo | Free | $$$ infra + eng |
In-depth reports on the latest DeFi security incidents
A production integration guide for the Defimon WebSocket feed: raw vs confirmed streams, reconnect handling, filtering alerts against your contracts and exposure, and what to automate versus page a human for.
How cross-chain bridges get drained: validator key compromise, message verification bugs, false deposit events and custody failure, from Ronin and Wormhole to Shibarium and KelpDAO.
How DeFi price oracles get manipulated: spot-reserve pricing, missing update authorization, stale feeds and donation attacks, with real incidents and the on-chain patterns that expose them in real time.
In DeFi, a small delay costs millions.
Get the threat intelligence to rely on.