Developed by Team Scriptix
PhantomClick is an intelligent scam detection and forensic investigation platform that helps users identify and analyze fraudulent SMS messages, phishing URLs, and scam attempts before falling victim to them. Using AI-powered analysis, secure sandboxing, and forensic evidence generation, PhantomClick transforms scam detection into actionable cyber intelligence.
India faces a ₹10,000+ Crore annual loss from digital fraud (NCRB). SMS scams exploit:
- Financial Fraud: Fake KYC updates, reward claims, account suspension alerts
- Government Impersonation: Fake electricity bills, traffic challans, tax refunds
- Psychological Pressure: Urgent messages like "30 minutes left", "Account blocked"
Current Protection Gaps:
- ⚡ Detection lag as scam numbers rotate hourly
- 🎭 Perfect impersonation of trusted banks (SBI, HDFC, ICICI)
⚠️ Generic warnings without proof or explanation- 📋 No way to safely verify or collect evidence for reporting
Extract intelligence from suspicious SMS screenshots using advanced text recognition and psychological pressure mapping.
Capabilities:
- OCR Processing: Automatically extracts text, URLs, and phone numbers from SMS images
- Psychographic Analysis: Detects urgency, manipulation tactics, and emotional pressure
- AI Categorization: Classifies scam type (financial fraud, government impersonation, etc.)
- Visual Heatmap: Color-coded pressure mapping to visualize threat psychology
Multi-layered URL analysis combining heuristics and machine learning to detect malicious patterns.
Detection Methods:
- Uses Levenshtein Distance Algorithm
- Compares against 57 legitimate Indian domains
- Detects typosquatting (e.g.,
sbi-kyc-update.invssbi.co.in) - Risk Weight: 30%
- WHOIS lookup for creation date
- Age-based risk scoring:
- < 3 days = 100% risk
- < 30 days = 70% risk
- < 1 year = 40% risk
- Risk Weight: 25%
- Shannon entropy calculation
- Measures randomness in URL structure
- Entropy scale:
- > 4.5 = 80% risk (high randomness)
- 4.0-4.5 = 60% risk (moderate)
- Risk Weight: 15%
- Random Forest classifier (100 trees)
- Trained on PhishTank datasets + legitimate Indian domains
- 18 extracted features per URL
- Performance: 99.84% accuracy (9984 TP, 13 TN, 1 FP, 3 FN)
Zero-trust execution environment that safely opens and interacts with suspicious links.
How It Works:
- Disposable Sandbox: Playwright + Chromium headless browser in isolated Docker environment
- AI-Powered Interaction: Gemini Vision identifies and interacts with form fields using synthetic data
- Forensic Capture: Screenshots, DOM snapshots, network logs, and redirect chains
- Zero User Exposure: Link never touches user's device
Threats Detected:
- Credential theft attempts
- OTP interception
- Malware distribution
- Unauthorized redirects
- Data exfiltration
Step-by-step visual reconstruction of the complete scam journey.
Features:
- Timeline Reconstruction: Shows entire attack flow from first click to data theft
- User's Perspective: Displays exactly what the victim would see at each stage
- Educational Value: Helps users recognize scam patterns for future awareness
- Real Screenshots: Instant visual playback with actual captured evidence
Court-ready documentation for cybercrime reporting.
Report Includes:
- Executive Summary: High-level threat overview
- Incident Details: Timeline, URLs, and entities involved
- Technical Analysis: Sandbox behavior, network activity, IOCs
- Indicators of Compromise: Domains, IPs, patterns
- Impact Assessment: Risk level and potential damage
- Recommendations: Actionable security guidance
Technology:
- Google Gemini Flash for AI-driven narrative synthesis
- PDFKit for standardized forensic document generation
- Ready for submission to National Cyber Crime Reporting Portal (cybercrime.gov.in)
┌─────────────────┐
│ Frontend │ Vite + React
│ (Port 5173) │
└────────┬────────┘
│
┌────┴────┐
│ │
┌───▼────┐ ┌──▼─────────┐
│ Node │ │ Python │
│ Server │ │ Server │
│ (5000) │ │ (8001) │
└───┬────┘ └──┬─────────┘
│ │
│ ┌────▼─────┐
│ │Tesseract │
│ │ OCR │
│ └──────────┘
│
┌───▼──────────────┐
│ Playwright │
│ Sandbox │
│ + Gemini AI │
└──────────────────┘
| Component | Requirement |
|---|---|
| Node.js | v18.0.0 or higher |
| Python | v3.8 or higher |
| RAM | 4GB minimum (8GB recommended) |
| Storage | 2GB free space |
| OS | Windows 10+, macOS 10.15+, Ubuntu 20.04+ |
- Node.js 18+ installed
- Python 3.8+ installed
- Tesseract OCR installed
- Google Gemini API key obtained
- Git installed
git clone <repo-url>
cd PhantomClick- Download: tesseract-ocr-w64-setup-5.5.0.20241111.exe
- Install to:
C:\Program Files\Tesseract-OCR - Add to PATH:
C:\Program Files\Tesseract-OCR - Verify:
tesseract --version
brew install tesseractsudo apt update
sudo apt install tesseract-ocrcd server/python-server
# Create virtual environment
python -m venv venv
# Activate virtual environment
# Windows:
venv\Scripts\activate
# macOS/Linux:
source venv/bin/activate
# Install dependencies
pip install -r requirements.txtCreate .env file:
GEMINI_API_KEY=your_gemini_api_key_hereRun server:
uvicorn main:app --host 0.0.0.0 --port 8001 --reloadcd server/node-server
# Install dependencies
npm installCreate .env file:
PORT=5000
PYTHON_URL=http://localhost:8001
GOOGLE_API_KEY=your_gemini_api_key_hereRun server:
# Development (with auto-reload)
npm run dev
# Production
npm startcd extension
# Install dependencies
npm installCreate .env file:
VITE_NODE_API=http://localhost:5000
VITE_PYTHON_API=http://localhost:8001Build the extension:
# Development build with watch mode (rebuilds on file changes)
npm run build:watch
# Production build
npm run buildThe compiled extension will be output to the
client/dist/folder.
- Navigate to
chrome://extensionsin your browser - Enable Developer Mode using the toggle in the top-right corner
- Click "Load unpacked"
- Select the
client/distfolder - The PhantomClick icon will appear in your browser toolbar
- Navigate to
about:debugging#/runtime/this-firefox - Click "Load Temporary Add-on"
- Select any file inside the
client/distfolder - The extension stays active until the browser is restarted
💡 Tip: After making frontend changes, re-run
npm run buildand click the reload icon on your extension card atchrome://extensionsto apply updates. In watch mode, only a manual extension refresh is needed after each rebuild.
- Access the application: Open
http://localhost:5173in your browser - Upload SMS screenshot: Drag and drop or select an image of a suspicious SMS
- View Risk Analysis: Get instant psychographic analysis and risk score
- Trigger Sandbox Investigation: For high-risk URLs (score ≥ 60)
- Review Scam Replay: See step-by-step visualization of the attack
- Download Forensic Report: Generate PDF evidence for cybercrime reporting
- Framework: React + Vite
- State Management: React Hooks
- HTTP Client: Axios
- Styling: Tailwind CSS / Custom CSS
- Runtime: Node.js + Express
- Browser Automation: Playwright (Chromium)
- AI Integration: Google Generative AI (Gemini)
- Proxy: http-proxy-middleware
- PDF Generation: PDFKit
- Framework: FastAPI
- OCR Engine: Pytesseract + Tesseract
- Image Processing: PIL/Pillow
- Async Support: uvicorn
- Model: Random Forest (100 trees)
- Features: 18 URL-based risk signals
- Training Data: PhishTank + 57 legitimate Indian domains
- Performance: 99.84% accuracy
| Metric | Value |
|---|---|
| Accuracy | 99.84% |
| True Positives | 9,984 |
| True Negatives | 13 |
| False Positives | 1 |
| False Negatives | 3 |
| Average Analysis Time | < 5 seconds |
| Sandbox Execution Time | 10-15 seconds |
- Banking & Mobile Apps: Scan suspicious links before login/transactions
- UPI & Digital Payments: Detect fake payment requests and KYC scams
- SMS Platforms: Real-time message screening
- Cybercrime Investigation: Generate forensic evidence for NCCRP
- Digital Literacy Programs: Educational demonstrations of scam tactics
- Live Threat Investigation: Actively opens links in isolated sandboxes
- Explainable Scam Replay: Visual step-by-step attack reconstruction
- Intent-Aware AI: Detects psychological manipulation, not just keywords
- Evidence-Ready Forensics: Automated report generation for law enforcement
- SDK Integration: Plug-and-play security for UPI and banking apps
- Telecom-Level Protection: SMS gateway filtering before delivery
- Real-Time Forensics Engine: Dedicated tool for police and cybercrime units
- National Awareness Programs: Educational platform for digital literacy
- All link analysis happens in isolated Docker containers
- Zero user data exposure - synthetic data used for interactions
- No link caching - sandboxes destroyed after each analysis
- End-to-end encryption for API communications
- GDPR compliant - no personal data storage
# Verify installation
tesseract --version
# Add to PATH (Windows)
setx PATH "%PATH%;C:\Program Files\Tesseract-OCR"# Find and kill process (Windows)
netstat -ano | findstr :5000
taskkill /PID <PID> /F
# macOS/Linux
lsof -ti:5000 | xargs kill -9# Install browsers
npx playwright install chromium- Divyanshi Pal
- Atreyi Prasad
- Ananya Sharma
- Avwal Kaur
- National Cyber Crime Reporting Portal (NCCRP) for cybercrime data insights
- PhishTank for phishing URL datasets
- Google Generative AI for AI capabilities
- Microsoft Playwright for browser automation
- Tesseract OCR community for text extraction tools
PhantomClick is an educational and research tool designed for scam detection and awareness. Users should:
- Never interact with suspicious links on their personal devices
- Report confirmed scams to cybercrime.gov.in
- Use the tool responsibly and ethically
- Not use it for unauthorized security testing
Made with ❤️ for a safer digital India
Last Updated: March 2026









