
Lightning address verifier — phishing & LNURL-pay check

Paste a Lightning address (alice@domain), fetch the LNURL-pay endpoint, validate the response, and cross-check against known providers. Catches typosquats.

Last updated · 6 May 2026 (2569 BE)


Paste any Lightning address (alice@domain) and we'll fetch its LNURL-pay endpoint, validate the response, and cross-check against known providers. All client-side.

Why this matters

A Lightning address — alice@walletofsatoshi.com — looks like email and works like email, which is exactly why it’s a phishing-friendly format. As Lightning adoption grew through 2024-2026, so did the number of typosquatted domains designed to drain a payment that was meant for a real provider. A user who types walletofsatoshis.com (extra s) instead of walletofsatoshi.com is sending sats to whoever bought the typo domain, not to the wallet provider.

This tool does the basic verification that nobody does manually: it parses the address, calls the LNURL-pay endpoint at https://<domain>/.well-known/lnurlp/<user>, validates the response shape against the LUD-06 spec, and cross-checks the domain against a curated list of known-good providers and known phishing patterns. Everything happens in your browser — there’s no telemetry, and the address you check is not sent to any server other than the one you’re checking.

What “verified” means here

Three things are checked, and they are not equivalent in strength:

  1. Endpoint exists and returns a valid LNURL-pay response. This means the domain operates a Lightning-payment server and isn’t just a bare HTTP host. Most fraud sites won’t bother running a real LNURL-pay endpoint, so this is a useful filter — but a determined attacker could absolutely run one.
  2. Domain is on our known-providers list. This is the strongest signal, because the list is curated to legitimate Lightning-address providers operating in 2026. If the domain matches, you’re almost certainly sending to the real provider — just be sure you typed the user part correctly.
  3. No suspicious typo-squat pattern detected. The tool flags domains that look like typo variants of well-known providers (walletofsatoshis.com vs walletofsatoshi.com, etc.), or that use phishing-suggestive subdomains like *-secure or *-verify. These are heuristics — not exhaustive — so absence of a flag does not mean the domain is clean.

A domain that’s not on our list and doesn’t match a typo pattern is unknown rather than verified. That’s an honest result, not a “trust” result.

What the tool can’t tell you

Common typosquat patterns we’ve seen

If you receive a Lightning address from a stranger or an unverified source, run it through this tool before sending anything, and confirm the recipient via a separate channel.

How to do this manually

curl 'https://walletofsatoshi.com/.well-known/lnurlp/alice'

The response should be a JSON object with tag: "payRequest", a callback URL, minSendable and maxSendable in millisats, and a metadata field. If the response is HTML or 404, the address is invalid.
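The manual check above, combined with the domain checks from "What “verified” means here", as an added example that is not the tool's own code. The function names, the KNOWN_PROVIDERS stand-in list, the edit-distance threshold and the sample response are assumptions made for illustration.

```javascript
// Added example. KNOWN_PROVIDERS is a stand-in; the tool's curated list is not on the page.
const KNOWN_PROVIDERS = ["walletofsatoshi.com", "provider.example"];

// Split user@domain (ASCII only, so look-alike Unicode domains are rejected) and build the URL.
function parseAddress(addr) {
  const m = /^([a-z0-9._-]+)@([a-z0-9.-]+\.[a-z]{2,})$/.exec(addr.trim().toLowerCase());
  return m && { user: m[1], domain: m[2], url: `https://${m[2]}/.well-known/lnurlp/${m[1]}` };
}

// Levenshtein distance, two-row version.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++)
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    prev = cur;
  }
  return prev[b.length];
}

// "known" | "suspicious" | "unknown". The distance threshold of 2 is an assumption.
function classifyDomain(domain) {
  if (KNOWN_PROVIDERS.includes(domain)) return "known";
  if (domain.split(".").some((label) => /-(secure|verify)$/.test(label))) return "suspicious";
  if (KNOWN_PROVIDERS.some((p) => editDistance(domain, p) <= 2)) return "suspicious";
  return "unknown";
}

// Return a list of problems with a response body; an empty list means the shape is valid.
function validatePayResponse(body) {
  let r;
  try { r = JSON.parse(body); } catch { return ["body is not JSON (HTML or error page)"]; }
  if (r === null || typeof r !== "object") return ["body is not a JSON object"];
  const errors = [];
  if (r.tag !== "payRequest") errors.push("tag is not payRequest");
  let cb = null;
  try { cb = new URL(r.callback); } catch { /* reported below */ }
  if (!cb || !/^https?:$/.test(cb.protocol)) errors.push("callback is not an http(s) URL");
  if (!Number.isInteger(r.minSendable) || !Number.isInteger(r.maxSendable) ||
      r.minSendable < 1 || r.maxSendable < r.minSendable) errors.push("bad minSendable/maxSendable");
  if (typeof r.metadata !== "string") errors.push("metadata is not a string");
  return errors;
}

// Constructed sample response (not captured from any real server).
const SAMPLE_OK = JSON.stringify({ tag: "payRequest", callback: "https://provider.example/cb/alice",
  minSendable: 1000, maxSendable: 100000000, metadata: '[["text/plain","Pay alice"]]' });
console.log(classifyDomain(parseAddress("alice@walletofsatoshis.com").domain), validatePayResponse(SAMPLE_OK));
```

A valid response shape combined with an "unknown" domain is still only the unknown result described above, not a verified one.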