Skip to content

Live threat intelligence · 23+ forums monitored

API Access

Free 1-Year Elite Website Subscription Included Every API key now comes with full Elite site access at no extra cost, starting June 30th, 2026.

Enterprise-grade threat intelligence API for public-sector organizations, journalists, security teams, researchers, and analysts requiring programmatic access to dark web monitoring data. Every API key now includes a free 1-year Elite website subscription, starting June 30th, 2026.

Real-time threat feed Ransomware intelligence IOC tracking JSON/CSV exports STIX 2.1 available 43+ Endpoints 23+ forums tracked & growing Free 1-year Elite subscription (starting June 30th, 2026)

$3,000/year · one-time annual payment · no auto-renewal · includes 1-year Elite subscription (starting June 30th, 2026)

By purchasing, you agree to the Terms of Service, Acceptable Use Policy, Refund Policy, and Privacy Policy.

Used by security teams across

International law enforcement
Government & public-sector research networks
CERT, SOC & threat intelligence teams
Global telecommunications & enterprise
Cybersecurity vendors, consultancies & independent practitioners

Subscriber identities are not disclosed.

By the numbers - live intelligence at scale

131,000+

Threat Feed Alerts

29,700+

Ransomware Alerts

174K+

Indicators of Compromise

850+

New Threat Feed Alerts Daily

Dataset grows in real time as threat actors publish new claims

Production-Ready Intelligence API

Direct integration into SIEM platforms, threat intelligence tools, security dashboards, and automated enrichment workflows.

43+

API Endpoints

Real-time

Threat Updates

850+

Daily Alerts (avg.)

23+

Forums Tracked & Growing

$3,000/year

One-time annual payment • No auto-renewal • Monthly plans not available • Contact for multi-year pricing
Reminder emails are sent at 30 and 7 days before expiration, no surprise charges, ever.

Everything here is public before you pay: pricing, rate limits, quotas, sample data, and uptime history. A full changelog of what's shipped is included on the docs page after purchase.

Purchase below

Optional Paid Add-ons

Higher Daily Quota

Increase the default daily request limit for SIEM polling, automated enrichment, dashboards, and higher-volume research workflows.

Available by request before or after purchase.

Additional API Keys

Add separate keys for production, testing, SIEM integrations, analyst tooling, or separate internal teams while keeping access under one organization.

Useful for cleaner monitoring, rotation, and revocation.

Common Use Cases

SIEM Integration

Ingest threat actor alerts directly into Splunk, Sentinel, or QRadar for correlation and alerting

Threat Hunting

Query IOC history and ransomware victim data to identify targeting patterns and infrastructure overlaps

Dashboard Automation

Build real-time executive dashboards showing active threat actors, victim statistics, and trending groups

Research & Analysis

Export bulk datasets for academic research, threat landscape analysis, and model training

Built for your security stack

JSON-native REST API for platforms that support scripted HTTP requests or dynamic request headers. STIX 2.1 format for the threat feed, ransomware feed, and IOC feed is now available.

Sample Request: GET get_stats

NONCE="$(date +%s):$(openssl rand -hex 8)"

curl -s -D - \
  'https://██████████████████████████/get_stats' \
  -H 'Accept: application/json' \
  -H 'X-API-Key: YOUR_API_KEY' \
  -H "X-Nonce: $NONCE"

Standard REST with header-based authentication. Every request requires X-API-Key and a single-use X-Nonce (Unix timestamp + random suffix, 120-second window) for replay protection. Base URL redacted; full endpoint paths are provided in your post-purchase documentation.

Sample Response: /get_latest

{
  "uuid": "25bfa746-99c3-43bb-bb12-484e6a5e428a",
  "id": "25bfa746-99c3-43bb-bb12-484e6a5e428a",
  "title": "Sale of CCs and Fullz for BIN 559888",
  "category": "Carding",
  "content": "A forum post advertises CCs and Fullz tied to BIN 559888, with
              the content hidden behind a reaction-gated reply requirement.
              No specific victim organization or record count is disclosed.",
  "date": "2026-07-01T23:20:51Z",
  "network": "openweb",
  "priority": null,
  "data_type": "Financial Records",
  "threat_actors": "██████████",
  "forum": "██████████",
  "forum_code": "██████████",
  "forum_domain": "██████████",
  "forum_section": "██████████ - Carding Tutorials Tools Cardable Websites Free CCs BINs",
  "board": "Carding Tutorials Tools Cardable Websites Free CCs BINs",
  "actor_rank": "Infinity Member",
  "actor_reputation": "",
  "actor_posts": "3,862",
  "actor_threads": "",
  "actor_joined": "March 2, 2026",
  "actor_points": "83",
  "actor_reaction_score": "264",
  "actor_vouches": "",
  "actor_credits": "",
  "victim_country": "Unknown",
  "victim_industry": "Finance",
  "victim_organization": "Unknown",
  "victim_site": "Unknown",
  "published_url": "https://██████████.██/threads/██████████",
  "screenshot_match_url": "",
  "screenshot_source_url": "",
  "screenshots": [
    "https://██████████/██████████.png"
  ]
}

Live data from the Dark Web Informer threat feed, updated in real time as threat actors publish new content. Screenshot URLs are included where available for threat feed and ransomware feed entries.

Sample Response: /check_compromise?domain=adobe.com

{
  "query": {
    "domain": "adobe.com",
    "org": null,
    "search_terms": ["adobe"]
  },
  "ransomware_victims": {
    "found": false,
    "count": 0,
    "groups": [],
    "first_seen": null,
    "last_seen": null,
    "victims": []
  },
  "threat_feed_alerts": {
    "found": true,
    "count": 7,
    "alerts": [
      {
        "category": "Data Breach",
        "title": "Alleged data breach of Adobe exposing 150M+ user records",
        "date": "2026-06-25T13:30:03Z",
        "threat_actors": "██████████",
        "victim_organization": "Adobe",
        "victim_site": "adobe.com"
      }
      // ...additional alerts truncated for brevity
    ]
  },
  "stealer_logs": {
    "found": true,
    "consumer_count": 10714450,
    "corporate_count": 34809,
    "computer_count": 0,
    "source": "whiteintel"
  },
  "hibp_breaches": {
    "found": true,
    "count": 1,
    "breaches": [
      {
        "Name": "Adobe",
        "BreachDate": "2013-10-04",
        "PwnCount": 152445165,
        "DataClasses": [
          "Email addresses", "Password hints",
          "Passwords", "Usernames"
        ],
        "IsVerified": true,
        "IsSensitive": false
      }
    ],
    "earliest": "2013-10-04",
    "latest": "2013-10-04",
    "error": null
  },
  "verdict": {
    "compromised": true,
    "confidence": "high",
    "sources_matched": [
      "threat_feed", "stealer_logs", "hibp"
    ],
    "summary": "Found in 7 threat feed alerts,
                10,749,259 stealer log records, 1 HIBP breach."
  }
}

A single request synthesizes findings across DWI ransomware leaks, the DWI threat feed, WhiteIntel stealer-log exposure, and the Have I Been Pwned breach catalogue, with a unified confidence verdict.

Sample Response: /ioc/lookup?value=██████████[.]com

{
  "query": {
    "value": "██████████[.]com",
    "normalized": "██████████.com",
    "type": "domain"
  },
  "found": true,
  "count": 1,
  "matches": [
    {
      "date": "2026-07-10T22:38:40.000Z",
      "type": "domain",
      "indicator": "██████████.com",
      "confidence": 100,
      "malware": "js.clearfake",
      "source": "██████████",
      "tags": ["ClearFake", "██████████", "windows"]
    }
  ],
  "index": {
    "built_at": "2026-07-10T23:47:01.951Z",
    "days_covered": 365,
    "unique_indicators": 15235
  }
}

Single-indicator enrichment for SOAR/SIEM playbooks. Hashes, IPs, domains, URLs, and emails are supported, defanged input is normalized automatically, and every response includes index freshness metadata.

Sample Response: /get_ransomware_by_group?group=████

[
  {
    "group_name": "██████████",
    "post_title": "Keywest Projects",
    "discovered": "2026-07-01T22:24:37.993Z",
    "description": "██████████.ca zoominfo.com/c/keywest-projects-ltd/354074136
                    KeyWest Projects Ltd. is a Canadian EPCM (Engineering,
                    Procurement, Construction Management) company headquartered
                    in Calgary, Alberta. It specializes in full-cycle project
                    delivery for the energy sector - including oil and gas
                    facilities, pipelines, and industrial infrastructure -
                    primarily across Western Canada.",
    "link": "http://██████████.onion/blog/?post_uuid=██████████",
    "screenshot": null,
    "country": "CA"
  },
  {
    "group_name": "██████████",
    "post_title": "International Freight Services",
    "discovered": "2026-07-01T22:24:32.996Z",
    "description": "██████████.com zoominfo.com/c/ifs-sfocom/348198952 IFS
                    (International Freight Services, Inc.) is a logistics company
                    headquartered at San Francisco International Airport (SFO).
                    It provides international air and ocean freight forwarding,
                    customs brokerage, warehousing, and end-to-end supply chain
                    solutions.",
    "link": "http://██████████.onion/blog/?post_uuid=██████████",
    "screenshot": null,
    "country": "US"
  }
  // ...additional victims in this group truncated for brevity
]

Per-group ransomware victim feeds with discovery timestamps, leak-site links, and country attribution. Available for every actively tracked ransomware group.

API Capabilities

  • Live threat intelligence feed with endpoints for latest alert, recent alerts, and per-actor timelines
  • Full feed access with unredacted breach/leak data across dedicated ransomware and threat feed endpoints
  • Searchable archive for titles and descriptions to pivot on keywords across the dataset
  • Aggregated stats for threat actors, categories, victim countries, industries, networks, and organizations
  • IOC (Indicator of Compromise) history with JSON and CSV export options
  • Ransomware victim intelligence with per-group feeds, statistics, and exportable JSON
  • Compromise Check: cross-source verdict endpoint that checks a domain or organization across DWI ransomware leaks, DWI threat feed alerts, WhiteIntel stealer-log exposure (stats against a domain), and the Have I Been Pwned (HIBP) public breach catalogue in a single request, returning a unified confidence rating
  • Actor Profile: one-call aggregated dossier for any threat actor - alert totals with first/last seen, top breakdowns by category, victim country, victim industry, and network, a 90-day activity timeline, the most recent alerts, and the ransomware angle with known-group matches and victim-leak statistics
  • IOC Point Lookup: exact-match lookup of a single indicator (MD5/SHA-1/SHA-256 hash, IPv4/IPv6, domain, URL, or email) against the DWI IOC index, built for SOAR/SIEM enrichment pipelines - defanged input (hxxp://, evil[.]com) is accepted and normalized automatically
  • API Key Status: self-service key and quota introspection endpoint that never consumes your daily quota
  • Bulk JSON and CSV exports for threat feed, IOC history, and ransomware data
  • STIX 2.1 format support is available for the threat feed, ransomware feed, and IOC feed.
  • Screenshots are included for threat feed and ransomware feed entries only; no screenshot data is provided for other data types (e.g. IOCs, stats endpoints)
  • Access to more than 43 production-grade endpoints built for automation, dashboards, and research
  • Commercial Use License: API access includes commercial internal use for security operations, monitoring, research, and defensive cybersecurity within your organization. Resale, redistribution, or third-party access, including MSP/MSSP client-facing services such as monitoring, alerting, or reporting delivered to your own customers, is prohibited without a separate agreement.

Technical Details

  • Authentication requires X-API-Key and X-Nonce headers for all requests
  • Additional API keys are available as a paid add-on for separate production, testing, SIEM, and analyst workflows.
  • Integrations must generate a fresh X-Nonce per request; static feed URL importers may require a script, connector, or automation workflow.
  • Nonce system: 120-second window, single-use per request to prevent replay attacks
  • Rate limits: 5 requests per minute (per IP and per API key), 2 per minute for exports, 8 per minute for upstream/R2 operations
  • Daily quota: 150 requests per day by default (resets at 00:00 UTC). Higher daily quotas are available as a paid add-on or custom plan.
  • Ransomware screenshot rate limit: 60 requests per 20 minutes per API key. Screenshots are served via a proxied endpoint. This separate rate limit applies to ransomware feed screenshots only; threat feed screenshots are not separately rate limited. Screenshots are available for threat feed and ransomware feed entries only.
  • Standard rate-limit headers included in all responses (RateLimit-* and X-RateLimit-Day-*)
  • Self-service key introspection via a dedicated key-status endpoint - returns live daily and per-minute quota state, scopes, and expiry, does not count against your daily quota, and stays reachable even when the quota is exhausted
  • Full endpoint documentation, examples, and schema descriptions provided automatically after purchase.
  • Screenshots served via the API are delivered with watermarks; this may be subject to change at Dark Web Informer's discretion. You can purchase an add-on if you want screenshots to show without a watermark.
  • Image content may be redacted at Dark Web Informer's discretion for compliance or safety reasons.

Now included: Starting June 30th, 2026, every API key comes with a free 1-year Elite website subscription. Note that the reverse does not apply, a website subscriber plan does not include API Access, which remains a separate product.

By purchasing, you agree to the Terms of Service, Acceptable Use Policy, Refund Policy, and Privacy Policy.

One analyst. Automated infrastructure.

Dark Web Informer is researched and operated by a single independent analyst, the same one cited by the publications above. The platform itself doesn't depend on one person: collection, processing, and credential delivery run on automated pipelines across globally distributed, managed cloud infrastructure, with live status on the uptime page.

Being independent means no sales layer and no outsourced support. Questions and integration help go straight to the person who built the system.

Frequently Asked Questions

How quickly will I receive API access after purchase?

API credentials and full documentation are automatically sent to your email within 5 minutes of payment confirmation. If you don't receive access within 15 minutes, contact support immediately.

Is a website subscription included with API access?

Yes. Starting June 30th, 2026, every API key purchase includes a free 1-year Elite website subscription at no extra cost, giving you full site access alongside the API. For now the Elite upgrade is applied manually after purchase rather than instantly, until automated provisioning is in place. Your API credentials still arrive automatically; the Elite access may take a little longer to appear. Once your Elite access is in place, you'll receive a separate email with the login details for your account, and whether you're receiving Elite for the first time or having time added to an existing subscription, you can always see your current expiration date under Account. This bundle is one-directional, a website subscriber plan does not include API access.

I'm already an Elite website subscriber. What happens when I buy API access?

You won't lose any time you've already paid for, and you won't be charged twice for Elite. Because Elite access is currently applied by hand, your included year is arranged manually so it doesn't overlap wastefully with your existing subscription, and in most cases your current Elite term is left to run and the included year is added around it. Just use the same email for your API purchase as your Elite account so it can be matched up correctly. As with all Elite provisioning right now, this may take a little longer to appear than your API credentials, which still arrive automatically. Once the time is added, you can confirm your new expiration date under Account.

What is your refund policy?

Due to the immediate access nature of digital API credentials, all sales are final. No refunds are provided after credentials are issued. See the full Refund Policy for details.

What happens when my annual subscription expires?

API access automatically terminates at the end of your 365-day period. We do not auto-renew subscriptions. You'll receive email reminders at 30 days and 7 days before expiration with instructions to renew if desired.

Do you offer monthly plans or payment by cryptocurrency?

No. API access is offered on an annual basis only, with no cryptocurrency payments.

Do you offer free trials or discounts?

No. API access is offered at a flat annual rate with no trials or promotional pricing. A discount would only be offered when paying for multiple years. The initial rate is the same for all customers.

Can my organization pay by invoice, bank transfer, and have a different billing contact than the API user?

Yes. If your organization needs an invoice for procurement or accounting, send a pre-purchase message before paying by card. The billing or purchasing contact can be different from the person who will use the API. Please include the organization name, billing contact email, designated API user email, and any purchase order or invoice details your team requires. Dark Web Informer will not provide personal residential details or other personal information to satisfy invoice-processing requirements. Bank transfers, when accepted, are processed directly through the payment processor and not through personally shared bank account details. Bank transfer payments may take a few business days to fully clear, unlike card payments which are usually confirmed much faster. For invoice or bank-transfer payments, API credentials and documentation are not issued automatically. Payment must fully clear first, then credentials and documentation will be sent manually to the designated API user.

Can I purchase higher daily quotas or additional API keys?

Yes. Higher daily request quotas and additional API keys are available as paid add-ons. Additional keys are useful when your organization wants separate keys for production, testing, SIEM ingestion, analyst tools, or different internal workflows. Send a pre-purchase message or contact support after purchase to discuss the add-on you need.

Can MSPs or MSSPs use the API to serve their clients?

The standard license covers internal use within a single organization only. Using the data to deliver services to your own clients, such as monitoring their domains, sending them alerts, or including the data in client-facing reports, counts as third-party access and requires a separate agreement. If you're an MSP or MSSP interested in this, send a pre-purchase message describing your use case. Internal use of the API within your own MSP, for example securing your own infrastructure, is covered by the standard license.

Can I share my API key with team members?

No. API keys are licensed for single-organization internal use only. Credential sharing, reselling data, or providing access to third parties violates the Terms of Service and will result in immediate termination without refund. If your organization needs separate keys for different workflows or internal teams, purchase additional API keys instead.

What constitutes API abuse or excessive usage?

Abuse includes: exceeding rate limits through distributed requests, credential sharing, scraping for resale, automated bulk downloading beyond normal operational needs, or any activity that degrades service for other users. Normal security operations, SIEM ingestion, and research queries are fully permitted within rate limits.

Do you provide technical support for API integration?

Yes. The email support address is included in the email that provides you with your API key. Typical response time is 1 business day for technical questions and troubleshooting. Support only covers clarifying API usage, expected behavior, and endpoint documentation. Building, maintaining, or integrating custom scripts and application-specific code is the customer's responsibility.

How far back does the historical data go?

The API provides access to a broad and continuously expanding Dark Web Informer intelligence dataset, offering a searchable collection of threat actor activity, ransomware disclosures, and related intelligence tracked by the platform. The platform currently processes an average of 850+ alerts per day across the threat feed alone, though daily counts naturally fluctuate with threat actor activity. The dataset currently includes over 131,000+ threat feed alerts and 29,700+ ransomware feed alerts, sourced from 23+ forums tracked and growing, updated in real time as threat actors publish new content. Screenshots are available for threat feed and ransomware feed entries where captured; no screenshot data is provided for other data types. It also includes a comprehensive historical repository of more than 174,000+ indicators of compromise (IOCs) sourced from a trusted third-party vendor. Additional capabilities include exports to most major intelligence feeds, an expanding curated cybersecurity news feed from reliable outlets, and more.

Will the API support STIX format?

Yes. STIX 2.1 format support for the threat feed, ransomware feed, and IOC feed is available. JSON and CSV exports remain available for supported feeds.

What is your service availability?

The API is actively maintained and monitored. While we don't guarantee specific uptime percentages, the service is designed for 24/7 operation with redundancy built in. Any extended outages or maintenance windows are communicated via all socials and via the uptime page.

What happens if the API goes down?

Interruptions are rare and usually brief. The API is actively monitored, and current status and incident history are visible on the uptime page; extended outages or planned maintenance are announced there and on all social channels. Collection and processing pipelines run independently of the API layer, so a brief interruption to the API does not create a gap in the underlying dataset: alerts continue to be gathered and are available as soon as service resumes. There is no auto-renewal, so you are never silently billed during a disruption, and API-key holders can reach support directly by email. Specific uptime percentages are not guaranteed; see the service availability answer above.

API access is governed by Dark Web Informer's Terms of Service, Acceptable Use Policy, Refund Policy, and Privacy Policy. API data may be used within your own internal tools, platforms, and security infrastructure but may not be resold, republished, or shared with third parties outside your organization. Violations including fraud, abuse, excessive scraping, or credential sharing will result in immediate termination without refund. By purchasing, you agree to use this intelligence exclusively for lawful security research, threat detection, and defensive cybersecurity purposes.

Still have a question?

If something about the API isn't covered above or in the FAQ above, send a message. This form is for pre-purchase questions only, not support-related questions. Please check the page and FAQ first.

No trials, demos, presentations, or phone calls are offered. The page above describes the product in full, including pricing, capabilities, endpoints, rate limits, and sample responses. Requests for trial access, live demos, sales calls, or phone conversations will not be accommodated.

Pre-purchase questions Higher quotas / rate limits Additional API keys Endpoint clarifications Use-case feasibility

A quick note before you send: this is run by one person. Please treat me with respect, the same way you'd want to be treated, and give me a bit of time to reply. I read every message and I'll get back to you as soon as I can.

I only use your details to respond to this inquiry. No marketing emails, no third-party sharing. See the Privacy Policy for how your data is handled.

Latest