API Access
Enterprise-grade threat intelligence API for public-sector organizations, journalists, security teams, researchers, and analysts requiring programmatic access to dark web monitoring data.
$3,000/year · one-time annual payment · no auto-renewal
Cited by leading publications
and countless others
Used by security teams across
Subscriber identities are not disclosed.
Production-Ready Intelligence API
Direct integration into SIEM platforms, threat intelligence tools, security dashboards, and automated enrichment workflows.
40+
API Endpoints
Real-time
Threat Updates
700+
Daily Alerts (avg.)
22+
Forums Tracked & Growing
$3,000/year
One-time annual payment • No auto-renewal • Monthly plans not available • Contact for multi-year pricing
Reminder emails are sent at 30 and 7 days before expiration, no surprise charges, ever.
Optional Paid Add-ons
Increase the default daily request limit for SIEM polling, automated enrichment, dashboards, and higher-volume research workflows.
Available by request before or after purchase.
Add separate keys for production, testing, SIEM integrations, analyst tooling, or separate internal teams while keeping access under one organization.
Useful for cleaner monitoring, rotation, and revocation.
Common Use Cases
Ingest threat actor alerts directly into Splunk, Sentinel, or QRadar for correlation and alerting
Query IOC history and ransomware victim data to identify targeting patterns and infrastructure overlaps
Build real-time executive dashboards showing active threat actors, victim statistics, and trending groups
Export bulk datasets for academic research, threat landscape analysis, and model training
Built for your security stack
JSON-native REST API for platforms that support scripted HTTP requests or dynamic request headers. STIX 2.1 format for the threat feed, ransomware feed, and IOC feed is now available.
Sample Request: GET get_stats
NONCE="$(date +%s):$(openssl rand -hex 8)" curl -s -D - \ 'https://██████████████████████████/get_stats' \ -H 'Accept: application/json' \ -H 'X-API-Key: YOUR_API_KEY' \ -H "X-Nonce: $NONCE"
Standard REST with header-based authentication. Every request requires X-API-Key and a single-use X-Nonce (Unix timestamp + random suffix, 120-second window) for replay protection. Base URL redacted; full endpoint paths are provided in your post-purchase documentation.
Sample Response: /get_latest
{
"uuid": "4b370da5-39c6-4da8-9be3-4f33d5a1f83b",
"title": "Alleged Data Leak of Actradis French Business Compliance Database",
"category": "Data Leak",
"content": "A threat actor operating under the alias ██████████ has freely shared
a scraped database dump from Actradis, a French business compliance
and procurement platform. The leaked dataset contains 82,611 client
records in JSONL format, including SIREN numbers, VAT identifiers,
company names, addresses, NAF activity codes, invoice details,
supplier relationships, and subscription statuses. The actor claims
the data was scraped approximately one day prior to posting and has
not been previously published.",
"date": "2026-05-03T15:46:52Z",
"network": "openweb",
"threat_actors": "██████████",
"victim_country": "France",
"victim_industry": "Business Compliance & Procurement Services",
"victim_organization": "Actradis",
"victim_site": "actradis.fr",
"published_url": "https://██████████.██/Thread-██████████",
"screenshots": [
"https://██████████/██████████.png",
"https://██████████/██████████.png",
"https://██████████/██████████.png"
]
}
Live data from the Dark Web Informer threat feed, updated in real time as threat actors publish new content. Screenshot URLs are included where available for threat feed and ransomware feed entries.
Sample Response: /check_compromise?domain=acme.com
{
"query": {
"domain": "acme.com",
"org": null,
"search_terms": ["acme"]
},
"ransomware_victims": {
"found": true,
"count": 2,
"groups": ["██████████", "██████████"],
"first_seen": "2024-11-14T11:28:41.669Z",
"last_seen": "2026-04-24T07:58:41.887Z",
"victims": [
{
"group_name": "██████████",
"post_title": "Acme, Inc. (acme.com)",
"discovered": "2026-04-24T07:58:41.887Z",
"description": "Over 10M records containing PII and other internal corporate data...",
"country": "US"
}
// ...additional victims truncated for brevity
]
},
"threat_feed_alerts": {
"found": true,
"count": 7,
"alerts": [
{
"category": "Data Leak",
"title": "Alleged Data Leak of Acme, Inc.",
"date": "2026-05-01T15:03:19Z",
"threat_actors": "██████████",
"victim_organization": "Acme, Inc.",
"victim_site": "acme.com"
}
// ...additional alerts truncated for brevity
]
},
"stealer_logs": {
"found": true,
"consumer_count": 10389,
"corporate_count": 1935,
"computer_count": 1834,
"source": "whiteintel"
},
"hibp_breaches": {
"found": true,
"count": 1,
"breaches": [
{
"Name": "Acme",
"BreachDate": "2026-04-20",
"PwnCount": 5488888,
"DataClasses": [
"Dates of birth", "Email addresses", "Names",
"Partial government issued IDs", "Phone numbers",
"Physical addresses"
],
"IsVerified": true,
"IsSensitive": false
}
],
"earliest": "2026-04-20",
"latest": "2026-04-20",
"error": null
},
"verdict": {
"compromised": true,
"confidence": "high",
"sources_matched": [
"ransomware", "threat_feed", "stealer_logs", "hibp"
],
"summary": "Found in 2 ransomware leaks, 7 threat feed alerts,
14,158 stealer log records, 1 HIBP breach."
}
}
A single request synthesizes findings across DWI ransomware leaks, the DWI threat feed, WhiteIntel stealer-log exposure, and the Have I Been Pwned breach catalogue, with a unified confidence verdict.
Sample Response: /get_ransomware_by_group?group=████
[
{
"group_name": "██████████",
"post_title": "fatbrands.com",
"discovered": "2026-04-27T13:53:02.694Z",
"description": "FAT Brands is a leading global franchising company that
strategically acquires, promotes, and develops quick-service,
fast-casual, and casual dining concepts around the world.",
"link": "http://██████████.onion/blog/?post_uuid=██████████",
"screenshot": null,
"country": "US"
},
{
"group_name": "██████████",
"post_title": "milliondollarbabyco.com",
"discovered": "2026-04-14T13:09:08.388Z",
"description": "Million Dollar Baby Co. was founded in 1990 and is a proudly
family-owned business based in Los Angeles. Since then, MDB
has grown to include seven distinct children's furniture
brands, each with its own style, aesthetic, and price point,
while offering some of the most eco-friendly and award-winning
designs in the industry.",
"link": "http://██████████.onion/blog/?post_uuid=██████████",
"screenshot": null,
"country": "US"
}
// ...additional victims in this group truncated for brevity
]
Per-group ransomware victim feeds with discovery timestamps, leak-site links, and country attribution. Available for every actively tracked ransomware group.
API Capabilities
- Live threat intelligence feed with endpoints for latest alert, recent alerts, and per-actor timelines
- Full raw unredacted feed access with dedicated ransomware and threat feed endpoints
- Searchable archive for titles and descriptions to pivot on keywords across the dataset
- Aggregated stats for threat actors, categories, victim countries, industries, networks, and organizations
- IOC (Indicator of Compromise) history with JSON and CSV export options
- Ransomware victim intelligence with per-group feeds, statistics, and exportable JSON
- Compromise Check: cross-source verdict endpoint that checks a domain or organization across DWI ransomware leaks, DWI threat feed alerts, WhiteIntel stealer-log exposure (stats against a domain), and the Have I Been Pwned (HIBP) public breach catalogue in a single request, returning a unified confidence rating
- Bulk JSON and CSV exports for threat feed, IOC history, and ransomware data
- STIX 2.1 format support is now available for the threat feed, ransomware feed, and IOC feed.
- Screenshots are included for threat feed and ransomware feed entries only; no screenshot data is provided for other data types (e.g. IOCs, stats endpoints)
- Access to more than 40 production-grade endpoints built for automation, dashboards, and research
- Commercial Use License: API access includes commercial internal use for security operations, monitoring, research, and defensive cybersecurity within your organization. Resale, redistribution, or third-party access is prohibited without a separate agreement.
Technical Details
- Authentication requires X-API-Key and X-Nonce headers for all requests
- Additional API keys are available as a paid add-on for separate production, testing, SIEM, and analyst workflows.
- Integrations must generate a fresh X-Nonce per request; static feed URL importers may require a script, connector, or automation workflow.
- Nonce system: 120-second window, single-use per request to prevent replay attacks
- Rate limits: 5 requests per minute (per IP and per API key), 2 per minute for exports, 8 per minute for upstream/R2 operations
- Daily quota: 150 requests per day by default (resets at 00:00 UTC). Higher daily quotas are available as a paid add-on or custom plan.
- Ransomware screenshot rate limit: 60 requests per 20 minutes per API key. Screenshots are served via a proxied endpoint. This separate rate limit applies to ransomware feed screenshots only; threat feed screenshots are not separately rate limited. Screenshots are available for threat feed and ransomware feed entries only.
- Standard rate-limit headers included in all responses (RateLimit-* and X-RateLimit-Day-*)
- Full endpoint documentation, examples, and schema descriptions provided automatically after purchase.
- Screenshots served via the API are delivered with watermarks; this may be subject to change at Dark Web Informer's discretion. You can purchase an add-on if you want screenshots to show without a watermark.
- Image content may be redacted at Dark Web Informer's discretion for compliance or safety reasons.
⚠️ Important: Website subscription access is not included with API Access. API Access is a separate product and is not included with website subscriber plans.
Frequently Asked Questions
How quickly will I receive API access after purchase?
API credentials and full documentation are automatically sent to your email within 5 minutes of payment confirmation. If you don't receive access within 15 minutes, contact support immediately.
What is your refund policy?
Due to the immediate access nature of digital API credentials, all sales are final. No refunds are provided after credentials are issued.
What happens when my annual subscription expires?
API access automatically terminates at the end of your 365-day period. We do not auto-renew subscriptions. You'll receive email reminders at 30 days and 7 days before expiration with instructions to renew if desired.
Do you offer monthly plans or payment by cryptocurrency?
No. API access is offered on an annual basis only, with no cryptocurrency payments.
Do you offer free trials or discounts?
No. API access is offered at a flat annual rate with no trials, or promotional pricing. A discount would only be offered when paying for multiple years. The initial rate is the same for all customers.
Can my organization pay by invoice, bank transfer, and have a different billing contact than the API user?
Yes. If your organization needs an invoice for procurement or accounting, send a pre-purchase message before paying by card. The billing or purchasing contact can be different from the person who will use the API. Please include the organization name, billing contact email, designated API user email, and any purchase order or invoice details your team requires. Dark Web Informer will not provide personal residential details or other personal information to satisfy invoice-processing requirements. Bank transfer is also accepted, but it may take a few business days to fully clear, unlike card payments which are usually confirmed much faster. For invoice or bank-transfer payments, API credentials and documentation are not issued automatically. Payment must fully clear first, then credentials and documentation will be sent manually to the designated API user.
Can I purchase higher daily quotas or additional API keys?
Yes. Higher daily request quotas and additional API keys are available as paid add-ons. Additional keys are useful when your organization wants separate keys for production, testing, SIEM ingestion, analyst tools, or different internal workflows. Send a pre-purchase message or contact support after purchase to discuss the add-on you need.
Can I share my API key with team members?
No. API keys are licensed for single-organization internal use only. Credential sharing, reselling data, or providing access to third parties violates the Terms of Service and will result in immediate termination without refund. If your organization needs separate keys for different workflows or internal teams, purchase additional API keys instead.
What constitutes API abuse or excessive usage?
Abuse includes: exceeding rate limits through distributed requests, credential sharing, scraping for resale, automated bulk downloading beyond normal operational needs, or any activity that degrades service for other users. Normal security operations, SIEM ingestion, and research queries are fully permitted within rate limits.
Do you provide technical support for API integration?
Yes. The email support address is included in the email that provides you with your API key. Typical response time is 1 business day for technical questions and troubleshooting. Support only covers clarifying API usage, expected behavior, and endpoint documentation. Building, maintaining, or integrating custom scripts and application-specific code is the customer's responsibility.
How far back does the historical data go?
The API provides access to a broad and continuously expanding Dark Web Informer intelligence dataset, offering a searchable collection of threat actor activity, ransomware disclosures, and related intelligence tracked by the platform. The platform currently processes an average of 700+ alerts per day across the threat feed alone, though daily counts naturally fluctuate with threat actor activity. The dataset currently includes over 94,000+ threat feed alerts and 28,600+ ransomware feed alerts, sourced from 22 forums tracked and growing, updated in real time as threat actors publish new content. Screenshots are available for threat feed and ransomware feed entries where captured; no screenshot data is provided for other data types. It also includes a comprehensive historical repository of more than 174,000+ indicators of compromise (IOCs) sourced from a trusted third-party vendor. Additional capabilities include exports to most major intelligence feeds, an expanding curated cybersecurity news feed from reliable outlets, and more.
Will the API support STIX format?
Yes. STIX 2.1 format support for the threat feed, ransomware feed, and IOC feed is now available. JSON and CSV exports remain available for supported feeds.
What is your service availability?
The API is actively maintained and monitored. While we don't guarantee specific uptime percentages, the service is designed for 24/7 operation with redundancy built in. Any extended outages or maintenance windows are communicated via all socials and via the uptime page.
API access is governed by Dark Web Informer's Terms of Service and Acceptable Use Policy. API data may be used within your own internal tools, platforms, and security infrastructure but may not be resold, republished, or shared with third parties outside your organization. Violations including fraud, abuse, excessive scraping, or credential sharing will result in immediate termination without refund. By purchasing, you agree to use this intelligence exclusively for lawful security research, threat detection, and defensive cybersecurity purposes.
Still have a question?
If something about the API isn't covered above or in the FAQ above, send a message. This form is for pre-purchase questions only, not support-related questions. Please check the page and FAQ first.
No trials, demos, presentations, or phone calls are offered. The page above describes the product in full, including pricing, capabilities, endpoints, rate limits, and sample responses. Requests for trial access, live demos, sales calls, or phone conversations will not be accommodated.
Latest
