API Swagger

🚀 More endpoints are being added in the coming weeks. Stay tuned.
📣 Be sure to follow @DarkWebInformer on X for any and all updates.

STIX 2.1 endpoints are now available under STIX 2.1 Exports. Threat intel can now be retrieved as STIX 2.1 bundles for direct ingestion into TIP and SIEM platforms that support the standard. Production exports are server-generated, with enriched Dark Web Informer source fields preserved as x_dwi_* custom properties. Separate bundles are available for the full combined dataset, the threat feed, ransomware, and IOCs, plus a status endpoint and a small on-demand preview.

GET /api/stix/export.json
GET /api/stix/export_feed.json
GET /api/stix/export_ransomware.json
GET /api/stix/export_iocs.json
GET /api/stix/status
GET /api/stix.json

NOTE: The four /stix/export*.json endpoints return the complete production bundles; /stix.json is a capped on-demand preview of the same object graph. Use /stix/status for generation time, object counts, file sizes, and SHA-256 hashes. Recommended validation: stix2_validator --version 2.1 --disable 103,111,215,302,401 --verbose file.json.

The API daily request limit has been increased from 50 requests per day to 150 requests per day. An optional add-on is available for customers who need higher limits.

As of Saturday, May 16, Threat Feed screenshots will contain a DWI watermark. This is being added due to users tracking, reposting, and using DWI images without attribution or a commercial license. This has always been subject to change at Dark Web Informer's discretion via the API subscription page. If you would like to use a non-watermarked image you can purchase an add-on.

NOTE: All use of Threat Feed screenshots remains subject to the Terms of Service, including restrictions on redistribution, removal of attribution, and unauthorized commercial use.

On Monday, May 18, the API request limit will be increased. Stay tuned to this changelog or @DarkWebInformer on X for updates.

Ransomware screenshots in API responses are now served via time-limited signed URLs. Screenshot URLs returned by the Ransomware feed and export endpoints are valid for 3 days and are refreshed on every API call. This is the same method that the threat feed has always had. No changes are required on your end, URLs are automatically included in all ransomware endpoints and exports.

NOTE: This replaces the previous ?key=your-api-key hotlinking method. You no longer need to append your API key to image URLs, which keeps your key out of browser history, referer headers, and logs. Signed URLs work in browsers, dashboards, and scripts. For long-term storage, download images on your end rather than hotlinking. All use of screenshots remains subject to the Terms of Service.

🚀 More endpoints are being added in the coming weeks. Stay tuned.
📣 Be sure to follow @DarkWebInformer on X for any and all updates.

New endpoint available under Compromise Check. Get a unified verdict on whether a domain or organization has been compromised, synthesized across four intel sources: DWI ransomware victim leaks, DWI threat feed alerts, WhiteIntel stealer-log exposure, and the Have I Been Pwned (HIBP) public breach catalogue. Each source is queried independently, so a partial outage doesn't block the others.

GET /api/check_compromise?domain=acme.com
GET /api/check_compromise?org=Acme%20Corp

NOTE: The response includes a verdict object with a confidence rating (none, medium, high) based on how many sources matched. HIBP is queried only for domain-based lookups.

🚀 More endpoints are being added in the coming weeks. Stay tuned.
📣 Be sure to follow @DarkWebInformer on X for any and all updates.

New endpoint available under IOC → Retrieval. Get ransomware IOCs by group for 200+ actively tracked ransomware groups, aggregated from multiple sources. Call without parameters to retrieve an index of all available groups with last-updated timestamps, or pass ?group=NAME to fetch IOCs for a specific group (BTC addresses, file hashes, domains, IPs, and more, depending on the group).

GET /api/get_ransomware_iocs
GET /api/get_ransomware_iocs?group=akira

NOTE: The endpoint is also available in the API Sandbox with a searchable group selector that auto-populates from the live index. Counts and group lists update automatically as new groups are tracked.

Threat feed screenshots are now served from DWI infrastructure via time-limited signed URLs. Screenshot URLs in API responses are valid for 3 days and are refreshed with each API call. No changes are required on your end, URLs are automatically included in all feed endpoints and exports.

NOTE: Signed screenshot URLs expire after 7 days and are refreshed with each API call. For long-term storage, download and store images on your end rather than hotlinking. All use of screenshots remains subject to the Terms of Service, including restrictions on redistribution, removal of attribution, and unauthorized commercial use.

API consumers can now hotlink ransomware screenshots directly by appending ?key=your-api-key to any image URL returned in the Ransomware feed/export. This allows embedding threat intel screenshots in dashboards, reports, and external tools without downloading them first.

https://dwi.darkwebinformer.com/dwi/screenshots/insomnia/Copier%20Careers.png?key=your-api-key

SUPERSEDED: This hotlinking method has been replaced by signed URLs. See today's update at the top for details. The ?key= method still works for backwards compatibility, but signed URLs are the recommended approach going forward.

Added 277 new alerts to the threat feeds under the Cyber Attack category, primarily consisting of news articles covering recent cyber attacks.

New export endpoint available under IOC → Exports. Provides a full IOC history export in JSON format. Recommended to use scripts to download, the file is very large.

New export endpoint available under News → Exports. Provides cybersecurity news in NDJSON format, aggregated from 9 trusted cybersecurity news sources. Additional sources will be added gradually.