System Info

directory

Description

Retrieve the complete list of monitored and crawled sources across Clearnet, Onion, and I2P.

Supported filters:

  • page: page number of the result set

  • network: all, onion, i2p, clearnet

  • index: all, general, leak, defacement, chat, exploit, twitter, reddit

  • content_type: all, general, forums, news, stolen, drugs, hacking, marketplaces, cryptocurrency, leaks, adult, tracking, chat, social

  • daterange: optional date range (e.g., 2025-12-03,2025-12-18)

Results include URL, detected content type(s), index classification, network layer, and last-update metadata.

Response

Paginated directory results containing fields:

  • url — source address

  • content_type — detected source categories

  • index_type — assigned indexing group

  • leak_model_last_update / generic_model_last_update — last time parsed

  • network_type — clearnet / onion / i2p

  • name — resolved source identifier (if applicable)

Example response:

{
  "total": 12345,
  "page": 1,
  "results": [
    {
      "url": "http://exampleonionforumabcdef.onion/",
      "content_type": ["forums", "hacking"],
      "index_type": "general",
      "leak_model_last_update": "2025-12-05T10:15:00Z",
      "generic_model_last_update": "2025-12-04T09:00:00Z",
      "network_type": "onion",
      "name": "Example Darknet Forum"
    }
  ]
}

dumps

Description

Retrieve the complete catalog of breach dumps collected from Telegram channels and monitored websites.

Supported filters:

  • page: page number of the result set

  • source: all, telegram, websites (origin of the leak, e.g., Telegram or monitored websites)

  • group: leak group or channel name derived from the source (e.g., Telegram channel name)

  • status: all, parsed, unparsed

  • daterange: optional date range string (e.g., 2025-01-01,2025-01-15)

  • q: free-text search query applied to leak_url, source, group, and other indexed fields (default: *)

Common use-cases include identifying newly leaked dumps, retrieving unparsed dumps for analysis, or filtering dumps from specific threat groups or Telegram channels.

Response

Paginated dump catalog response containing:

  • total_count — total number of dumps matching filters

  • page — current page number

  • mDumpCallbackLinks — list of dump entries, each containing:

    • leak_url — raw dump reference or asset URL

    • source — origin of the leak (e.g., telegram, websites)

    • group — associated leak group or channel name derived from the source (e.g., Telegram channel name)

    • link — direct reference link to the dump message or file

    • parsed_status — whether the dump has been parsed/processed

    • created_at — first-seen timestamp of the dump

Example response:

{
  "total_count": 152,
  "page": 1,
  "mDumpCallbackLinks": [
    {
      "leak_url": "https://t.me/example_leaks/1234",
      "source": "telegram",
      "group": "example_leak_group",
      "link": "https://t.me/example_leaks/1234",
      "parsed_status": "parsed",
      "created_at": "2025-12-03T21:15:23Z"
    }
  ]
}
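The two catalog endpoints above share the same filter conventions (enumerated values, a YYYY-MM-DD,YYYY-MM-DD daterange, 1-based pages). As an added example that is not Orion's own client code, the helpers below validate those filters before a request is sent and walk a paginated response (results/total for directory, mDumpCallbackLinks/total_count for dumps). The transport is injected as a callable, so the constructed two-page catalogue at the bottom stands in for the live API; the endpoint paths are not given on this page and are therefore not assumed here.

```python
import re
from datetime import date
from typing import Callable, Dict, Iterator, List

# Allowed filter values, exactly as documented for the directory and dumps endpoints.
DIRECTORY_FILTERS = {
    "network": {"all", "onion", "i2p", "clearnet"},
    "index": {"all", "general", "leak", "defacement", "chat", "exploit", "twitter", "reddit"},
    "content_type": {"all", "general", "forums", "news", "stolen", "drugs", "hacking", "marketplaces",
                     "cryptocurrency", "leaks", "adult", "tracking", "chat", "social"},
}
DUMPS_FILTERS = {
    "source": {"all", "telegram", "websites"},
    "status": {"all", "parsed", "unparsed"},
}
_DATERANGE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}),(\d{4}-\d{2}-\d{2})$")


def validate_daterange(value: str) -> str:
    """Accept 'YYYY-MM-DD,YYYY-MM-DD' with real, ordered dates; '' means no date filter."""
    if value == "":
        return value
    m = _DATERANGE_RE.match(value)
    if not m:
        raise ValueError(f"daterange must look like 2025-12-03,2025-12-18, got {value!r}")
    start, end = (date.fromisoformat(p) for p in m.groups())  # rejects e.g. 2025-13-40
    if start > end:
        raise ValueError("daterange start is after its end")
    return value


def _check_enums(params: Dict[str, str], allowed: Dict[str, set]) -> None:
    for key, choices in allowed.items():
        if key in params and params[key] not in choices:
            raise ValueError(f"{key}={params[key]!r} is not one of {sorted(choices)}")


def build_directory_params(page: int = 1, network: str = "all", index: str = "all",
                           content_type: str = "all", daterange: str = "") -> Dict[str, str]:
    if page < 1:
        raise ValueError("page is 1-based")
    params = {"page": str(page), "network": network, "index": index, "content_type": content_type}
    _check_enums(params, DIRECTORY_FILTERS)
    if daterange:
        params["daterange"] = validate_daterange(daterange)
    return params


def build_dumps_params(page: int = 1, source: str = "all", group: str = "", status: str = "all",
                       daterange: str = "", q: str = "*") -> Dict[str, str]:
    if page < 1:
        raise ValueError("page is 1-based")
    params = {"page": str(page), "source": source, "status": status, "q": q or "*"}  # q defaults to *
    _check_enums(params, DUMPS_FILTERS)
    if group:
        params["group"] = group
    if daterange:
        params["daterange"] = validate_daterange(daterange)
    return params


def iter_pages(fetch: Callable[[int], dict], items_key: str, total_key: str,
               max_pages: int = 1000) -> Iterator[dict]:
    """Yield items page by page until the server returns an empty page or the reported total is reached."""
    seen = 0
    for page in range(1, max_pages + 1):
        body = fetch(page)
        items = body.get(items_key) or []
        if not items:
            return
        for item in items:
            seen += 1
            yield item
        if seen >= int(body.get(total_key, 0)):
            return


# Constructed two-page dumps catalogue standing in for the live endpoint (not real data).
FAKE_DUMPS = {
    1: {"total_count": 3, "page": 1, "mDumpCallbackLinks": [
        {"leak_url": "https://t.me/example_leaks/1", "parsed_status": "unparsed"},
        {"leak_url": "https://t.me/example_leaks/2", "parsed_status": "parsed"}]},
    2: {"total_count": 3, "page": 2, "mDumpCallbackLinks": [
        {"leak_url": "https://t.me/example_leaks/3", "parsed_status": "unparsed"}]},
}


def unparsed_dump_urls() -> List[str]:
    """Every dump still awaiting parsing across all pages of the constructed catalogue."""
    pages = iter_pages(lambda p: FAKE_DUMPS.get(p, {}), "mDumpCallbackLinks", "total_count")
    return [d["leak_url"] for d in pages if d["parsed_status"] == "unparsed"]
```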

insight

Description

Retrieve system-wide analytics and high-level intelligence metrics across all monitored data sources.

This endpoint does not take any parameters and returns pre-aggregated insights computed by Orion.

Returned analytics include (per data type such as general, leak, defacement):

  • Document volume and activity over time (document_count, updated_5_days_ago, updated_9_days_ago)

  • Freshness indicators (most_recent, oldest_update)

  • Enrichment density (url_document_count, archive_document_count, email_document_count, phone_document_count, clearnet_document_count)

  • Common content characteristics (common_types, top_team, common_server, unique_base_urls, dumps_document_count, etc.)

Each metric is returned as an object containing:

  • key — human-readable label

  • value — current metric value

  • change_weekly — weekly change percentage (string)

  • change_daily — daily change percentage (string)

It also returns the latest documents discovered across leak, generic and defacement sources, as well as graph-style aggregations such as top teams, locations, and hashtags.

Response

System-wide insight payload with three main sections:

  • insights — aggregated metrics grouped by data type (e.g. general, leak, defacement), each containing objects of the form:

    • document_count — { key, value, change_weekly, change_daily }

    • most_recent / oldest_update — { key, value, change_weekly, change_daily }

    • updated_5_days_ago / updated_9_days_ago — { key, value, change_weekly, change_daily }

    • average_score — { key, value, change_weekly, change_daily } (where applicable)

    • url_document_count, archive_document_count, email_document_count, phone_document_count, clearnet_document_count — enrichment metrics

    • common_types, dumps_document_count, unique_base_urls, top_team, common_server — category-specific metrics

  • latestDocument — latest crawled documents by model type:

    • leak_model, exploit_model, chat_model, generic_model, defacement_model — each is a list of documents with:

      • title — document title or caption

      • date — human-readable discovery or publish date

      • location — optional geo/location field

      • phoneNumber — extracted phone numbers (if any)

      • url — list of associated URLs

      • source — origin (e.g. onion, XYZ)

      • hash — internal document hash identifier

  • graph_insight — graph and aggregation-oriented insights represented as a 2-element array:

    • index 0 — boolean flag indicating graph availability

    • index 1 — list of aggregation objects, each including:

      • aggregation_name — e.g. 'Top Teams (Leak)', 'Top Teams (Defacement)', 'Top Locations (Defacement)', 'Top Hashtags (Social)'

      • index — underlying model/index (e.g. leak_model, defacement_model, chat_model)

      • buckets — list of key/count pairs representing the top entities (teams, locations, hashtags, etc.)

Example response:

{
  "insights": {
    "general": {
      "document_count": {
        "key": "Document Count",
        "value": 57,
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "most_recent": {
        "key": "Most Recent",
        "value": "26 Nov",
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "oldest_update": {
        "key": "Oldest Update",
        "value": "26 Nov",
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "updated_5_days_ago": {
        "key": "Updated 5 Days ago",
        "value": 0,
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "updated_9_days_ago": {
        "key": "Updated 9 Days ago",
        "value": 0,
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "average_score": {
        "key": "Average Score",
        "value": 50.75,
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "url_document_count": {
        "key": "URL/Document",
        "value": 451,
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "archive_document_count": {
        "key": "Archive/Document",
        "value": 5,
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "email_document_count": {
        "key": "Email/Document",
        "value": 3,
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "phone_document_count": {
        "key": "Phone/Document",
        "value": 0,
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "clearnet_document_count": {
        "key": "Clearnet/Document",
        "value": 68,
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "common_types": {
        "key": "Common Type",
        "value": "Adult",
        "change_weekly": "0%",
        "change_daily": "0%"
      }
    },
    "leak": {
      "document_count": {
        "key": "Document Count",
        "value": 3,
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "url_document_count": {
        "key": "URL/Documents",
        "value": 0,
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "dumps_document_count": {
        "key": "Dumps/Document",
        "value": 8,
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "updated_5_days_ago": {
        "key": "Updated 5 Days ago",
        "value": 3,
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "updated_9_days_ago": {
        "key": "Updated 9 Days ago",
        "value": 3,
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "most_recent": {
        "key": "Most Recent",
        "value": "03 Dec",
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "oldest_update": {
        "key": "Oldest Update",
        "value": "03 Dec",
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "unique_base_urls": {
        "key": "Unique Base URLs",
        "value": 3,
        "change_weekly": "0%",
        "change_daily": "0%"
      }
    },
    "defacement": {
      "document_count": {
        "key": "Document Count",
        "value": 12,
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "updated_5_days_ago": {
        "key": "Updated 5 Days ago",
        "value": 6,
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "top_team": {
        "key": "Top Team",
        "value": "Alpha Wolf",
        "change_weekly": "0%",
        "change_daily": "0%"
      },
      "common_server": {
        "key": "Common Server",
        "value": "Litespeed",
        "change_weekly": "0%",
        "change_daily": "0%"
      }
    }
  },
  "latestDocument": {
    "leak_model": [
      {
        "title": "Announcement",
        "date": "December 03, 2025",
        "location": "",
        "phoneNumber": [],
        "url": [
          "http://brohoodyaifh2ptccph5zfljyajjabwjjo4lg6gfp4xb6ynw5w7ml6id.onion/"
        ],
        "source": "onion",
        "hash": "ca1c7476db86b66c05773f62b85ea5ab0042cd356744ad189f218d16b29db344"
      }
    ],
    "exploit_model": [],
    "chat_model": [],
    "generic_model": [
      {
        "title": "shop pirated content - best hacked accounts, stolen credit cards and other hacker stuff.",
        "date": "November 26, 2025",
        "location": "",
        "phoneNumber": [],
        "url": [
          "http://2222222dk552uwysu3xjaotjmf7basqqrhxrjundlmnzhp6yauj6puqd.onion/shop/cards/mastercard"
        ],
        "source": "onion",
        "hash": "2e3fbb01cb946b9afc5c67e249ffe5431985a05e3b79c5359f2b420231257a71"
      },
      {
        "title": "coin swap",
        "date": "November 26, 2025",
        "location": "",
        "phoneNumber": [],
        "url": [
          "http://2222222m7dzmk7wffagz7cduawmrciml67s3brw2pmvjihhhuf3hukid.onion/convert/?amount_from=0.01012&from_coin=BTC&to_coin=XMR"
        ],
        "source": "onion",
        "hash": "ed72d568d19e1fc76e6d6102b465fd27f244771e97927766b40bf284d3700ca7"
      },
      {
        "title": "shop pirated content - best hacked accounts, stolen credit cards and other hacker stuff.",
        "date": "November 26, 2025",
        "location": "",
        "phoneNumber": [],
        "url": [
          "http://2222222dk552uwysu3xjaotjmf7basqqrhxrjundlmnzhp6yauj6puqd.onion/shop/cards/visa"
        ],
        "source": "onion",
        "hash": "ed2f9550a258229c7c7f4db6df457a34c98392c8a7178bca41dda9413c721ab9"
      },
      {
        "title": "coin swap",
        "date": "November 26, 2025",
        "location": "",
        "phoneNumber": [],
        "url": [
          "http://2222222m7dzmk7wffagz7cduawmrciml67s3brw2pmvjihhhuf3hukid.onion/convert/?amount_from=0.00164&from_coin=BTC&to_coin=DOGE"
        ],
        "source": "onion",
        "hash": "649845a2c6c8d0bc13a88582ff822caf5e9fc745f47d162c3185ffac1e5b4849"
      }
    ],
    "defacement_model": [
      {
        "title": "http://phaoboi.vn/",
        "date": "December 03, 2025",
        "location": "",
        "phoneNumber": [],
        "url": [
          "http://phaoboi.vn/"
        ],
        "source": "XYZ",
        "hash": "31d109a231bfdaa36fc757a7c749253021f04fad0c54d08455c516007c7feabb"
      },
      {
        "title": "https://www.phdfpakistan.com/index.html",
        "date": "December 03, 2025",
        "location": "",
        "phoneNumber": [],
        "url": [
          "https://www.phdfpakistan.com/index.html"
        ],
        "source": "XYZ",
        "hash": "599e8416b67e070178ccbfd0b727abe01150f17a3c50dc20446c72825bf8c523"
      },
      {
        "title": "https://monsite-wp.net/index.html",
        "date": "December 03, 2025",
        "location": "",
        "phoneNumber": [],
        "url": [
          "https://monsite-wp.net/index.html"
        ],
        "source": "XYZ",
        "hash": "50440bc0e8994252e3fac7299bd110afc3086bb54f171468a55e246778b8c170"
      },
      {
        "title": "https://www.arc9.us/",
        "date": "December 03, 2025",
        "location": "",
        "phoneNumber": [],
        "url": [
          "https://www.arc9.us/"
        ],
        "source": "XYZ",
        "hash": "fbee8ab2e997183dc9bc2580a99f8ac6a70744fc8f51ff5ea69d7d600ca367e9"
      }
    ]
  },
  "graph_insight": [
    true,
    [
      {
        "aggregation_name": "Top Teams (Leak)",
        "index": "leak_model",
        "buckets": [
          {
            "key": "BROTHERHOOD",
            "count": 3
          }
        ]
      },
      {
        "aggregation_name": "Top Teams (Defacement)",
        "index": "defacement_model",
        "buckets": [
          {
            "key": "Alpha Wolf",
            "count": 6
          },
          {
            "key": "BONDOWOSO BLACK HAT",
            "count": 4
          },
          {
            "key": "Death Networks",
            "count": 1
          }
        ]
      },
      {
        "aggregation_name": "Top Locations (Defacement)",
        "index": "defacement_model",
        "buckets": []
      },
      {
        "aggregation_name": "Top Hashtags (Social)",
        "index": "chat_model",
        "buckets": []
      }
    ]
  ]
}
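The insight payload has two shapes worth handling carefully: every metric's change fields are percentage strings, and graph_insight is a two-element array whose first element says whether the graph data is available at all. As an added example (not Orion's code), the functions below flatten the metrics into rows, flag large weekly movements, and read graph buckets without confusing "no graph" with "empty bucket list". The sample payload is trimmed from the documented example; the "+50%" change value is constructed on the assumption that non-zero changes use the same "<number>%" format.

```python
from typing import Any, Dict, List, Optional, Tuple


def parse_change(text: str) -> float:
    """Turn a change string such as '0%', '+12.5%' or '-3%' into a float percentage."""
    s = str(text).strip().rstrip("%").replace(",", "")
    if s in ("", "+", "-"):
        raise ValueError(f"unparseable change value {text!r}")
    return float(s)


def flatten_insights(payload: Dict[str, Any]) -> List[Tuple[str, str, Any, float, float]]:
    """Rows of (data_type, metric, value, change_weekly, change_daily) from payload['insights'].
    Only entries of the documented {key, value, change_weekly, change_daily} shape are accepted."""
    rows = []
    for data_type, metrics in payload.get("insights", {}).items():
        for metric, obj in metrics.items():
            if not isinstance(obj, dict) or "value" not in obj:
                raise ValueError(f"{data_type}.{metric} is not a metric object")
            rows.append((data_type, metric, obj["value"],
                         parse_change(obj.get("change_weekly", "0%")),
                         parse_change(obj.get("change_daily", "0%"))))
    return rows


def movers(payload: Dict[str, Any], threshold: float = 10.0) -> List[Tuple[str, str, float]]:
    """Metrics whose weekly change is at least `threshold` percent in absolute value,
    e.g. a jump in leak document_count that a SOC might want a ticket for."""
    return [(dt, m, w) for dt, m, _v, w, _d in flatten_insights(payload) if abs(w) >= threshold]


def top_buckets(payload: Dict[str, Any], aggregation_name: str) -> Optional[List[Tuple[str, int]]]:
    """Read graph_insight ([available_flag, [aggregations]]). Returns None when the flag is false
    or the aggregation is absent, and [] when the aggregation exists but has no buckets."""
    gi = payload.get("graph_insight")
    if not (isinstance(gi, list) and len(gi) == 2 and gi[0] is True):
        return None
    for agg in gi[1]:
        if agg.get("aggregation_name") == aggregation_name:
            return [(b["key"], int(b["count"])) for b in agg.get("buckets", [])]
    return None


# Constructed payload trimmed to the documented shape; "+50%" is made up for the demo.
SAMPLE_INSIGHT = {
    "insights": {
        "general": {"document_count": {"key": "Document Count", "value": 57,
                                       "change_weekly": "0%", "change_daily": "0%"}},
        "leak": {"document_count": {"key": "Document Count", "value": 3,
                                    "change_weekly": "+50%", "change_daily": "0%"},
                 "most_recent": {"key": "Most Recent", "value": "03 Dec",
                                 "change_weekly": "0%", "change_daily": "0%"}},
    },
    "graph_insight": [True, [
        {"aggregation_name": "Top Teams (Defacement)", "index": "defacement_model",
         "buckets": [{"key": "Alpha Wolf", "count": 6}, {"key": "BONDOWOSO BLACK HAT", "count": 4}]},
        {"aggregation_name": "Top Locations (Defacement)", "index": "defacement_model", "buckets": []},
    ]],
}
```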

Reports

defacement

Description

Search defacement intelligence reports for hacked or phishing websites; returns a paginated list of defacement events and their metadata.

Request body (search_defacement_param_model):

  • q — free-text search over URL, IP, team, attacker handle and content fields (default: empty string)

  • category — optional category filter (default all)

  • page — page number of the paginated result set (1-based)

  • network — one of: all, clearnet, onion, i2p (default all)

  • daterange — optional leak/observation date range in YYYY-MM-DD,YYYY-MM-DD format; empty string means no date filter

  • attacker — attacker nick/handle to match against m_attacker

  • team — defacement crew or group name to match against m_team

  • content — optional content/type string (for example an IOC or incident label); the accepted values depend on deployment configuration

  • must — when true, values in entity_filter are treated as mandatory (must) filters

  • matchtype — logical operator for combining the query, attacker, team and entity_filter clauses (and / or)

  • entity_filter — IOC-style filter map of field → list of values. Example valid payload:

{
  "entity_filter": {
    "m_ip": ["103.218.122.8"],
    "m_attacker": ["XYZ"],
    "m_team": ["Alpha Wolf"]
  }
}

Commonly supported fields include m_ip, m_domain, m_country, m_location, m_attacker, m_team, m_ioc_type, m_web_server, m_social_media_profiles, m_scrap_file and other IOC-style keys depending on deployment.

Minimal example request:

{
  "q": "defacer.net",
  "page": 1,
  "attacker": "XYZ",
  "team": "Alpha Wolf",
  "entity_filter": { "m_ip": ["103.218.122.8"] },
  "matchtype": "or",
  "daterange": "2025-11-28,2025-12-03"
}

Response

Defacement search results containing a paginated list of hacked/defaced or phishing websites.

The response is a JSON object with:

  • Result — list of defacement report objects

  • Suggestions — optional list of suggested queries or corrections (may be empty)

  • Page_Count — number of pages available for the given query and filters (may be fractional depending on backend calculation)

Each entry in Result typically contains:

  • m_location — geo-location or region for the affected asset, when available

  • m_attacker — list of attacker nicknames/handles claiming the defacement

  • m_team — defacement crew or group name

  • m_hash — internal hash of the event/document used for deduplication

  • m_web_server — list of observed web-server banners (for example LiteSpeed, Apache, Cloudflare, unknown)

  • m_ioc_type — high-level classification such as hacked, phishing, etc.

  • m_content — extracted HTML/text content or landing page text when captured

  • m_base_url — base/source platform (for example https://defacer.net)

  • m_url — URL of the defaced or phishing page

  • m_ip — list of IP addresses associated with the defaced host

  • m_leak_date — date the defacement was first recorded/observed

  • m_source_url — list of source pages describing the defacement (for example the defacer.net view URL)

  • m_screenshot — screenshot reference when available, otherwise null

  • m_mirror_links — list of mirror/screenshot links for the defacement entry

Example response:

{
  "Result": [
    {
      "m_location": null,
      "m_attacker": ["XYZ"],
      "m_team": "Alpha Wolf",
      "m_hash": "31d109a231bfdaa36fc757a7c749253021f04fad0c54d08455c516007c7feabb",
      "m_web_server": ["LiteSpeed"],
      "m_ioc_type": ["hacked"],
      "m_content": null,
      "m_base_url": "https://defacer.net",
      "m_url": "http://phaoboi.vn/",
      "m_ip": ["103.218.122.8"],
      "m_leak_date": "2025-12-03",
      "m_source_url": ["https://defacer.net/view/54543/"],
      "m_screenshot": null,
      "m_mirror_links": ["https://defacer.net/sc/54543"]
    }
  ],
  "Suggestions": [],
  "Page_Count": 1.2
}
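Two details of this endpoint trip up client code: entity_filter keys and network/matchtype values must be ones the API documents, and Page_Count can be fractional, so a client that casts it to int stops one page early. As an added example that is not Orion's own code, the helpers below build a validated search_defacement_param_model body, round Page_Count up, and deduplicate on m_hash while walking pages (the same event can appear on two adjacent pages when the index changes during the walk). The search transport is injected; the two-page result set and its hashes are constructed.

```python
import math
from datetime import date
from typing import Any, Callable, Dict, List, Optional

# entity_filter fields listed as commonly supported, and the documented network values.
ENTITY_FILTER_KEYS = {"m_ip", "m_domain", "m_country", "m_location", "m_attacker", "m_team",
                      "m_ioc_type", "m_web_server", "m_social_media_profiles", "m_scrap_file"}
NETWORKS = {"all", "clearnet", "onion", "i2p"}


def build_defacement_request(q: str = "", page: int = 1, network: str = "all", daterange: str = "",
                             attacker: str = "", team: str = "", category: str = "all", content: str = "",
                             must: bool = False, matchtype: str = "or",
                             entity_filter: Optional[Dict[str, List[str]]] = None) -> Dict[str, Any]:
    """Assemble a search_defacement_param_model body, rejecting values the endpoint does not document."""
    if network not in NETWORKS:
        raise ValueError(f"network must be one of {sorted(NETWORKS)}")
    if matchtype not in ("and", "or"):
        raise ValueError("matchtype must be 'and' or 'or'")
    if page < 1:
        raise ValueError("page is 1-based")
    if daterange:  # YYYY-MM-DD,YYYY-MM-DD; fromisoformat rejects malformed dates
        start, end = (date.fromisoformat(p) for p in daterange.split(","))
        if start > end:
            raise ValueError("daterange start is after its end")
    clean_filter: Dict[str, List[str]] = {}
    for field, values in (entity_filter or {}).items():
        if field not in ENTITY_FILTER_KEYS:
            raise ValueError(f"unsupported entity_filter field {field!r}")
        if not isinstance(values, list) or not values:
            raise ValueError(f"entity_filter[{field!r}] must be a non-empty list")
        clean_filter[field] = [str(v) for v in values]
    return {"q": q, "category": category, "page": page, "network": network, "daterange": daterange,
            "attacker": attacker, "team": team, "content": content, "must": must,
            "matchtype": matchtype, "entity_filter": clean_filter}


def page_count(response: Dict[str, Any]) -> int:
    """Page_Count may be fractional (1.2 in the documented example): round up so the partial last page is fetched."""
    return max(1, math.ceil(float(response.get("Page_Count") or 1)))


def collect_defacements(search: Callable[[Dict[str, Any]], Dict[str, Any]],
                        body: Dict[str, Any], max_pages: int = 500) -> List[Dict[str, Any]]:
    """Walk every page of a search and return entries deduplicated on m_hash,
    the field the API itself uses for deduplication."""
    seen, out = set(), []
    page = 1
    while page <= max_pages:
        resp = search({**body, "page": page})
        for entry in resp.get("Result", []):
            h = entry.get("m_hash")
            if h and h in seen:
                continue
            seen.add(h)
            out.append(entry)
        if page >= page_count(resp):
            break
        page += 1
    return out


# Constructed two-page result set standing in for the live endpoint; hashes and hosts are made up.
_FAKE_PAGES = {
    1: {"Result": [{"m_hash": "aaa0", "m_url": "http://victim-one.example/", "m_team": "Alpha Wolf"},
                   {"m_hash": "bbb1", "m_url": "http://victim-two.example/", "m_team": "Alpha Wolf"}],
        "Suggestions": [], "Page_Count": 1.2},
    2: {"Result": [{"m_hash": "bbb1", "m_url": "http://victim-two.example/", "m_team": "Alpha Wolf"},
                   {"m_hash": "ccc2", "m_url": "http://victim-three.example/", "m_team": "Alpha Wolf"}],
        "Suggestions": [], "Page_Count": 1.2},
}


def fake_search(body: Dict[str, Any]) -> Dict[str, Any]:
    return _FAKE_PAGES.get(body["page"], {"Result": [], "Suggestions": [], "Page_Count": 0})


def demo_urls() -> List[str]:
    """All unique defaced URLs for one team across the constructed pages."""
    body = build_defacement_request(team="Alpha Wolf", entity_filter={"m_team": ["Alpha Wolf"]},
                                    matchtype="and", daterange="2025-11-28,2025-12-03")
    return [e["m_url"] for e in collect_defacements(fake_search, body)]
```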

Additionally, the response may include automatically extracted indicators of compromise (IOCs). Only indicators that are actually found in the underlying content are returned; IOC fields with no data are omitted from the response.

Supported IOC / enrichment fields:

  • m_phone_number — Phone Numbers

  • m_email — Emails

  • m_domain — Domains

  • m_country — Country

  • m_url — URLs

  • m_cve — CVE & CWE

  • m_ip — IP Addresses

  • m_yara_rule — YARA Rules

  • m_encoded_urls — Encoded URLs

  • m_file_paths — File Paths

  • m_credit_card — Credit Cards

  • m_org — Organizations

  • m_company_name — Company Names

  • m_person — Persons

  • m_location — Locations

  • m_language — Languages

  • m_user_agents — User Agents

  • m_asns — ASNs

  • m_team — Teams

  • m_hashtag — Hashtags

  • m_mention — Mentions

  • m_social_media_profiles — Social Media Profiles

  • m_currencies — Currencies

  • m_crypto_address — Crypto Addresses

  • m_xmpp_addresses — XMPP Addresses

  • m_enterprise_attack_tactics — Enterprise ATT&CK Tactics

  • m_enterprise_attack_techniques — Enterprise ATT&CK Techniques

  • m_document_id — Document IDs

  • m_au_abn — Australian IDs

  • m_us_passport — US IDs

  • m_us_bank_number — US Bank Numbers

  • m_platform — Platform

  • m_author — Author

  • m_industry — Industry

  • m_scrap_file — Scrap Script


stix

Description

Return a STIX 2.1 bundle for a single document.

This endpoint converts an Orion document into a STIX 2.1 bundle (spec_version 2.1) containing:

  • TLP marking definitions (AMBER and RED)

  • a primary report object

  • optional infrastructure describing the source/service (e.g., onion market/forum)

  • extracted SCO observables (e.g., url, domain-name, ipv4-addr, ipv6-addr, email-addr, autonomous-system, directory, user-agent)

  • an observed-data object referencing extracted SCOs

  • optional indicator objects with STIX patterns for extracted observables

Request:

  • doc_id — required. Orion document identifier.

  • lang — optional. Language variant requested from backend.

Notes:

  • Missing fields are skipped (no empty objects are emitted).

  • report.object_refs links all generated objects (indicators, infrastructure, observed-data, etc.).

  • report.external_references includes the source URL (when available) and Orion content hash.

  • Custom Orion metadata is exported using x_orion_* properties on relevant objects.

Minimal example request:

{
  "doc_id": "4856ea0a54f79ddb5ad8377ecf3b08f16491441208aaab95c095dcb0b46266a1",
  "lang": "en"
}

Response

A STIX 2.1 bundle matching the structure below.

Top-level response fields:

  • type: bundle

  • id: bundle--<uuid>

  • spec_version: 2.1

  • objects: array of STIX objects

Object types you will commonly see in the objects array:

  1. marking-definition (TLP AMBER / TLP RED)

  2. infrastructure (optional) — e.g., onion/clearnet service context

  3. SCOs (optional) — url, domain-name, ipv4-addr, ipv6-addr, email-addr, etc.

  4. observed-data (optional) — references SCOs via object_refs

  5. indicator (optional) — one per IOC category with pattern_type: stix

  6. report — the primary object that ties everything together via object_refs

Example response:

{
  "type": "bundle",
  "id": "bundle--9b9910f5-1d12-5908-bcfc-862ad032bcf7",
  "spec_version": "2.1",
  "objects": [
    {
      "type": "marking-definition",
      "spec_version": "2.1",
      "id": "marking-definition--...",
      "created": "2025-12-09T03:35:41.659Z",
      "definition_type": "tlp",
      "definition": {"tlp": "amber"}
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--...",
      "created": "2025-12-09T03:35:41.659Z",
      "modified": "2025-12-09T03:35:41.659Z",
      "name": "fast card service - credit cards, transfers, gift",
      "description": "...",
      "infrastructure_types": ["anonymization"],
      "first_seen": "2025-12-09T03:35:41.659Z",
      "last_seen": "2025-12-09T03:35:41.659Z",
      "labels": ["leaks", "marketplaces", "onion", "orion:general"],
      "object_marking_refs": ["marking-definition--..."],
      "x_orion_network": "onion"
    },
    {
      "type": "url",
      "id": "url--...",
      "value": "http://example.onion"
    },
    {
      "type": "domain-name",
      "id": "domain-name--...",
      "value": "example.onion"
    },
    {
      "type": "observed-data",
      "spec_version": "2.1",
      "id": "observed-data--...",
      "created": "2025-12-09T03:35:41.659Z",
      "modified": "2025-12-09T03:35:41.659Z",
      "first_observed": "2025-12-09T03:35:41.659Z",
      "last_observed": "2025-12-09T03:35:41.659Z",
      "number_observed": 1,
      "object_refs": ["domain-name--...", "url--..."],
      "object_marking_refs": ["marking-definition--..."]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--...",
      "created": "2025-12-09T03:35:41.659Z",
      "modified": "2025-12-09T03:35:41.659Z",
      "name": "Domains",
      "indicator_types": ["malicious-activity"],
      "pattern_type": "stix",
      "pattern": "[domain-name:value IN ('example.onion')]",
      "valid_from": "2025-12-09T03:35:41.659Z",
      "labels": ["leaks", "marketplaces", "onion", "orion:general"],
      "object_marking_refs": ["marking-definition--..."]
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--...",
      "created": "2025-12-09T03:35:41.659Z",
      "modified": "2025-12-09T03:35:41.659Z",
      "name": "fast card service - credit cards, transfers, gift",
      "description": "...",
      "report_types": ["threat-report"],
      "published": "2025-12-09T03:35:41.659Z",
      "labels": ["leaks", "marketplaces", "onion", "orion:general"],
      "lang": "en",
      "external_references": [
        {"source_name": "source", "url": "http://example.onion"},
        {"source_name": "content-hash", "external_id": "<hash>"}
      ],
      "object_refs": [
        "indicator--...",
        "infrastructure--...",
        "observed-data--..."
      ],
      "object_marking_refs": ["marking-definition--..."],
      "x_orion_doc_id": "<hash>",
      "x_orion_network": "onion"
    }
  ]
}
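Before handing a bundle like the one above to a TIP, it is worth checking that it is internally consistent: ids well formed, every object_marking_refs entry resolving to a marking-definition, observed-data pointing only at SCOs, each indicator pattern's values backed by a matching SCO, and report.object_refs linking every indicator, infrastructure and observed-data object as the notes promise. As an added example (not Orion's code), the checker below does exactly that; the sample bundle mirrors the documented shape but every id in it is constructed.

```python
import re
from typing import Any, Dict, List, Tuple

# SCO types the endpoint may emit; in the documented output SCOs carry no spec_version.
SCO_TYPES = {"url", "domain-name", "ipv4-addr", "ipv6-addr", "email-addr",
             "autonomous-system", "directory", "user-agent"}
ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# The value-match patterns the endpoint emits: [type:value IN ('a', 'b')] or [type:value = 'a'].
PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):value\s+(?:IN\s*\(([^)]*)\)|=\s*'([^']*)')\]$")


def pattern_values(pattern: str) -> Tuple[str, List[str]]:
    """Return (sco_type, values) for a simple value-match pattern, or ('', []) if it is not one."""
    m = PATTERN_RE.match(pattern.strip())
    if not m:
        return "", []
    if m.group(2) is not None:
        return m.group(1), re.findall(r"'([^']*)'", m.group(2))
    return m.group(1), [m.group(3)]


def check_bundle(bundle: Dict[str, Any]) -> List[str]:
    """Return every consistency problem found; an empty list means the bundle can be ingested as-is."""
    problems: List[str] = []
    if bundle.get("type") != "bundle" or bundle.get("spec_version") != "2.1":
        problems.append("not a STIX 2.1 bundle")
    by_id: Dict[str, Dict[str, Any]] = {}
    for obj in bundle.get("objects", []):
        oid, otype = obj.get("id", ""), obj.get("type", "")
        if not ID_RE.match(oid) or not oid.startswith(otype + "--"):
            problems.append(f"malformed or mismatched id {oid!r}")
        if oid in by_id:
            problems.append(f"duplicate id {oid}")
        by_id[oid] = obj
    markings = {i for i, o in by_id.items() if o.get("type") == "marking-definition"}
    sco_values = {(o.get("type"), o.get("value")) for o in by_id.values() if o.get("type") in SCO_TYPES}
    reports = [o for o in by_id.values() if o.get("type") == "report"]
    if len(reports) != 1:
        problems.append(f"expected exactly one report, found {len(reports)}")
    for oid, obj in by_id.items():
        otype = obj.get("type", "")
        if otype not in SCO_TYPES and obj.get("spec_version") != "2.1":
            problems.append(f"{oid} lacks spec_version 2.1")
        for ref in obj.get("object_marking_refs", []):
            if ref not in markings:
                problems.append(f"{oid} references unknown marking {ref}")
        if otype == "observed-data":
            for ref in obj.get("object_refs", []):
                if by_id.get(ref, {}).get("type") not in SCO_TYPES:
                    problems.append(f"{oid} observes non-SCO or missing {ref}")
        if otype == "indicator":
            if obj.get("pattern_type") != "stix":
                problems.append(f"{oid} pattern_type is not stix")
            ptype, values = pattern_values(obj.get("pattern", ""))
            if not ptype:
                problems.append(f"{oid} has an unrecognised pattern")
            for value in values:  # every value the pattern matches on should exist as an SCO
                if (ptype, value) not in sco_values:
                    problems.append(f"{oid} pattern value {value!r} has no {ptype} SCO")
    if reports:
        refs = set(reports[0].get("object_refs", []))
        for ref in sorted(refs - set(by_id)):
            problems.append(f"report references missing object {ref}")
        for oid, obj in by_id.items():
            if obj.get("type") in ("indicator", "infrastructure", "observed-data") and oid not in refs:
                problems.append(f"report.object_refs does not link {oid}")
    return problems


def sample_bundle() -> Dict[str, Any]:
    """Constructed bundle with the documented shape; every id below is made up for this example."""
    mk = "marking-definition--1d1d1d1d-0000-4000-8000-000000000001"
    url = "url--1d1d1d1d-0000-4000-8000-000000000002"
    dom = "domain-name--1d1d1d1d-0000-4000-8000-000000000003"
    obs = "observed-data--1d1d1d1d-0000-4000-8000-000000000004"
    ind = "indicator--1d1d1d1d-0000-4000-8000-000000000005"
    ts = "2025-12-09T03:35:41.659Z"
    return {"type": "bundle", "id": "bundle--1d1d1d1d-0000-4000-8000-000000000000", "spec_version": "2.1",
            "objects": [
                {"type": "marking-definition", "spec_version": "2.1", "id": mk, "created": ts,
                 "definition_type": "tlp", "definition": {"tlp": "amber"}},
                {"type": "url", "id": url, "value": "http://example.onion"},
                {"type": "domain-name", "id": dom, "value": "example.onion"},
                {"type": "observed-data", "spec_version": "2.1", "id": obs, "created": ts, "modified": ts,
                 "first_observed": ts, "last_observed": ts, "number_observed": 1,
                 "object_refs": [dom, url], "object_marking_refs": [mk]},
                {"type": "indicator", "spec_version": "2.1", "id": ind, "created": ts, "modified": ts,
                 "name": "Domains", "indicator_types": ["malicious-activity"], "pattern_type": "stix",
                 "pattern": "[domain-name:value IN ('example.onion')]", "valid_from": ts,
                 "object_marking_refs": [mk]},
                {"type": "report", "spec_version": "2.1", "id": "report--1d1d1d1d-0000-4000-8000-000000000006",
                 "created": ts, "modified": ts, "name": "constructed sample", "report_types": ["threat-report"],
                 "published": ts, "object_refs": [ind, obs], "object_marking_refs": [mk]}]}
```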

breach

Description

Get a specific breach monitoring report for a tracked website or asset by its report ID.

The request is an HTTP GET and accepts:

  • doc_id (path) — string identifier of the breach report document

  • lang (query, optional) — language code for localized narrative content when available.

No request body is required.

Response

Single breach monitoring report document, returned as a JSON object representing the tracked website or asset and associated breach data.

Example response:

{
  "m_title": "Columbus Regional Healthcare System",
  "m_url": "http://7ukmkdtyxdkdivtjad57klqnd3kdsmq6tp45rrsxqnu76zzv3jvitlqd.onion/",
  "m_screenshot": "69993154316451142028569605097804",
  "m_base_url": "http://7ukmkdtyxdkdivtjad57klqnd3kdsmq6tp45rrsxqnu76zzv3jvitlqd.onion",
  "m_content": "Columbus Regional Healthcare System has one of the highest volume and most experienced robotic surgical programs in Southeastern North Carolina. http://7ukmkdtyxdkdivtjad57klqnd3kdsmq6tp45rrsxqnu76zzv3jvitlqd.onion http://7ukmkdtyxdkdivtjad57klqnd3kdsmq6tp45rrsxqnu76zzv3jvitlqd.onion/",
  "m_important_content": "Columbus Regional Healthcare System has one of the highest volume and most experienced robotic surgical programs in Southeastern North Carolina.",
  "m_network": "onion",
  "m_content_type": ["leaks"],
  "m_weblink": ["https://crhealthcare.org/"],
  "m_dumplink": ["https://crhealthcare.org/"],
  "m_company_name": "Columbus Regional Healthcare System",
  "m_location": ["US"],
  "m_team": "diaxin",
  "m_scrap_file": "_7ukmkdtyxdkdivtjad57klqnd3kdsmq6tp45rrsxqnu76zzv3jvitlqd",
  "m_language": ["en"],
  "m_domain": [
    "7ukmkdtyxdkdivtjad57klqnd3kdsmq6tp45rrsxqnu76zzv3jvitlqd.onion",
    "crhealthcare.org"
  ],
  "m_hash": "1a17b87ad12262b38a81419c3d1cc8c57868ce62b9e32e042ff1b20a9aefacc0",
  "m_update_date": "2025-12-03T20:46:34.909368+00:00",
  "m_creation_date": "2025-12-03T20:46:34.909391+00:00",
  "content_type": ["ddos", "darkweb"]
}

Common fields and their meaning:

  • m_title — human-readable title of the victim or breached asset

  • m_url — leak or post URL on the darkweb/dump source

  • m_screenshot — screenshot identifier (use /api/search/breach/screenshot/{m_screenshot})

  • m_base_url — base onion/clearnet URL of the leak site

  • m_content — full textual content of the breach announcement

  • m_important_content — condensed summary of the breach

  • m_network — network type (e.g. onion)

  • m_content_type — internal category labels (e.g. leaks)

  • m_weblink — URLs pointing to the victim’s clearnet web presence

  • m_dumplink — URLs referencing claimed leaked data

  • m_company_name — normalized company/organization name

  • m_location — list of associated country/region codes

  • m_team — threat actor or ransomware group name

  • m_scrap_file — internal scraper identifier

  • m_language — detected language(s)

  • m_domain — domains associated with the leak site and victim

  • m_hash — internal hash used for deduplication and correlation

  • m_update_date — last update timestamp

  • m_creation_date — ingestion timestamp

  • content_type — high-level classification tags (e.g. ddos, darkweb)

Additionally, the response may include automatically extracted indicators of compromise (IOCs). Only indicators that are actually found in the underlying content are returned; IOC fields with no data are omitted from the response.

Supported IOC / enrichment fields:

  • m_phone_number — Phone Numbers

  • m_email — Emails

  • m_domain — Domains

  • m_country — Country

  • m_url — URLs

  • m_cve — CVE & CWE

  • m_ip — IP Addresses

  • m_yara_rule — YARA Rules

  • m_encoded_urls — Encoded URLs

  • m_file_paths — File Paths

  • m_credit_card — Credit Cards

  • m_org — Organizations

  • m_company_name — Company Names

  • m_person — Persons

  • m_location — Locations

  • m_language — Languages

  • m_user_agents — User Agents

  • m_asns — ASNs

  • m_team — Teams

  • m_hashtag — Hashtags

  • m_mention — Mentions

  • m_social_media_profiles — Social Media Profiles

  • m_currencies — Currencies

  • m_crypto_address — Crypto Addresses

  • m_xmpp_addresses — XMPP Addresses

  • m_enterprise_attack_tactics — Enterprise ATT&CK Tactics

  • m_enterprise_attack_techniques — Enterprise ATT&CK Techniques

  • m_document_id — Document IDs

  • m_au_abn — Australian IDs

  • m_us_passport — US IDs

  • m_us_bank_number — US Bank Numbers

  • m_platform — Platform

  • m_author — Author

  • m_industry — Industry

  • m_scrap_file — Scrap Script
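The defacement and breach reports above share the same IOC field set and the same rule that fields with no data are omitted, while m_domain on a breach report mixes the leak site's own hosts with the victim's. As an added example that is not Orion's code, the helpers below pull out only the populated IOC fields from either report type, build the documented screenshot route, separate leak-site infrastructure from victim domains, and match the victim domains against your own asset list. The sample report is constructed with the shape of the documented breach response; the hospital, the onion host and the group name are made up.

```python
from typing import Any, Dict, List, Set
from urllib.parse import urlsplit

# Supported IOC / enrichment fields and their labels, as documented for the breach and defacement reports.
IOC_FIELDS = {
    "m_phone_number": "Phone Numbers", "m_email": "Emails", "m_domain": "Domains", "m_country": "Country",
    "m_url": "URLs", "m_cve": "CVE & CWE", "m_ip": "IP Addresses", "m_yara_rule": "YARA Rules",
    "m_encoded_urls": "Encoded URLs", "m_file_paths": "File Paths", "m_credit_card": "Credit Cards",
    "m_org": "Organizations", "m_company_name": "Company Names", "m_person": "Persons",
    "m_location": "Locations", "m_language": "Languages", "m_user_agents": "User Agents", "m_asns": "ASNs",
    "m_team": "Teams", "m_hashtag": "Hashtags", "m_mention": "Mentions",
    "m_social_media_profiles": "Social Media Profiles", "m_currencies": "Currencies",
    "m_crypto_address": "Crypto Addresses", "m_xmpp_addresses": "XMPP Addresses",
    "m_enterprise_attack_tactics": "Enterprise ATT&CK Tactics",
    "m_enterprise_attack_techniques": "Enterprise ATT&CK Techniques", "m_document_id": "Document IDs",
    "m_au_abn": "Australian IDs", "m_us_passport": "US IDs", "m_us_bank_number": "US Bank Numbers",
    "m_platform": "Platform", "m_author": "Author", "m_industry": "Industry", "m_scrap_file": "Scrap Script",
}


def _as_list(value: Any) -> List[Any]:
    """Normalise a field that may be a scalar, a list, null or '' into a list of non-empty items."""
    if value is None:
        return []
    items = value if isinstance(value, list) else [value]
    return [x for x in items if x not in (None, "")]


def extract_iocs(report: Dict[str, Any]) -> Dict[str, List[Any]]:
    """Keep only documented IOC fields that are present and non-empty. The API omits fields it found
    nothing for, but a present field can still be null (m_location in the defacement example)."""
    return {k: _as_list(report[k]) for k in IOC_FIELDS if k in report and _as_list(report[k])}


def screenshot_path(report: Dict[str, Any]) -> str:
    """The documented screenshot route for a breach report; '' when no screenshot id is set."""
    sid = report.get("m_screenshot")
    return f"/api/search/breach/screenshot/{sid}" if sid else ""


def split_domains(report: Dict[str, Any]) -> Dict[str, List[str]]:
    """Separate leak-site infrastructure (darknet suffixes, the m_base_url host) from the victim's
    domains (the rest of m_domain plus the hosts of m_weblink/m_dumplink, which point at the victim)."""
    leak_hosts = {urlsplit(report.get("m_base_url") or "").hostname or ""}
    victim_links = _as_list(report.get("m_weblink")) + _as_list(report.get("m_dumplink"))
    victim_hosts = {urlsplit(u).hostname for u in victim_links}
    out: Dict[str, List[str]] = {"leak_site": [], "victim": []}
    for d in _as_list(report.get("m_domain")):
        d = str(d).lower().rstrip(".")
        if d.endswith((".onion", ".i2p")) or d in leak_hosts:
            out["leak_site"].append(d)
        else:
            out["victim"].append(d)
    for h in sorted(h for h in victim_hosts if h):  # link hosts that m_domain did not list
        if h not in out["victim"] and h not in out["leak_site"]:
            out["victim"].append(h)
    return out


def matches_assets(report: Dict[str, Any], own_domains: Set[str]) -> List[str]:
    """Victim domains that equal or sit under one of your domains; non-empty means this report concerns you."""
    own = {d.lower() for d in own_domains}
    return [d for d in split_domains(report)["victim"]
            if d in own or any(d.endswith("." + o) for o in own)]


# Constructed report modelled on the documented breach response (no real victim or site).
SAMPLE_BREACH = {
    "m_title": "Example Hospital",
    "m_url": "http://exampleleaksiteabcdefgh.onion/",
    "m_screenshot": "12345678901234567890",
    "m_base_url": "http://exampleleaksiteabcdefgh.onion",
    "m_network": "onion", "m_content_type": ["leaks"],
    "m_weblink": ["https://www.example-hospital.org/"], "m_dumplink": ["https://example-hospital.org/"],
    "m_company_name": "Example Hospital", "m_location": ["US"], "m_team": "example-group",
    "m_language": ["en"],
    "m_domain": ["exampleleaksiteabcdefgh.onion", "example-hospital.org"],
    "m_email": None,
}
```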


news

Description

Get a specific breach-related news intelligence report generated from external news feeds by its report ID.

The request is an HTTP GET and accepts:

  • doc_id (path) — string identifier of the news report document

  • lang (query, optional) — language code to localize narrative sections when supported.

No request body is required.

Response

News intelligence report document describing breach- or threat-related events from external news sources, returned as a single JSON object.

Core response fields typically include:

  • m_title — title of the article or report

  • m_url — direct URL of the article

  • m_base_url — base URL of the source site

  • m_content — normalized article text, including extracted narrative content

  • m_important_content — summary or extracted key snippet

  • m_network — usually clearnet

  • m_content_type — internal classification labels such as news

  • m_team — publishing organization or referenced entity

  • m_weblink — list of related article URLs

  • m_dumplink — list of referenced dump or external resources

  • m_organization — organizations mentioned or discussed in the article

  • m_language — detected language(s)

  • m_domain — domains associated with the source

  • m_hash — internal hash for deduplication

  • m_update_date — last update timestamp

  • m_creation_date — ingestion timestamp

  • content_type — high-level classification tags used by other modules

Example response:

{
  "m_title": "Turning Intelligence Into Action with Threat-Informed Defense",
  "m_url": "https://thehackernews.com/expert-insights/2025/09/turning-intelligence-into-action-with.html",
  "m_base_url": "https://thehackernews.com/",
  "m_content": "Jean-Philippe Salles — Head of Product at Filigran Sept 22, 2025  Cybersecurity is undergoing a necessary transformation from reacting to threats as they arise to proactively anticipating and addressing them through Threat-Informed Defense (TID). This shift emphasizes operational discipline over accumulating more tools. It involves using threat intelligence to streamline existing technologies, enhance the quality of security signals, and focus efforts on the threats most relevant to each organization. The goal is to continuously identify and close security gaps by combining insights from external threat data with internal defense capabilities.  How do you put TID into practice? The team at Filigran has broken down the TID framework into a six-stage pipeline to develop actionable chunks for cybersecurity leaders. In this article, we share the details so that your security teams can leverage it too to support TID.  What is Threat-Informed Defense?#  First advocated by MITRE, Threat-Informed Defense (TID) leverages MITRE ATT&CK framework to map how real threat actors operate and align defenses accordingly. It rests on three pillars:  Cyber threat intelligence: First gather, ingest and process all of your threat intelligence to make it contextual and relevant for you. Go beyond IOCs to understand adversary behaviors and intent, which are more durable and more costly for attackers to change. Defensive measures: Translate prioritized threat intelligence into detections, hardening, response playbooks, and configurations; utilize it properly and make it do the work for you. Adapt controls to the threats most likely to target you. Testing and evaluation: Plan adversary emulation and run continuous breach-and-attack simulations to verify coverage and avoid regressions. Gain granular level visibility into the effectiveness of your security programs. Automate and scale for continuous security posture validation and improvement.  
Security teams today are facing tighter budgets and limited resources. As a result, many CISOs are shifting their focus from constantly adopting new tools to making the most of the technologies they already have. This change in mindset is driving a more proactive approach to cybersecurity. Instead of waiting for threats to happen, leaders are asking critical questions like 'Who might target us?', 'How do they operate?', 'Are our defenses strong enough?' and 'What's our plan if something fails?'. Implementing a Threat-Informed Defense (TID) strategy requires breaking down silos between teams, encouraging collaboration and information sharing across security operations, threat intelligence, and testing groups.  From Idea to Execution: Threat-Informed Defense Pipeline#  Similar to Continuous Threat Exposure Management (CTEM), TID is a concept, a cybersecurity strategy. Organizations can adopt and implement TID through various approaches, whether using commercial solutions, open-source tools, or hybrid implementations. For example, one approach could involve leveraging Filigran's open-source extended threat management (XTM) suite that combines threat intelligence platform with adversary emulation capabilities. These integrated solutions help security teams operationalize TID through six actionable stages:  Stage 01: Strategic threat landscape assessment#  Goal: Identify which adversaries, malware, and campaigns are most relevant to your business model, stack, and region.  How: Threat assessment in threat-informed defense involves systematically evaluating and prioritizing the specific threat actors, their capabilities, tactics, techniques, and procedures (TTPs) that are most likely to target your organization's critical assets. A threat intelligence platform (TIP) allows you to gather, analyze, refine and share prioritized threat intelligence is a useful component for this step.  Outcome: A prioritized watchlist with clear inclusion criteria and analyst annotations.  
Stage 02: Actor and malware tracking#  Goal: Keep pace with evolving TTPs and indicators while filtering noise.  How: Maintain adaptive watchlists; triage incoming reports; tag IOCs and TTPs and distribute them to SIEM/EDR/SOAR. Modern TIPs like open-source based OpenCTI use knowledge graph models to provide powerful visualizations to link campaigns, malware, techniques, and exploited vulnerabilities.  Outcome: Continuously updated views of active threats and automated, stakeholder-ready reporting to show program progress.  Stage 03: TTP and report mapping#  Goal: See where attacker behaviors outpace your defenses.  How: Advanced Persistent Threats (APTs) and opportunistic attackers increasingly target the expanded attack surface created by cloud-native architectures, leveraging misconfigurations in multi-cloud environments, exploiting container escape vulnerabilities, poisoning CI/CD pipelines with malicious code, and conducting identity-based attacks through stolen credentials and API keys. OpenCTI can serve as a critical enabler for this assessment by centralizing and correlating threat intelligence specific to your technology stack, automatically ingesting indicators and TTPs from multiple sources—including cloud provider threat feeds, container security advisories, and identity-focused threat research. The platform maps these threats to the MITRE ATT&CK framework, allowing security teams to visualize adversary groups.  Outcome: A prioritized TTP list ready for adversary emulation and detection engineering.  Stage 04: Breach & attack simulation#  Goal: Prove whether you security controls detect and respond as designed.  How: Testing security controls in TID moves beyond generic vulnerability scanning and compliance checks to validate whether your defenses actually stop the specific adversary behaviors targeting your organization. 
Adversary Exposure Validation (AEV) tools makes threat intelligence actionable by emulating the exact techniques your most likely threat actors employ. Filigran's open-source OpenBAS provides scalability to design and execute purple team exercises, breach and attack simulations, and atomic red team tests. It also feed outcomes back into OpenCTI to maintain context with the threats that matter.  Outcome: A continuous feedback loop that catches regressions, validates detections, and informs engineering fixes.  Stage 05: Control validation and investment#  Goal: Translate intel and testing into targeted remediation and budget decisions.  How: Use time-series and historical snapshots to show coverage trends and risk reduction. Apply remediation guidance from OpenBAS to tune configs, update rules, and plan upgrades or replacements. The continuous validation using the combination of OpenCTI and OpenBAS creates a feedback loop that informs strategic investments and architectural decisions with unprecedented precision. The quantifiable nature of these insights enables CISOs to justify budget requests with specific risk reduction metrics, prioritize engineering efforts based on actual adversary impact  Outcome: Evidence-based prioritization that improves day-to-day resilience and informs quarterly planning.  Stage 06: Quarterly review#  Goal: Recalibrate strategy and maintain executive alignment.  How: Consolidate threat insights, control coverage, and simulation results into executive-ready reporting. Our recommendation is to make this as a quarterly exercise to share with your key stakeholders. This creates a closed-loop system where threat intelligence directly drives security validation priorities. Revisit tracked threats, business priorities, and risk appetite as part of a broader Continuous Threat Exposure Management (CTEM) rhythm.  Outcome: A living program that stays aligned to business risk and adversary reality.  
Ready to make the shift to Threat-Informed Defense?#  Utilize TID to shift the conversation from traditional security life cycle (protection/detection/response) to proactive finding the gaps in your security controls and reducing cyber risks. The empirical approach of TID provides metrics that matter, from 'we blocked 10 million attacks' to 'we can detect and stop 85% of the techniques used by the ransomware groups actively targeting our sector and here is what we are going to do to fill our gaps for the rest 15%'.  If you'd like to learn more about TID, Filigran's open-source product suite, and its alignment with the framework you can download our latest white paper, A Practical Guide to Threat-Informed Defense, or contact us to speak directly with our team.    SHARE      Tweet  Share  Share  Share",
  "m_important_content": "Jean-Philippe Salles — Head of Product at Filigran Sept 22, 2025  Cybersecurity is undergoing a necessary transformation from reacting to threats as they arise to proactively anticipating and addressing them through Threat-Informed Defense (TID). This shift emphasizes operational discipline over accumulating more tools.",
  "m_network": "clearnet",
  "m_content_type": ["news"],
  "m_weblink": [
    "https://thehackernews.com/expert-insights/2025/09/turning-intelligence-into-action-with.html"
  ],
  "m_dumplink": [
    "https://thehackernews.com/expert-insights/2025/09/turning-intelligence-into-action-with.html"
  ],
  "m_team": "hackernews live",
  "m_scrap_file": "_thehackernews",
  "m_organization": ["Filigran", "MITRE", "Cybersecurity"],
  "m_language": ["en"],
  "m_domain": ["thehackernews.com"],
  "m_hash": "7cd89edea323f8127203c984df5df7d7cbb0b564cae4b5ef770f7050f11cba34",
  "m_update_date": "2025-10-10T08:21:46.160580+00:00",
  "m_creation_date": "2025-10-10T08:21:46.186711+00:00"
}

Additionally, the response may include automatically extracted indicators of compromise (IOCs). Only indicators that are actually found in the underlying content are returned; IOC fields with no data are omitted from the response.

Supported IOC / enrichment fields:

  • m_phone_number — Phone Numbers

  • m_email — Emails

  • m_domain — Domains

  • m_country — Country

  • m_url — URLs

  • m_cve — CVE & CWE

  • m_ip — IP Addresses

  • m_yara_rule — YARA Rules

  • m_encoded_urls — Encoded URLs

  • m_file_paths — File Paths

  • m_credit_card — Credit Cards

  • m_org — Organizations

  • m_company_name — Company Names

  • m_person — Persons

  • m_location — Locations

  • m_language — Languages

  • m_user_agents — User Agents

  • m_asns — ASNs

  • m_team — Teams

  • m_hashtag — Hashtags

  • m_mention — Mentions

  • m_social_media_profiles — Social Media Profiles

  • m_currencies — Currencies

  • m_crypto_address — Crypto Addresses

  • m_xmpp_addresses — XMPP Addresses

  • m_enterprise_attack_tactics — Enterprise ATT&CK Tactics

  • m_enterprise_attack_techniques — Enterprise ATT&CK Techniques

  • m_document_id — Document IDs

  • m_au_abn — Australian IDs

  • m_us_passport — US IDs

  • m_us_bank_number — US Bank Numbers

  • m_platform — Platform

  • m_author — Author

  • m_industry — Industry

  • m_scrap_file — Scrap Script


exploit

Description

Get a specific exploit intelligence report (CVE, exploit kit, zero-day activity, etc.) by its report ID.

The request is an HTTP GET and accepts:

  • doc_id (path) — string identifier of the exploit report document

  • lang (query, optional) — language code for localized narrative fields when available.

No request body is required.

Response

Exploit intelligence report document containing exploit details, returned as a single JSON object.

Core response fields typically include:

  • m_title — exploit or module title

  • m_url — direct URL for the exploit/module page

  • m_base_url — base URL of the publishing site or contact page

  • m_content — normalized exploit description or short text body

  • m_important_content — key snippet or short summary emphasizing the exploit name or purpose

  • m_network — network type of the source, typically clearnet

  • m_content_type — internal labels such as cve, exploit, poc

  • m_weblink — list of additional URLs related to the exploit (e.g. source code or commits)

  • content_type — high-level classification tags used by other modules

  • m_name — author or contributor information

  • m_code_snippet — list of code or command snippets showing usage of the exploit

  • m_platform — list of affected or supported platforms

  • m_scrap_file — internal scraper identifier or file prefix

  • m_domain — domains related to the exploit content and references

  • m_hash — internal hash for this document, used for deduplication and correlation

  • m_update_date — last time the document was updated in the system

  • m_creation_date — first time the document was created/ingested into the system

Depending on the source and context, additional enrichment fields may be present, such as CVE identifiers, threat actor information or extended narrative text.

Example response:

{
  "m_title": "Windows Registry Only Persistence",
  "m_url": "https://www.rapid7.com/db/modules/exploit/windows/persistence/registry/",
  "m_base_url": "https://www.rapid7.com/contact/",
  "m_content": "Windows Registry Only Persistence",
  "m_important_content": "Windows Registry Only Persistence",
  "m_network": "clearnet",
  "m_content_type": ["cve"],
  "m_weblink": [
    "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/persistence/registry.rb",
    "https://github.com/rapid7/metasploit-framework/commits/master//modules/exploits/windows/persistence/registry.rb"
  ],
  "content_type": ["persistence"],
  "m_name": "Donny Maasland donny.maasland@fox-it.com,h00die",
  "m_code_snippet": [
    "msf > use exploit/windows/persistence/registry\n\n    msf exploit(registry) > show targets\n\n        ...targets...\n\n    msf exploit(registry) > set TARGET < target-id >\n\n    msf exploit(registry) > show options\n\n        ...show and set options...\n\n    msf exploit(registry) > exploit"
  ],
  "m_platform": ["Windows"],
  "m_scrap_file": "_rapid7",
  "m_domain": [
    "github.com",
    "rapid7.com",
    "rapid7.com/contact"
  ],
  "m_hash": "6c88d95f4d98b5c95f65a79da548fd5c3b33d6ac319790c33630dc2f2d869019",
  "m_update_date": "2025-10-28T18:09:14.512739+00:00",
  "m_creation_date": "2025-10-28T18:09:14.516589+00:00"
}

Additionally, the response may include automatically extracted indicators of compromise (IOCs). Only indicators that are actually found in the underlying content are returned; IOC fields with no data are omitted from the response.

Supported IOC / enrichment fields:

  • m_phone_number — Phone Numbers

  • m_email — Emails

  • m_domain — Domains

  • m_country — Country

  • m_url — URLs

  • m_cve — CVE & CWE

  • m_ip — IP Addresses

  • m_yara_rule — YARA Rules

  • m_encoded_urls — Encoded URLs

  • m_file_paths — File Paths

  • m_credit_card — Credit Cards

  • m_org — Organizations

  • m_company_name — Company Names

  • m_person — Persons

  • m_location — Locations

  • m_language — Languages

  • m_user_agents — User Agents

  • m_asns — ASNs

  • m_team — Teams

  • m_hashtag — Hashtags

  • m_mention — Mentions

  • m_social_media_profiles — Social Media Profiles

  • m_currencies — Currencies

  • m_crypto_address — Crypto Addresses

  • m_xmpp_addresses — XMPP Addresses

  • m_enterprise_attack_tactics — Enterprise ATT&CK Tactics

  • m_enterprise_attack_techniques — Enterprise ATT&CK Techniques

  • m_document_id — Document IDs

  • m_au_abn — Australian IDs

  • m_us_passport — US IDs

  • m_us_bank_number — US Bank Numbers

  • m_platform — Platform

  • m_author — Author

  • m_industry — Industry

  • m_scrap_file — Scrap Script


strategic

Description

Get a specific strategic intelligence report aggregating crawled content from onion, I2P, and similar hidden-service pages by its report ID.

The request is an HTTP GET and accepts:

  • doc_id (path) — string identifier of the strategic (generic) report document

  • lang (query, optional) — language code for localized narrative content.

No request body is required.

Response

Strategic darkweb intelligence document representing a single crawled page (such as a marketplace listing, forum thread or generic page), returned as a JSON object.

Core response fields typically include:

  • m_base_url — base URL of the hidden service or site

  • m_url — specific page URL

  • m_network — network type (e.g. onion)

  • m_title — page title as seen in the source

  • m_meta_description — meta description extracted from the HTML, if available

  • m_content — normalized text content extracted from the page

  • m_important_content — key snippet or condensed portion of the most relevant text

  • m_images — list of image URLs extracted from the page

  • m_sub_url — list of internal navigation or related links

  • m_validity_score — internal confidence/validity score for the crawled document

  • m_meta_keywords — keyword string summarizing tags, topics and SEO-style keywords (when available)

  • m_content_type — internal classification labels such as marketplaces, general, forums

  • m_country — list of associated countries inferred from the content or targeting

  • m_location — list of locations or regions mentioned or targeted

  • m_organization — extracted organizations or platforms mentioned

  • m_language — detected language(s) of the content

  • m_currencies — list of currencies mentioned or used on the page

  • m_domain — list of domains associated with the page and its references

  • m_hash_content — hash of the normalized page content

  • m_hash_url — hash of the page URL

  • m_hash — internal document hash identifier used for deduplication and correlation

  • m_update_date — last time the document was updated in the system

  • m_creation_date — first time the document was created/ingested into the system

Depending on the source, additional enrichment fields may be present, such as forum-specific metadata, structured attributes describing the section or category, or clearnet reference links.

Example response:

{
  "m_base_url": "http://cards3wmb7atxhczo33trz5lhzcmfjftreyap2povmftd7g22u4holyd.onion",
  "m_url": "http://cards3wmb7atxhczo33trz5lhzcmfjftreyap2povmftd7g22u4holyd.onion/popular/442",
  "m_network": "onion",
  "m_title": "giftcardxpress - buy cheap gift cards",
  "m_meta_description": "save up to 70% on all your favorite gift cards",
  "m_content": "save up to 70 on all your favorite gift cards\nsave up to 70% on all your favorite gift cards\nSave up to 70% on all your favorite gift cards",
  "m_important_content": "no description found but contains some urls. this website is most probably a search engine or only contain references of other websites giftcardxpress - buy cheap gift cards save up to 70% on all your favorite",
  "m_images": [
    "http://cards3wmb7atxhczo33trz5lhzcmfjftreyap2povmftd7g22u4holyd.onion/static/assets/amazon.png",
    "http://cards3wmb7atxhczo33trz5lhzcmfjftreyap2povmftd7g22u4holyd.onion/static/assets/amazon.png"
  ],
  "m_sub_url": [
    "http://cards3wmb7atxhczo33trz5lhzcmfjftreyap2povmftd7g22u4holyd.onion/popular/823",
    "http://cards3wmb7atxhczo33trz5lhzcmfjftreyap2povmftd7g22u4holyd.onion/new_arraival/823"
  ],
  "m_validity_score": 0,
  "m_content_type": ["marketplaces"],
  "m_domain": [
    "amazon.de",
    "cards3wmb7atxhczo33trz5lhzcmfjftreyap2povmftd7g22u4holyd.onion"
  ],
  "m_country": ["Spain", "Netherlands", "Germany", "France"],
  "m_organization": ["Amazon", "Fortnite", "iTunes", "GiftCardXpress", "Google", "Steam", "Netflix"],
  "m_location": ["Spain", "Germany", "France"],
  "m_language": ["en"],
  "m_currencies": ["USD", "EUR", "GBP"],
  "m_update_date": "2025-12-02T13:13:55.970184+00:00",
  "m_hash_content": "7c2739bc52efab970134f87542ac382daf25a1fa429aa0a15cbacbe30740b896",
  "m_hash_url": "3fa64feadef7ea1a7765ee0849e6797838a468b3496759042ca7f33c22b9d6f9",
  "m_hash": "c8790e0132c7fdfbbf6420cc9a73f478fbfc884202a5dab6f6ad3f1195882bbd",
  "m_creation_date": "2025-12-02T13:13:55.970231+00:00"
}

Additionally, the response may include automatically extracted indicators of compromise (IOCs). Only indicators that are actually found in the underlying content are returned; IOC fields with no data are omitted from the response.

Supported IOC / enrichment fields:

  • m_phone_number — Phone Numbers

  • m_email — Emails

  • m_domain — Domains

  • m_country — Country

  • m_url — URLs

  • m_cve — CVE & CWE

  • m_ip — IP Addresses

  • m_yara_rule — YARA Rules

  • m_encoded_urls — Encoded URLs

  • m_file_paths — File Paths

  • m_credit_card — Credit Cards

  • m_org — Organizations

  • m_company_name — Company Names

  • m_person — Persons

  • m_location — Locations

  • m_language — Languages

  • m_user_agents — User Agents

  • m_asns — ASNs

  • m_team — Teams

  • m_hashtag — Hashtags

  • m_mention — Mentions

  • m_social_media_profiles — Social Media Profiles

  • m_currencies — Currencies

  • m_crypto_address — Crypto Addresses

  • m_xmpp_addresses — XMPP Addresses

  • m_enterprise_attack_tactics — Enterprise ATT&CK Tactics

  • m_enterprise_attack_techniques — Enterprise ATT&CK Techniques

  • m_document_id — Document IDs

  • m_au_abn — Australian IDs

  • m_us_passport — US IDs

  • m_us_bank_number — US Bank Numbers

  • m_platform — Platform

  • m_author — Author

  • m_industry — Industry

  • m_scrap_file — Scrap Script


chat

Description

Get a specific chat intelligence report focused on messaging platforms such as Telegram by its report ID.

The request is an HTTP GET and accepts:

  • doc_id (path) — string identifier of the chat report document

  • lang (query, optional) — language code used to localize analytical summaries when available.

No request body is required.

Response

Chat intelligence report consolidating one chat message or a small thread (for example from Telegram), returned as a single JSON object.

Core response fields typically include:

  • m_content — normalized text content of the message (main body text)

  • m_caption — original caption text, often mirroring m_content for media posts

  • m_message_date — message date in YYYY-MM-DD format

  • m_message_id — platform-specific message identifier (e.g. Telegram message id)

  • m_message_sharable_link — deep link to the message (e.g. https://t.me/...)

  • m_channel_id — internal or platform channel identifier

  • m_views — number of views or impressions for the message

  • m_sender_name — human-readable sender name (may include additional text)

  • m_sender_username — sender username/handle (e.g. Telegram @ handle)

  • m_message_type — list of message types (e.g. ["photo"], ["text"])

  • m_media_url — URL pointing to the media or message (for example a Telegram web link)

  • m_media_caption — caption/description related to the attached media

  • m_reply_to_message_id — message id of the parent message when this is a reply

  • m_message_status — message processing status in the system (e.g. success)

  • m_channel_name — human-readable channel name (e.g. Mash)

  • m_weblink — list of additional links associated with the channel or message (e.g. invite links)

  • m_users — list of user identifiers or usernames referenced in the message (e.g. ["Tiarkasir"])

  • m_content_type — high-level internal labels for the content (e.g. ["text"])

  • m_sender_id — numeric sender id on the platform

  • m_sender_is_bot — boolean indicating whether the sender is a bot

  • m_is_forwarded — boolean indicating whether the message is a forwarded message

  • m_forwarded_date — original forward date when m_is_forwarded is true

  • m_is_reply — boolean indicating whether the message is a reply

  • m_pinned — boolean indicating whether the message is pinned in the channel

  • m_location — list of location strings extracted from the content (e.g. city or area names)

  • m_social_media_profiles — list of social profile URLs mentioned in the message content

  • m_domain — list of domains extracted from links in the message

  • m_platforms — list of platforms referenced or linked (e.g. ["instagram"])

  • m_cluster_id — internal logical cluster/group identifier for related chat items (e.g. chat)

  • m_document_id — internal document id used by the system for this chat record

  • m_hash — internal content hash used for deduplication and correlation

  • m_creation_date — timestamp when the message document was created/ingested

  • m_edit_date — last edit timestamp for the message (if it was edited)

  • m_organization — list of organizations or entities mentioned (e.g. Boeing)

  • m_language — detected language(s) of the message content (e.g. ["ru"])

Depending on the platform and message type, additional enrichment fields may be present, such as media metadata, reaction counts or extended thread context.

Example response:

{
  "m_content": "Причина сигнала бедствия Boeing 777-200 — возгорание одного из двигателей. На данный момент пожар потушен. Сейчас самолёт вырабатывает топливо, готовясь к возвращению в Домодедово в 22:40. Экипаж работает штатно, паники на борту нет. UPD. На судне находятся 412 пассажиров и 13 членов бортовой команды. Подписывайся на Mash",
  "m_caption": "Причина сигнала бедствия Boeing 777-200 — возгорание одного из двигателей. На данный момент пожар потушен. Сейчас самолёт вырабатывает топливо, готовясь к возвращению в Домодедово в 22:40. Экипаж работает штатно, паники на борту нет. UPD. На судне находятся 412 пассажиров и 13 членов бортовой команды. Подписывайся на Mash",
  "m_message_date": "2025-12-03",
  "m_message_id": "69893",
  "m_message_sharable_link": "https://t.me/mash/69893",
  "m_channel_id": "1117628569",
  "m_views": "401445",
  "m_sender_name": "TIAR None",
  "m_sender_username": "Tiarkasir",
  "m_message_type": ["photo"],
  "m_media_url": "https://t.me/mash/69893",
  "m_media_caption": "9 9 1 0 0 0 2 3 0 0 RUKO SENTRA NIAGA KALIMALANG BLOK B-1 NO.24 JALAN AHMAD YANI, KAYURINGIN BELAKANG MALL BCP •QEYSA •LENKA •MEMEY •SANSAN •KHANZA •ALEXA •ANITA •SENA •ESSA •NAOMI •MPIE •VITTA •CATRIN •MUTIA •FELISHA •ARRA •LALA •KIKI •EVA ID INSTAGRAM https://www.instagram.com/new_king_spa_bekasi_selatan?igsh=Znk4cWY3OG1udzZ3 BOKING DISINI @Tiarkasir LOKASI https://maps.app.goo.gl/sNzBhjnHhk7bgF2WA WA https://wa.me/qr/YGHM5GCX7SBFG1 SAYA TUNGGU KEHADIRANNYA SELALU BOS KU",
  "m_reply_to_message_id": "69892",
  "m_message_status": "success",
  "m_channel_name": "Mash",
  "m_weblink": ["https://t.me/+mBgDVq0QTftmY2Ji"],
  "m_users": ["Tiarkasir"],
  "m_content_type": ["text"],
  "m_sender_id": "1117628569",
  "m_sender_is_bot": false,
  "m_is_forwarded": false,
  "m_forwarded_date": "2025-11-05 08:29:26",
  "m_is_reply": true,
  "m_pinned": false,
  "m_location": ["KAYURINGIN"],
  "m_social_media_profiles": ["https://www.instagram.com/new_king_spa_bekasi_"],
  "m_domain": ["instagram.com"],
  "m_platforms": ["instagram"],
  "m_cluster_id": "chat",
  "m_document_id": "e233d6042cec2a3239a701d0eebebe3430f72543c0fd0e20de00f228808cafa5",
  "m_hash": "e233d6042cec2a3239a701d0eebebe3430f72543c0fd0e20de00f228808cafa5",
  "m_creation_date": "2025-12-03T21:36:59.858292+00:00",
  "m_edit_date": "2025-12-03 19:40:44",
  "m_organization": ["Boeing"],
  "m_language": ["ru"]
}

Additionally, the response may include automatically extracted indicators of compromise (IOCs). Only indicators that are actually found in the underlying content are returned; IOC fields with no data are omitted from the response.

Supported IOC / enrichment fields:

  • m_phone_number — Phone Numbers

  • m_email — Emails

  • m_domain — Domains

  • m_country — Country

  • m_url — URLs

  • m_cve — CVE & CWE

  • m_ip — IP Addresses

  • m_yara_rule — YARA Rules

  • m_encoded_urls — Encoded URLs

  • m_file_paths — File Paths

  • m_credit_card — Credit Cards

  • m_org — Organizations

  • m_company_name — Company Names

  • m_person — Persons

  • m_location — Locations

  • m_language — Languages

  • m_user_agents — User Agents

  • m_asns — ASNs

  • m_team — Teams

  • m_hashtag — Hashtags

  • m_mention — Mentions

  • m_social_media_profiles — Social Media Profiles

  • m_currencies — Currencies

  • m_crypto_address — Crypto Addresses

  • m_xmpp_addresses — XMPP Addresses

  • m_enterprise_attack_tactics — Enterprise ATT&CK Tactics

  • m_enterprise_attack_techniques — Enterprise ATT&CK Techniques

  • m_document_id — Document IDs

  • m_au_abn — Australian IDs

  • m_us_passport — US IDs

  • m_us_bank_number — US Bank Numbers

  • m_platform — Platform

  • m_author — Author

  • m_industry — Industry

  • m_scrap_file — Scrap Script


social

Description

Get a specific social media intelligence report (for example posts by ransomware groups or other threat actors) by its report ID.

The request is an HTTP GET and accepts:

  • doc_id (path) — string identifier of the social media report document

  • lang (query, optional) — language code for localized narrative content.

No request body is required.

Response

Social media intelligence report containing posts and activity from monitored social platforms, returned as a single JSON object.

Core response fields typically include:

  • m_sender_name — display name or handle of the account that posted the content (e.g. @lu3ky13)

  • m_message_sharable_link — full platform URL or deep link to the post

  • m_content — normalized text content of the post, including hashtags, mentions and links

  • m_content_type — internal labels describing the social collector/source type (e.g. ["social_collector"])

  • m_message_date — date the post was created, in YYYY-MM-DD format

  • m_channel_url — URL of the profile, channel or account page

  • m_message_id — platform-specific unique identifier for the post

  • m_platform — social platform name (e.g. twitter)

  • m_network — network type for the source (typically clearnet)

  • m_views — approximate view/impression count when available

  • m_comment_count — number of comments or replies when available

  • m_likes — number of likes or favorites when available

  • m_retweets — number of reshares/retweets/boosts when available

  • content_type — high-level classification tags used by other modules (e.g. ["ddos", "exploit", "rce"])

  • m_name — profile display name (e.g. lu3ky13)

  • m_scrap_file — internal scraper identifier or file prefix (e.g. _twitter)

  • m_language — detected language(s) of the post content (e.g. ["en"])

  • m_hashtag — list of hashtags extracted from the content

  • m_mention — list of mentioned accounts/handles in the post

  • m_currencies — list of currencies referenced in the post

  • m_domain — list of domains referenced in links within the post

  • m_hash — internal content hash used for deduplication and correlation

  • m_creation_date — timestamp when the social post document was created/ingested by the system

Depending on the platform and event type, additional enrichment fields may be present, such as reaction breakdowns, attached media details or thread/conversation context.

Example response:

{
  "m_sender_name": "@lu3ky13",
  "m_message_sharable_link": "https://x.com/lu3ky13/status/1852382887246541180",
  "m_content": "Remote Code Execution (RCE) thank you \n@nahamsec\n \n\nYay, I was awarded a $7,800 bounty on \n@Hacker0x01\n! \nhttps://\nhackerone.com/lu3ky-13 #TogetherWeHitHarder #bugbounty",
  "m_content_type": ["social_collector"],
  "m_message_date": "2024-11-01",
  "m_channel_url": "https://x.com/lu3ky13",
  "m_message_id": "1852382887246541180",
  "m_platform": "twitter",
  "m_network": "clearnet",
  "m_views": "23000",
  "m_comment_count": "15",
  "m_likes": "357",
  "m_retweets": "13",
  "m_name": "lu3ky13",
  "m_scrap_file": "_twitter",
  "m_domain": [
    "x.com",
    "hackerone.com"
  ],
  "m_language": ["en"],
  "m_hashtag": ["#bugbounty", "#togetherwehitharder"],
  "m_currencies": ["USD"],
  "m_mention": ["@hacker0x01", "@lu3ky13remote", "@nahamsec"],
  "m_hash": "07b76a8a449633b73d38cc4f7c55ae970e01e942ea525a5dc9f39225de347c2d",
  "m_creation_date": "2025-12-02T11:24:10.131332+00:00",
  "content_type": ["ddos", "exploit", "rce"]
}

Additionally, the response may include automatically extracted indicators of compromise (IOCs). Only indicators that are actually found in the underlying content are returned; IOC fields with no data are omitted from the response.

Supported IOC / enrichment fields:

  • m_phone_number — Phone Numbers

  • m_email — Emails

  • m_domain — Domains

  • m_country — Country

  • m_url — URLs

  • m_cve — CVE & CWE

  • m_ip — IP Addresses

  • m_yara_rule — YARA Rules

  • m_encoded_urls — Encoded URLs

  • m_file_paths — File Paths

  • m_credit_card — Credit Cards

  • m_org — Organizations

  • m_company_name — Company Names

  • m_person — Persons

  • m_location — Locations

  • m_language — Languages

  • m_user_agents — User Agents

  • m_asns — ASNs

  • m_team — Teams

  • m_hashtag — Hashtags

  • m_mention — Mentions

  • m_social_media_profiles — Social Media Profiles

  • m_currencies — Currencies

  • m_crypto_address — Crypto Addresses

  • m_xmpp_addresses — XMPP Addresses

  • m_enterprise_attack_tactics — Enterprise ATT&CK Tactics

  • m_enterprise_attack_techniques — Enterprise ATT&CK Techniques

  • m_document_id — Document IDs

  • m_au_abn — Australian IDs

  • m_us_passport — US IDs

  • m_us_bank_number — US Bank Numbers

  • m_platform — Platform

  • m_author — Author

  • m_industry — Industry

  • m_scrap_file — Scrap Script
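The same rule applies to every report type above (exploit, strategic, chat, social): IOC fields that hold no data are omitted, and the documented examples show some enrichment fields as plain strings (m_scrap_file) and others as lists (m_domain, m_platform). A consumer that indexes report["m_email"] directly, or iterates a field that turned out to be a string, will break on real data. The following is an added example, not part of this documentation or of any platform SDK, showing how a client can normalise the optional fields of a report before using them. The helper names (extract_iocs, summarise, dedupe_by_hash) and the sample reports are constructed for illustration; the deduplication uses m_hash, which the field descriptions above designate for that purpose.

```python
"""Normalise the optional IOC / enrichment fields of a report document.

Added example (not platform code). Every present field is coerced to a list,
absent or empty fields are dropped, identity/financial fields are masked
before the record is copied into a ticket, and a batch of reports is
deduplicated on m_hash.
"""
from typing import Any, Iterable

# The enrichment fields listed in the documentation as optional in every report.
IOC_FIELDS = (
    "m_phone_number", "m_email", "m_domain", "m_country", "m_url", "m_cve",
    "m_ip", "m_yara_rule", "m_encoded_urls", "m_file_paths", "m_credit_card",
    "m_org", "m_company_name", "m_person", "m_location", "m_language",
    "m_user_agents", "m_asns", "m_team", "m_hashtag", "m_mention",
    "m_social_media_profiles", "m_currencies", "m_crypto_address",
    "m_xmpp_addresses", "m_enterprise_attack_tactics",
    "m_enterprise_attack_techniques", "m_document_id", "m_au_abn",
    "m_us_passport", "m_us_bank_number", "m_platform", "m_author",
    "m_industry", "m_scrap_file",
)

# Fields whose raw values should not travel further than the analyst's screen.
SENSITIVE = {"m_credit_card", "m_us_bank_number", "m_us_passport", "m_au_abn"}


def as_list(value: Any) -> list:
    """Wrap scalars in a list and drop None/empty entries from lists."""
    if value is None:
        return []
    if isinstance(value, (list, tuple, set)):
        return [v for v in value if v not in (None, "")]
    return [value]


def extract_iocs(report: dict) -> dict:
    """Return only the IOC fields that are present and non-empty, each as a list."""
    out = {}
    for field in IOC_FIELDS:
        values = as_list(report.get(field))
        if values:
            out[field] = values
    return out


def mask(value: Any, keep: int = 4) -> str:
    """Keep the last `keep` characters, star out the rest (e.g. ************1111)."""
    s = str(value)
    if len(s) <= keep:
        return "*" * len(s)
    return "*" * (len(s) - keep) + s[-keep:]


def redact(iocs: dict) -> dict:
    """Mask the values of sensitive fields; everything else passes through."""
    return {f: ([mask(v) for v in vals] if f in SENSITIVE else vals)
            for f, vals in iocs.items()}


def summarise(report: dict) -> dict:
    """Compact, ticket-safe view of one report document."""
    return {
        "hash": report.get("m_hash"),
        "network": report.get("m_network"),
        "title": report.get("m_title", ""),
        "iocs": redact(extract_iocs(report)),
    }


def dedupe_by_hash(reports: Iterable[dict]) -> list:
    """Keep the first document seen for each m_hash (the platform's dedup key)."""
    seen, out = set(), []
    for report in reports:
        h = report.get("m_hash")
        if h in seen:
            continue
        seen.add(h)
        out.append(report)
    return out


# Constructed sample reports: placeholder values, not data from the platform.
# The card number is the well-known Visa test PAN, included only to show masking.
SAMPLE_REPORTS = [
    {"m_title": "constructed exploit report", "m_network": "clearnet",
     "m_hash": "hash-a", "m_domain": ["github.com"], "m_platform": ["Windows"],
     "m_scrap_file": "_example", "m_email": []},
    {"m_title": "constructed leak report", "m_network": "onion",
     "m_hash": "hash-b", "m_credit_card": ["4111111111111111"],
     "m_country": "Germany"},
    {"m_title": "duplicate of hash-a", "m_network": "clearnet",
     "m_hash": "hash-a", "m_domain": ["github.com"]},
]

if __name__ == "__main__":
    for report in dedupe_by_hash(SAMPLE_REPORTS):
        print(summarise(report))
```

Note that the string-valued m_scrap_file and m_country come back as one-element lists and the empty m_email list is dropped, so downstream code can loop over every field uniformly.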


breach_screenshot

Description

Retrieve the screenshot image associated with a specific breach report, stored in WebP format.

The request is an HTTP GET and accepts:

  • filename (path) — base filename of the screenshot without extension.

No request body is required.

Response

WebP screenshot image that visually represents the breached website or resource described in the associated breach report. The service automatically appends the .webp extension, and the response payload is the raw image bytes.

Example:

  • Request: GET /api/search/breach/screenshot/69993154316451142028569605097804

  • Effective file retrieved: 69993154316451142028569605097804.webp

  • Response headers: Content-Type: image/webp with the binary image data in the body.



Dynamic

dynamic_user_email

Description

Perform a dynamic search for user email addresses discovered in monitored breach and defacement data, returning exposed account metadata for further investigation and remediation.

This operation also fetches real-time results from external dark-web intelligence APIs, which may take additional time to process. During this period the API may return a pending response indicating that the upstream data collection is still running.

A typical in-progress response looks like:

{
  "status": "pending",
  "progress": 10,
  "step": "running"
}

The request is an HTTP POST and expects a JSON body with a text object containing the lookup fields. Typical request payload:

{
  "text": {
    "username": "",
    "email": "msmannan00@gmail.com"
  }
}

The username field is optional and can be left empty when only the email address should be used for the exposure search.

Response

Dynamic search results listing exposed user email addresses and associated intelligence metadata.

The response is a JSON object containing a result array. Each element summarizes where the supplied identifier appears in known breaches or leak collections.

Example response:

{
  "result": [
    {
      "m_title": "Records for provided queries",
      "m_url": "http://breachdbsztfykg2fdaq2gnqnxfsbj5d35byz3yzj73hazydk4vq72qd.onion",
      "m_base_url": "http://breachdbsztfykg2fdaq2gnqnxfsbj5d35byz3yzj73hazydk4vq72qd.onion",
      "m_content": "",
      "m_important_content": "Records were found in a data breach.",
      "m_network": "onion",
      "m_section": [],
      "m_content_type": ["stolen"],
      "m_screenshot": "",
      "m_weblink": [],
      "m_dumplink": [
        "Canva",
        "000WebHost.com",
        "Breach Compilation",
        "Exploit.In",
        "Collection #2",
        "Mathway (v2)",
        "Collection #5",
        "Slideteam.net",
        "Mathway (v1)"
      ],
      "m_websites": [],
      "m_logo_or_images": [],
      "m_leak_date": null,
      "m_data_size": null,
      "m_revenue": null
    }
  ]
}

Field semantics for each element under result:

  • m_title — high-level summary of the match context for the provided email or username

  • m_url — primary reference URL where the aggregated breach information is hosted

  • m_base_url — base URL of the breach or aggregation site

  • m_content — optional textual details, which may be empty when only summary text is available

  • m_important_content — short human-readable description of the exposure

  • m_network — network type where the breach information is hosted (e.g. onion)

  • m_section — list of sections or categories on the breach site that this record belongs to

  • m_content_type — internal labels describing the nature of the data, such as stolen

  • m_screenshot — identifier for a related screenshot image when available, or empty string if none

  • m_weblink — list of clearnet URLs directly related to this breach record, if present

  • m_dumplink — list of named breach collections or dump sources where the email was found

  • m_websites — list of affected websites or services when this information is available

  • m_logo_or_images — list of URLs pointing to logos or images associated with the victim or breach

  • m_leak_date — date of the leak if known, otherwise null

  • m_data_size — approximate size of the exposed dataset when provided, otherwise null

  • m_revenue — optional revenue or financial impact metadata, when tracked by the source

Multiple entries can be returned in result if the same email or username was observed in more than one breach collection or dataset.
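The pending/result cycle described above is easy to get wrong in a client (treating a pending body as an empty result, or polling forever). The following Python snippet is an added example, not code from the documented API: it builds the request body, re-issues the lookup until a response carrying the result array arrives, and flattens each hit into a triage row. The HTTP call is abstracted behind a callable so the logic runs offline; make_fake_transport, the scripted responses, the placeholder .onion address and the example.com email are all constructed for this illustration.

```python
"""Client-side handling of the dynamic_user_email pending / result cycle.

Added example, not part of the documented API. The HTTP call itself sits behind
a callable so the polling logic can be exercised offline; make_fake_transport is
a constructed stand-in that replays scripted responses.
"""
import time
from typing import Any, Callable

Response = dict[str, Any]


def build_user_email_request(email: str, username: str = "") -> Response:
    """Body for the dynamic_user_email POST; username may stay empty, as documented."""
    if not email or "@" not in email:
        raise ValueError("an email address is required for this lookup")
    return {"text": {"username": username, "email": email}}


def is_pending(resp: Response) -> bool:
    """True while the upstream collection is still running."""
    return resp.get("status") == "pending"


def wait_for_result(fetch: Callable[[], Response], max_attempts: int = 10,
                    delay_seconds: float = 0.0) -> Response:
    """Re-issue the request via fetch() until a response with 'result' arrives.

    Raises TimeoutError if the API is still pending after max_attempts, and
    ValueError if a non-pending response lacks the documented 'result' array.
    """
    last: Response = {}
    for _ in range(max_attempts):
        last = fetch()
        if not is_pending(last):
            if "result" not in last:
                raise ValueError(f"unexpected response keys: {sorted(last)}")
            return last
        if delay_seconds:
            time.sleep(delay_seconds)
    raise TimeoutError(f"still pending after {max_attempts} attempts "
                       f"(last progress={last.get('progress')!r})")


def summarize_exposures(resp: Response) -> list[dict[str, Any]]:
    """Flatten the result array into rows a triage queue can consume."""
    rows = []
    for hit in resp.get("result", []):
        rows.append({
            "summary": hit.get("m_important_content") or hit.get("m_title", ""),
            "network": hit.get("m_network"),
            "source": hit.get("m_base_url"),
            "collections": list(hit.get("m_dumplink") or []),
            "leak_date": hit.get("m_leak_date"),
        })
    return rows


def make_fake_transport(responses: list[Response]) -> Callable[[], Response]:
    """Constructed stand-in for the HTTP layer: returns the scripted responses in order."""
    it = iter(responses)
    return lambda: next(it)


# Constructed response sequence: two pending polls, then a result shaped like the
# documented example (collection names taken from it; the URL is a placeholder).
SCRIPTED_RESPONSES: list[Response] = [
    {"status": "pending", "progress": 10, "step": "running"},
    {"status": "pending", "progress": 65, "step": "running"},
    {"result": [{
        "m_title": "Records for provided queries",
        "m_base_url": "http://placeholder-breach-aggregator.onion",
        "m_important_content": "Records were found in a data breach.",
        "m_network": "onion",
        "m_content_type": ["stolen"],
        "m_dumplink": ["Canva", "Breach Compilation", "Collection #2"],
        "m_leak_date": None,
    }]},
]

if __name__ == "__main__":
    body = build_user_email_request("user@example.com")
    print("request body:", body)
    final = wait_for_result(make_fake_transport(SCRIPTED_RESPONSES))
    for row in summarize_exposures(final):
        print(row)
```

In a real client the callable would wrap the HTTP POST with the same body each time; the delay_seconds argument gives the upstream collectors time to finish between polls, and the attempt cap turns an upstream stall into an explicit error instead of a silent empty result.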


dynamic_cracked

Description

Perform a dynamic search for cracked credentials or applications identified in breach and defacement datasets, highlighting high-risk compromised apps, accounts and password reuse exposure.

The request is an HTTP POST and expects a JSON body with a text object. For APK/app lookups, the backend currently supports using a Play Store URL to identify cracked or repackaged versions:

{
  "text": {
    "playstore": "https://play.google.com/store/apps/details?id=com.jrzheng.supervpnfree&hl=en"
  }
}

The playstore field should contain a valid Google Play application URL for which cracked or modified artifacts should be discovered.

Response

Dynamic search results listing cracked or modified application artifacts with related context and metadata.

The response is a JSON object containing a result array. Each element describes one discovered artifact, such as a cracked APK.

Example response:

{
  "result": [
    {
      "m_app_name": "SuperVPN Fast VPN Client v3.0.3.apk",
      "m_package_id": "com.jrzheng.supervpnfree",
      "m_app_url": "https://filecr.com/android/supervpn-fast-vpn-client/",
      "m_network": "clearnet",
      "m_version": "3.0.3",
      "m_content_type": ["apk"],
      "m_download_link": [],
      "m_apk_size": null,
      "m_latest_date": "2025-10-30",
      "m_mod_features": ""
    }
  ]
}

Field semantics for each element under result:

  • m_app_name — name of the discovered app artifact (often includes version and .apk suffix)

  • m_package_id — application package identifier (e.g. com.jrzheng.supervpnfree)

  • m_app_url — URL of the site hosting the cracked or redistributed app (e.g. warez/file hosting site)

  • m_network — network type where the artifact is hosted (typically clearnet)

  • m_version — discovered application version string

  • m_content_type — internal labels describing artifact type (e.g. apk)

  • m_download_link — list of direct download URLs for the artifact when available (may be empty)

  • m_apk_size — APK file size when known, otherwise null

  • m_latest_date — most recent observation date for this artifact

  • m_mod_features — description of modifications, cracks or extra features, if provided by the source

Multiple entries can be returned in result if the same Play Store app is found across different cracked repositories or mirrors. Duplicate-looking entries may indicate separate sources with the same version and metadata.
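The following Python snippet is an added example, not code from the documented API or any client it ships. It validates the Play Store URL before sending it (the documentation only accepts a Google Play application URL), extracts the package id from that URL, and then triages the result array: hits whose m_package_id differs from the requested app are set aside, exact duplicates (same version at the same m_app_url) are collapsed, and the remaining artifacts are summarised by version and hosting site. The helper names, the second mirror host (mirror.example) and the unrelated package id (com.example.other) are this example's own constructions.

```python
"""Validate a Play Store lookup and triage dynamic_cracked results.

Added example, not part of the documented API. It checks the request URL the way
the documentation describes it (a Google Play app details URL), keeps only the
artifacts whose m_package_id matches the requested app, and collapses exact
duplicates while preserving entries that differ in version or hosting site.
"""
from typing import Any
from urllib.parse import parse_qs, urlparse

PLAY_HOST = "play.google.com"
PLAY_PATH = "/store/apps/details"


def playstore_package_id(url: str) -> str:
    """Extract the package id from a Google Play app URL, rejecting anything else."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.netloc != PLAY_HOST or parts.path != PLAY_PATH:
        raise ValueError(f"not a Google Play app details URL: {url}")
    ids = parse_qs(parts.query).get("id", [])
    if len(ids) != 1 or not ids[0]:
        raise ValueError("Play Store URL must carry exactly one id parameter")
    return ids[0]


def build_cracked_request(url: str) -> dict[str, Any]:
    """Body for the dynamic_cracked POST, validated before it leaves the client."""
    playstore_package_id(url)
    return {"text": {"playstore": url}}


def triage_cracked_results(requested_url: str, resp: dict[str, Any]) -> dict[str, Any]:
    """Group artifacts for the requested package by version and hosting site."""
    wanted = playstore_package_id(requested_url)
    seen: set[tuple] = set()
    artifacts: list[dict[str, Any]] = []
    ignored = 0
    for art in resp.get("result", []):
        if art.get("m_package_id") != wanted:
            ignored += 1   # hit for some other package: do not report it under this app
            continue
        key = (art.get("m_version"), art.get("m_app_url"))
        if key in seen:
            continue       # identical source and version already recorded
        seen.add(key)
        artifacts.append(art)
    return {
        "package_id": wanted,
        "artifacts": artifacts,
        "versions": sorted({a["m_version"] for a in artifacts if a.get("m_version")}),
        "hosting_sites": sorted({urlparse(a["m_app_url"]).netloc
                                 for a in artifacts if a.get("m_app_url")}),
        "ignored_other_packages": ignored,
    }


def _artifact(name: str, pkg: str, url: str, version: str, date: str,
              features: str = "") -> dict[str, Any]:
    """Build a record in the documented shape (helper for the constructed sample)."""
    return {"m_app_name": name, "m_package_id": pkg, "m_app_url": url, "m_network": "clearnet",
            "m_version": version, "m_content_type": ["apk"], "m_download_link": [],
            "m_apk_size": None, "m_latest_date": date, "m_mod_features": features}


REQUEST_URL = "https://play.google.com/store/apps/details?id=com.jrzheng.supervpnfree&hl=en"

# Constructed response: the documented artifact, an exact duplicate of it, a second
# mirror carrying an older version, and a hit for an unrelated package (placeholder id).
SAMPLE_RESPONSE: dict[str, Any] = {"result": [
    _artifact("SuperVPN Fast VPN Client v3.0.3.apk", "com.jrzheng.supervpnfree",
              "https://filecr.com/android/supervpn-fast-vpn-client/", "3.0.3", "2025-10-30"),
    _artifact("SuperVPN Fast VPN Client v3.0.3.apk", "com.jrzheng.supervpnfree",
              "https://filecr.com/android/supervpn-fast-vpn-client/", "3.0.3", "2025-10-30"),
    _artifact("SuperVPN v3.0.2 mod.apk", "com.jrzheng.supervpnfree",
              "https://mirror.example/apk/supervpn-3.0.2/", "3.0.2", "2025-09-01", "premium unlocked"),
    _artifact("other.apk", "com.example.other",
              "https://mirror.example/apk/other/", "1.0", "2025-08-15"),
]}

if __name__ == "__main__":
    print(build_cracked_request(REQUEST_URL))
    report = triage_cracked_results(REQUEST_URL, SAMPLE_RESPONSE)
    print(report["package_id"], report["versions"], report["hosting_sites"],
          "ignored:", report["ignored_other_packages"])
```

Deduplicating on version plus m_app_url rather than on version alone keeps the case the documentation calls out: the same build appearing on two different mirrors is two separate sources worth tracking, whereas two identical rows from one source add nothing.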


dynamic_social

Description

Perform a dynamic search for social media identifiers and related email addresses found in breach and defacement data, helping uncover exposed or impersonated social accounts.

The request is an HTTP POST and expects a JSON body with a text object containing the social handle or username to look up.

Example request payload:

{
  "text": {
    "username": "bitcoin"
  }
}

The username field should contain the social identifier to be resolved across monitored platforms and breach-related datasets.

Response

Dynamic search results listing exposed or observed social media identifiers and related contact details.

The response is a JSON object containing a result array. Each element describes one occurrence of the provided username on a monitored platform.

Example response:

{
  "result": [
    {
      "m_title": "User bitcoin found on https://twitter.com",
      "m_url": "https://twitter.com/bitcoin",
      "m_base_url": "https://twitter.com",
      "m_content": "",
      "m_important_content": "Found on: https://twitter.com/bitcoin",
      "m_network": "clearnet",
      "m_section": [],
      "m_content_type": ["stolen"],
      "m_screenshot": "",
      "m_weblink": ["https://twitter.com/bitcoin"],
      "m_dumplink": ["https://twitter.com/bitcoin"],
      "m_websites": [],
      "m_logo_or_images": [],
      "m_leak_date": null,
      "m_data_size": null,
      "m_revenue": null
    },
    {
      "m_title": "User bitcoin found on https://clubhouse.com",
      "m_url": "https://clubhouse.com/@bitcoin",
      "m_base_url": "https://clubhouse.com",
      "m_content": "",
      "m_important_content": "Found on: https://clubhouse.com/@bitcoin",
      "m_network": "clearnet",
      "m_section": [],
      "m_content_type": ["stolen"],
      "m_screenshot": "",
      "m_weblink": ["https://clubhouse.com/@bitcoin"],
      "m_dumplink": ["https://clubhouse.com/@bitcoin"],
      "m_websites": [],
      "m_logo_or_images": [],
      "m_leak_date": null,
      "m_data_size": null,
      "m_revenue": null
    }
  ]
}

Field semantics for each element under result:

  • m_title — summary line indicating the username and the platform where it was found

  • m_url — direct URL to the profile or page for the discovered account

  • m_base_url — base URL of the platform (e.g. https://twitter.com, https://clubhouse.com)

  • m_content — optional additional text content, which may be empty when only metadata is stored

  • m_important_content — short human-readable description of the finding (for example Found on: https://twitter.com/bitcoin)

  • m_network — network type where the account is hosted (typically clearnet)

  • m_section — optional list of sections/categories on the platform or in the underlying dataset

  • m_content_type — internal classification labels for the record (e.g. stolen to indicate possible compromise or risk)

  • m_screenshot — identifier for a screenshot of the profile or page, when available, or empty string

  • m_weblink — list of direct profile URLs for the discovered account on that platform

  • m_dumplink — list of links or references within breach/collection data pointing to this account

  • m_websites — list of associated websites when available

  • m_logo_or_images — list of URLs for logos, avatars or images tied to the account

  • m_leak_date — date of the leak or earliest observation if known, otherwise null

  • m_data_size — size of associated dataset when this information is available, otherwise null

  • m_revenue — optional revenue/financial impact metadata when tracked by the backend

Multiple entries can be returned in result when the same username is observed on different social platforms or in various breach-related datasets.


domain_scan

Description

Scan a target domain using the configured scanning engine.

The request is an HTTP POST and expects a JSON body matching the DomainScanRequest schema:

{
  "domain": "www.bbc.com",
  "scanType": "basic"
}

Fields:

  • domain — target domain or host to scan (e.g. www.bbc.com)

  • scanType — scan mode selector. Supported values:

    • basic — infrastructure & HTTP intelligence (security headers, caching, CSP, CORS, etc.)

    • advanced — same as basic, plus port scanning and service-level inspection

    • seo — SEO metadata, indexing and ranking-related signals

    • repo — linked repository scan (GitHub/GitLab, exposed files, commit metadata)

Payload examples by scanType (all share the same schema; scanType selects the mode, and for repo scans the domain field carries the repository URL instead of a host name):

{
  "domain": "www.bbc.com",
  "scanType": "basic"
}
{
  "domain": "www.bbc.com",
  "scanType": "advanced"
}
{
  "domain": "www.bbc.com",
  "scanType": "seo"
}
{
  "domain": "https://github.com/globaleaks/globaleaks-whistleblowing-software",
  "scanType": "repo"
}

Response

Scan results for the selected scanType, returned as a JSON object with a top-level result field.

For basic / advanced / seo scans, the structure of result is typically:

  • meta — scan metadata:

    • URL — fully qualified URL that was scanned (e.g. https://www.bbc.com)

    • Host — resolved host name (e.g. www.bbc.com)

    • Port — port and protocol (e.g. 443 SSL)

    • Scanned_on_date — human-readable scan date (e.g. December 07, 2025)

    • Scanned_by — scanner identity (e.g. Orion Intelligence)

  • summary — map of category name → count of findings in that category, such as:

    • Headers, Caching Findings, Caching, CSP/Policy, CORS, General, Informational

  • threats — map of category name → list of findings, each containing:

    • header — finding title or header (e.g. Permissions-Policy)

    • description — detailed explanation of the issue

    • confidence — confidence level (High, Medium, Low)

    • risk — risk level (High, Medium, Low, Informational)

  • proofs — map of category name → list of evidence items, each containing:

    • header — finding title or header

    • proof — HTML/response snippet or other raw evidence

    • confidence — confidence level

    • risk — risk level

  • grade — overall security/quality grade (e.g. D)

  • grade_counts — totals of findings by severity:

    • high, medium, low, informational

For advanced scans, the structure is the same as basic but may include additional port and service intelligence within meta and/or as extra categories in summary/threats.

For repo scans, result has the same top-level structure but often with empty findings when no issues are detected. A typical repo scan looks like:

{
  "result": {
    "meta": {
      "URL": "https://github.com/globaleaks/globaleaks-whistleblowing-software",
      "Host": "github.com",
      "Port": "443 SSL",
      "Scanned_on_date": "December 07, 2025",
      "Scanned_by": "Orion Intelligence"
    },
    "summary": {},
    "threats": {},
    "proofs": {},
    "grade": "A",
    "grade_counts": {
      "high": 0,
      "medium": 0,
      "low": 0,
      "informational": 0
    }
  }
}

The exact number of findings and the categories under summary, threats, and proofs depend on the target and the selected scanType.
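To show how the result structure above is consumed, the following Python snippet is an added example, not code from the documented scanner or its API. It tallies the findings under threats by risk label, checks that grade_counts agrees with that tally rather than trusting it blindly, and produces a risk-ordered worklist with any matching proof attached. The basic-scan result is constructed for this illustration (www.example.com as the target, illustrative finding text, and a deliberately inconsistent grade_counts); the repo-scan result is the empty one documented above.

```python
"""Post-process a domain_scan response: sanity-check grade_counts against the
findings and produce a risk-ordered worklist.

Added example, not part of the documented API. It assumes the result layout
described above (threats keyed by category, each finding carrying header, risk
and confidence) and that grade_counts should equal the tally of risk labels in
threats; an inconsistency is reported rather than silently trusted.
"""
from typing import Any

RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}
RISK_TO_COUNT_KEY = {"High": "high", "Medium": "medium",
                     "Low": "low", "Informational": "informational"}


def count_by_risk(result: dict[str, Any]) -> dict[str, int]:
    """Tally findings under threats by risk label, using grade_counts' key names."""
    counts = {key: 0 for key in RISK_TO_COUNT_KEY.values()}
    for findings in result.get("threats", {}).values():
        for finding in findings:
            key = RISK_TO_COUNT_KEY.get(finding.get("risk"))
            if key is None:
                raise ValueError(f"unknown risk label {finding.get('risk')!r} "
                                 f"on {finding.get('header')!r}")
            counts[key] += 1
    return counts


def grade_counts_consistent(result: dict[str, Any]) -> bool:
    """True when grade_counts matches what the threats section actually contains."""
    reported = {key: int(result.get("grade_counts", {}).get(key, 0))
                for key in RISK_TO_COUNT_KEY.values()}
    return reported == count_by_risk(result)


def worklist(result: dict[str, Any]) -> list[dict[str, str]]:
    """Findings ordered by risk, then category, then header, with any proof attached."""
    proofs: dict[tuple, str] = {}
    for category, items in result.get("proofs", {}).items():
        for item in items:
            proofs[(category, item.get("header"))] = item.get("proof", "")
    rows = []
    for category, findings in result.get("threats", {}).items():
        for finding in findings:
            rows.append({"category": category,
                         "header": finding.get("header", ""),
                         "risk": finding.get("risk", ""),
                         "confidence": finding.get("confidence", ""),
                         "proof": proofs.get((category, finding.get("header")), "")})
    rows.sort(key=lambda r: (RISK_ORDER.get(r["risk"], 99), r["category"], r["header"]))
    return rows


# Constructed basic-scan result. The header names are real HTTP headers; the
# target, the finding text and the counts are illustrative, not scanner output.
BASIC_RESULT: dict[str, Any] = {
    "meta": {"URL": "https://www.example.com", "Host": "www.example.com", "Port": "443 SSL",
             "Scanned_on_date": "December 07, 2025", "Scanned_by": "Orion Intelligence"},
    "summary": {"Headers": 2, "CSP/Policy": 1, "Informational": 1},
    "threats": {
        "Headers": [
            {"header": "Strict-Transport-Security", "description": "HSTS header not set",
             "confidence": "High", "risk": "Medium"},
            {"header": "Permissions-Policy", "description": "Permissions-Policy header not set",
             "confidence": "High", "risk": "Low"},
        ],
        "CSP/Policy": [
            {"header": "Content-Security-Policy",
             "description": "No CSP header; inline script is unrestricted",
             "confidence": "High", "risk": "High"},
        ],
        "Informational": [
            {"header": "Server", "description": "Server header discloses software version",
             "confidence": "Medium", "risk": "Informational"},
        ],
    },
    "proofs": {"Informational": [{"header": "Server", "proof": "Server: ExampleHTTPd/1.2",
                                  "confidence": "Medium", "risk": "Informational"}]},
    "grade": "D",
    # informational is deliberately wrong (actual tally is 1) to exercise the check
    "grade_counts": {"high": 1, "medium": 1, "low": 1, "informational": 0},
}

# Repo-scan result as documented above: no findings, grade A.
REPO_RESULT: dict[str, Any] = {
    "meta": {"URL": "https://github.com/globaleaks/globaleaks-whistleblowing-software",
             "Host": "github.com", "Port": "443 SSL",
             "Scanned_on_date": "December 07, 2025", "Scanned_by": "Orion Intelligence"},
    "summary": {}, "threats": {}, "proofs": {}, "grade": "A",
    "grade_counts": {"high": 0, "medium": 0, "low": 0, "informational": 0},
}

if __name__ == "__main__":
    for name, res in (("basic", BASIC_RESULT), ("repo", REPO_RESULT)):
        print(name, "grade", res["grade"], "consistent:", grade_counts_consistent(res))
        for row in worklist(res):
            print("  ", row["risk"], row["category"], row["header"], row["proof"] or "-")
```

Keying proofs on (category, header) mirrors how the two maps are laid out in the response, so evidence is only attached to the finding it was produced for; a finding without a proof entry simply carries an empty string.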