Statistics

The statistics below consider indicators of compromise (IOCs) submitted to ThreatFox within the past 14 days.

Number of IOCs shared


The chart below documents the number of indicators of compromise (IOCs) shared on ThreatFox per day over a period of 30 days.

Top Contributors


Threatfox is "just" a platform for sharing IOCs. It would be worthless without the help of volunteers who contribute their IOCs to the project. The table below shows the top contributors by credits earned for the past 30 days.

RankReporterLast activityCredits earnedSubmissions
1Twitter @Cryptolaemus12022-05-28 3'078'800437'228
2Twitter @drb_ra2022-05-28 282'09029'951
3Twitter @abuse_ch2022-05-28 172'06531'750
4Twitter @Virus_Deck2022-05-28 145'81528'731
5Twitter @nickkuechel2022-05-24 83'07013'254
6Twitter @pr0xylife2022-05-27 11'0001'686
7Twitter @DFNCERT2022-05-16 8'480872
8Twitter @r0ny_1232022-05-28 8'3701'670
9Twitter @AndreGironda2022-05-27 4'645900
10Twitter @sicehice2022-05-24 4'630844

Top Malware Families

Top Tags

IOCs by type


IOCs on ThreatFox are categorized so called IOC types. The following table shows the number of IOCs observed on ThreatFox per IOC type (past 14 days).

IOCsIOC TypeIOC description
73'119sha256_hashSHA256 hash of a malware sample (payload)
1'408ip:portip:port combination that is used for botnet Command&control (C&C)
1'147urlURL that delivers a malware payload
915urlURL that is used for botnet Command&control (C&C)
91domainDomain name that delivers a malware payload
34domainDomain that is used for botnet Command&control (C&C)
6md5_hashMD5 hash of a malware sample (payload)
4sha3_384_hashSHA3-384 hash of a malware sample (payload)
3domainDomain used for credit card skimming (usually related to Magecart attacks)

The statistics below consider indicators of compromise (IOCs) submitted to ThreatFox since it's launch in March 2021.

Number of IOCs shared


The chart below documents the number of indicators of compromise (IOCs) shared on ThreatFox per day over a period of 12 months.

Top Contributors


Threatfox is "just" a platform for sharing IOCs. It would be worthless without the help of volunteers who contribute their IOCs to the project. The table below shows the top contributors by credits earned.

RankReporterLast activityCredits earnedSubmissions
1Twitter @Cryptolaemus12022-05-28 3'078'800437'228
2Twitter @drb_ra2022-05-28 282'09029'951
3Twitter @abuse_ch2022-05-28 172'06531'750
4Twitter @lazyactivist1922021-05-25 148'53529'707
5Twitter @Virus_Deck2022-05-28 145'81528'731
6Twitter @TallJohnBrown2022-04-04 129'10525'821
7Twitter @_CarlosCabal2022-04-14 107'96521'593
8Twitter @nickkuechel2022-05-24 83'07013'254
9Twitter @honeymoon_ioc2022-05-01 24'7304'946
10Twitter @HarioMenkel2022-02-04 14'7252'127

Top Malware Families

Top Tags

IOCs by type


IOCs on ThreatFox are categorized so called IOC types. The following table shows the number of IOCs observed on ThreatFox per IOC type (overall).

IOCsIOC TypeIOC description
518'557sha256_hashSHA256 hash of a malware sample (payload)
40'701ip:portip:port combination that is used for botnet Command&control (C&C)
26'673urlURL that is used for botnet Command&control (C&C)
21'012urlURL that delivers a malware payload
6'346domainDomain that is used for botnet Command&control (C&C)
1'031md5_hashMD5 hash of a malware sample (payload)
585domainDomain name that delivers a malware payload
528ip:portip:port combination that delivery a malware payload
155domainDomain used for credit card skimming (usually related to Magecart attacks)
108sha1_hashSHA1 hash of a malware sample (payload)
21sha3_384_hashSHA3-384 hash of a malware sample (payload)