Statistics

The statistics below consider indicators of compromise (IOCs) submitted to ThreatFox within the past 14 days.

Number of IOCs shared


The chart below documents the number of indicators of compromise (IOCs) shared on ThreatFox per day over a period of 30 days.

Top Contributors


Threatfox is "just" a platform for sharing IOCs. It would be worthless without the help of volunteers who contribute their IOCs to the project. The table below shows the top contributors by credits earned for the past 30 days.

RankReporterLast activityCredits earnedSubmissions
1Twitter @Cryptolaemus12023-03-24 4'218'265664'091
2Twitter @abuse_ch2023-03-25 582'46587'741
3Twitter @drb_ra2023-03-25 432'79051'594
4Twitter @nickkuechel2023-03-13 95'21015'474
5Twitter @pr0xylife2023-03-24 35'6106'075
6Twitter @crep1x2023-03-24 21'3454'236
7Twitter @r0ny_1232023-03-23 15'5453'082
8Twitter @parthmaniar2023-03-15 14'7852'957
9Twitter @0xrb2023-03-24 14'6152'067
10Twitter @AndreGironda2023-03-25 7'6851'427

Top Malware Families

Top Tags

IOCs by type


IOCs on ThreatFox are categorized so called IOC types. The following table shows the number of IOCs observed on ThreatFox per IOC type (past 14 days).

IOCsIOC TypeIOC description
4'140ip:portip:port combination that is used for botnet Command&control (C&C)
1'143urlURL that is used for botnet Command&control (C&C)
1'024urlURL that delivers a malware payload
268domainDomain that is used for botnet Command&control (C&C)
86domainDomain name that delivers a malware payload
45md5_hashMD5 hash of a malware sample (payload)
22ip:portip:port combination that delivery a malware payload
14sha256_hashSHA256 hash of a malware sample (payload)
11sha1_hashSHA1 hash of a malware sample (payload)
1domainDomain used for credit card skimming (usually related to Magecart attacks)

The statistics below consider indicators of compromise (IOCs) submitted to ThreatFox since it's launch in March 2021.

Number of IOCs shared


The chart below documents the number of indicators of compromise (IOCs) shared on ThreatFox per day over a period of 12 months.

Top Contributors


Threatfox is "just" a platform for sharing IOCs. It would be worthless without the help of volunteers who contribute their IOCs to the project. The table below shows the top contributors by credits earned.

RankReporterLast activityCredits earnedSubmissions
1Twitter @Cryptolaemus12023-03-24 4'218'265664'091
2Twitter @abuse_ch2023-03-25 582'46587'741
3Twitter @drb_ra2023-03-25 432'79051'594
4Twitter @lazyactivist1922021-05-25 148'53529'707
5Twitter @Virus_Deck2022-09-30 147'93029'150
6Twitter @TallJohnBrown2023-01-27 129'11525'823
7Twitter @_CarlosCabal2022-06-09 107'96521'593
8Twitter @nickkuechel2023-03-13 95'21015'474
9Twitter @pr0xylife2023-03-24 35'6106'075
10Twitter @honeymoon_ioc2022-05-01 24'7304'946

Top Malware Families

Top Tags

IOCs by type


IOCs on ThreatFox are categorized so called IOC types. The following table shows the number of IOCs observed on ThreatFox per IOC type (overall).

IOCsIOC TypeIOC description
711'292sha256_hashSHA256 hash of a malware sample (payload)
154'127urlURL that delivers a malware payload
69'922ip:portip:port combination that is used for botnet Command&control (C&C)
48'591urlURL that is used for botnet Command&control (C&C)
23'406domainDomain name that delivers a malware payload
11'761domainDomain that is used for botnet Command&control (C&C)
2'146md5_hashMD5 hash of a malware sample (payload)
782ip:portip:port combination that delivery a malware payload
229sha1_hashSHA1 hash of a malware sample (payload)
166domainDomain used for credit card skimming (usually related to Magecart attacks)
21sha3_384_hashSHA3-384 hash of a malware sample (payload)