Statistics

ThreatFox produces detailed statistics on indicators of compromise shared - find the available statistics below.

You can also access Spamhaus's Malware Digest report, based on ThreatFox data:

The statistics below consider indicators of compromise (IOCs) submitted to ThreatFox within the past 14 days.

Number of IOCs shared


The chart below documents the number of indicators of compromise (IOCs) shared on ThreatFox per day over a period of 30 days.

Top Contributors


Threatfox is "just" a platform for sharing IOCs. It would be worthless without the help of volunteers who contribute their IOCs to the project. The table below shows the top contributors by credits earned for the past 30 days.

RankReporterLast activityCredits earnedSubmissions
1Twitter @abuse_ch2025-01-22 785'070120'846
2Twitter @Gi7w0rm2025-01-22 228'67543'797
3Twitter @DonPasci2025-01-23 125'92518'877
4Twitter @NDA0E2025-01-21 61'21511'200
5Twitter @abus3reports2025-01-16 46'1708'172
6Twitter @crep1x2025-01-22 41'2508'177
7Twitter @Rony2025-01-20 26'4654'612
8Twitter @dyingbreeds_2025-01-22 22'1654'138
9Twitter @500mk5002025-01-22 17'9203'506
10Twitter @juroots2025-01-22 15'4702'839

Top Malware Families

Top Tags

IOCs by type


IOCs on ThreatFox are categorized so called IOC types. The following table shows the number of IOCs observed on ThreatFox per IOC type (past 14 days).

IOCsIOC TypeIOC description
4'830ip:portip:port combination that is used for botnet Command&control (C&C)
1'708domainDomain that is used for botnet Command&control (C&C)
1'258domainDomain name that delivers a malware payload
785urlURL that is used for botnet Command&control (C&C)
251urlURL that delivers a malware payload
104sha256_hashSHA256 hash of a malware sample (payload)
67md5_hashMD5 hash of a malware sample (payload)
34ip:portip:port combination that delivery a malware payload
6sha1_hashSHA1 hash of a malware sample (payload)
2domainDomain used for credit card skimming (usually related to Magecart attacks)
1envelope_fromSender email address (envelope from) that is used for payload delivery

The statistics below consider indicators of compromise (IOCs) submitted to ThreatFox since it's launch in March 2021.

Number of IOCs shared


The chart below documents the number of indicators of compromise (IOCs) shared on ThreatFox per day over a period of 12 months.

Top Contributors


Threatfox is "just" a platform for sharing IOCs. It would be worthless without the help of volunteers who contribute their IOCs to the project. The table below shows the top contributors by credits earned.

RankReporterLast activityCredits earnedSubmissions
1 Cryptolaemus12024-12-17 4'307'335679'877
2 abuse_ch2025-01-22 785'070120'846
3 drb_ra2024-11-13 694'96588'255
4 Gi7w0rm2025-01-22 228'67543'797
5 lazyactivist1922024-01-17 148'74529'736
6 Grim2024-11-13 148'11029'552
7 Virus_Deck2022-09-30 147'93029'150
8 thehappydinoa2024-12-02 142'18523'615
9 TheTallJohnBrown2024-03-14 129'11525'823
10 DonPasci2025-01-23 125'92518'877

Top Malware Families

Top Tags

IOCs by type


IOCs on ThreatFox are categorized so called IOC types. The following table shows the number of IOCs observed on ThreatFox per IOC type (overall).

IOCsIOC TypeIOC description
724'371sha256_hashSHA256 hash of a malware sample (payload)
181'470urlURL that delivers a malware payload
171'116ip:portip:port combination that is used for botnet Command&control (C&C)
87'807urlURL that is used for botnet Command&control (C&C)
70'334domainDomain that is used for botnet Command&control (C&C)
28'845domainDomain name that delivers a malware payload
13'189md5_hashMD5 hash of a malware sample (payload)
10'297sha1_hashSHA1 hash of a malware sample (payload)
2'610ip:portip:port combination that delivery a malware payload
421domainDomain used for credit card skimming (usually related to Magecart attacks)
21sha3_384_hashSHA3-384 hash of a malware sample (payload)
1envelope_fromSender email address (envelope from) that is used for payload delivery