Statistics

The statistics below consider indicators of compromise (IOCs) submitted to ThreatFox within the past 14 days.

Number of IOCs shared


The chart below documents the number of indicators of compromise (IOCs) shared on ThreatFox per day over a period of 30 days.

Top Contributors


Threatfox is "just" a platform for sharing IOCs. It would be worthless without the help of volunteers who contribute their IOCs to the project. The table below shows the top contributors by credits earned for the past 30 days.

RankReporterLast activityCredits earnedSubmissions
1Twitter @Cryptolaemus12023-05-26 4'268'775674'003
2Twitter @abuse_ch2023-05-29 599'52090'988
3Twitter @drb_ra2023-05-29 490'28058'010
4Twitter @nickkuechel2023-05-29 97'63515'932
5Twitter @pr0xylife2023-05-24 36'0506'147
6Twitter @crep1x2023-05-25 23'0554'576
7Twitter @0xrb2023-05-16 19'3502'900
8Twitter @Rony2023-05-29 17'5203'329
9Twitter @Gi7w0rm2023-05-26 15'3653'063
10Twitter @myonium12023-05-23 7'0451'404

Top Malware Families

Top Tags

IOCs by type


IOCs on ThreatFox are categorized so called IOC types. The following table shows the number of IOCs observed on ThreatFox per IOC type (past 14 days).

IOCsIOC TypeIOC description
2'999urlURL that delivers a malware payload
1'893ip:portip:port combination that is used for botnet Command&control (C&C)
1'157urlURL that is used for botnet Command&control (C&C)
384domainDomain that is used for botnet Command&control (C&C)
118sha256_hashSHA256 hash of a malware sample (payload)
34md5_hashMD5 hash of a malware sample (payload)
11domainDomain name that delivers a malware payload
4sha1_hashSHA1 hash of a malware sample (payload)
3ip:portip:port combination that delivery a malware payload
2domainDomain used for credit card skimming (usually related to Magecart attacks)

The statistics below consider indicators of compromise (IOCs) submitted to ThreatFox since it's launch in March 2021.

Number of IOCs shared


The chart below documents the number of indicators of compromise (IOCs) shared on ThreatFox per day over a period of 12 months.

Top Contributors


Threatfox is "just" a platform for sharing IOCs. It would be worthless without the help of volunteers who contribute their IOCs to the project. The table below shows the top contributors by credits earned.

RankReporterLast activityCredits earnedSubmissions
1 Cryptolaemus12023-05-26 4'268'775674'003
2 abuse_ch2023-05-29 599'52090'988
3 drb_ra2023-05-29 490'28058'010
4 lazyactivist1922021-05-25 148'53529'707
5 Virus_Deck2022-09-30 147'93029'150
6 TallJohnBrown2023-01-27 129'11525'823
7 _CarlosCabal2022-06-09 107'96521'593
8 nickkuechel2023-05-29 97'63515'932
9 pr0xylife2023-05-24 36'0506'147
10 honeymoon_ioc2022-05-01 24'7304'946

Top Malware Families

Top Tags

IOCs by type


IOCs on ThreatFox are categorized so called IOC types. The following table shows the number of IOCs observed on ThreatFox per IOC type (overall).

IOCsIOC TypeIOC description
711'965sha256_hashSHA256 hash of a malware sample (payload)
165'372urlURL that delivers a malware payload
77'885ip:portip:port combination that is used for botnet Command&control (C&C)
54'061urlURL that is used for botnet Command&control (C&C)
23'688domainDomain name that delivers a malware payload
14'857domainDomain that is used for botnet Command&control (C&C)
2'354md5_hashMD5 hash of a malware sample (payload)
798ip:portip:port combination that delivery a malware payload
248sha1_hashSHA1 hash of a malware sample (payload)
168domainDomain used for credit card skimming (usually related to Magecart attacks)
21sha3_384_hashSHA3-384 hash of a malware sample (payload)