Statistics

ThreatFox produces detailed statistics on indicators of compromise shared - find the available statistics below.

You can also access Spamhaus's Malware Digest report, based on ThreatFox data:

https://www.spamhaus.org/malware-digest/#threatfox

Past 14 days
Overall

The statistics below consider indicators of compromise (IOCs) submitted to ThreatFox within the past 14 days.

Number of IOCs shared

The chart below documents the number of indicators of compromise (IOCs) shared on ThreatFox per day over a period of 30 days.

Top Contributors

Threatfox is "just" a platform for sharing IOCs. It would be worthless without the help of volunteers who contribute their IOCs to the project. The table below shows the top contributors by credits earned for the past 30 days.

Rank	Reporter	Last activity	Submissions
1	abuse_ch	2025-04-30 01:35:36	15'744
2	juroots	2025-04-29 07:10:50	1'361
3	DonPasci	2025-04-30 04:02:36	1'019
4	TheRavenFile	2025-04-29 15:50:20	1'011
5	dyingbreeds_	2025-04-30 04:01:40	448
6	Gi7w0rm	2025-04-21 10:37:04	408
7	RacWatchin8872	2025-04-29 11:47:24	259
8	UNP4CK	2025-04-28 07:42:26	171
9	threatcat_ch	2025-04-29 20:15:10	165
10	monitorsg	2025-04-29 23:09:20	154

Top Malware Families

Top Tags

IOCs by type

IOCs on ThreatFox are categorized so called IOC types. The following table shows the number of IOCs observed on ThreatFox per IOC type (past 14 days).

IOCs	IOC Type	IOC description
16'147	domain	Domain that is used for botnet Command&control (C&C)
2'612	ip:port	ip:port combination that is used for botnet Command&control (C&C)
1'058	sha256_hash	SHA256 hash of a malware sample (payload)
850	url	URL that is used for botnet Command&control (C&C)
329	domain	Domain name that delivers a malware payload
224	url	URL that delivers a malware payload
82	md5_hash	MD5 hash of a malware sample (payload)
8	ip:port	ip:port combination that delivery a malware payload
1	domain	Domain used for credit card skimming (usually related to Magecart attacks)

The statistics below consider indicators of compromise (IOCs) submitted to ThreatFox since it's launch in March 2021.

Number of IOCs shared

The chart below documents the number of indicators of compromise (IOCs) shared on ThreatFox per day over a period of 12 months.

Top Contributors

Rank	Reporter	Last activity	Submissions
1	Cryptolaemus1	2025-04-24	679'888
2	abuse_ch	2025-04-30	154'753
3	drb_ra	2025-04-16	88'255
4	Gi7w0rm	2025-04-21	51'781
5	TheRavenFile	2025-04-29	36'755
6	DonPasci	2025-04-30	28'630
7	lazyactivist192	2025-02-07	29'739
8	Grim	2024-11-13	29'552
9	Virus_Deck	2022-09-30	29'150
10	thehappydinoa	2024-12-02	23'615

Top Malware Families

Top Tags

IOCs by type

IOCs on ThreatFox are categorized so called IOC types. The following table shows the number of IOCs observed on ThreatFox per IOC type (overall).

IOCs	IOC Type	IOC description
758'568	sha256_hash	SHA256 hash of a malware sample (payload)
189'091	ip:port	ip:port combination that is used for botnet Command&control (C&C)
183'539	url	URL that delivers a malware payload
114'707	domain	Domain that is used for botnet Command&control (C&C)
96'352	url	URL that is used for botnet Command&control (C&C)
31'545	domain	Domain name that delivers a malware payload
13'869	md5_hash	MD5 hash of a malware sample (payload)
10'323	sha1_hash	SHA1 hash of a malware sample (payload)
3'022	ip:port	ip:port combination that delivery a malware payload
468	domain	Domain used for credit card skimming (usually related to Magecart attacks)
21	sha3_384_hash	SHA3-384 hash of a malware sample (payload)
1	envelope_from	Sender email address (envelope from) that is used for payload delivery