Statistics
ThreatFox produces detailed statistics on indicators of compromise shared - find the available statistics below.
You can also access Spamhaus's Malware Digest report, based on ThreatFox data:
The statistics below consider indicators of compromise (IOCs) submitted to ThreatFox within the past 14 days.
Number of IOCs shared
The chart below documents the number of indicators of compromise (IOCs) shared on ThreatFox per day over a period of 30 days.
Top Contributors
Threatfox is "just" a platform for sharing IOCs. It would be worthless without the help of volunteers who contribute their IOCs to the project. The table below shows the top contributors by credits earned for the past 30 days.
| Rank | Reporter | Last activity | Submissions |
|---|---|---|---|
| 1 |  juroots | 2025-11-17 14:22:48 | 3'410 |
| 2 |  threatcat_ch | 2025-11-17 21:37:24 | 1'906 |
| 3 |  abuse_ch | 2025-11-17 20:50:22 | 1'416 |
| 4 |  DonPasci | 2025-11-17 21:41:49 | 1'098 |
| 5 |  HuntYethHounds | 2025-11-17 21:36:53 | 523 |
| 6 |  Grim | 2025-11-17 00:20:08 | 504 |
| 7 |  dyingbreeds_ | 2025-11-17 12:06:36 | 483 |
| 8 | digitallodge | 2025-11-15 15:43:06 | 298 |
| 9 |  ttakvam | 2025-11-17 13:48:43 | 290 |
| 10 |  BlackLotusLabs | 2025-11-17 13:58:11 | 213 |
Top Malware Families
Top Tags
IOCs by type
IOCs on ThreatFox are categorized so called IOC types. The following table shows the number of IOCs observed on ThreatFox per IOC type (past 14 days).
| IOCs | IOC Type | IOC description |
|---|---|---|
| 3'225 | ip:port | ip:port combination that is used for botnet Command&control (C&C) |
| 2'473 | domain | Domain name that delivers a malware payload |
| 2'306 | domain | Domain that is used for botnet Command&control (C&C) |
| 1'648 | url | URL that is used for botnet Command&control (C&C) |
| 638 | url | URL that delivers a malware payload |
| 177 | md5_hash | MD5 hash of a malware sample (payload) |
| 170 | sha256_hash | SHA256 hash of a malware sample (payload) |
| 168 | sha1_hash | SHA1 hash of a malware sample (payload) |
| 8 | ip:port | ip:port combination that delivery a malware payload |
The statistics below consider indicators of compromise (IOCs) submitted to ThreatFox since it's launch in March 2021.
Number of IOCs shared
The chart below documents the number of indicators of compromise (IOCs) shared on ThreatFox per day over a period of 12 months.
Top Contributors
Threatfox is "just" a platform for sharing IOCs. It would be worthless without the help of volunteers who contribute their IOCs to the project. The table below shows the top contributors by credits earned.
| Rank | Reporter | Last activity | Submissions |
|---|---|---|---|
| 1 |  Cryptolaemus1 | 2025-09-05 | 679'888 |
| 2 | abuse_ch | 2025-11-17 | 177'425 |
| 3 |  drb_ra | 2025-10-23 | 88'280 |
| 4 |  Gi7w0rm | 2025-11-07 | 57'067 |
| 5 | DonPasci | 2025-11-17 | 49'942 |
| 6 | juroots | 2025-11-17 | 42'521 |
| 7 | Grim | 2025-11-17 | 44'252 |
| 8 |  TheRavenFile | 2025-11-13 | 37'552 |
| 9 |  lazyactivist192 | 2025-02-07 | 29'739 |
| 10 |  Virus_Deck | 2022-09-30 | 29'150 |
Top Malware Families
Top Tags
IOCs by type
IOCs on ThreatFox are categorized so called IOC types. The following table shows the number of IOCs observed on ThreatFox per IOC type (overall).
| IOCs | IOC Type | IOC description |
|---|---|---|
| 766'117 | sha256_hash | SHA256 hash of a malware sample (payload) |
| 238'840 | ip:port | ip:port combination that is used for botnet Command&control (C&C) |
| 185'786 | url | URL that delivers a malware payload |
| 143'924 | domain | Domain that is used for botnet Command&control (C&C) |
| 107'294 | url | URL that is used for botnet Command&control (C&C) |
| 44'888 | domain | Domain name that delivers a malware payload |
| 19'897 | md5_hash | MD5 hash of a malware sample (payload) |
| 15'591 | sha1_hash | SHA1 hash of a malware sample (payload) |
| 3'286 | ip:port | ip:port combination that delivery a malware payload |
| 544 | domain | Domain used for credit card skimming (usually related to Magecart attacks) |
| 22 | sha3_384_hash | SHA3-384 hash of a malware sample (payload) |
| 1 | envelope_from | Sender email address (envelope from) that is used for payload delivery |