Statistics

ThreatFox produces detailed statistics on indicators of compromise shared - find the available statistics below.

You can also access Spamhaus's Malware Digest report, based on ThreatFox data:

https://www.spamhaus.org/malware-digest/#threatfox

Past 14 days
Overall

The statistics below consider indicators of compromise (IOCs) submitted to ThreatFox within the past 14 days.

Number of IOCs shared

The chart below documents the number of indicators of compromise (IOCs) shared on ThreatFox per day over a period of 30 days.

Top Contributors

Threatfox is "just" a platform for sharing IOCs. It would be worthless without the help of volunteers who contribute their IOCs to the project. The table below shows the top contributors by credits earned for the past 30 days.

Rank	Reporter	Last activity	Submissions
1	abuse_ch	2025-04-25 06:00:56	15'719
2	TheRavenFile	2025-04-25 05:23:45	2'463
3	Gi7w0rm	2025-04-21 10:37:04	1'512
4	juroots	2025-04-24 05:45:39	1'209
5	DonPasci	2025-04-25 04:01:57	1'105
6	dyingbreeds_	2025-04-25 05:24:11	405
7	RacWatchin8872	2025-04-23 11:58:17	236
8	threatcat_ch	2025-04-25 07:02:15	150
9	UNP4CK	2025-04-25 06:14:46	130
10	ttakvam	2025-04-25 05:29:05	99

Top Malware Families

Top Tags

IOCs by type

IOCs on ThreatFox are categorized so called IOC types. The following table shows the number of IOCs observed on ThreatFox per IOC type (past 14 days).

IOCs	IOC Type	IOC description
17'690	domain	Domain that is used for botnet Command&control (C&C)
2'749	ip:port	ip:port combination that is used for botnet Command&control (C&C)
1'351	url	URL that is used for botnet Command&control (C&C)
1'116	sha256_hash	SHA256 hash of a malware sample (payload)
301	domain	Domain name that delivers a malware payload
250	url	URL that delivers a malware payload
172	md5_hash	MD5 hash of a malware sample (payload)
6	ip:port	ip:port combination that delivery a malware payload
3	domain	Domain used for credit card skimming (usually related to Magecart attacks)

The statistics below consider indicators of compromise (IOCs) submitted to ThreatFox since it's launch in March 2021.

Number of IOCs shared

The chart below documents the number of indicators of compromise (IOCs) shared on ThreatFox per day over a period of 12 months.

Top Contributors

Rank	Reporter	Last activity	Submissions
1	Cryptolaemus1	2025-04-24	679'888
2	abuse_ch	2025-04-25	154'473
3	drb_ra	2025-04-16	88'255
4	Gi7w0rm	2025-04-21	51'781
5	TheRavenFile	2025-04-25	35'827
6	DonPasci	2025-04-25	28'323
7	lazyactivist192	2025-02-07	29'739
8	Grim	2024-11-13	29'552
9	Virus_Deck	2022-09-30	29'150
10	thehappydinoa	2024-12-02	23'615

Top Malware Families

Top Tags

IOCs by type

IOCs on ThreatFox are categorized so called IOC types. The following table shows the number of IOCs observed on ThreatFox per IOC type (overall).

IOCs	IOC Type	IOC description
757'657	sha256_hash	SHA256 hash of a malware sample (payload)
188'321	ip:port	ip:port combination that is used for botnet Command&control (C&C)
183'465	url	URL that delivers a malware payload
114'364	domain	Domain that is used for botnet Command&control (C&C)
96'003	url	URL that is used for botnet Command&control (C&C)
31'419	domain	Domain name that delivers a malware payload
13'859	md5_hash	MD5 hash of a malware sample (payload)
10'323	sha1_hash	SHA1 hash of a malware sample (payload)
3'018	ip:port	ip:port combination that delivery a malware payload
468	domain	Domain used for credit card skimming (usually related to Magecart attacks)
21	sha3_384_hash	SHA3-384 hash of a malware sample (payload)
1	envelope_from	Sender email address (envelope from) that is used for payload delivery