Statistics

ThreatFox produces detailed statistics on indicators of compromise shared - find the available statistics below.

You can also access Spamhaus's Malware Digest report, based on ThreatFox data:

https://www.spamhaus.org/malware-digest/#threatfox

Past 14 days
Overall

The statistics below consider indicators of compromise (IOCs) submitted to ThreatFox within the past 14 days.

Number of IOCs shared

The chart below documents the number of indicators of compromise (IOCs) shared on ThreatFox per day over a period of 30 days.

Top Contributors

Threatfox is "just" a platform for sharing IOCs. It would be worthless without the help of volunteers who contribute their IOCs to the project. The table below shows the top contributors by credits earned for the past 30 days.

Rank	Reporter	Last activity	Submissions
1	TheRavenFile	2025-04-03 07:26:17	22'438
2	juroots	2025-04-02 13:24:47	2'319
3	DonPasci	2025-04-03 04:01:31	1'613
4	abuse_ch	2025-04-03 07:35:29	741
5	Gi7w0rm	2025-03-28 16:01:19	581
6	s1dhy	2025-03-31 06:14:02	570
7	RacWatchin8872	2025-04-03 06:11:44	416
8	dyingbreeds_	2025-04-03 06:10:59	298
9	threatcat_ch	2025-04-03 07:15:34	195
10	DaveLikesMalwre	2025-04-01 05:27:23	184

Top Malware Families

Top Tags

IOCs by type

IOCs on ThreatFox are categorized so called IOC types. The following table shows the number of IOCs observed on ThreatFox per IOC type (past 14 days).

IOCs	IOC Type	IOC description
22'474	sha256_hash	SHA256 hash of a malware sample (payload)
2'959	ip:port	ip:port combination that is used for botnet Command&control (C&C)
2'199	domain	Domain that is used for botnet Command&control (C&C)
1'285	url	URL that is used for botnet Command&control (C&C)
868	domain	Domain name that delivers a malware payload
364	url	URL that delivers a malware payload
29	md5_hash	MD5 hash of a malware sample (payload)
15	domain	Domain used for credit card skimming (usually related to Magecart attacks)
7	ip:port	ip:port combination that delivery a malware payload
3	sha1_hash	SHA1 hash of a malware sample (payload)

The statistics below consider indicators of compromise (IOCs) submitted to ThreatFox since it's launch in March 2021.

Number of IOCs shared

The chart below documents the number of indicators of compromise (IOCs) shared on ThreatFox per day over a period of 12 months.

Top Contributors

Rank	Reporter	Last activity	Submissions
1	Cryptolaemus1	2025-03-18	679'883
2	abuse_ch	2025-04-03	138'235
3	drb_ra	2025-01-23	88'255
4	Gi7w0rm	2025-03-29	50'269
5	TheRavenFile	2025-04-03	33'187
6	DonPasci	2025-04-03	26'701
7	lazyactivist192	2025-02-07	29'739
8	Grim	2024-11-13	29'552
9	Virus_Deck	2022-09-30	29'150
10	thehappydinoa	2024-12-02	23'615

Top Malware Families

Top Tags

IOCs by type

IOCs on ThreatFox are categorized so called IOC types. The following table shows the number of IOCs observed on ThreatFox per IOC type (overall).

IOCs	IOC Type	IOC description
756'415	sha256_hash	SHA256 hash of a malware sample (payload)
184'422	ip:port	ip:port combination that is used for botnet Command&control (C&C)
183'089	url	URL that delivers a malware payload
96'306	domain	Domain that is used for botnet Command&control (C&C)
94'248	url	URL that is used for botnet Command&control (C&C)
31'018	domain	Domain name that delivers a malware payload
13'631	md5_hash	MD5 hash of a malware sample (payload)
10'323	sha1_hash	SHA1 hash of a malware sample (payload)
2'991	ip:port	ip:port combination that delivery a malware payload
465	domain	Domain used for credit card skimming (usually related to Magecart attacks)
21	sha3_384_hash	SHA3-384 hash of a malware sample (payload)
1	envelope_from	Sender email address (envelope from) that is used for payload delivery