Dark Web APIs
FullHunt's Dark Web APIs provide comprehensive monitoring of your organization's presence on the dark web, including compromised credentials, phishing domains, typosquatting, and exposed email addresses.
These API endpoints are available for enterprise accounts only.
Compromised Credentials
Monitor for compromised credentials and leaks within your organization.
HTTP Request
GET https://fullhunt.io/api/v1/enterprise/darkweb/compromised-credentials
Query Parameters
Parameter | Required | Type | Description |
---|---|---|---|
query | Yes | string | Email or domain search string |
page | No | integer | Pagination page number |
Example Request
```bash
curl "https://fullhunt.io/api/v1/enterprise/darkweb/compromised-credentials?query=john.smith@acme.com" \
  -H "X-API-KEY: xxxx-xxxx-xxxx-xxxxxx"
```
Example Response
```json
{
  "query": {
    "query": "john.smith@acme.com"
  },
  "results": [
    {
      "id": "LEAK-7394",
      "address": "123 Corporate Drive, Phoenix, AZ 85001",
      "darkweb_metadata_count": 157834291,
      "darkweb_metadata_date": "2023-12-10 00:00:00",
      "darkweb_metadata_description": "In December 2023, a large-scale data compilation was discovered containing records from multiple corporate data breaches. The compilation included various data points from company directories and internal systems.",
      "darkweb_metadata_leaked_data": "Email addresses, Passwords, Physical addresses, Names",
      "darkweb_metadata_name": "CorporateDataDump_2023",
      "database_name": "BreachCompilation",
      "date_added": "2024-02-15 14:22:31",
      "domain": "acme.com",
      "email": "john.smith@acme.com",
      "hash_type": "bcrypt",
      "hashed_password": "$2a$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewvfbrgSP3nXnm3m",
      "ipaddress": "192.168.1.100",
      "name": "John Smith",
      "password": "rocket2023",
      "phone": "+1-555-0123-4567",
      "username": "jsmith",
      "vin": "1HGCM82633A123456"
    }
  ],
  "total_query_results": 4
}
```
Potential Phishing Domains
Search for potentially malicious domains that may be used in phishing attacks targeting your organization.
HTTP Request
GET https://fullhunt.io/api/v1/enterprise/darkweb/potential-phishing
Query Parameters
Parameter | Required | Type | Description |
---|---|---|---|
query | No | string | Domain name search string |
page | No | integer | Pagination page number |
Example Request
```bash
curl "https://fullhunt.io/api/v1/enterprise/darkweb/potential-phishing" \
  -H "X-API-KEY: xxxx-xxxx-xxxx-xxxxxx"
```
Example Response
```json
{
  "results": {
    "items": [
      {
        "id": "LEAK-123",
        "domain_name": "acme-login.com",
        "date_added": "2024-03-15 10:30:45",
        "last_seen": "2024-03-15 10:30:45",
        "type": "DomainName"
      }
    ],
    "total": 15,
    "page": 1,
    "per_page": 10
  }
}
```
Typosquatting Domains
Detect and monitor potential typosquatting domains that could be used for phishing attacks or brand impersonation.
HTTP Request
GET https://fullhunt.io/api/v1/enterprise/darkweb/typosquatting
Query Parameters
Parameter | Required | Type | Description |
---|---|---|---|
query | No | string | Domain name search string |
page | No | integer | Pagination page number |
Example Request
```bash
curl "https://fullhunt.io/api/v1/enterprise/darkweb/typosquatting" \
  -H "X-API-KEY: xxxx-xxxx-xxxx-xxxxxx"
```
Example Response
```json
{
  "results": {
    "items": [
      {
        "id": "LEAK-123",
        "domain_name": "acmecorp.com",
        "date_added": "2024-03-15",
        "last_seen": "2024-03-15",
        "type": "TypoSquatting"
      }
    ],
    "total": 23,
    "page": 1,
    "per_page": 10
  }
}
```
Discovered Emails
Monitor and detect email addresses associated with your organization that have been exposed on the dark web.
HTTP Request
GET https://fullhunt.io/api/v1/enterprise/darkweb/discovered-emails
Query Parameters
Parameter | Required | Type | Description |
---|---|---|---|
query | No | string | Email or domain search string |
page | No | integer | Pagination page number |
Example Request
```bash
curl "https://fullhunt.io/api/v1/enterprise/darkweb/discovered-emails" \
  -H "X-API-KEY: xxxx-xxxx-xxxx-xxxxxx"
```
Example Response
```json
{
  "results": {
    "items": [
      {
        "id": "LEAK-123",
        "email": "john.smith@acme.com",
        "domain": "acme.com",
        "date_added": "2024-03-15",
        "breaches": ["DataVault_2023_Q1"]
      }
    ],
    "total": 42,
    "page": 1,
    "per_page": 10
  }
}
```
Integration Example
```python
import requests


class FullHuntDarkWeb:
    """Minimal client for the FullHunt Dark Web API endpoints."""

    def __init__(self, api_key, timeout=30):
        self.api_key = api_key
        self.base_url = "https://fullhunt.io/api/v1/enterprise/darkweb"
        self.headers = {"X-API-KEY": api_key}
        self.timeout = timeout  # seconds; avoids hanging on a stalled connection

    def _get(self, endpoint, query=None):
        """Send a GET request and return the parsed JSON, or None on error."""
        params = {"query": query} if query else {}
        try:
            response = requests.get(
                f"{self.base_url}/{endpoint}",
                headers=self.headers,
                params=params,
                timeout=self.timeout,
            )
        except requests.RequestException as e:
            print(f"Error: {e}")
            return None
        if response.status_code == 200:
            return response.json()
        print(f"Error: {response.status_code}")
        return None

    def check_compromised_credentials(self, query):
        """Check for compromised credentials."""
        return self._get("compromised-credentials", query)

    def check_phishing_domains(self, query=None):
        """Check for potential phishing domains."""
        return self._get("potential-phishing", query)

    def check_typosquatting(self, query=None):
        """Check for typosquatting domains."""
        return self._get("typosquatting", query)

    def check_discovered_emails(self, query=None):
        """Check for discovered emails."""
        return self._get("discovered-emails", query)

    def comprehensive_domain_check(self, domain):
        """Perform comprehensive dark web check for a domain."""
        print(f"🔍 Comprehensive Dark Web Check for: {domain}")
        print("=" * 60)

        # Check compromised credentials
        print("\n📧 Checking compromised credentials...")
        creds = self.check_compromised_credentials(domain)
        if creds and creds.get('results'):
            print(f" Found {len(creds['results'])} compromised credential records")
            for record in creds['results'][:3]:  # Show first 3
                print(f" - {record['email']} (Database: {record['database_name']})")
                print(f" Date Added: {record['date_added']}")
                # Report that a password is exposed without printing it
                if record.get('password'):
                    print(" Password Exposed: Yes")
        else:
            print(" ✅ No compromised credentials found")

        # Check phishing domains
        print("\n🎣 Checking potential phishing domains...")
        phishing = self.check_phishing_domains(domain)
        if phishing and phishing.get('results', {}).get('items'):
            items = phishing['results']['items']
            print(f" Found {len(items)} potential phishing domains")
            for item in items[:3]:  # Show first 3
                print(f" - {item['domain_name']} (Added: {item['date_added']})")
        else:
            print(" ✅ No potential phishing domains found")

        # Check typosquatting
        print("\n🔄 Checking typosquatting domains...")
        typo = self.check_typosquatting(domain)
        if typo and typo.get('results', {}).get('items'):
            items = typo['results']['items']
            print(f" Found {len(items)} typosquatting domains")
            for item in items[:3]:  # Show first 3
                print(f" - {item['domain_name']} (Added: {item['date_added']})")
        else:
            print(" ✅ No typosquatting domains found")

        # Check discovered emails
        print("\n📨 Checking discovered emails...")
        emails = self.check_discovered_emails(domain)
        if emails and emails.get('results', {}).get('items'):
            items = emails['results']['items']
            print(f" Found {len(items)} exposed email addresses")
            for item in items[:3]:  # Show first 3
                print(f" - {item['email']} (Breaches: {', '.join(item.get('breaches', []))})")
        else:
            print(" ✅ No exposed email addresses found")

        print("\n✅ Dark web check completed")


# Usage
if __name__ == "__main__":
    api_key = "your-api-key-here"
    darkweb = FullHuntDarkWeb(api_key)

    # Check specific email
    creds = darkweb.check_compromised_credentials("john.doe@acme.com")

    # Comprehensive domain check
    darkweb.comprehensive_domain_check("acme.com")
```
Automated Monitoring Script
```python
import json
import time
from datetime import datetime

import requests

# FullHuntDarkWeb is the client class from the Integration Example.


def setup_darkweb_monitoring(api_key, domains, webhook_url=None):
    """Set up automated dark web monitoring for multiple domains."""
    darkweb = FullHuntDarkWeb(api_key)
    print("🛡️ Setting up Dark Web Monitoring")
    print("=" * 50)

    for domain in domains:
        print(f"\n📍 Monitoring setup for: {domain}")

        # Store baseline counts
        baseline = {
            'domain': domain,
            'timestamp': datetime.now().isoformat(),
            'compromised_credentials': 0,
            'phishing_domains': 0,
            'typosquatting_domains': 0,
            'discovered_emails': 0
        }

        # Get current counts
        creds = darkweb.check_compromised_credentials(domain)
        if creds and creds.get('total_query_results'):
            baseline['compromised_credentials'] = creds['total_query_results']

        phishing = darkweb.check_phishing_domains(domain)
        if phishing and phishing.get('results', {}).get('total'):
            baseline['phishing_domains'] = phishing['results']['total']

        typo = darkweb.check_typosquatting(domain)
        if typo and typo.get('results', {}).get('total'):
            baseline['typosquatting_domains'] = typo['results']['total']

        emails = darkweb.check_discovered_emails(domain)
        if emails and emails.get('results', {}).get('total'):
            baseline['discovered_emails'] = emails['results']['total']

        # Save baseline
        with open(f"{domain}_darkweb_baseline.json", "w") as f:
            json.dump(baseline, f, indent=2)

        print(f" Compromised Credentials: {baseline['compromised_credentials']}")
        print(f" Phishing Domains: {baseline['phishing_domains']}")
        print(f" Typosquatting Domains: {baseline['typosquatting_domains']}")
        print(f" Discovered Emails: {baseline['discovered_emails']}")

        # Rate limiting
        time.sleep(2)

    print("\n✅ Dark web monitoring baselines established")


def check_for_changes(api_key, domains, webhook_url=None):
    """Check for changes since last baseline."""
    darkweb = FullHuntDarkWeb(api_key)
    changes_detected = False

    for domain in domains:
        try:
            # Load baseline
            with open(f"{domain}_darkweb_baseline.json", "r") as f:
                baseline = json.load(f)
        except FileNotFoundError:
            print(f"No baseline found for {domain}. Run setup first.")
            continue

        print(f"\n🔍 Checking changes for: {domain}")
        current = {
            'domain': domain,
            'timestamp': datetime.now().isoformat()
        }

        # Check each category
        categories = [
            ('compromised_credentials', 'check_compromised_credentials'),
            ('phishing_domains', 'check_phishing_domains'),
            ('typosquatting_domains', 'check_typosquatting'),
            ('discovered_emails', 'check_discovered_emails')
        ]
        for category, method_name in categories:
            label = category.replace('_', ' ').title()
            result = getattr(darkweb, method_name)(domain)
            time.sleep(1)  # Rate limiting
            baseline_count = baseline.get(category, 0)

            if result is None:
                # Request failed: keep the previous count so the baseline is
                # not reset to zero and every item reported as new next run.
                current[category] = baseline_count
                print(f" ⚠️ {label}: check failed, baseline kept")
                continue

            if category == 'compromised_credentials':
                current_count = result.get('total_query_results', 0)
            else:
                current_count = result.get('results', {}).get('total', 0)
            current[category] = current_count

            if current_count > baseline_count:
                change = current_count - baseline_count
                changes_detected = True
                print(f" 🚨 {label}: +{change} new items")

                # Send alert if webhook configured
                if webhook_url:
                    alert = {
                        'domain': domain,
                        'category': category,
                        'new_items': change,
                        'total_items': current_count,
                        'timestamp': current['timestamp']
                    }
                    send_webhook_alert(webhook_url, alert)
            else:
                print(f" ✅ {label}: No changes")

        # Update baseline
        with open(f"{domain}_darkweb_baseline.json", "w") as f:
            json.dump(current, f, indent=2)

    if not changes_detected:
        print("\n✅ No new dark web threats detected")
    else:
        print("\n⚠️ New threats detected - review alerts above")


def send_webhook_alert(webhook_url, alert_data):
    """Send alert to webhook endpoint."""
    try:
        response = requests.post(webhook_url, json=alert_data, timeout=10)
        if response.ok:  # any 2xx status counts as delivered
            print(" 📤 Alert sent to webhook")
        else:
            print(f" ❌ Failed to send webhook alert: {response.status_code}")
    except requests.RequestException as e:
        print(f" ❌ Webhook error: {e}")


# Usage
if __name__ == "__main__":
    api_key = "your-api-key-here"
    domains = ["acme.com", "example.org"]
    webhook_url = "https://your-webhook-endpoint.com/alerts"

    # Initial setup
    setup_darkweb_monitoring(api_key, domains, webhook_url)

    # Regular monitoring (run this periodically)
    check_for_changes(api_key, domains, webhook_url)
```
Response Field Reference
Compromised Credentials Response
Field | Type | Description |
---|---|---|
id | string | Unique leak identifier |
email | string | Compromised email address |
password | string | Plain text password (if available) |
hashed_password | string | Hashed password |
hash_type | string | Type of hash used (bcrypt, MD5, SHA256, etc.) |
domain | string | Associated domain |
database_name | string | Source database/breach name |
date_added | string | Date when record was added to database |
darkweb_metadata_* | string | Metadata about the breach/leak |
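Because a record can carry the plain text `password`, the `hashed_password` and personal data, results should be reduced before they reach tickets or logs. The following is an added example, not FullHunt's code: it keeps only non-secret fields, assigns a severity from `password` and `hash_type`, and adds a keyed fingerprint for de-duplication. The severity levels, the weak-hash set, the `dedup_key` parameter and all function names are assumptions of this example.

```python
import hashlib
import hmac

# Fast, unsalted digests that are cheap to crack offline. This set is an
# assumption of the example; the page names bcrypt, MD5 and SHA256 as values.
WEAK_HASH_TYPES = {"md5", "sha1", "sha256"}
# Fields safe to copy into tickets and logs. password, hashed_password, name,
# address, phone, ipaddress and vin are deliberately left out.
SAFE_FIELDS = ("id", "email", "domain", "database_name", "date_added")
SEVERITY_ORDER = ["critical", "high", "medium", "low"]


def triage_record(record, dedup_key):
    """Return a redacted finding with a severity; the secret is never copied."""
    finding = {field: record.get(field) for field in SAFE_FIELDS}
    hash_type = (record.get("hash_type") or "").lower()
    if record.get("password"):
        finding["exposure"], finding["severity"] = "plaintext", "critical"
    elif record.get("hashed_password"):
        weak = hash_type in WEAK_HASH_TYPES or not hash_type
        finding["exposure"] = f"hash:{hash_type or 'unknown'}"
        finding["severity"] = "high" if weak else "medium"
    else:
        finding["exposure"], finding["severity"] = "identity-only", "low"
    # Keyed fingerprint for de-duplication across runs. A plain hash of a weak
    # password could be brute-forced from the ticket, so HMAC with a local key.
    secret = record.get("password") or record.get("hashed_password") or ""
    material = "\x00".join([record.get("email") or "", secret]).encode()
    finding["fingerprint"] = hmac.new(dedup_key, material, hashlib.sha256).hexdigest()[:16]
    return finding


def triage_response(response, dedup_key):
    """Triage every record in a compromised-credentials response, worst first."""
    findings = [triage_record(r, dedup_key) for r in response.get("results") or []]
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))


# Constructed sample: LEAK-7394 is trimmed from the example response on this
# page; the other two records are invented for illustration.
SAMPLE = {"results": [
    {"id": "LEAK-0002", "email": "a.jones@acme.com", "domain": "acme.com",
     "database_name": "ExampleDump", "date_added": "2024-01-01 00:00:00",
     "hash_type": "MD5", "hashed_password": "0" * 32},
    {"id": "LEAK-7394", "email": "john.smith@acme.com", "domain": "acme.com",
     "database_name": "BreachCompilation", "date_added": "2024-02-15 14:22:31",
     "hash_type": "bcrypt", "password": "rocket2023"},
    {"id": "LEAK-0003", "email": "b.lee@acme.com", "domain": "acme.com",
     "database_name": "ExampleDump", "date_added": "2024-01-02 00:00:00"},
]}
FINDINGS = triage_response(SAMPLE, dedup_key=b"constructed-local-key")
```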
Domain Monitoring Response
Field | Type | Description |
---|---|---|
id | string | Unique identifier |
domain_name | string | Suspicious domain name |
date_added | string | Date when domain was first detected |
last_seen | string | Date when domain was last seen |
type | string | Type of threat (DomainName, TypoSquatting) |
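The domain and email endpoints return `total`, `page` and `per_page`, and every item has a unique `id`, so a monitor can report which items are new rather than only a change in count. The following is an added example, not FullHunt's code: `fetch_page` is a hypothetical callable standing in for the HTTP request with the `page` parameter, pages are assumed to start at 1, and the sample pages are constructed.

```python
import math


def fetch_all_items(fetch_page, max_pages=1000):
    """Collect the items from every page of a paginated 'results' object.

    fetch_page(page) is a hypothetical callable returning the parsed JSON of
    one page, or None on failure (as the client methods on this page do).
    """
    items, page = [], 1
    while page <= max_pages:
        response = fetch_page(page)
        if response is None:
            # A failed page must not be mistaken for the end of the results.
            raise RuntimeError(f"page {page} could not be fetched")
        results = response.get("results") or {}
        batch = results.get("items") or []
        items.extend(batch)
        per_page = results.get("per_page") or len(batch)
        total = results.get("total") or 0
        # Stop on an empty page or once the reported total has been covered.
        if not batch or page >= math.ceil(total / per_page):
            break
        page += 1
    return items


def new_since(items, seen_ids):
    """Return the items whose id was not seen before, and the updated id set."""
    fresh = [item for item in items if item["id"] not in seen_ids]
    return fresh, set(seen_ids) | {item["id"] for item in items}


# Constructed pages in the shape of the typosquatting example response.
PAGES = {
    1: {"results": {"items": [
        {"id": "LEAK-1", "domain_name": "acmecorp.com", "type": "TypoSquatting"},
        {"id": "LEAK-2", "domain_name": "acmecorp.example", "type": "TypoSquatting"}],
        "total": 3, "page": 1, "per_page": 2}},
    2: {"results": {"items": [
        {"id": "LEAK-3", "domain_name": "acme-corp.example", "type": "TypoSquatting"}],
        "total": 3, "page": 2, "per_page": 2}},
}
ALL_ITEMS = fetch_all_items(PAGES.get)
FRESH, SEEN = new_since(ALL_ITEMS, seen_ids={"LEAK-1"})
```

Persisting `SEEN` between runs in place of the per-category counts lets an alert name the specific new domains or addresses.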
Further Reading
- Error Handling: For details on handling API responses and errors, see our guide on API Error Codes.