Dynamic Parameters

emails array Required*

Array of email addresses to search for compromised credentials.

👤 Email Monitoring

search-by-login/emails

Search for specific email addresses to monitor employee or customer account compromises. Useful for incident response and proactive monitoring.

Minimum 1 email
Maximum 50 emails
Valid email format required
Cannot be used with usernames, ips, or stealers

usernames array Required*

johndoe

Array of usernames to search for compromised accounts.

🔑 Username Monitoring

search-by-login/usernames

Track compromises of specific usernames across multiple platforms. Useful when email addresses are unknown or for common corporate username patterns.

Minimum 1 username
Maximum 50 usernames
Cannot be used with emails, ips, or stealers

ips array Required*

67.181.31.229 45.166.26.62/28

Array of IP addresses or CIDR range to search.

🌐 IP Monitoring

search-by-ip

Monitor compromises from specific IP addresses or ranges. Useful for tracking corporate network exposure or investigating suspicious activity.

Minimum 1 IP/CIDR
Maximum 50 IPs/21-32 CIDR Range
Valid IPv4/CIDR format required
Cannot be used with emails, usernames, or stealers

*Either ips or cidr must be provided, but not both

stealers array Required*

US_98.11.162.214_25-01-25_13579

Array of stealer IDs to retrieve specific credential sets.

🎯 Stealer Lookup

search-by-stealer

Retrieve credentials from specific stealer logs using their unique identifiers. Useful for detailed investigation of known compromises.

Minimum 1 stealer ID
Maximum 50 stealer IDs
Valid stealer ID format required
Cannot be used with emails, usernames, or ips

Common Parameters

types array

employees users third_parties

Narrow down search to employees, users, or third parties.

*third_parties type is only available when 'domains' parameter is provided.

filter_credentials boolean default: true

true false

When true, returns only credentials matching the search criteria.

keywords_match string default: any

all any

Determines if all keywords must match or any single keyword is sufficient.

keywords array

Array of keywords to search in credentials data and URL parts.

sort_by string default: date_compromised

date_compromised date_uploaded

The field which the stealers should be sorted by.

sort_direction string default: desc

asc desc

The direction in which the results should be sorted.

start_date date-string

ISO 8601 formatted date to filter results from (inclusive). Context depends on sort_by parameter.

end_date date-string

ISO 8601 formatted date to filter results to (inclusive). Context depends on sort_by parameter.

cursor base64 string

Pagination token for fetching next page of results. Obtained from previous response's nextCursor field.

additional_fields array

installed_software employee_session_cookies

Additional data fields to include in the response.