URLAbuse is a community-based URL intelligence platform built to identify, verify, and share malicious URLs — phishing, malware, hacked websites, and online scams — in real time. Free, open, and actionable.
URLAbuse is not just a blacklist. Every entry in the feed comes with evidence — a screenshot, metadata, IP and ASN data, registrar information, and abuse type classification. Enough to act, not just to know.
The platform collects URLs through honeypots, automated scanners, and community submissions. Each submission is verified before publication. Everything is free and publicly accessible — no account required to consume the feed.
Every URL in the feed has been analyzed and confirmed malicious. Each entry includes a screenshot and full metadata — not just a raw URL.
Trusted reporters — organizations, researchers, and automated systems — contribute URLs that are analyzed and published for everyone.
New threats are added as they're identified — giving defenders the freshest intelligence without waiting for batch updates.
The public feed is available to anyone — no registration, no API key, no fee. Commercial access to deeper data available on request.
IP address, ASN, registrar, screenshot, abuse type, and target — everything needed to act, investigate, or escalate.
URLAbuse feeds directly into Karen IT's Domain Blocklist (DBL), used by Quad9. Confirmed threats flow automatically into the broader intelligence ecosystem.
URLAbuse covers the full range of URL-based abuse. Every entry is classified into one of five categories — enabling precise filtering for your specific use case.
Pages designed to steal credentials, payment data, or personal information — impersonating banks, payment providers, government services, and technology platforms. Includes geofenced campaigns targeting specific countries.
URLs serving malware payloads — drive-by downloads, exploit kits, payload staging servers, and malspam landing pages distributing malicious files or scripts.
Legitimate websites that have been compromised and are being used to serve malicious content — redirect chains, hidden malware downloads, or injected phishing pages.
Unlicensed or illegal gambling platforms operating without regulatory approval — frequently used as fronts for fraud or operating in jurisdictions where online gambling is prohibited.
Fraudulent websites operating fake online shops, advance-fee schemes, investment fraud, and other deceptive operations designed to defraud users through false promises or fake goods.
Every URL goes through the same process before it reaches the public feed. No unverified data, no false positives published without review.
URLs submitted via honeypots, automated scanners, community reporters, or API-connected partners with trusted tokens.
The URL is fetched and analyzed. A screenshot is taken. IP, ASN, registrar, and abuse type are recorded. Target identified.
Standard submissions are manually verified by the URLAbuse team. Trusted reporter submissions may be published directly.
Verified entries published to the public feed with full evidence — available immediately via web, API, and downstream feeds.
Confirmed threats shared with registries, registrars, and hosting providers. Flow automatically into the Karen IT DBL used by Quad9.
Three API endpoints — two for trusted reporters, one internal. All return JSON. An API token is required for submission endpoints.
Report a URL for manual verification by the URLAbuse team before publication. Available to trusted third-party reporters.
| # | Parameter | Required | Description |
|---|---|---|---|
| 1 | token | Yes | Your API token — contact URLAbuse to request |
| 2 | url | Yes | The malicious or suspicious URL to report |
| 3 | date_type | Yes | One of: phishing malware hacked bet scam |
| 4 | target | Optional | Target of the attack (e.g. brand name, #pe32 for PE executables) |
| 5 | geofenced | Optional | Two-letter country code if the URL is geofenced (e.g. US) |
| 6 | reporter | Optional | Your name or organization (max 30 characters) |
import requests, json, sys reported_url = 'https://example-phishing.xyz/login' api_url = "https://zapi.urlabuse.com/feed/report_url" params = { "token": "YOUR-TOKEN-HERE", "url": reported_url, "data_type": "phishing", "target": "PayPal", "geofenced": "US", "reporter": "YourOrg" } r = requests.get(api_url, params=params, timeout=10) result = json.loads(r.text) # {"success": true, "code": 200, "msg": "Reported successfully"} print(result)
Submit without manual verification — data published directly. Only available to highly trusted parties. Supports screenshot submission.
| # | Parameter | Required | Description |
|---|---|---|---|
| 1 | token | Yes | Your trusted reporter token |
| 2 | url | Yes | The malicious URL to report |
| 3 | rtype | Yes | One of: phishing malware hacked bet scam |
| 4 | target | Optional | Target brand or platform |
| 5 | screenshot | Optional | Base64-encoded JPG screenshot |
| 6 | reporter | Optional | Your organization name (max 30 chars) |
| 7 | is_public | Optional | 1 = public (default), 0 = private |
import requests, json, base64 api_url = "https://urlabuse.com/get_trusted_report" screenshot = base64.b64encode(open("/tmp/screenshot.jpg", "rb").read()) params = { "token": "YOUR-TOKEN-HERE", "url": "https://malicious-site.xyz/payload", "rtype": "phishing", "target": "AT&T", "screenshot": screenshot, "reporter": "YourOrg", "is_public": 1 } r = requests.post(api_url, data=params, timeout=10) # {"success": true} print(json.loads(r.text))
Internal API for administrators. Ingests verified data directly from Karen IT's internal CTI infrastructure.
| # | Parameter | Required | Description |
|---|---|---|---|
| 1 | token | Admin only | Administrator token |
| 2 | cti_url | Yes | Permanent URL from the internal CTI system |
| 3 | rtype | Yes | One of: phishing malware hacked bet scam |
| 4 | target | Optional | Target of the threat |
| 5 | is_public | Optional | 1 = public (default), 0 = private |
This endpoint is available to administrators only. Contact us for integration documentation.
Tokens are issued to trusted reporters — organizations, researchers, and automated systems with a legitimate security use case.
URLAbuse serves a wide range of organizations and individuals — from individual researchers to DNS resolvers handling billions of queries a day.
Access verified phishing and malware URLs with full evidence for research, threat tracking, and campaign analysis. Contribute your own findings to the community.
Consume the live feed or API to enrich SIEM alerts, update blocklists, and validate reported URLs against a community-verified source.
URLAbuse data feeds the Karen IT Domain Blocklist (DBL), used by Quad9 to protect millions of DNS queries every day. The same intelligence, at scale.
Identify malicious domains registered through your platform and support takedown decisions with documented, verified evidence.
Monitor for phishing campaigns targeting your brand. URLAbuse tracks phishing by target — including financial institutions — in real time.
Receive structured abuse reports for domains and hosting infrastructure in your constituency. URLAbuse distributes verified reports directly to responsible parties.
URLAbuse is free, open, and continuously updated. If you see something malicious on the internet — report it. If you want to integrate the feed into your security stack — the API is waiting.