Best Practices

Special Permission Required

Due to its sensitive nature, access to the Cyber API is limited.
Please contact us at [email protected] for more information.

In order to use the API you need to call an endpoint URL with your private access token. You can easily obtain this URL by using our query builder
Note: you must be logged in to use it

Data Integrity

Each request may return up to 10 posts matching your query. However, there may be significantly more results matching your filter parameters. To consume all the data, make sure you keep on calling the same URL string value that appears in the "next" key found in the output for each request.

"totalResults": 20597,
  "moreResultsAvailable": 20587,
  "next": "/cyberFilter?token=XXX-XXX&format=json&ts=1532532434047&q=fresh+AND+buy",
  "requestsLeft": 8947

Domain Threat Monitoring

I searched for the name of my company and received 0 results.
Does it mean my company is safe?

Unfortunately, it doesn’t. Sometimes people on the Dark Web (DW) discuss a specific subject (a country, person, company, etc) and mention it explicitly. But keep in mind that hackers, vendors, and others might not mention the company explicitly, since they don’t want to be exposed so easily as they want to be able to continue to sell credit cards (CCs) or data of the given company. For example - after running a search, we didn’t find a particular company’s name in the DW, but we could find mentions of its email server IP log with an SMTP error address - which means this IP was interesting for hackers, whether it’s been hacked or planned to be hacked.

SMTP Log error dump found in pastebin

SMTP Log error dump found in pastebin

The same scenario might occur with banks and credit card (CC) leaks - hackers might leak CC numbers and information of your bank without mentioning the bank name. We’d find it later, however, with the bank’s CC numbering system; for example, when a search reveals a number of CCs that are identified as belonging to a particular bank because of its first 4 digits.

For further details on this subject, you’re welcome to contact us.

No Results

I'm calling your legacy Dark Web endpoint and often receive 0 results. What’s the problem?

The Dark Web API’s bucket of sources is significantly smaller than the Cyber API’s. For example, when trying to find leaks of the private password “dada5320” in quotations with the Dark Web API, there were no results. When we looked up the password the exact same way using the Cyber API, we’ve found a Pastebin leak of the password and the mail it’s attached to:

For better coverage of searches, try our new Cyber API, which includes brand new filters and more sources from the Dark Web. Our coverage now includes Discord, ZeroNet, I2P, IRC, Telegram, Open Bazaar and TOR (plus cyber-related open-web sites).

Refine Your Query

I receive a lot of irrelevant results with the keyword I searched. How can I make my search more targeted?

Use the Entities filters to search for relevant terms. For example, if you were searching for a specific wallet ID, you’d want to receive results containing this wallet ID and not URLs with a similar string. You can define the filter “Wallet ID Number” and receive results with this number, categorized as a wallet ID and not a URL. For example, when searching for the wallet ID “13p4YNg” with the right filer, you would receive 14 results with this text as a wallet ID. Without the filter, however, you wouldn’t receive any results whatsoever.

Practical Operators

What are the practical operators I can use in the Cyber API?

Here are a few examples:

  • Use the dollar sign $ to search for a specific term
  • Example: “Trickbot$”
  • Use quotations to search “” for a specific expression: “MDMA Crystals
  • Use the minus sign (-) to rule out parameters and words (e.g “snow” - weather)
  • Use the operator AND to return results that have both words (e.g. “cocaine” AND “heroin”)
  • Use the operator OR to return results that have either one of the words

Note: The plus (+) operator does not work on Cyber API.

Use Parentheses

I searched for "cocaine" OR "heroin" AND "MDMA" and did not receive the types of results I wanted.

To write the query correctly, make sure to use parentheses.

For example, to receive results with the words, “cocaine” OR with both the words “heroin” AND “MDMA,” use the query "cocaine" OR ("heroin" AND "MDMA")

Correct usage of Parenthesis

Correct usage of Parenthesis

Monitor Specific Domain Efficiently

I searched for results from a specific marketplace and received very few results.

When you filter results by a specific marketplace onion, you’ll receive results only from this marketplace address, even though there might be another 5 or 6 Onions for this marketplace. For example, when you filter by this Onion: t5kqoucj5kbboheh.onion (Dream Market Onion) you receive 18,779 results. That seems like a high number, right?
On the other hand, if you use the site name filter and search for all the results under the site name rather than a specific Onion - you’ll receive all the results from all of that specific marketplace (in this case Onion).
Let’s take another example. Try filtering by the site name: Dream Market. You’ll receive over 2 million results for the same time frame! Try checking your results using this filter to receive more relevant results from a specific site.


I searched for specific keywords, why isn’t it enough to find good results?

Words used on marketplaces or forums in the Dark Web (DW) are usually unique. It’s a type of slang you need to be familiar with in order to have effective search results. That’s why, for example, when you run the query "credit card" AND "details" you receive 23,131 results, but when you run the query "credit card" AND "FULLZ" you receive 25,173 results.

When you know the right terminology, you’ll find more and better results.
For more effective results, try running the query with similar but slightly different words and filters.

I searched for posts published by a specific actor. Why can’t I find his or her real name?
In 99% percent of cases, actors won’t call themselves by their real name -- it’s a dead giveaway of their identity. Instead, actors will create a nickname and be identified and addressed by it.

For example, when we tried to search for the actor name “Bob Smith” (real name) using the author filter, we found 0 results. However, when we look for “TheShop” (a nickname) we received over 4,000 results.

Getting More Results

What can I do if I receive very few results for the past 3 months?

Expanding the time frame for your query might return important results you didn’t expect. Let’s say you want to check if anyone in the Dark Web (DW) has targeted your hospital for a DDoS attack. After running the query "ddos" "target" "hospital" and searching for the past month, you receive 6 results. But if you expand the search to the past 3 months, you might receive 30 results. For an entire year, you would receive 162 results. There may have been chatter on the DW planning an attack on your hospital as a DDoS target for the past year and you wouldn’t have known about it unless you widened the time frame for the search.

Filter Noise (especially sexual media mentions)

Usually, our approach toward query is to build a BOW - Bank of Word that group all keywords & phrases relevant for our target, whether its a topic, company or any other entity.
Once we receive results we might bump into a list of items that are noise and distract us from the real type of information, as well as cost more queries.
In order to exclude them from the result set, we can use the (-) sign to exclude a domain, keywords, etc.
Example: (fullz OR cvv) -site.domain:dreamamzigom6grj.onion

In the case of cyber searches in marketplaces or forums the result set might include also a sexual media content such as a reference to porn movies or images, in order to filter such content, one can use the enriched.category:sexual_media
The last filter can improve your results.
Note: the Filter is applicable on data starting 01/2020

Time and Date Stamps

What’s the difference between Published and Crawled dates?

Published filters means that results are filtered according to the date they were published (you can set it to be a range of dates, later than x or before y). A crawled filter means that results are filtered by the date they were scanned and saved in our API (also editable as the Published date). Also, in some cases, the published date does not exist in the source, so it won’t exist in the result. The crawled date of a result will always exist and might be different than the published date. For example, in this search we set the crawled date to be for three months in the past, and received a result published in 2005. The crawling date is 23/7/18.

Monitoring to Yield Results

I didn’t get any results right now, how can I keep track of relevant posts?

Webhose’s Cyber API can deliver you the results you’re looking for in any time frame. This kind of fine-structured query could run every few hours or days and search our API for any threats, mentions, questions, etc. in the Dark Web (DW). For example, you might want to check if there are any physical threats on a particular company’s President or CEO. You can do this by setting a query and running it 24 hours in the past each time to see if any new results (=threats) show up. In the result below, we blurred the specific names we looked for:

Threat found via constant monitoring

Threat found via constant monitoring

By running this query every day, you can discover the newest threats that might be relevant to you, and thwart the threat long before it occurs. If we show an example of continuous search over a period of time as a graph, we’d see something like this: (time over # of posts returning from the query):

Note: You can also choose to run the query hours/days/weeks back from now, using *“crawled:>now-24h” or “published:>3d”*.

Applying constant monitoring leads to better results

Applying constant monitoring leads to better results

Updated 2 months ago

What's Next

GET Parameters

Best Practices

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.