API Reference

Real-time phishing intelligence as JSON, CSV, or TXT. Open, free, no auth required.

847 Active

No auth Open access

10 req/s Per IP

Hourly Refresh

Building an AI agent? See For AI Agents for the MCP server and Agent Skills wrappers.

Introduction

The detection pipeline identifies active suspicious phishing sites in real time by monitoring multiple threat intelligence sources and Certificate Transparency logs. Data is enriched with IP geolocation, TLS certificate information, and detection verdicts.

Detection sources:

Certificate Transparency - real-time monitoring of newly issued TLS certificates
Google Safe Browsing - batch lookup against Google's threat lists
OpenPhish - community phishing feed
PhishTank - verified phishing URLs
TweetFeed - IOCs shared on social media
urlscan.io - live URL scanning verdicts

Pipeline schedule

Process	Frequency	Description
Detection pipeline	Every hour	Scans Certificate Transparency logs and checks threat intel sources for new suspicious phishing domains
Active site re-check	Every 6 hours	Re-visits active sites, captures fresh screenshots, and updates detection verdicts
New registration scan	Daily (00:30 UTC)	Scans newly registered domains for suspicious keyword patterns
Data enrichment	On detection	IP geolocation, ASN, TLS certificate, and hosting organization via ipinfo.io

Endpoint URL

https://phishunt.io/api/v1/domains

Get domains

GET /api/v1/domains Try it

Returns active suspicious phishing domains with enrichment data: IP geolocation, TLS certificate issuer, hosting org, and detection verdicts from Google Safe Browsing, OpenPhish, PhishTank, TweetFeed, and urlscan.io.

Query parameters

Parameter	Type	Description
`limit`	integer	Number of results to return. Omit to get all current results; max 1000 when set.
`offset`	integer	Number of results to skip for pagination. Default 0, max 10000.
`format`	string	Response format: `json`, `csv`, or `txt`. Default json.
`company`	string	Filter by targeted brand (e.g. `amazon`, `paypal`). See targeted brands.
`since`	ISO 8601	Only entries after this date (e.g. `2026-03-01`).

Example request

curl "https://phishunt.io/api/v1/domains"

import requests

r = requests.get("https://phishunt.io/api/v1/domains", params={
    "limit": 50,
    "company": "amazon",
})

data = r.json()
print(f"Returned {data['count']} results")

for site in data["results"]:
    print(site["url"], site["company"], site["ip"])

const url = "https://phishunt.io/api/v1/domains?limit=50&company=amazon";
const res = await fetch(url);
const { count, results } = await res.json();

console.log(`Returned ${count} results`);
results.forEach(site => {
    console.log(site.url, site.company, site.ip);
});

Example response

{
  "count": 2,
  "offset": 0,
  "limit": null,
  "results": [
    {
      "url": "https://amazon.example-phish.com/signin",
      "domain": "amazon.example-phish.com",
      "company": "amazon",
      "date": "2026-03-27T14:30:00+00:00",
      "first_seen": "2026-03-25T09:12:00+00:00",
      "uuid": "54889cb5-146d-484f-8b94-7a0b7385bff7",
      "ip": "198.51.100.42",
      "country": "United States",
      "asn": "64496",
      "org": "Example Hosting Inc.",
      "cert": "Let's Encrypt R3",
      "malicious_google": false,
      "malicious_openphish": true,
      "malicious_phishtank": false,
      "malicious_tweetfeed": false,
      "malicious_urlscan": true
    }
  ]
}

Feeds

Download the complete active suspicious phishing feed. Updated every hour. Full dataset with no filtering - use the domains endpoint for query parameters.

JSON

CSV

TXT

OpenAPI

Feed files return all active entries as a download. The JSON feed is a flat array (no wrapper object). The TXT feed contains one URL per line. Import the OpenAPI spec into Postman or Insomnia.

Response fields

Each object in the results array (or feed entries) contains these fields, grouped by purpose.

Identity

Field	Type	Description
`url`	string	Full URL of the suspicious site
`domain`	string	Domain name including subdomains
`company`	string	Targeted brand slug (e.g. `amazon`, `paypal`)
`uuid`	string	Unique identifier for this entry (UUID v4)

Time

Field	Type	Description
`first_seen`	datetime	When the site was first detected (ISO 8601)
`date`	datetime	Last check timestamp (ISO 8601)

Hosting

Field	Type	Description
`ip`	string	Resolved IPv4 address
`country`	string	Hosting country name
`asn`	string	Autonomous System Number (e.g. `13335`)
`org`	string	Hosting organization
`cert`	string	TLS certificate issuer

Detection sources

Field	Type	Description
`malicious_google`	boolean	`true` if flagged by Google Safe Browsing
`malicious_openphish`	boolean	`true` if present in OpenPhish feed
`malicious_phishtank`	boolean	`true` if present in PhishTank
`malicious_tweetfeed`	boolean	`true` if present in TweetFeed
`malicious_urlscan`	boolean	`true` if flagged by urlscan.io

Pagination

Use offset and limit to paginate through results. The response includes both values so you can compute the next page.

# Page 1
curl "https://phishunt.io/api/v1/domains?limit=100&offset=0"

# Page 2
curl "https://phishunt.io/api/v1/domains?limit=100&offset=100"

# Page 3
curl "https://phishunt.io/api/v1/domains?limit=100&offset=200"

When count is less than limit, you've reached the last page.

Status codes

Code	Description
200	Success. Response body contains the requested data.
400	Bad request. Invalid parameter value (e.g. malformed `since` date).
429	Rate limited. Back off and retry.

Notes

CORS - All API responses include Access-Control-Allow-Origin: *, so you can call the API from browser applications.

Terms - Data is provided on a best-effort basis. False positives may occur. See Terms of Service.