Phishing Domains Feed
Free real-time feed of active suspicious phishing sites - download in TXT, JSON, or CSV format
Updated 2026-04-24 20:23 UTC
580
Active URLs
26
Brands
139
IP addresses
43
Hosting providers
Download
All feeds are updated hourly and served via Cloudflare for fast, reliable delivery.
TXT
Plain text - one URL per line. Ideal for simple blocklists and scripts.
Download feed.txtJSON
Structured data with enrichment (IP, ASN, GeoIP, detection sources).
Download feed.jsonCSV
Spreadsheet-ready. All fields with UTF-8 encoding and proper escaping.
Download feed.csvFields
Every record in the JSON and CSV feeds includes these fields:
| Field | Type | Description |
|---|---|---|
url | string | Full suspicious URL |
domain | string | Domain (includes subdomains) |
company | string | Targeted brand (lowercase slug) |
date | string | Last check timestamp (ISO 8601, UTC) |
first_seen | string | First detection timestamp (ISO 8601, UTC) |
uuid | string | Unique identifier |
ip | string | IP address resolved at detection time |
country | string | Country of the hosting IP |
asn | string | Autonomous System Number |
org | string | Hosting provider / organization |
cert | string | TLS certificate issuer |
malicious_google | boolean | Flagged by Google Safe Browsing |
malicious_openphish | boolean | Listed in OpenPhish feed |
malicious_phishtank | boolean | Listed in PhishTank feed |
malicious_tweetfeed | boolean | Reported on TweetFeed |
malicious_urlscan | boolean | Detected by urlscan.io |
JSON example
{
"url": "https://paypal.com-authenticator.my.id",
"domain": "paypal.com-authenticator.my.id",
"company": "paypal",
"date": "2026-04-04T14:54:49.363437+00:00",
"first_seen": "2026-04-04T14:54:49.363437+00:00",
"uuid": "cf7bf933-e820-42ff-9c73-0596563cc2d7",
"ip": "103.186.0.228",
"country": "Indonesia",
"asn": "136052",
"org": "PT Cloud Hosting Indonesia",
"cert": "Let's Encrypt",
"malicious_google": false,
"malicious_openphish": false,
"malicious_phishtank": false,
"malicious_tweetfeed": false,
"malicious_urlscan": true
}
Need more control?
Use the REST API to filter by brand, date range, or pagination - with the same data and formats.
GeoIP data provided by ipinfo.io. Threat intelligence from Google Safe Browsing, OpenPhish, PhishTank, TweetFeed, and urlscan.io.