Phishing Domains Feed
Free real-time feed of active suspicious phishing sites - download in TXT, JSON, or CSV format
Updated 2026-05-16 01:30 UTC
Active URLs: 801
Brands: 30
IP addresses: 154
Hosting providers: 41
Download
All feeds are updated hourly and served via Cloudflare for fast, reliable delivery.
Fields
Every record in the JSON and CSV feeds includes these fields:
| Field | Type | Description |
|---|---|---|
| url | string | Full suspicious URL |
| domain | string | Domain (includes subdomains) |
| company | string | Targeted brand (lowercase slug) |
| date | string | Last check timestamp (ISO 8601, UTC) |
| first_seen | string | First detection timestamp (ISO 8601, UTC) |
| uuid | string | Unique identifier |
| ip | string | IP address resolved at detection time |
| country | string | Country of the hosting IP |
| asn | string | Autonomous System Number |
| org | string | Hosting provider / organization |
| cert | string | TLS certificate issuer |
| malicious_google | boolean | Flagged by Google Safe Browsing |
| malicious_openphish | boolean | Listed in OpenPhish feed |
| malicious_phishtank | boolean | Listed in PhishTank feed |
| malicious_tweetfeed | boolean | Reported on TweetFeed |
| malicious_urlscan | boolean | Detected by urlscan.io |
JSON example
```json
{
  "url": "https://paypal.com-authenticator.my.id",
  "domain": "paypal.com-authenticator.my.id",
  "company": "paypal",
  "date": "2026-04-04T14:54:49.363437+00:00",
  "first_seen": "2026-04-04T14:54:49.363437+00:00",
  "uuid": "cf7bf933-e820-42ff-9c73-0596563cc2d7",
  "ip": "103.186.0.228",
  "country": "Indonesia",
  "asn": "136052",
  "org": "PT Cloud Hosting Indonesia",
  "cert": "Let's Encrypt",
  "malicious_google": false,
  "malicious_openphish": false,
  "malicious_phishtank": false,
  "malicious_tweetfeed": false,
  "malicious_urlscan": true
}
```
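An added example (not part of the feed's own documentation or tooling) of consuming records with the fields above: it checks each record strictly against the documented types, drops entries whose `date` is stale, and counts how many of the five `malicious_*` sources corroborate each domain. It assumes the JSON feed is a top-level array of such records; the function names, thresholds, and every sample record other than the page's example are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Field names and types as documented in the feed's field table.
STRING_FIELDS = ("url", "domain", "company", "date", "first_seen", "uuid",
                 "ip", "country", "asn", "org", "cert")
SOURCE_FLAGS = ("malicious_google", "malicious_openphish", "malicious_phishtank",
                "malicious_tweetfeed", "malicious_urlscan")

# The page's example record; the variants below are constructed test data.
PAGE_RECORD = {
    "url": "https://paypal.com-authenticator.my.id",
    "domain": "paypal.com-authenticator.my.id", "company": "paypal",
    "date": "2026-04-04T14:54:49.363437+00:00",
    "first_seen": "2026-04-04T14:54:49.363437+00:00",
    "uuid": "cf7bf933-e820-42ff-9c73-0596563cc2d7", "ip": "103.186.0.228",
    "country": "Indonesia", "asn": "136052", "org": "PT Cloud Hosting Indonesia",
    "cert": "Let's Encrypt", "malicious_google": False,
    "malicious_openphish": False, "malicious_phishtank": False,
    "malicious_tweetfeed": False, "malicious_urlscan": True}
# Assumption: the JSON feed is a top-level array of records.
SAMPLE_FEED = json.dumps([
    PAGE_RECORD,
    {**PAGE_RECORD, "domain": "Login.Brand.Example.test", "malicious_google": True},
    {**PAGE_RECORD, "domain": "stale.example.test", "date": "2025-01-01T00:00:00+00:00"},
    {**PAGE_RECORD, "domain": "badtype.example.test", "malicious_urlscan": "true"}])
SAMPLE_NOW = datetime(2026, 4, 10, tzinfo=timezone.utc)  # constructed "current time"

def is_valid(rec):
    """Strict schema check: str fields, real booleans, timezone-aware timestamps."""
    try:
        return (all(type(rec[f]) is str for f in STRING_FIELDS)
                and all(type(rec[f]) is bool for f in SOURCE_FLAGS)
                and all(datetime.fromisoformat(rec[f]).tzinfo is not None
                        for f in ("date", "first_seen")))
    except (KeyError, TypeError, ValueError):
        return False

def build_blocklist(raw, now, max_age_days=30, min_sources=1):
    """Map each fresh, well-formed domain to its count of corroborating sources."""
    cutoff, out = now - timedelta(days=max_age_days), {}
    for rec in json.loads(raw):
        if not isinstance(rec, dict) or not is_valid(rec):
            continue  # drop malformed rows rather than coercing them
        hits = sum(rec[f] for f in SOURCE_FLAGS)
        if hits >= min_sources and datetime.fromisoformat(rec["date"]) >= cutoff:
            domain = rec["domain"].lower().rstrip(".")  # hostnames are case-insensitive
            out[domain] = max(out.get(domain, 0), hits)
    return out
```

Raising `min_sources` trades coverage for fewer false positives: the page's own example record is flagged by only one of the five sources.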
Need more control?
Use the REST API to filter by brand or date range and to paginate results, with the same data and formats.
GeoIP data provided by ipinfo.io. Threat intelligence from Google Safe Browsing, OpenPhish, PhishTank, TweetFeed, and urlscan.io.