darknet-mcp-server

by badchars

Server Configuration

Describes the environment variables required to run the server.

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| OTX_API_KEY | No | Increases AlienVault OTX rate limits | |
| HIBP_API_KEY | No | Enables breach account search & paste search via Have I Been Pwned | |
| HYBRID_API_KEY | No | Enables Hybrid Analysis malware sandbox tools | |
| INTELX_API_KEY | No | Enables IntelligenceX tools for dark web and leaked data search | |
| TOR_SOCKS_HOST | No | Tor SOCKS5 proxy host for .onion access | 127.0.0.1 |
| TOR_SOCKS_PORT | No | Tor SOCKS5 proxy port for .onion access | 9050 |
| VULNERS_API_KEY | No | Enables Vulners search and exploit tools | |
| ABUSECH_AUTH_KEY | No | Higher rate limits for abuse.ch suite (ThreatFox, URLhaus, MalwareBazaar) | |
| ABUSEIPDB_API_KEY | No | Enables AbuseIPDB tools for IP abuse reports and blacklist | |
| PHISHTANK_API_KEY | No | Higher rate limits for PhishTank phishing URL checks | |
| PULSEDIVE_API_KEY | No | Higher rate limits for Pulsedive indicator enrichment | |
| HUDSONROCK_API_KEY | No | Enables Hudson Rock stealer log tools by domain, email, or IP | |

Capabilities

Features and capabilities supported by this server

| Capability | Details |
| --- | --- |
| tools | {"listChanged": true} |

Tools

Functions exposed to the LLM to take actions

| Name | Grade | Description |
| --- | --- | --- |
| tor_status | A | Check if the local Tor SOCKS5 proxy daemon is running and accessible. Returns connectivity status for .onion fetching. |
| tor_fetch_onion | A | Fetch raw HTML from a .onion URL via Tor SOCKS5 proxy. Requires a running Tor daemon. Only .onion URLs are allowed (DNS leak prevention via socks5h). |
| tor_scrape_onion | A | Fetch and parse a .onion site via Tor. Returns structured data: page title, all links, and visible body text. Requires running Tor daemon. |
| tor_search_onion | A | Search for .onion sites using Ahmia.fi search engine. Returns titles, URLs, and descriptions of matching hidden services. |
| tor_exit_nodes | B | Get a list of current Tor exit node IP addresses from the official Tor Project bulk exit list. |
| tor_exit_check | A | Check if a specific IP address is a known Tor exit node. Uses cached exit node list. |
| tor_exit_details | B | Get detailed Tor exit node information including fingerprints, publish timestamps, and exit addresses. |
| ransomwareRecent | A | Fetch the most recent ransomware victims from ransomware.live. Returns victim name, group, country, sector, publication date, and associated URLs. |
| ransomwareGroups | A | List all known ransomware groups tracked by ransomware.live. Returns group names, descriptions, onion URLs, and profile information. |
| ransomwareGroup | A | Get a detailed profile for a specific ransomware group by name. Includes description, known URLs, locations, and profile metadata. |
| ransomwareGroupVictims | A | Get all victims claimed by a specific ransomware group. Returns victim names, countries, sectors, and publication dates. |
| ransomwareSearch | A | Search ransomware victims by keyword. Matches against victim names, descriptions, and other fields. Useful for checking if a specific company has been listed as a victim. |
| ransomwareByCountry | A | Get ransomware victims filtered by country using ISO 3166-1 alpha-2 country code. Example codes: US, GB, DE, TR, FR, JP. |
| ransomwareBySector | A | Get ransomware victims filtered by sector or industry. Examples: 'healthcare', 'finance', 'education', 'government', 'technology'. |
| ransomlookGroups | A | List all ransomware groups tracked by RansomLook. Returns 582+ groups with names and associated onion/clear-web URLs. Complementary source to ransomware.live. |
| ransomlookRecent | A | Fetch the most recent ransomware posts and victim claims from RansomLook. Returns group name, post title, URL, and discovery timestamp. |
| breachList | A | List all known data breaches from HaveIBeenPwned. Optionally filter by domain. Free endpoint, no API key required. |
| breachGet | A | Get details of a specific data breach by name from HaveIBeenPwned. Free endpoint, no API key required. |
| breachLatest | A | Get the most recently added data breach from HaveIBeenPwned. Free endpoint, no API key required. |
| breachDataClasses | A | List all data classes (types of compromised data) known to HaveIBeenPwned. Free endpoint, no API key required. |
| breachPassword | A | Check if a password has appeared in known data breaches using the Pwned Passwords k-anonymity API. Only the first 5 characters of the SHA-1 hash are sent to the server. Free, no API key required. |
| breachSearch | A | Search all data breaches for a specific account (email or username) via HaveIBeenPwned. Requires HIBP_API_KEY (paid endpoint). |
| breachPastes | A | Search for an email address in publicly posted pastes (Pastebin, etc.) via HaveIBeenPwned. Requires HIBP_API_KEY (paid endpoint). |
| threatfoxGetIocs | C | Get recent IOCs from ThreatFox (abuse.ch). Returns indicators of compromise reported in the last N days. |
| threatfoxSearch | B | Search ThreatFox IOCs by term. Accepts IP addresses, domain names, hashes (MD5/SHA256), or URLs. |
| threatfoxTag | A | Search ThreatFox IOCs by tag (e.g., "Cobalt Strike", "Emotet", "AgentTesla"). |
| threatfoxMalware | A | Search ThreatFox IOCs by malware family using Malpedia naming convention (e.g., "win.cobalt_strike", "win.emotet"). |
| urlhausLookup | B | Look up a URL or host in URLhaus (abuse.ch). Provide either a full URL for URL lookup or a hostname/IP for host lookup. |
| urlhausTag | A | Search URLhaus (abuse.ch) entries by tag (e.g., "Emotet", "Dridex", "elf"). |
| bazaarHash | B | Look up a malware sample in MalwareBazaar (abuse.ch) by hash. Accepts MD5, SHA1, or SHA256. |
| bazaarRecent | B | Get recent malware samples from MalwareBazaar (abuse.ch). Returns the most recently submitted samples. |
| bazaarTag | A | Search MalwareBazaar (abuse.ch) by tag or YARA signature name. Use 'tag' for tag-based search or 'signature' for signature-based search. |
| otx_ip | A | Look up threat intelligence for an IP address via AlienVault OTX. Returns pulse info, reputation, country, ASN. |
| otx_domain | A | Look up threat intelligence for a domain via AlienVault OTX. Returns pulse info, whois, reputation. |
| otx_hash | B | Look up threat intelligence for a file hash via AlienVault OTX. Supports MD5, SHA1, SHA256. |
| otx_cve | A | Look up threat intelligence for a CVE via AlienVault OTX. Returns related pulses and indicators. |
| otx_search_pulses | B | Search AlienVault OTX threat pulses by keyword. Returns matching pulses with tags, malware families, and IOC counts. |
| abuseipdb_check | B | Check an IP address against AbuseIPDB for abuse reports. Returns confidence score, ISP, country, and report count. Requires ABUSEIPDB_API_KEY. |
| abuseipdb_reports | C | Get individual abuse reports for an IP from AbuseIPDB. Returns detailed report comments and categories. Requires ABUSEIPDB_API_KEY. |
| abuseipdb_blacklist | A | Get AbuseIPDB's blacklist of the most reported malicious IP addresses. Requires ABUSEIPDB_API_KEY. |
| abuseipdb_check_block | B | Check an entire CIDR network block for abuse reports on AbuseIPDB. Requires ABUSEIPDB_API_KEY. |
| greynoise_ip | A | Look up an IP address on GreyNoise Community API. Returns classification (benign/malicious/unknown), scanner status, and last seen timestamp. Free, no API key required. |
| greynoise_check | B | Quick GreyNoise check: is this IP a known scanner or known benign service? Returns simplified classification. |
| pulsedive_indicator | B | Look up an indicator (IP, domain, URL, or hash) on Pulsedive. Returns risk level, threats, feeds, and properties. |
| pulsedive_search | B | Search Pulsedive indicators by value. Returns matching indicator IDs. |
| pulsedive_explore | B | Explore linked indicators on Pulsedive using advanced queries. Returns related IOCs with risk levels. |
| stealer_domain | A | Search Hudson Rock Cavalier for stealer log entries by domain. Returns compromised machines, credentials, and malware details. Requires HUDSONROCK_API_KEY. |
| stealer_email | A | Search Hudson Rock Cavalier stealer logs by email address. Returns compromised machines with that email in browser credentials. Requires HUDSONROCK_API_KEY. |
| stealer_ip | A | Search Hudson Rock Cavalier stealer logs by IP address. Returns compromised machines originating from that IP. Requires HUDSONROCK_API_KEY. |
| vulners_search | A | Search the Vulners vulnerability database using Lucene queries. Returns CVEs, advisories, and exploits. |
| vulners_id | A | Look up a specific vulnerability or exploit by ID on Vulners. Free, no API key required. Supports CVE, EDB, GHSA IDs. |
| vulners_exploit | A | Search specifically for exploits on Vulners (ExploitDB entries). Filters results to exploit type only. |
| btc_address | B | Look up a Bitcoin address on blockchain.info. Returns balance, transaction count, and recent transactions. |
| btc_balance | A | Get Bitcoin address balance in satoshi from blockchain.info. Quick balance check without full transaction history. |
| btc_tx | A | Get detailed Bitcoin transaction information by hash. Returns inputs, outputs, fees, and block info. |
| btc_abuse_check | A | Check a Bitcoin address for abuse reports on ChainAbuse. Returns scam reports with categories and descriptions. |
| malware_search | A | Search Hybrid Analysis sandbox by file hash (MD5, SHA1, SHA256). Returns verdict, AV detection rate, and analysis details. Requires HYBRID_API_KEY. |
| malware_overview | A | Get full malware analysis overview from Hybrid Analysis for a SHA256 hash. Returns MITRE ATT&CK techniques, network indicators, processes, and extracted files. Requires HYBRID_API_KEY. |
| malware_feed | A | Get the latest malware detonation feed from Hybrid Analysis. Returns recently analyzed samples with verdicts. Requires HYBRID_API_KEY. |
| onion_lookup | A | Look up metadata for a .onion address via CIRCL AIL project. Returns first/last seen dates, status, tags, certificates, ports, and associated Bitcoin addresses. |
| intelx_search | A | Initiate a search on IntelligenceX for leaked data, dark web content, and more. Returns a search ID to retrieve results. Requires INTELX_API_KEY. |
| intelx_search_results | A | Retrieve results for an IntelligenceX search by ID. Use after intelx_search to get actual data. Requires INTELX_API_KEY. |
| intelx_phonebook | A | Initiate a phonebook search on IntelligenceX — finds emails, domains, URLs associated with a term. Returns search ID. Requires INTELX_API_KEY. |
| intelx_phonebook_results | A | Retrieve phonebook search results from IntelligenceX by ID. Use after intelx_phonebook. Requires INTELX_API_KEY. |
| phishing_check | A | Check if a URL is a known phishing site via PhishTank. Returns whether the URL is in their database and if it has been verified. |
| darknet_list_sources | A | List all available darknet-mcp data sources with their configuration status, required API keys, and available tools. |

Prompts

Interactive templates invoked by user choice

No prompts

Resources

Contextual data attached and managed by the client

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/badchars/darknet-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.