darknet-mcp-server
Enables AI agents to query abuse.ch services such as ThreatFox for malware IOCs, URLhaus for malicious URLs, and other threat intelligence feeds.
Facilitates blockchain intelligence by tracing Bitcoin transactions and checking abuse reports on the Bitcoin blockchain.
Allows AI agents to search for breached accounts, credentials, and pastes using the Have I Been Pwned API.
Provides .onion hidden service access via Tor SOCKS5 proxy, enabling dark web scraping, onion search, and exit node checks.
The Problem
Dark web intelligence is the missing layer in every security investigation. Breach databases, ransomware trackers, Tor hidden services, malware sandboxes, stealer logs, blockchain forensics, exploit databases — the data you need is scattered across dozens of platforms, each with its own API, its own auth, its own rate limits, its own output format. Today you check HIBP in one tab, ThreatFox in another, browse ransomware leak sites through Tor, pull up MalwareBazaar for a hash, check blockchain transactions on a block explorer, and then spend an hour manually piecing it all together.
Traditional dark web intel workflow:

```text
check breach exposure         -> HIBP web interface (paid API)
search leaked credentials     -> IntelligenceX web interface
track ransomware groups       -> ransomware.live + ransomlook.io (2 separate UIs)
access .onion hidden services -> Tor Browser manually
analyze malware samples       -> Hybrid Analysis + MalwareBazaar (2 more UIs)
check IP abuse history        -> AbuseIPDB + GreyNoise (2 more UIs)
trace cryptocurrency          -> blockchain.info + ChainAbuse
search for exploits           -> Vulners web interface
check phishing URLs           -> PhishTank web interface
correlate everything          -> copy-paste into a report
────────────────────────────────
Total: 60+ minutes per investigation, most of it switching contexts
```

darknet-mcp-server gives your AI agent 66 tools across 16 data sources via the Model Context Protocol. The agent queries all sources in parallel, correlates data across the surface and dark web, identifies threats, and presents a unified intelligence picture — in a single conversation.
With darknet-mcp-server:

```text
You: "Investigate the breach exposure and threat landscape for target.com"

Agent: -> HIBP: 3 known breaches (Adobe 2013, LinkedIn 2021, Collection #1)
       -> ThreatFox: 2 IOCs associated with domain (C2 callback, phishing)
       -> URLhaus: 1 malicious URL hosted on subdomain
       -> Ransomware: No victim listings found (good)
       -> Stealer logs: 47 compromised employee credentials found
       -> OTX: 5 threat pulses referencing the domain
       -> AbuseIPDB: Primary IP has 12 abuse reports (brute force)
       -> "target.com has been in 3 data breaches exposing 2.1M records.
           47 employee credentials found in stealer logs — immediate
           password reset recommended. 2 active ThreatFox IOCs suggest
           ongoing targeting. No ransomware listings, but the abuse
           reports on the primary IP warrant investigation."
```
How It's Different
Existing tools give you raw data one source at a time. darknet-mcp-server gives your AI agent the ability to reason across surface web and dark web intelligence simultaneously.
Quick Start
Option 1: npx (no install)

```bash
npx darknet-mcp-server
```

Free tools work immediately. No API keys required for ransomware tracking, breach listings, GreyNoise, blockchain, OTX, and more.

Option 2: Clone

```bash
git clone https://github.com/badchars/darknet-mcp-server.git
cd darknet-mcp-server
bun install
```

Environment variables (optional)
```bash
# Breach & credential intelligence
export HIBP_API_KEY=your-key        # Enables breach account search & paste search
export INTELX_API_KEY=your-key      # Enables 4 IntelligenceX tools

# Threat intelligence
export OTX_API_KEY=your-key         # Increases AlienVault OTX rate limits
export ABUSEIPDB_API_KEY=your-key   # Enables 4 AbuseIPDB tools
export ABUSECH_AUTH_KEY=your-key    # Higher rate limits for abuse.ch suite
export PULSEDIVE_API_KEY=your-key   # Higher rate limits for Pulsedive

# Stealer logs & credentials
export HUDSONROCK_API_KEY=your-key  # Enables 3 Hudson Rock stealer log tools

# Exploit & malware analysis
export VULNERS_API_KEY=your-key     # Enables Vulners search & exploit tools
export HYBRID_API_KEY=your-key      # Enables 3 Hybrid Analysis malware tools

# Phishing
export PHISHTANK_API_KEY=your-key   # Higher rate limits for PhishTank

# Tor SOCKS5 proxy (for .onion access)
export TOR_SOCKS_HOST=127.0.0.1     # Default: 127.0.0.1
export TOR_SOCKS_PORT=9050          # Default: 9050
```

All API keys are optional. Without them, you still get ransomware tracking, breach listings, GreyNoise, blockchain intelligence, OTX, Tor exit node checks, onion search, CIRCL onion lookup, and more.
Connect to your AI agent

```bash
# With npx
claude mcp add darknet-mcp-server -- npx darknet-mcp-server

# With local clone
claude mcp add darknet-mcp-server -- bun run /path/to/darknet-mcp-server/src/index.ts
```

Add to ~/Library/Application Support/Claude/claude_desktop_config.json:

```json
{
  "mcpServers": {
    "darknet": {
      "command": "npx",
      "args": ["-y", "darknet-mcp-server"],
      "env": {
        "HIBP_API_KEY": "optional",
        "INTELX_API_KEY": "optional",
        "ABUSEIPDB_API_KEY": "optional",
        "HUDSONROCK_API_KEY": "optional",
        "HYBRID_API_KEY": "optional",
        "VULNERS_API_KEY": "optional"
      }
    }
  }
}
```

Other MCP clients use the same JSON config format. Point the command to `npx darknet-mcp-server` or your local installation path.
Tor setup (optional, for .onion access)
The 7 Tor tools (tor_fetch_onion, tor_scrape_onion, etc.) require a running Tor SOCKS5 proxy.
```bash
# macOS
brew install tor && brew services start tor

# Linux
sudo apt install tor && sudo systemctl start tor

# Docker
docker run -d -p 9050:9050 dperson/torproxy

# Verify connectivity
npx darknet-mcp-server --check-tor
```

Start querying

```text
You: "Check if example.com has been in any data breaches and look for stealer logs"
```

That's it. The agent handles breach lookups, credential searches, threat correlation, and more automatically.
What The AI Can Do
Breach Investigation
```text
You: "Check if example.com has been in any data breaches"

Agent: -> breachList {domain: "example.com"}
       -> breachSearch {account: "admin@example.com"}
       -> stealer_domain {domain: "example.com"}
       -> intelx_search {term: "example.com"}
       -> "example.com appears in 5 known breaches:
           - ExampleDB 2023: 4.2M records (emails, passwords, IPs)
           - Collection #1: credential stuffing list
           - Combolist 2024: 890K email:password pairs
           Stealer logs: 23 compromised machines with saved credentials
           for example.com found in Hudson Rock database.
           IntelligenceX: 47 results across paste sites and dark web."
```

Ransomware Tracking
```text
You: "What ransomware groups are targeting healthcare?"

Agent: -> ransomwareBySector {sector: "healthcare"}
       -> ransomwareRecent {}
       -> ransomlookRecent {}
       -> "Healthcare sector ransomware activity:
           142 victims across 12 groups in the last 12 months.
           Top groups: LockBit3 (38 victims), BlackCat/ALPHV (24),
           Cl0p (19), Royal (15).
           Most recent: MedCorp Inc. listed by LockBit3 (2 days ago).
           3 new healthcare victims in the last week across
           ransomware.live and RansomLook feeds."
```

Dark Web Recon
```text
You: "Search for mentions of our company on .onion sites"

Agent: -> tor_search_onion {query: "AcmeCorp"}
       -> intelx_search {term: "acmecorp.com"}
       -> onion_lookup {address: "relevant-onion-address.onion"}
       -> "Dark web search results for AcmeCorp:
           Ahmia.fi: 3 .onion pages mention AcmeCorp
           - Forum post discussing AcmeCorp employee list (leak forum)
           - Marketplace listing for AcmeCorp database (unverified)
           - Blog post referencing AcmeCorp breach
           IntelligenceX: 12 results on paste sites
           Recommendation: investigate the forum post and marketplace
           listing for potential active data sales."
```

Malware Analysis
```text
You: "Analyze this file hash for malware indicators: abc123def456..."

Agent: -> malware_search {hash: "abc123def456..."}
       -> malware_overview {sha256: "abc123def456..."}
       -> bazaarHash {hash: "abc123def456..."}
       -> threatfoxSearch {searchTerm: "abc123def456..."}
       -> otx_hash {hash: "abc123def456..."}
       -> "Malware analysis for abc123def456:
           Hybrid Analysis: MALICIOUS (threat score 95/100)
           - Family: AgentTesla (info stealer)
           - MITRE ATT&CK: T1555 (Credential Access), T1071 (C2)
           - Network IOCs: 3 C2 domains, 2 IPs
           MalwareBazaar: First seen 2024-03-15, tagged 'AgentTesla'
           ThreatFox: 2 IOC entries linking to same campaign
           OTX: Referenced in 4 threat pulses"
```

Tools Reference (66 tools)
Tor Network (7 tools)

| Tool | Description |
| --- | --- |
| | Check if the local Tor SOCKS5 proxy daemon is running and accessible |
| | Fetch raw HTML from a .onion URL via Tor SOCKS5 proxy (DNS leak prevention via socks5h) |
| | Fetch and parse a .onion site — returns structured data: title, links, body text |
| | Search for .onion sites using Ahmia.fi search engine |
| | Get current Tor exit node IP addresses from the official Tor Project bulk exit list |
| | Check if a specific IP address is a known Tor exit node |
| | Get detailed Tor exit node information including fingerprints and publish timestamps |

Ransomware Intelligence (9 tools)

| Tool | Description |
| --- | --- |
| | Fetch the most recent ransomware victims from ransomware.live |
| | List all known ransomware groups tracked by ransomware.live |
| | Get a detailed profile for a specific ransomware group by name |
| | Get all victims claimed by a specific ransomware group |
| | Search ransomware victims by keyword (company name, domain, etc.) |
| | Get ransomware victims filtered by ISO 3166-1 alpha-2 country code |
| | Get ransomware victims filtered by sector/industry (healthcare, finance, etc.) |
| | List all 582+ ransomware groups tracked by RansomLook |
| | Fetch the most recent ransomware posts and victim claims from RansomLook |

HIBP Breach (7 tools)

| Tool | Description |
| --- | --- |
| | List all known data breaches from HaveIBeenPwned, optionally filter by domain — free |
| | Get details of a specific data breach by name — free |
| | Get the most recently added data breach — free |
| | List all data classes (types of compromised data) known to HIBP — free |
| | Check if a password has appeared in known breaches (k-anonymity, only 5-char SHA-1 prefix sent) — free |
| | Search all breaches for a specific account (email/username) — requires |
| | Search for an email address in publicly posted pastes — requires |
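The k-anonymity password check in the table above, worked through as an added TypeScript example (not the project's own code): only the first 5 hex characters of the SHA-1 are sent, and the match against the returned suffix list happens locally. Function names are hypothetical and the sample range body is constructed; the range endpoint is HIBP's documented one.

```typescript
// Added example (not the project's code): the k-anonymity protocol behind HIBP's
// Pwned Passwords check. Only the first 5 hex chars of the SHA-1 are sent; the
// remaining 35 are matched locally against the returned suffix list.
// Function names are hypothetical; the range endpoint is HIBP's documented one.
import { createHash } from "crypto";

// Split a password's SHA-1 into the prefix that goes over the wire and the suffix that stays local.
function splitSha1(password: string): { prefix: string; suffix: string } {
  const sha1 = createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
  return { prefix: sha1.slice(0, 5), suffix: sha1.slice(5) };
}

// The only request the client makes: a range query that reveals nothing about the
// full hash beyond its first 5 characters.
function rangeUrl(prefix: string): string {
  return `https://api.pwnedpasswords.com/range/${prefix}`;
}

// Parse a range body ("SUFFIX:COUNT" per line) and return the breach count for our
// suffix, or 0 if absent. Padded responses include decoy rows with a count of 0.
function countFromRange(body: string, suffix: string): number {
  for (const line of body.split(/\r?\n/)) {
    const [s, c] = line.trim().split(":");
    if (s !== undefined && c !== undefined && s.toUpperCase() === suffix) return Number(c);
  }
  return 0;
}

// Constructed sample body for offline use (not real API output). The second row is
// the real SHA-1 suffix of "password"; the count and the other rows are made up.
const SAMPLE_RANGE_BODY = [
  "0018A45C4D1DEF81644B54AB7F969B88D65:1",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
  "2A0B44E1C2F6F2B6D3A7A1E5F0C9D8B7A66:0",
  "",
].join("\r\n");

// Check a password against the sample body; in production `body` would be the
// response to fetch(rangeUrl(prefix)).
function checkPasswordOffline(password: string): { sentPrefix: string; url: string; count: number } {
  const { prefix, suffix } = splitSha1(password);
  return { sentPrefix: prefix, url: rangeUrl(prefix), count: countFromRange(SAMPLE_RANGE_BODY, suffix) };
}
```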
abuse.ch: ThreatFox + URLhaus + MalwareBazaar (9 tools)

| Tool | Description |
| --- | --- |
| | Get recent IOCs from ThreatFox reported in the last N days |
| | Search ThreatFox IOCs by IP, domain, hash, or URL |
| | Search ThreatFox IOCs by tag (e.g., Cobalt Strike, Emotet) |
| | Search ThreatFox IOCs by malware family using Malpedia naming |
| | Look up a URL or host in URLhaus for malware distribution |
| | Search URLhaus entries by tag |
| | Look up a malware sample in MalwareBazaar by MD5, SHA1, or SHA256 hash |
| | Get the most recently submitted malware samples from MalwareBazaar |
| | Search MalwareBazaar by tag or YARA signature name |

AlienVault OTX (5 tools)

| Tool | Description |
| --- | --- |
| | Look up threat intelligence for an IP address — pulse info, reputation, country, ASN |
| | Look up threat intelligence for a domain — pulse info, whois, reputation |
| | Look up threat intelligence for a file hash (MD5, SHA1, SHA256) |
| | Look up threat intelligence for a CVE — related pulses and indicators |
| | Search OTX threat pulses by keyword |

AbuseIPDB (4 tools)

| Tool | Description |
| --- | --- |
| | Check an IP address for abuse reports — confidence score, ISP, country, report count |
| | Get individual abuse reports for an IP with detailed comments and categories |
| | Get AbuseIPDB's blacklist of the most reported malicious IP addresses |
| | Check an entire CIDR network block for abuse reports |

GreyNoise Community (2 tools)

| Tool | Description |
| --- | --- |
| | Look up an IP on GreyNoise — classification (benign/malicious/unknown), scanner status |
| | Quick check: is this IP a known scanner or known benign service? |

Pulsedive (3 tools)

| Tool | Description |
| --- | --- |
| | Look up an indicator (IP, domain, URL, or hash) — risk level, threats, feeds |
| | Search Pulsedive indicators by value |
| | Explore linked indicators using advanced queries (related IOCs with risk levels) |

Hudson Rock stealer logs (3 tools)

| Tool | Description |
| --- | --- |
| | Search stealer log entries by domain — compromised machines, credentials, malware details |
| | Search stealer logs by email address — compromised machines with that email in browser credentials |
| | Search stealer logs by IP address — compromised machines originating from that IP |

Vulners (3 tools)

| Tool | Description |
| --- | --- |
| | Search the Vulners vulnerability database using Lucene queries |
| | Look up a specific vulnerability or exploit by ID (CVE, EDB, GHSA) — free |
| | Search specifically for exploits (ExploitDB entries) |

Blockchain Intelligence (4 tools)

| Tool | Description |
| --- | --- |
| | Look up a Bitcoin address — balance, transaction count, recent transactions |
| | Get Bitcoin address balance in satoshi (quick check without full history) |
| | Get detailed Bitcoin transaction information by hash — inputs, outputs, fees, block info |
| | Check a Bitcoin address for abuse reports on ChainAbuse — scam reports with categories |

Hybrid Analysis (3 tools)

| Tool | Description |
| --- | --- |
| | Search Hybrid Analysis sandbox by file hash — verdict, AV detection rate, analysis details |
| | Full malware analysis overview — MITRE ATT&CK techniques, network indicators, processes |
| | Get the latest malware detonation feed — recently analyzed samples with verdicts |

CIRCL Onion Lookup (1 tool)

| Tool | Description |
| --- | --- |
| | Look up metadata for a .onion address via CIRCL AIL project — first/last seen, status, tags, certs, ports, BTC addresses |

IntelligenceX (4 tools)

| Tool | Description |
| --- | --- |
| | Initiate a search on IntelligenceX for leaked data, dark web content, and more |
| | Retrieve results for an IntelligenceX search by ID |
| | Phonebook search — find emails, domains, URLs associated with a term |
| | Retrieve phonebook search results by ID |

PhishTank (1 tool)

| Tool | Description |
| --- | --- |
| | Check if a URL is a known phishing site via PhishTank |

Meta (1 tool)

| Tool | Description |
| --- | --- |
| | List all available data sources with configuration status, API key status, and tool counts |
CLI Usage
```bash
# List all available tools
npx darknet-mcp-server --list

# Check Tor SOCKS5 proxy connectivity
npx darknet-mcp-server --check-tor

# Run any tool directly
npx darknet-mcp-server --tool breachList '{"domain":"adobe.com"}'
npx darknet-mcp-server --tool ransomwareRecent '{}'
npx darknet-mcp-server --tool tor_search_onion '{"query":"marketplace"}'
npx darknet-mcp-server --tool btc_address '{"address":"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"}'

# Tools requiring API keys
HIBP_API_KEY=your-key npx darknet-mcp-server --tool breachSearch '{"account":"user@example.com"}'
HYBRID_API_KEY=your-key npx darknet-mcp-server --tool malware_search '{"hash":"abc123..."}'
```

Data Sources (16)
| Source | Auth | Rate Limit | What it provides |
| --- | --- | --- | --- |
| | | 1 req/1.5s | Breach search, paste search, password check, breach listings |
| | | 1 req/s | Dark web content, leaked data search, phonebook (emails/domains/URLs) |
| | Optional | 1 req/s | Threat intel for IPs, domains, hashes, CVEs; threat pulse search |
| | | 1 req/s | IP abuse reports, confidence scoring, blacklist, CIDR block check |
| | Optional | 2 req/s | IOC search, malware family tracking, tag-based search |
| | Optional | 2 req/s | Malware distribution URL tracking, host/URL lookup |
| | Optional | 2 req/s | Malware sample repository, hash lookup, YARA signature search |
| | None | 1 req/s | IP classification (benign/malicious), internet scanner detection |
| | Optional | 1 req/s | Indicator enrichment, risk scoring, linked IOC exploration |
| | | 1 req/s | Stealer log search by domain, email, or IP |
| | Optional | 1 req/s | Vulnerability/exploit database, CVE lookup, ExploitDB search |
| | None | 1 req/s | Bitcoin address lookup, balance, transaction details |
| | None | 1 req/s | Bitcoin address abuse/scam reports |
| | | 1 req/s | Malware sandbox detonation, MITRE ATT&CK mapping, sample feed |
| | None | 0.5 req/s | .onion address metadata, first/last seen, associated BTC addresses |
| | None | N/A | Exit node list, .onion fetching/scraping, Ahmia.fi search |
Architecture

```text
src/
  index.ts             # CLI entrypoint (--help, --list, --check-tor, stdio server)
  protocol/
    mcp-server.ts      # MCP server setup (stdio transport)
    tools.ts           # Tool registry — all 66 tools assembled here
  types/
    index.ts           # Shared types (ToolDef, ToolContext, ToolResult)
  utils/
    rate-limiter.ts    # Per-provider rate limiter
    cache.ts           # TTL cache for API responses
    tor-fetch.ts       # Tor SOCKS5 proxy HTTP client
    require-key.ts     # API key validation helper
  tor/                 # Tor Network tools (7)
  ransomware/          # Ransomware Intelligence tools (9)
  breach/              # HIBP Breach tools (7)
  abusech/             # ThreatFox + URLhaus + MalwareBazaar tools (9)
  otx/                 # AlienVault OTX tools (5)
  abuseipdb/           # AbuseIPDB tools (4)
  greynoise/           # GreyNoise Community tools (2)
  pulsedive/           # Pulsedive tools (3)
  hudsonrock/          # Hudson Rock stealer log tools (3)
  vulners/             # Vulners exploit tools (3)
  blockchain/          # Blockchain Intelligence tools (4)
  hybrid/              # Hybrid Analysis malware tools (3)
  onionlookup/         # CIRCL Onion Lookup tool (1)
  intelx/              # IntelligenceX tools (4)
  phishing/            # PhishTank tool (1)
  meta/                # Meta tools (1)
```

Design decisions:

- 16 providers, 1 server — Every data source is an independent module. The agent picks which tools to use based on the query.
- Per-provider rate limiters — Each data source has its own `RateLimiter` instance calibrated to that API's limits. No shared bottleneck.
- TTL caching — Ransomware data (15 min), breach lists (10 min), and abuse.ch (5 min) results are cached to avoid redundant API calls during multi-tool workflows.
- Graceful degradation — Missing API keys don't crash the server. Tools return descriptive error messages: "Set HIBP_API_KEY to enable breach account search."
- DNS leak prevention — Tor .onion tools use the `socks5h://` protocol to resolve DNS through Tor, preventing DNS leaks to the local resolver.
- 4 dependencies — `@modelcontextprotocol/sdk`, `zod`, `socks-proxy-agent`, and `cheerio`. All clearnet HTTP via native `fetch`. All Tor traffic via SOCKS5.
Limitations
- HIBP account/paste search requires a paid API key ($3.50/month)
- IntelligenceX, AbuseIPDB, Hudson Rock, and Hybrid Analysis require API keys for their tools
- Tor .onion tools require a running Tor SOCKS5 proxy (not bundled)
- abuse.ch free tier has lower rate limits without `ABUSECH_AUTH_KEY`
- Ransomware.live and RansomLook data depends on upstream scraping frequency
- Blockchain tools support Bitcoin only (no Ethereum/Monero)
- PhishTank database can lag behind real-time phishing campaigns
- macOS / Linux tested (Windows not tested)
Part of the MCP Security Suite
| Project | Domain | Tools |
| --- | --- | --- |
| | Browser-based security testing | 39 tools, Firefox, injection testing |
| | Cloud security (AWS/Azure/GCP) | 38 tools, 60+ checks |
| | GitHub security posture | 39 tools, 45 checks |
| | Vulnerability intelligence | 23 tools, 5 sources |
| | OSINT & reconnaissance | 37 tools, 12 sources |
| darknet-mcp-server | Dark web & threat intelligence | 66 tools, 16 sources |