About · by Orizon

A public window into the cybercrime ecosystem.

Darkfield turns the noise of leak sites, dark web markets and threat feeds into a structured, permanently-addressable record — free to read, no signup, no paywall on the data.

Darkfield is a continuously-updated observatory of the cybercrime ecosystem. It catalogs ransomware operators and the victims they name on their leak sites, alongside blacklisted cryptocurrency wallets, exposed credentials, emerging zero-days and the broader dark web and Telegram chatter that surrounds them. Every operator, victim and indicator lives on a permanent, citable URL.

It is built and operated by Orizon, a cybersecurity company. Darkfield is the public-facing observatory that sits on top of the same intelligence pipeline Orizon runs for its customers — opened up, deliberately, because a clearer public record of who is being attacked and by whom makes the whole ecosystem harder to operate in.

What we track

The corpus spans six interlocking surfaces, each with its own live index:

  • Ransomware operators — active and dormant groups, their aliases, leak-site history and target patterns.
  • Victim disclosures — organisations named on leak sites, with sector, country and disclosure timeline.
  • Sector and geographic breakdowns — who gets hit, and where.
  • Zero-days — active-exploitation radar drawn from CISA KEV, vendor advisories and public proof-of-concept drops.
  • Daily intelligence pulse — a written summary of what moved in the last 24 hours.

Our principles

Free and public. The observatory data is readable without an account. We believe the basic facts of who is being attacked should not sit behind a paywall.

Claims, not verdicts. A leak-site listing is an operator’s claim. We record and structure it; we do not treat it as a proven breach, and we never host or redistribute stolen data. Where we can corroborate or enrich a record, we say so.

Transparent by construction. Our methodology page documents exactly where the data comes from, how often it updates, and the limits of what it can tell you.

Corrections

If your organisation appears in the corpus and a record is wrong, or you represent a security team that needs something amended, write to [email protected]. We act on well-founded correction requests quickly.

Frequently asked questions

What is Darkfield?
Darkfield is a free, public observatory of the cybercrime ecosystem — ransomware operators, dark-web leak-site victim disclosures, exploited zero-day CVEs, and blacklisted cryptocurrency wallets. It tracks hundreds of ransomware groups and tens of thousands of victim disclosures on permanent, citable URLs. It is built and operated by Orizon (https://orizon.one).

Is Darkfield free?
Yes. Browsing the observatory is free with no account. The data feed and API are free to use, including commercially, with attribution; calling the wider API needs only a free Observer key (50 requests/day).

Where does Darkfield's data come from?
Primarily from monitoring ransomware operators' own .onion leak sites, supplemented by clearnet intelligence feeds. The data records public operator claims, not independently verified breaches — see the methodology at https://darkfield.orizon.one/methodology.

How is Darkfield different from a regular ransomware tracker?
Beyond browsable operator and victim dossiers, Darkfield exposes the full corpus through a free JSON feed, REST API, RSS, CSV, STIX 2, and an official MCP server, so the data is usable directly inside tools and AI assistants like Claude and ChatGPT.

Darkfield v0.50.0 BETA · operated by Orizon