Darkfield publishes the most recent ransomware leak-site disclosures as a free, public JSON feed. Each record links to its permanent dossier, so you can cite or deep-link any victim. It updates with the dataset and is CORS-open, so you can fetch it directly from the browser.
The feed
GET https://darkfield.orizon.one/feed.json
curl -s https://darkfield.orizon.one/feed.json | jq '.victims[0]'
Each victim object carries: victim, group, sector, country, discovered, published, status, and a permanent url.
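An added example, not Darkfield's own code: matching feed records against a watchlist of your own suppliers while treating the feed as untrusted input (every listed field must be present, and the dossier link must stay on the feed host). The top-level `victims` array comes from the jq command above; the sample values, string-typed fields, suffix list and function names are assumptions.

```python
import json
import re
from urllib.parse import urlsplit

FEED_HOST = "darkfield.orizon.one"                     # host named on the page
FIELDS = ("victim", "group", "sector", "country",      # fields listed on the page
          "discovered", "published", "status", "url")
SUFFIXES = {"gmbh", "inc", "ltd", "llc", "corp", "sa", "ag"}  # assumed suffix list

# Constructed sample shaped like the documented feed; every value and path is made up.
_BASE = {"group": "examplegroup", "sector": "Transportation", "country": "DE",
         "discovered": "2024-01-02", "published": "2024-01-02", "status": "claimed"}
SAMPLE = json.dumps({"victims": [
    {**_BASE, "victim": "Example Logistics GmbH", "url": f"https://{FEED_HOST}/placeholder-1"},
    {**_BASE, "victim": "Other Corp", "url": f"https://{FEED_HOST}/placeholder-2"},
    {**_BASE, "victim": "EXAMPLE LOGISTICS", "url": "https://lookalike.example/x"},  # off-host link
    {"victim": "Example Logistics"},                                              # fields missing
]})

def normalise(name):
    """Lower-case, drop punctuation and common legal suffixes so names compare cleanly."""
    words = re.sub(r"[^a-z0-9 ]+", " ", name.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)

def valid(rec):
    """Accept a record only if all documented fields are strings and url is https on FEED_HOST."""
    if not isinstance(rec, dict) or not all(isinstance(rec.get(f), str) for f in FIELDS):
        return False
    u = urlsplit(rec["url"])
    return u.scheme == "https" and u.hostname == FEED_HOST

def match_watchlist(feed_text, watchlist):
    """Return (hits, rejected_count): valid records whose victim matches a watched name."""
    wanted = {normalise(n) for n in watchlist}
    hits, rejected = [], 0
    for rec in json.loads(feed_text).get("victims", []):
        if not valid(rec):
            rejected += 1
        elif normalise(rec["victim"]) in wanted:
            hits.append(rec)
    return hits, rejected

if __name__ == "__main__":
    hits, rejected = match_watchlist(SAMPLE, ["Example Logistics"])
    for h in hits:
        print(f'{h["victim"]} claimed by {h["group"]} ({h["status"]}): {h["url"]}')
    print(f"{rejected} record(s) rejected by validation")
```

To run it on live data, pass the body returned by the curl command above as `feed_text`; a non-zero rejected count is worth alerting on, since it means the feed shape changed or a record failed the host check.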
Endpoints
All endpoints are free, CORS-open and need no key. JSON unless noted.
| Endpoint | Returns |
|---|---|
| /feed.json | Most recent victim disclosures |
| /feed.xml | Same, as an RSS 2.0 feed |
| /data/groups.json | Every tracked operator (slim) |
| /data/stats.json | Totals + top operators, sectors, countries |
| /data/group/<slug> | One operator + its recent victims |
| /data/group/<slug>/yara | Operator's YARA detection rules |
| /data/group/<slug>/mitre | Operator's MITRE ATT&CK mapping |
| /data/search.json?q=<term> | Search operators + victims |
| /data/export.csv | Bulk CSV export of victim disclosures |
| /data/stix2 | STIX 2 bundle for SIEM / threat-intel platforms |
| /data/certs.json | National CERT/CSIRT reporting contacts |
| /data/cert/<country> | One country's CERT contact |
| /data/wallet/<address> | Live on-chain enrichment for a wallet |
Full API
For groups, sectors, country breakdowns and historical queries, the full read API is documented in the interactive API reference. You can also browse the corpus directly: victims, operators, sectors, countries.
Use it in Claude, Cursor & other AI tools (MCP)
Darkfield ships an official Model Context Protocol server, so AI assistants can query live ransomware intelligence directly — “what has LockBit claimed recently?”, “show the latest disclosures”. Tools: search_ransomware, get_operator, list_operators, recent_disclosures, ransomware_stats. Setup for Claude Desktop and Cursor is in the mcp-server README.
Connectors & integrations
Because everything above is plain REST + JSON (and a STIX 2 bundle), it drops into the tools you already run — no custom plugin required:
- n8n / Zapier / Make — point an HTTP Request node at any endpoint (e.g. /data/search.json?q=) and build workflows.
- SIEM / SOAR — ingest /data/stix2 (STIX 2) or /feed.xml (RSS) into Splunk, Sentinel, OpenCTI, MISP, or any TAXII-aware platform.
- Maltego — wrap the endpoints as a local transform.
- Claude / Cursor — the MCP server (above).
- Spreadsheets / notebooks — /data/export.csv opens anywhere.
License & attribution
Free to use, including commercially, with attribution back to Darkfield. The data is a record of public operator claims, not verified breaches — please read the methodology before relying on it.
Frequently asked questions
- Is there a free ransomware data feed or API?
- Yes. Darkfield publishes a free, public JSON feed of the latest ransomware leak-site victim disclosures at https://darkfield.orizon.one/feed.json, plus a free REST API. The feed needs no signup or key and is CORS-open. Calling the wider API needs only a free Observer key (50 requests/day).
- Where can I get a list of ransomware groups and their victims?
- Darkfield tracks hundreds of ransomware operators and tens of thousands of leak-site victim disclosures. Browse them at https://darkfield.orizon.one/groups and https://darkfield.orizon.one/victims, or pull them programmatically via /data/groups.json and /feed.json. Every operator and victim has a permanent dossier URL.
- Can I use Darkfield's ransomware data in Claude or ChatGPT?
- Yes. Darkfield ships an official Model Context Protocol (MCP) server so assistants like Claude and Cursor can query live ransomware intelligence directly — for example 'what has LockBit claimed recently?'. Setup is in the mcp-server README at https://github.com/Orizon-eu/orizon-darkfield/tree/main/mcp-server. The plain REST/JSON API also works as a ChatGPT Action.
- Is the data free to use commercially?
- Yes — it is free to use, including commercially, with attribution back to Darkfield (https://darkfield.orizon.one). The data records public operator claims on leak sites, not independently verified breaches; read the methodology before relying on it.
- What formats are available?
- JSON (/feed.json and /data/* endpoints), RSS 2.0 (/feed.xml), bulk CSV (/data/export.csv), and a STIX 2 bundle (/data/stix2) for SIEM/SOAR and threat-intel platforms such as Splunk, Sentinel, OpenCTI, and MISP.

