The Story
I have been writing about free security APIs all week. AbuseIPDB for IP reputation. VirusTotal for file scanning. Shodan for device search.
But one organization quietly runs five free APIs that together cover URL scanning, malware samples, IOC sharing, botnet tracking, and SSL blacklisting. All without an API key.
Meet abuse.ch — the Swiss non-profit that powers half the internet's threat intelligence.
The 5 Free APIs
1. URLhaus — Malicious URL Database
```python
import requests

# Check if a URL is listed as serving malware
r = requests.post("https://urlhaus-api.abuse.ch/v1/url/", data={"url": "http://suspicious-site.com"}, timeout=30)
print(r.json()["query_status"])  # 'no_results' = not listed in URLhaus (not proof the URL is clean)
```
300K+ malicious URLs indexed. No rate limits.
2. MalwareBazaar — Malware Sample Repository
```python
import requests

# Get recent malware samples
r = requests.post("https://mb-api.abuse.ch/api/v1/", data={"query": "get_recent", "selector": "25"}, timeout=30)
samples = r.json().get("data", [])
print(f"Latest samples: {len(samples)}")
```
1M+ malware samples. Used by AV companies worldwide.
3. ThreatFox — IOC Sharing Platform
```python
import requests

# Search for indicators of compromise
r = requests.post("https://threatfox-api.abuse.ch/api/v1/", json={"query": "get_iocs", "days": 7}, timeout=30)
iocs = r.json().get("data", [])
print(f"IOCs in last 7 days: {len(iocs)}")
```
IP addresses, domains, URLs associated with malware.
4. Feodo Tracker — Botnet C2 Server Tracking
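```python
import requests

# Get active botnet command & control servers
r = requests.get("https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt", timeout=30)
r.raise_for_status()  # do not count the lines of an error page as C2 servers
# splitlines() + strip() also handles CRLF line endings
c2_ips = [l.strip() for l in r.text.splitlines() if l.strip() and not l.startswith("#")]
print(f"Active C2 servers: {len(c2_ips)}")
```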
Tracks Dridex, Emotet, TrickBot, QakBot C2 infrastructure.
5. SSL Blacklist — Malicious SSL Certificates
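```python
import requests

# Get blacklisted SSL certificate fingerprints (SHA1), one CSV row per certificate.
# sslblacklist.csv is the fingerprint list; sslipblacklist.csv lists IP addresses instead.
r = requests.get("https://sslbl.abuse.ch/blacklist/sslblacklist.csv", timeout=30)
r.raise_for_status()
lines = [l for l in r.text.splitlines() if l.strip() and not l.startswith("#")]
print(f"Blacklisted certs: {len(lines)}")
```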
SSL certificates used by botnets and malware.
Why abuse.ch Is Special
| Feature | abuse.ch | VirusTotal | Shodan |
|---|---|---|---|
| API Key | Not needed | Required | Required |
| Rate Limits | None | 4/min | Varies |
| Cost | Free forever | Free (limited) | Free (limited) |
| Focus | Threat intel | File scanning | Device search |
| Data sharing | Open | Restricted | Restricted |
Build a Complete Threat Pipeline
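```python
import requests

class ThreatPipeline:
    TIMEOUT = 30  # seconds; requests waits indefinitely without one

    def check_url(self, url):  # URLhaus: look up one URL
        return requests.post("https://urlhaus-api.abuse.ch/v1/url/", data={"url": url}, timeout=self.TIMEOUT).json()

    def check_hash(self, sha256):  # MalwareBazaar: look up one sample by SHA256
        return requests.post("https://mb-api.abuse.ch/api/v1/", data={"query": "get_info", "hash": sha256}, timeout=self.TIMEOUT).json()

    def get_iocs(self, days=7):  # ThreatFox: IOCs from the last `days` days
        return requests.post("https://threatfox-api.abuse.ch/api/v1/", json={"query": "get_iocs", "days": days}, timeout=self.TIMEOUT).json()

    def get_c2_blocklist(self):  # Feodo Tracker: one IP per line, '#' lines are comments
        r = requests.get("https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt", timeout=self.TIMEOUT)
        return [l.strip() for l in r.text.splitlines() if l.strip() and not l.startswith("#")]

pipeline = ThreatPipeline()
```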
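An added example (not from the original post or from abuse.ch) of what to do with the list `get_c2_blocklist()` returns: validate every entry as an IP address, then match it against outbound connections in a firewall log. The blocklist text, the log lines and the five-field log format are constructed for illustration and use documentation-range addresses.

```python
import ipaddress

# Constructed sample in the blocklist layout: '#' comments, one IP per line.
SAMPLE_BLOCKLIST = """\
# Constructed sample, not real Feodo Tracker data
192.0.2.10
198.51.100.77\r
not-an-ip
"""

# Constructed firewall log (assumed format: timestamp action src dst dport).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ALLOW 10.0.0.5 203.0.113.9 443
2024-05-01T10:00:02Z ALLOW 10.0.0.8 192.0.2.10 443
2024-05-01T10:00:03Z DENY 10.0.0.8 198.51.100.77 8080
malformed line
"""


def parse_blocklist(text):
    """Return the set of valid IPs, skipping comments, blanks and junk lines."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # an error page or truncated download must not become a rule
    return ips


def find_c2_hits(log_text, blocklist):
    """Return (timestamp, action, src, dst) for each connection to a listed IP."""
    hits = []
    for line in log_text.splitlines():
        try:
            ts, action, src, dst, _port = line.split()
            listed = ipaddress.ip_address(dst) in blocklist
        except ValueError:  # wrong field count or unparsable destination
            continue
        if listed:
            hits.append((ts, action, src, dst))
    return hits


if __name__ == "__main__":
    print(find_c2_hits(SAMPLE_LOG, parse_blocklist(SAMPLE_BLOCKLIST)))
```

An `ALLOW` hit is the one to triage first: the internal source address completed a connection to a listed C2 server, while a `DENY` hit shows an attempt that was blocked.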
I maintain a full list of free security APIs at Free Security APIs and a Python toolkit at abuse.ch Toolkit.
Did you know about all 5 abuse.ch services? Which one is most useful for your work? I am building a complete threat intel pipeline — share what APIs you use!