Shedding Light on the Darkode Forum | WhoisXML API

Threat Reports

Shedding Light on the Darkode Forum

The Darkode Forum, which started operating in 2007, was taken down through a global effort in 2015.1 But the community came back online in 2019.2

WhoisXML API threat researcher Dancho Danchev sought to find out if the DNS still has traces of Darkode. His deep dive, which began with five domains identified as indicators of compromise (IoCs), into the threat revealed:

  • 40+ IP address resolutions of the domains identified as IoCs obtained from DNS lookups
  • 30+ unredacted email addresses used to register the domains identified as IoCs from historical WHOIS records
  • 3600+ more domains that shared the IoCs’ registrant email addresses or IP addresses from reverse WHOIS and IP lookups

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1]
  • [2]
Try our WhoisXML API for free
Get started