Search Stealer Logs (Legacy)

GET

service

search-stealer

Search Stealer Database (Legacy)

curl --request GET \
  --url https://oathnet.org/api/service/search-stealer \
  --header 'x-api-key: <api-key>'

{
  "success": true,
  "message": "Request completed successfully",
  "data": {
    "results": [
      {
        "id": "00022607410d8ec9",
        "LOG": "[email protected]:password123",
        "email": [
          "[email protected]"
        ],
        "_version_": 1846138226857738200
      },
      {
        "id": "03b4f7e0ae1e2fac",
        "LOG": "https://aurorafn.dev/signup:Diddy:diddyisdaddy1",
        "domain": [
          "aurorafn.dev"
        ],
        "path": [
          "/signup"
        ],
        "_version_": 1835054175050793000
      }
    ],
    "results_found": 500,
    "results_shown": 25,
    "nextCursorMark": "AoE..."
  }
}

What are Stealer Logs?

Stealer logs are data collected by information-stealing malware (infostealers) from infected computers. When a device gets infected, the malware captures:

Saved browser passwords and cookies
Autofill data (emails, addresses, payment info)
Discord tokens
Cryptocurrency wallet files
Screenshots
System information

LOG Format

Stealer logs typically store credentials in a LOG format - a plain text line containing the URL, username, and password separated by delimiters:

https://example.com|[email protected]|password123

Common separators used in stealer logs:

Pipe: |
Colon: :
Semicolon: ;
Tab: \t
Comma: ,

Example LOG entries:

https://facebook.com|[email protected]|MyP@ssword!
https://twitter.com:johndoe:secret123
https://amazon.com;[email protected];shopping2024

This is the legacy stealer search endpoint. For more advanced features including victim device information, use the V2 Stealer Search.

Smart Query Detection

The q parameter uses smart detection to automatically determine your query type:

[email protected] → searches as email
example.com → searches as domain
john_doe → searches as username

Authorizations

x-api-key

string

header

required

API key for authentication (lowercase header name)

Query Parameters

string

required

cursor

string

search_id

string

dbnames

string

Response

200 - application/json

Stealer search results

success

boolean

message

string

data

object

Show child attributes

V2 Stealer SearchEnhanced stealer search with advanced filtering. Returns credential documents with associated victim log IDs. **Key differences from legacy:** - Uses `items` array instead of `results` - Includes `meta` object with pagination info - Supports array filters with `[]` suffix

⌘I

Search Stealer Database (Legacy)

curl --request GET \
  --url https://oathnet.org/api/service/search-stealer \
  --header 'x-api-key: <api-key>'

{
  "success": true,
  "message": "Request completed successfully",
  "data": {
    "results": [
      {
        "id": "00022607410d8ec9",
        "LOG": "[email protected]:password123",
        "email": [
          "[email protected]"
        ],
        "_version_": 1846138226857738200
      },
      {
        "id": "03b4f7e0ae1e2fac",
        "LOG": "https://aurorafn.dev/signup:Diddy:diddyisdaddy1",
        "domain": [
          "aurorafn.dev"
        ],
        "path": [
          "/signup"
        ],
        "_version_": 1835054175050793000
      }
    ],
    "results_found": 500,
    "results_shown": 25,
    "nextCursorMark": "AoE..."
  }
}

Overview

Search

Victims

File Search

Exports

OSINT Lookups

Discord

Gaming

Network & Email

Utility

Search Stealer Logs (Legacy)

What are Stealer Logs?

LOG Format

Smart Query Detection

Authorizations

Query Parameters

Response

Overview

Search

Victims

File Search

Exports

OSINT Lookups

Discord

Gaming

Network & Email

Utility

​What are Stealer Logs?

​LOG Format

​Smart Query Detection

Authorizations

Query Parameters

Response

What are Stealer Logs?

LOG Format

Smart Query Detection