Search Stealer Logs (Legacy)

GET

service

search-stealer

Search Stealer Database (Legacy)

curl --request GET \
  --url https://oathnet.org/api/service/search-stealer \
  --header 'x-api-key: <api-key>'

{
  "success": true,
  "message": "Request completed successfully",
  "data": {
    "results": [
      {
        "id": "00022607410d8ec9",
        "LOG": "t-diddy@hotmail.com:password123",
        "email": [
          "t-diddy@hotmail.com"
        ],
        "_version_": 1846138226857738200
      },
      {
        "id": "03b4f7e0ae1e2fac",
        "LOG": "https://aurorafn.dev/signup:Diddy:diddyisdaddy1",
        "domain": [
          "aurorafn.dev"
        ],
        "path": [
          "/signup"
        ],
        "_version_": 1835054175050793000
      }
    ],
    "results_found": 500,
    "results_shown": 25,
    "nextCursorMark": "AoE..."
  }
}

What are Stealer Logs?

Stealer logs are data collected by information-stealing malware (infostealers) from infected computers. When a device gets infected, the malware captures:

Saved browser passwords and cookies
Autofill data (emails, addresses, payment info)
Discord tokens
Cryptocurrency wallet files
Screenshots
System information

LOG Format

Stealer logs typically store credentials in a LOG format - a plain text line containing the URL, username, and password separated by delimiters:

https://example.com|user@email.com|password123

Common separators used in stealer logs:

Pipe: |
Colon: :
Semicolon: ;
Tab: \t
Comma: ,

Example LOG entries:

https://facebook.com|john.doe@gmail.com|MyP@ssword!
https://twitter.com:johndoe:secret123
https://amazon.com;buyer@email.com;shopping2024

This is the legacy stealer search endpoint. For more advanced features including victim device information, use the V2 Stealer Search.

Smart Query Detection

The q parameter uses smart detection to automatically determine your query type:

user@example.com → searches as email
example.com → searches as domain
john_doe → searches as username

Authorizations

x-api-key

string

header

required

API key for authentication (lowercase header name)

Query Parameters

string

required

cursor

string

search_id

string

dbnames

string

Response

200 - application/json

Stealer search results

success

boolean

message

string

data

object

Show child attributes

V2 Stealer SearchCurrent stealer search surface for new integrations. Successful responses use the standard search envelope. The same route also accepts POST when you want to send `filter` or `filter_id` in the JSON request body instead of the query string.

Search Stealer Database (Legacy)

curl --request GET \
  --url https://oathnet.org/api/service/search-stealer \
  --header 'x-api-key: <api-key>'

{
  "success": true,
  "message": "Request completed successfully",
  "data": {
    "results": [
      {
        "id": "00022607410d8ec9",
        "LOG": "t-diddy@hotmail.com:password123",
        "email": [
          "t-diddy@hotmail.com"
        ],
        "_version_": 1846138226857738200
      },
      {
        "id": "03b4f7e0ae1e2fac",
        "LOG": "https://aurorafn.dev/signup:Diddy:diddyisdaddy1",
        "domain": [
          "aurorafn.dev"
        ],
        "path": [
          "/signup"
        ],
        "_version_": 1835054175050793000
      }
    ],
    "results_found": 500,
    "results_shown": 25,
    "nextCursorMark": "AoE..."
  }
}

​What are Stealer Logs?

​LOG Format

​Smart Query Detection

Authorizations

Query Parameters

Response

What are Stealer Logs?

LOG Format

Smart Query Detection