GET /service/v2/stealer/search
V2 Stealer Search
curl --request GET \
  --url https://oathnet.org/api/service/v2/stealer/search \
  --header 'x-api-key: <api-key>'
{
  "success": true,
  "message": "Request completed successfully",
  "data": {
    "items": [
      {
        "id": "doc_001_001",
        "log_id": "vic_001_irjay_za",
        "url": "https://accounts.google.com/signin",
        "domain": [
          "google.com"
        ],
        "subdomain": [
          "accounts.google.com"
        ],
        "path": [
          "/signin"
        ],
        "username": "[email protected]",
        "password": "SecretPass123",
        "pwned_at": "2024-03-15T10:30:00Z",
        "indexed_at": "2024-11-21T17:49:44Z"
      }
    ],
    "meta": {
      "count": 25,
      "total": 1234,
      "took_ms": 3,
      "has_more": true,
      "total_pages": 50,
      "max_score": 1
    },
    "next_cursor": "eyJsYXN0X2lkIjoiZG9jXzAwMV8wMDEifQ=="
  }
}

What are Stealer Logs?

Stealer logs are data collected by information-stealing malware (infostealers) from infected computers. When a device gets infected, the malware captures saved passwords, cookies, tokens, and other sensitive data.

LOG Format

Stealer logs store credentials in LOG format - plain text lines with URL, username, and password:
https://example.com|[email protected]|password123
Common separators: | (pipe), : (colon), ; (semicolon), , (comma)

Understanding the Response

Results with log_id

When results have a log_id, you can access the full victim profile:
{
  "items": [
    {
      "log_id": "abc123def456",
      "url": "https://facebook.com",
      "username": "[email protected]",
      "password": "***",
      "victim": {
        "country": "US",
        "ip": "192.168.1.1",
        "hwid": "ABC123..."
      }
    }
  ]
}
Use the log_id with the Victims Manifest endpoint to get full device information.

Results without log_id

Some results may only contain the raw LOG data without a linked victim profile:
{
  "items": [
    {
      "LOG": "https://facebook.com|[email protected]|p@ssword123",
      "url": "https://facebook.com",
      "username": "[email protected]"
    }
  ]
}
These are credential-only results parsed from stealer logs without full victim context.
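
For defenders consuming these results, the following added example (not part of the original page or of the service's own code) parses the LOG format described above and reduces both result shapes to records that can go into a reset ticket without the plaintext password. The function names, the `password_tag` field, the HMAC key, the `corp.example` domain, the sample items and the fixed separator priority (`|`, `;`, `,`, then `:`) are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

def parse_log_line(line):
    """Split one LOG line into (url, username, password)."""
    scheme, found, rest = line.strip().partition("://")
    if not found:                      # line has no scheme
        scheme, rest = "", scheme
    prefix = scheme + "://" if found else ""
    # Separators listed on the page; ':' goes last because URLs contain it.
    for sep in "|;,:":
        parts = rest.split(sep)
        # "host:8443/path:user:pass": re-attach the port to the host
        if sep == ":" and len(parts) > 3 and parts[1].split("/")[0].isdigit():
            parts[:2] = [parts[0] + ":" + parts[1]]
        if len(parts) >= 3:
            # Passwords may contain the separator, so keep the tail whole.
            return prefix + parts[0], parts[1], sep.join(parts[2:])
    raise ValueError("not a url/username/password line")

def to_exposure(item, key):
    """Reduce a result item (either shape) to a record without the plaintext."""
    url, user, pw = item.get("url"), item.get("username"), item.get("password")
    if "LOG" in item:                  # credential-only result
        url, user, pw = parse_log_line(item["LOG"])
    tag = hmac.new(key, pw.encode(), hashlib.sha256).hexdigest()[:16] if pw else None
    return {"host": urlsplit(url).hostname, "username": user,
            "log_id": item.get("log_id"), "password_tag": tag}

def accounts_to_reset(items, corp_domain, key):
    """Exposures whose username is a mailbox in corp_domain."""
    suffix = "@" + corp_domain.lower()
    records = [to_exposure(i, key) for i in items]
    return [r for r in records if (r["username"] or "").lower().endswith(suffix)]

# Constructed sample items in the two shapes shown on this page.
SAMPLE_ITEMS = [
    {"log_id": "abc123def456", "url": "https://facebook.com",
     "username": "alice@corp.example", "password": "***"},
    {"LOG": "https://portal.corp.example:8443/login:bob@corp.example:p:ss|1",
     "url": "https://portal.corp.example:8443/login", "username": "bob@corp.example"},
    {"LOG": "https://example.com|carol@other.example|password123",
     "url": "https://example.com", "username": "carol@other.example"},
]

if __name__ == "__main__":
    for rec in accounts_to_reset(SAMPLE_ITEMS, "corp.example", b"local-demo-key"):
        print(rec)
```

The keyed `password_tag` lets repeated exposures of the same password be matched across results while the plaintext stays out of tickets and logs.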

Smart Query Detection

Highlighted Feature: The q parameter automatically detects your query type - no need to specify it!
Query                 Detected As
[email protected]     Email search
example.com           Domain search
john_doe              Username search
123456789012345678    Discord ID search

Filtering Options

Filter results by domain to narrow down your search:
# Search for credentials on specific domains
GET /service/v2/stealer/search?q=[email protected]&domain[]=facebook.com&domain[]=instagram.com

Authorizations

x-api-key (string, header, required): API key for authentication (lowercase header name)

Query Parameters

q (string): Search query (optional if using filters)
cursor (string)
page_size (integer, default: 25): Required range: 1 <= x <= 100
sort (string): Sort field. Prefix with - for descending.
wildcard (boolean, default: false)
log_id (string): Filter to specific victim log ID
has_log_id (boolean): Only return results with associated logs
from (string<date>): Start date (ISO 8601)
to (string<date>): End date (ISO 8601)
domain[] (string[]): Filter by domain(s)
subdomain[] (string[])
username[] (string[])
password[] (string[])
path[] (string[])
fields[] (string[]): Select specific fields to return
search_id (string)

Response

200 - application/json: Stealer search results

success (boolean)
message (string)
data (object)