V2 Stealer Search - OathNet API

GET

service

stealer

Search Stealer Records

curl --request GET \
  --url https://oathnet.org/api/service/v2/stealer/search \
  --header 'x-api-key: <api-key>'

{
  "success": true,
  "message": "<string>",
  "data": {
    "items": [
      {
        "id": "<string>",
        "log_id": "<string>",
        "url_str": "<string>",
        "domain": [
          "<string>"
        ],
        "subdomain": [
          "<string>"
        ],
        "email_domains": [
          "<string>"
        ],
        "path": [
          "<string>"
        ],
        "username": "<string>",
        "password": "<string>",
        "email": [
          "<string>"
        ],
        "log": "<string>",
        "pwned_at": "2023-11-07T05:31:56Z",
        "indexed_at": "2023-11-07T05:31:56Z"
      }
    ],
    "meta": {
      "count": 123,
      "total": 123,
      "took_ms": 123,
      "has_more": true,
      "total_pages": 123,
      "max_score": 123,
      "filter_id": "0123456789abcdef01234567"
    },
    "next_cursor": "<string>"
  }
}

Overview

/service/v2/stealer/search is the current stealer search surface for new integrations. It supports the standard search envelope, cursor pagination, array filters, and optional POST-based filter payloads. Use GET for normal query params. Use POST to the same route when you want to send { filter, filter_id } in the request body. See Structured Filters for a simpler step-by-step guide with examples for flat params, POST body mode, AI filters, and query_config.

Response Shape

Successful responses are wrapped:

{
  "success": true,
  "message": "Request completed successfully",
  "data": {
    "items": [
      {
        "id": "doc_01",
        "log_id": "abc123def456",
        "url_str": "https://accounts.example.com/login",
        "domain": ["example.com"],
        "subdomain": ["accounts.example.com"],
        "email_domains": ["example.com"],
        "path": ["/login"],
        "username": "user@example.com",
        "password": "SecretPass123",
        "email": ["user@example.com"],
        "pwned_at": "2026-04-17T08:00:00Z",
        "indexed_at": "2026-04-18T08:00:00Z"
      }
    ],
    "meta": {
      "count": 1,
      "total": 1,
      "took_ms": 5,
      "has_more": false,
      "total_pages": 1
    },
    "next_cursor": null
  }
}

Smart Query Detection

The q parameter automatically detects common query types.

Query	Detected As
`user@example.com`	Email
`example.com`	Domain
`john_doe`	Username
`123456789012345678`	Discord ID

Notes

log_id lets you pivot from a credential hit into the related Victim Manifest.
Result objects are sparse. Do not assume every item includes every optional field.
The legacy log field can still appear on some results for compatibility.
Use from, to, and date_field when you need indexed-time monitoring or bounded investigations.

For subdomain extraction, see V2 Stealer Subdomain.

Authorizations

x-api-key

string

header

required

API key for authentication (lowercase header name)

Query Parameters

string

Search query

cursor

string

page_size

integer

sort

string

from

string<date-time>

date_field

enum<string>

Available options:

indexed_at,

pwned_at

log_id

string

has_log_id

boolean

wildcard

boolean

logic

enum<string>

Available options:

and,

or

filter

string

JSON-encoded structured filter tree.

Use leaf nodes with field, operator, and value, or compound nodes with and / or. If you would rather send the filter as a real JSON object, use POST on the same /search route. See /guides/structured-filters for the full grammar, operators, limits, and examples.

filter_id

string

24-character transient filter context ID returned by POST /service/v2/ai/filter or a previous search response.

24-character transient filter context ID.

Pattern: ^[0-9a-fA-F]{24}$

Example:

"0123456789abcdef01234567"

domain[]

string[]

subdomain[]

string[]

username[]

string[]

password[]

string[]

path[]

string[]

email[]

string[]

ip[]

string[]

hwid[]

string[]

discord_id[]

string[]

fields[]

string[]

Response field whitelist

search_id

string

Response

Stealer search response

success

boolean

message

string

data

object

Show child attributes

V2 Breach SearchCurrent breach search surface for new integrations. Supports flat filters plus structured `filter` and `filter_id` flows. The same route also accepts POST when you want to send `filter` or `filter_id` in the JSON request body instead of the query string.

Search Stealer Records

curl --request GET \
  --url https://oathnet.org/api/service/v2/stealer/search \
  --header 'x-api-key: <api-key>'

{
  "success": true,
  "message": "<string>",
  "data": {
    "items": [
      {
        "id": "<string>",
        "log_id": "<string>",
        "url_str": "<string>",
        "domain": [
          "<string>"
        ],
        "subdomain": [
          "<string>"
        ],
        "email_domains": [
          "<string>"
        ],
        "path": [
          "<string>"
        ],
        "username": "<string>",
        "password": "<string>",
        "email": [
          "<string>"
        ],
        "log": "<string>",
        "pwned_at": "2023-11-07T05:31:56Z",
        "indexed_at": "2023-11-07T05:31:56Z"
      }
    ],
    "meta": {
      "count": 123,
      "total": 123,
      "took_ms": 123,
      "has_more": true,
      "total_pages": 123,
      "max_score": 123,
      "filter_id": "0123456789abcdef01234567"
    },
    "next_cursor": "<string>"
  }
}

​Overview

​Response Shape

​Smart Query Detection

​Notes

Authorizations

Query Parameters

Response

Overview

Response Shape

Smart Query Detection

Notes