Skip to main content
GET
/
service
/
v2
/
victims
/
{log_id}
Get Victim Manifest (File Tree)
curl --request GET \
  --url https://oathnet.org/api/service/v2/victims/{log_id} \
  --header 'x-api-key: <api-key>'
{
  "log_id": "<string>",
  "log_name": "<string>",
  "victim_tree": {
    "id": "<string>",
    "name": "<string>",
    "type": "file",
    "size_bytes": 123,
    "children": "<array>"
  },
  "_meta": {
    "user": {
      "plan": "Pro",
      "plan_type": "pro",
      "is_plan_active": true
    },
    "lookups": {
      "used_today": 5,
      "left_today": 995,
      "daily_limit": 1000,
      "is_unlimited": false
    },
    "service": {
      "name": "Service Name",
      "id": "service-id",
      "category": "general",
      "is_premium": false,
      "is_available": true,
      "session_quota": 10
    },
    "performance": {
      "duration_ms": 111.47,
      "timestamp": "2026-01-06T00:44:08.191547"
    }
  }
}

What is a Victim Manifest?

A victim manifest is the complete profile of an infected device, including:
  • System information (OS, hardware)
  • All files captured by the stealer
  • Credentials, cookies, tokens
  • Browser history and autofill data

Response Format

SDK Note: This endpoint returns an unwrapped response (log_id, system_info, files at root level) rather than wrapped in the standard {success, data} envelope. SDKs handle this automatically in v1.0.3+.

Understanding log_id

The log_id is a unique identifier for a specific victim’s stealer log. You get this from: 
# Get log_id from stealer search
results = search_stealer("user@email.com")
log_id = results["items"][0]["log_id"]

# Use log_id to get full manifest
manifest = requests.get(
    f"https://oathnet.org/api/service/v2/victims/{log_id}",
    headers={"x-api-key": API_KEY}
).json()

Manifest Contents

The manifest includes a file tree of everything captured (note: response is unwrapped): 
{
  "log_id": "abc123def456",
  "log_name": "victim_2024_01_15",
  "victim_tree": {
    "id": "root",
    "name": "/",
    "type": "directory",
    "children": [
      {
        "id": "dir_passwords",
        "name": "Passwords",
        "type": "directory",
        "children": [
          {
            "id": "f1",
            "name": "Chrome.txt",
            "type": "file",
            "size_bytes": 1024
          },
          {
            "id": "f2",
            "name": "Firefox.txt",
            "type": "file",
            "size_bytes": 512
          }
        ]
      },
      {
        "id": "dir_cookies",
        "name": "Cookies",
        "type": "directory",
        "children": [
          {
            "id": "f3",
            "name": "Discord.txt",
            "type": "file",
            "size_bytes": 2048
          }
        ]
      }
    ]
  }
}

Key Fields

FieldDescription
log_idUnique identifier for this victim log
log_nameHuman-readable name for the log
victim_treeHierarchical file tree structure
victim_tree.idUnique file/directory ID (use with file endpoint)
victim_tree.typeEither file or directory
victim_tree.size_bytesFile size in bytes (files only)
victim_tree.childrenChild nodes (directories only)

Accessing File Contents

Use the id from file nodes in the tree to get file contents: 
# Get specific file content (returns raw text, not JSON!)
file_content = requests.get(
    f"https://oathnet.org/api/service/v2/victims/{log_id}/files/{file_id}",
    headers={"x-api-key": API_KEY}
).text  # Note: .text not .json()
See Get File Content for details.

Authorizations

x-api-key
string
header
required

API key for authentication (lowercase header name)

Path Parameters

log_id
string
required

Response

Victim manifest

Note: This endpoint returns an unwrapped response (log_id, log_name, victim_tree at root level) rather than wrapped in the standard {success, data} envelope. SDKs handle this automatically.

log_id
string
log_name
string
victim_tree
object
_meta
object

Metadata included in all API responses