Skip to main content
GET
/
service
/
v2
/
victims
/
search
Search Victim Profiles
curl --request GET \
  --url https://oathnet.org/api/service/v2/victims/search \
  --header 'x-api-key: <api-key>'
{
  "items": [
    {
      "log_id": "<string>",
      "device_users": [
        "<string>"
      ],
      "hwids": [
        "<string>"
      ],
      "device_ips": [
        "<string>"
      ],
      "device_emails": [
        "<string>"
      ],
      "discord_ids": [
        "<string>"
      ],
      "total_docs": 123,
      "pwned_at": "2023-11-07T05:31:56Z",
      "indexed_at": "2023-11-07T05:31:56Z"
    }
  ],
  "meta": {
    "count": 123,
    "total": 123,
    "took_ms": 123,
    "has_more": true,
    "total_pages": 123,
    "max_score": 123
  },
  "next_cursor": "<string>",
  "_meta": {
    "user": {
      "plan": "Pro",
      "plan_type": "pro",
      "is_plan_active": true
    },
    "lookups": {
      "used_today": 5,
      "left_today": 995,
      "daily_limit": 1000,
      "is_unlimited": false
    },
    "service": {
      "name": "Service Name",
      "id": "service-id",
      "category": "general",
      "is_premium": false,
      "is_available": true,
      "session_quota": 10
    },
    "performance": {
      "duration_ms": 111.47,
      "timestamp": "2026-01-06T00:44:08.191547"
    }
  }
}
The Victims Search endpoint searches across victim device profiles rather than credentials. This is different from the regular stealer search.
FeatureStealer SearchVictims Search
SearchesCredentials (URLs, usernames, passwords)Device profiles (IPs, Discord IDs, emails on device)
Use caseFind credentials for an email/domainFind devices associated with an identifier
ReturnsIndividual credential recordsVictim device profiles

When to Use Each

Use Stealer Search (/service/v2/stealer/search) when:
  • Looking for credentials associated with an email
  • Searching for passwords on a specific domain
  • Finding leaked login data
Use Victims Search (/service/v2/victims/search) when:
  • Looking for infected devices by Discord ID
  • Finding devices by IP address
  • Searching for all devices where an email appeared
  • Investigating a specific victim’s profile

Response Format

SDK Note: This endpoint returns an unwrapped response (items, meta, next_cursor at root level) rather than wrapped in the standard {success, data} envelope. SDKs handle this automatically in v1.0.3+.

Smart Query Detection

Highlighted Feature: The q parameter automatically detects your query type!
OathNet automatically detects what you’re searching for:
Query FormatDetected Type
user@example.comEmail on device
192.168.1.1IP address of device
123456789012345678Discord ID on device
ABCD1234-5678Hardware ID (HWID)

Understanding Results

The response includes victim device profiles (note: response is unwrapped): 
{
  "items": [
    {
      "log_id": "abc123def456",
      "device_users": ["victim_user"],
      "hwids": ["ABCD-1234-5678"],
      "device_ips": ["192.168.1.1"],
      "device_emails": ["victim@email.com"],
      "discord_ids": ["123456789012345678"],
      "total_docs": 150,
      "pwned_at": "2024-01-15T10:30:00Z",
      "indexed_at": "2024-01-16T08:00:00Z"
    }
  ],
  "meta": {
    "total": 1,
    "count": 1,
    "has_more": false
  },
  "next_cursor": null
}

Key Fields

FieldDescription
log_idUnique identifier for this victim profile. Use with Manifest endpoint.
device_usersUsernames found on the device
hwidsHardware IDs of the device
device_ipsIP addresses of the infected device
device_emailsEmail addresses found on the device
discord_idsDiscord IDs found on the device
total_docsNumber of documents/files in the stealer log
pwned_atWhen the device was compromised
indexed_atWhen the log was indexed

Getting Full Victim Details

Once you have a log_id, use it to get the full victim manifest: 
# Step 1: Search for victims
victims = requests.get(
    "https://oathnet.org/api/service/v2/victims/search",
    params={"q": "123456789012345678"},  # Discord ID
    headers={"x-api-key": API_KEY}
).json()

# Step 2: Get full manifest for first result
if victims["items"]:
    log_id = victims["items"][0]["log_id"]
    manifest = requests.get(
        f"https://oathnet.org/api/service/v2/victims/{log_id}",
        headers={"x-api-key": API_KEY}
    ).json()

Authorizations

x-api-key
string
header
required

API key for authentication (lowercase header name)

Query Parameters

q
string
cursor
string
page_size
integer
default:25
sort
string
wildcard
boolean
log_id
string
from
string<date>
to
string<date>
total_docs_min
integer

Minimum document count in log

total_docs_max
integer

Maximum document count in log

email[]
string[]
ip[]
string[]
hwid[]
string[]

Hardware ID filter

discord_id[]
string[]
username[]
string[]

Device username filter

fields[]
string[]
search_id
string

Response

200 - application/json

Victim search results

Note: This endpoint returns an unwrapped response (items, meta, next_cursor at root level) rather than wrapped in the standard {success, data} envelope. SDKs handle this automatically.

items
object[]
meta
object
next_cursor
string
_meta
object

Metadata included in all API responses