Skip to main content
GET
/
service
/
v2
/
victims
/
search
Search Victim Profiles
curl --request GET \
  --url https://oathnet.org/api/service/v2/victims/search \
  --header 'x-api-key: <api-key>'
{
  "success": true,
  "message": "<string>",
  "data": {
    "items": [
      {
        "log_id": "<string>",
        "device_user_str": [
          "<string>"
        ],
        "hwids_str": [
          "<string>"
        ],
        "device_ips": [
          "<string>"
        ],
        "device_emails_str": [
          "<string>"
        ],
        "discord_ids": [
          "<string>"
        ],
        "total_docs": 123,
        "pwned_at": "2023-11-07T05:31:56Z",
        "indexed_at": "2023-11-07T05:31:56Z"
      }
    ],
    "meta": {
      "count": 123,
      "total": 123,
      "took_ms": 123,
      "has_more": true,
      "total_pages": 123,
      "max_score": 123,
      "filter_id": "0123456789abcdef01234567"
    },
    "next_cursor": "<string>"
  }
}

Documentation Index

Fetch the complete documentation index at: https://docs.oathnet.org/llms.txt

Use this file to discover all available pages before exploring further.

Victims search returns compromised-device summaries rather than individual credential records. Each result is keyed by log_id, which you can use to fetch the manifest or inspect files. Use GET for normal query params. Use POST to the same route when you want to send { filter, filter_id } in the request body. See Structured Filters for a simpler step-by-step guide with examples for flat params, POST body mode, AI filters, and query_config.
FeatureStealer SearchVictims Search
Primary recordCredential-style documentDevice or log summary
Common pivotsdomain, username, password, log_idIP, HWID, device email, Discord ID, total docs
Next stepreview the credential hitfetch the manifest or files for that log_id

Response Format

Successful responses use the standard search envelope. The victim results live under data.items. 
{
  "success": true,
  "message": "Request completed successfully",
  "data": {
    "items": [
      {
        "log_id": "abc123def456",
        "device_user_str": ["victim_user"],
        "hwids_str": ["ABCD-1234-5678"],
        "device_ips": ["192.168.1.1"],
        "device_emails_str": ["victim@example.com"],
        "discord_ids": ["123456789012345678"],
        "total_docs": 150,
        "pwned_at": "2024-01-15T10:30:00Z",
        "indexed_at": "2024-01-16T08:00:00Z"
      }
    ],
    "meta": {
      "count": 1,
      "total": 1,
      "took_ms": 4,
      "has_more": false,
      "total_pages": 1
    },
    "next_cursor": null
  }
}

Key Fields

FieldDescription
log_idUnique identifier for this victim profile
device_user_strUsernames found on the device
hwids_strHardware identifiers found on the device
device_ipsDevice IP addresses
device_emails_strEmail addresses present on the device
discord_idsDiscord IDs found on the device
total_docsNumber of files or documents in the log
pwned_atWhen the device was compromised
indexed_atWhen OathNet indexed the log

Next Step

Once you have a log_id, fetch the Victim Manifest to inspect the file tree, then request specific files or the archive as needed.

Authorizations

x-api-key
string
header
required

API key for authentication (lowercase header name)

Query Parameters

q
string
cursor
string
page_size
integer
sort
string
from
string<date-time>
to
string<date-time>
date_field
enum<string>
Available options:
indexed_at,
pwned_at
wildcard
boolean
log_id
string
filter
string

JSON-encoded structured filter tree.

Use leaf nodes with field, operator, and value, or compound nodes with and / or. If you would rather send the filter as a real JSON object, use POST on the same /search route. See /guides/structured-filters for the full grammar, operators, limits, and examples.

filter_id
string

24-character transient filter context ID returned by POST /service/v2/ai/filter or a previous search response.

24-character transient filter context ID.

Pattern: ^[0-9a-fA-F]{24}$
Example:

"0123456789abcdef01234567"

total_docs_min
integer
total_docs_max
integer
email[]
string[]
ip[]
string[]
hwid[]
string[]
discord_id[]
string[]
username[]
string[]
fields[]
string

Response

200 - application/json

Victim search response

success
boolean
message
string
data
object