Search Victims - OathNet API

GET

service

victims

Search Victim Profiles

curl --request GET \
  --url https://oathnet.org/api/service/v2/victims/search \
  --header 'x-api-key: <api-key>'

{
  "success": true,
  "message": "<string>",
  "data": {
    "items": [
      {
        "log_id": "<string>",
        "device_user_str": [
          "<string>"
        ],
        "hwids_str": [
          "<string>"
        ],
        "device_ips": [
          "<string>"
        ],
        "device_emails_str": [
          "<string>"
        ],
        "discord_ids": [
          "<string>"
        ],
        "total_docs": 123,
        "pwned_at": "2023-11-07T05:31:56Z",
        "indexed_at": "2023-11-07T05:31:56Z"
      }
    ],
    "meta": {
      "count": 123,
      "total": 123,
      "took_ms": 123,
      "has_more": true,
      "total_pages": 123,
      "max_score": 123,
      "filter_id": "0123456789abcdef01234567"
    },
    "next_cursor": "<string>"
  }
}

What is Victims Search?

Victims search returns compromised-device summaries rather than individual credential records. Each result is keyed by log_id, which you can use to fetch the manifest or inspect files. Use GET for normal query params. Use POST to the same route when you want to send { filter, filter_id } in the request body. See Structured Filters for a simpler step-by-step guide with examples for flat params, POST body mode, AI filters, and query_config.

Victims Search vs Stealer Search

Feature	Stealer Search	Victims Search
Primary record	Credential-style document	Device or log summary
Common pivots	domain, username, password, log_id	IP, HWID, device email, Discord ID, total docs
Next step	review the credential hit	fetch the manifest or files for that `log_id`

Response Format

Successful responses use the standard search envelope. The victim results live under data.items.

{
  "success": true,
  "message": "Request completed successfully",
  "data": {
    "items": [
      {
        "log_id": "abc123def456",
        "device_user_str": ["victim_user"],
        "hwids_str": ["ABCD-1234-5678"],
        "device_ips": ["192.168.1.1"],
        "device_emails_str": ["victim@example.com"],
        "discord_ids": ["123456789012345678"],
        "total_docs": 150,
        "pwned_at": "2024-01-15T10:30:00Z",
        "indexed_at": "2024-01-16T08:00:00Z"
      }
    ],
    "meta": {
      "count": 1,
      "total": 1,
      "took_ms": 4,
      "has_more": false,
      "total_pages": 1
    },
    "next_cursor": null
  }
}

Key Fields

Field	Description
`log_id`	Unique identifier for this victim profile
`device_user_str`	Usernames found on the device
`hwids_str`	Hardware identifiers found on the device
`device_ips`	Device IP addresses
`device_emails_str`	Email addresses present on the device
`discord_ids`	Discord IDs found on the device
`total_docs`	Number of files or documents in the log
`pwned_at`	When the device was compromised
`indexed_at`	When OathNet indexed the log

Next Step

Once you have a log_id, fetch the Victim Manifest to inspect the file tree, then request specific files or the archive as needed.

Authorizations

x-api-key

string

header

required

API key for authentication (lowercase header name)

Query Parameters

string

cursor

string

page_size

integer

sort

string

from

string<date-time>

date_field

enum<string>

Available options:

indexed_at,

pwned_at

wildcard

boolean

log_id

string

filter

string

JSON-encoded structured filter tree.

Use leaf nodes with field, operator, and value, or compound nodes with and / or. If you would rather send the filter as a real JSON object, use POST on the same /search route. See /guides/structured-filters for the full grammar, operators, limits, and examples.

filter_id

string

24-character transient filter context ID returned by POST /service/v2/ai/filter or a previous search response.

24-character transient filter context ID.

Pattern: ^[0-9a-fA-F]{24}$

Example:

"0123456789abcdef01234567"

total_docs_min

integer

total_docs_max

integer

email[]

string[]

ip[]

string[]

hwid[]

string[]

discord_id[]

string[]

username[]

string[]

fields[]

string

Response

200 - application/json

Victim search response

success

boolean

message

string

data

object

Show child attributes

Get Victim ManifestRetrieve the raw manifest for a victim log.

Search Victim Profiles

curl --request GET \
  --url https://oathnet.org/api/service/v2/victims/search \
  --header 'x-api-key: <api-key>'

{
  "success": true,
  "message": "<string>",
  "data": {
    "items": [
      {
        "log_id": "<string>",
        "device_user_str": [
          "<string>"
        ],
        "hwids_str": [
          "<string>"
        ],
        "device_ips": [
          "<string>"
        ],
        "device_emails_str": [
          "<string>"
        ],
        "discord_ids": [
          "<string>"
        ],
        "total_docs": 123,
        "pwned_at": "2023-11-07T05:31:56Z",
        "indexed_at": "2023-11-07T05:31:56Z"
      }
    ],
    "meta": {
      "count": 123,
      "total": 123,
      "took_ms": 123,
      "has_more": true,
      "total_pages": 123,
      "max_score": 123,
      "filter_id": "0123456789abcdef01234567"
    },
    "next_cursor": "<string>"
  }
}

​What is Victims Search?

​Victims Search vs Stealer Search

​Response Format

​Key Fields

​Next Step

Authorizations

Query Parameters

Response

What is Victims Search?

Victims Search vs Stealer Search

Response Format

Key Fields

Next Step