Feeds API
The Feeds API provides daily batches of Cyber Threat Intelligence (CTI) information, including ransomware victims, detected Telegram channels, and cryptocurrency wallet addresses. These feeds are designed for continuous monitoring and integration with security systems.
Get Ransomware Feed
Section titled “Get Ransomware Feed”GET/api/v2/feed/ransomware
Daily feed of ransomware victims detected by Vysion. This feed provides structured information about companies that have been targeted by ransomware groups.
Parameters
Section titled “Parameters”| Name | Type | Required | Description |
|---|---|---|---|
batch | string | Yes | Date in YYYY-MM-DD format to retrieve the specific day’s feed |
page | integer | No | Page number for pagination |
page_size | integer | No | Number of results per page |
Examples
Section titled “Examples”curl "https://api.vysion.ai/api/v2/feed/ransomware?batch=2024-08-01" \ --header 'Accept: application/json' \ --header 'x-api-key: YOUR_API_KEY'import requests
headers = { 'Accept': 'application/json', 'x-api-key': 'YOUR_API_KEY'}
r = requests.get('https://api.vysion.ai/api/v2/feed/ransomware', params={ 'batch': '2024-08-01'}, headers=headers)
print(r.json())Response
Section titled “Response”{ "data": { "total": 15, "hits": [ { "id": "ransomware_123456", "companyName": "TechCorp Solutions", "companyLink": "https://techcorp.example.com", "url": "https://darkweb-site.onion/victims/techcorp", "ransomwareGroup": "lockbit", "detectionDate": "2024-08-01T14:30:22Z", "text": "TechCorp Solutions - Manufacturing company based in Germany. 500GB of confidential data including customer information, financial records...", "country": "DE", "naics": "31-33", "industry": "Manufacturing" }, { "id": "ransomware_123457", "companyName": "MedicalCenter Plus", "companyLink": "https://medcenter.example.com", "url": "https://darkweb-site.onion/victims/medcenter", "ransomwareGroup": "alphv", "detectionDate": "2024-08-01T16:45:12Z", "text": "MedicalCenter Plus - Healthcare provider compromised. Patient records and medical data exposed...", "country": "US", "naics": "62", "industry": "Healthcare" } ] }, "error": null}Get Telegram Feed
Section titled “Get Telegram Feed”GET/api/v2/feed/telegram
Daily feed of detected Telegram channels identified by Vysion. This feed helps monitor new threat actor communications and malicious channels.
Parameters
Section titled “Parameters”| Name | Type | Required | Description |
|---|---|---|---|
batch | string | Yes | Date in YYYY-MM-DD format to retrieve the specific day’s feed |
page | integer | No | Page number for pagination |
page_size | integer | No | Number of results per page |
Examples
Section titled “Examples”curl "https://api.vysion.ai/api/v2/feed/telegram?batch=2024-08-01" \ --header 'Accept: application/json' \ --header 'x-api-key: YOUR_API_KEY'import requests
headers = { 'Accept': 'application/json', 'x-api-key': 'YOUR_API_KEY'}
r = requests.get('https://api.vysion.ai/api/v2/feed/telegram', params={ 'batch': '2024-08-01'}, headers=headers)
print(r.json())Response
Section titled “Response”{ "data": { "total": 8, "hits": [ { "id": "telegram_feed_123456", "telegram": [ "t.me/suspicious_channel_001", "t.me/crypto_scam_group" ], "detectionDate": "2024-08-01T12:15:30Z", "url": "https://suspicious-site.onion/telegram-links", "path": "/telegram-channels", "network": "tor" }, { "id": "telegram_feed_123457", "telegram": [ "t.me/ransomware_news", "t.me/threat_intel" ], "detectionDate": "2024-08-01T18:22:45Z", "url": "https://threat-forum.onion/channels", "path": "/communication", "network": "tor" } ] }, "error": null}Get Wallets Feed
Section titled “Get Wallets Feed”GET/api/v2/feed/{platform}/wallets
Daily feed of cryptocurrency wallet addresses detected by Vysion. This feed helps track wallet addresses associated with malicious activities.
Parameters
Section titled “Parameters”| Name | Type | Required | Description |
|---|---|---|---|
platform | string | Yes | Platform name (telegram,discord or darknet) |
batch | string | Yes | Date in YYYY-MM-DD format to retrieve the specific day’s feed |
page | integer | No | Page number for pagination |
page_size | integer | No | Number of results per page |
Examples
Section titled “Examples”curl "https://api.vysion.ai/api/v2/feed/darknet/wallets?batch=2024-08-01" \ --header 'Accept: application/json' \ --header 'x-api-key: YOUR_API_KEY'import requests
headers = { 'Accept': 'application/json', 'x-api-key': 'YOUR_API_KEY'}
r = requests.get('https://api.vysion.ai/api/v2/feed/darknet/wallets', params={ 'batch': '2024-08-01'}, headers=headers)
print(r.json())Response
Section titled “Response”{ "data": { "total": 20, "hits": [ { "id": "wallet_feed_123456", "url": "https://ransomware-site.onion/payment", "detectionDate": "2024-08-01T22:48:08Z", "network": "tor", "title": "Payment Instructions - LockBit", "tag": ["ransomware", "payment"], "bitcoin_address": [ { "value": "bc1q026rl6hjkdywnsrtva26mq2w0avs9k850ew2d6" }, { "value": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa" } ] }, { "id": "wallet_feed_123457", "url": "https://crypto-scam.onion/invest", "detectionDate": "2024-08-01T17:16:42Z", "network": "tor", "title": "Investment Opportunity", "tag": ["scam", "investment"], "bitcoin_address": [ { "value": "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy" } ] } ] }, "error": null}Get Onions Feed
Section titled “Get Onions Feed”GET/api/v2/feed/{platform}/onion
Daily feed of “.onion” URLs detected by Vysion. This feed helps to obtain onions linked to malicious activity and/or containing recent activity.
Parameters
Section titled “Parameters”| Name | Type | Required | Description |
|---|---|---|---|
platform | string | Yes | Platform name (telegram,discord or darknet) |
batch | string | Yes | Date in YYYY-MM-DD format to retrieve the specific day’s feed |
page | integer | No | Page number for pagination |
page_size | integer | No | Number of results per page |
Examples
Section titled “Examples”curl "https://api.vysion.ai/api/v2/feed/darknet/onion?batch=2024-08-04" \ --header 'Accept: application/json' \ --header 'x-api-key: YOUR_API_KEY'import requests
headers = { 'Accept': 'application/json', 'x-api-key': 'YOUR_API_KEY'}
r = requests.get('https://api.vysion.ai/api/v2/feed/darknet/onion/batch=2024-08-04', params={ 'batch': '2024-08-01'}, headers=headers)
print(r.json())Response
Section titled “Response”{ "data": { "total": 20, "hits": [ { "id": "onion_feed_123456", "url": { "url": "http://abcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefab.onion", "networkProtocol": "http", "domainName": "abcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefab.onion", "port": 80, "path": "", "signature": "9eacm9a3-1b3c-1234-123a-b82212a0221f", "network": "tor" } "path": "/d/dts", "detectionDate": "2025-08-04T20:48:08Z", "tag": [], "network": "tor", }, { "id": "onion_feed_987654", "url": { "url": "http://zyxwvutsrqponmlkjihgfedcbaabcdefabcdefabcdefabcdefabcd.onion", "networkProtocol": "http", "domainName": "zyxwvutsrqponmlkjihgfedcbaabcdefabcdefabcdefabcdefabcd.onion", "port": 80, "path": "", "signature": "4fa12c7b-8d9e-4321-9abc-f1234567890a", "network": "tor" }, "path": "/x/y/test", "detectionDate": "2025-07-15T14:22:45Z", "tag": ["example"], "network": "tor" } ] }, "error": null}Response Schemas
Section titled “Response Schemas”Ransomware Feed Schema
Section titled “Ransomware Feed Schema”| Field | Type | Description |
|---|---|---|
id | string | Unique identifier for the victim entry |
companyName | string | Name of the targeted company |
companyLink | string | URL to the company’s official website |
url | string | URL where the victim information was found |
ransomwareGroup | string | Name of the ransomware group responsible |
detectionDate | string | When the victim was detected (ISO 8601) |
text | string | Extracted text about the victim |
country | string | Country code where the company is located |
naics | string | NAICS industry classification code |
industry | string | Human-readable industry classification |
Telegram Feed Schema
Section titled “Telegram Feed Schema”| Field | Type | Description |
|---|---|---|
id | string | Unique identifier for the feed entry |
telegram | array | List of detected Telegram channel/group links |
detectionDate | string | When the channels were detected (ISO 8601) |
url | string | Source URL where the Telegram links were found |
path | string | Path component of the source URL |
network | string | Network type (tor, clearnet) |
Wallets Feed Schema
Section titled “Wallets Feed Schema”| Field | Type | Description |
|---|---|---|
id | string | Unique identifier for the feed entry |
url | string | Source URL where the wallet addresses were found |
detectionDate | string | When the wallets were detected (ISO 8601) |
network | string | Network type (tor, clearnet) |
title | string | Title of the source page |
tag | array | Tags associated with the detection |
bitcoin_address | array | Detected Bitcoin addresses |
Address Object Schema
Section titled “Address Object Schema”Wallet addresses are returned as objects with a value field:
| Field | Type | Description |
|---|---|---|
value | string | The cryptocurrency address |
Onions Feed Schema
Section titled “Onions Feed Schema”| Field | Type | Description |
|---|---|---|
id | string | Unique identifier for the feed entry |
url | array | Source URL where the wallet addresses were found |
path | string | Path component of the source URL |
detectionDate | string | When the wallets were detected (ISO 8601) |
network | string | Network type (tor, clearnet) |
tag | array | Tags associated with the detection |
URL Object Schema
Section titled “URL Object Schema”URL objects are returned as objects with several fields:
| Field | Type | Description |
|---|---|---|
url | string | Source URL where the wallet addresses were found |
networkProtocol | string | The protocol used for URL connection |
domainName | string | Domain name obtained from the URL |
path | string | Path component of the source URL |
signature | string | Path component of the source URL |
network | string | Network type (tor, clearnet) |
Feed Usage Patterns
Section titled “Feed Usage Patterns”Daily Monitoring
Section titled “Daily Monitoring”import requestsfrom datetime import datetime, timedelta
# Get yesterday's feedsyesterday = (datetime.now() - timedelta(days=1)).strftime('%Y-%m-%d')
# Fetch all feed typesfeeds = ['ransomware', 'telegram', 'wallets']for feed_type in feeds: response = requests.get(f'https://api.vysion.ai/api/v2/feed/{feed_type}', params={'batch': yesterday}, headers={'x-api-key': 'YOUR_API_KEY'}) data = response.json() print(f"{feed_type} feed: {data['data']['total']} new entries")Pagination Example
Section titled “Pagination Example”import requests
def get_complete_feed(feed_type, batch_date, api_key): all_hits = [] page = 1 page_size = 100
while True: response = requests.get(f'https://api.vysion.ai/api/v2/feed/{feed_type}', params={ 'batch': batch_date, 'page': page, 'page_size': page_size }, headers={'x-api-key': api_key})
data = response.json() hits = data['data']['hits'] all_hits.extend(hits)
if len(hits) < page_size: break
page += 1
return all_hitsFeed Integration Best Practices
Section titled “Feed Integration Best Practices”1. Regular Polling
Section titled “1. Regular Polling”- Set up daily cron jobs to fetch new feed data
- Use the previous day’s date as the batch parameter
- Store feed data locally to avoid re-processing
2. Error Handling
Section titled “2. Error Handling”- Implement retry logic for failed requests
- Check for empty feeds (some days may have no new data)
- Monitor feed freshness and alert on missing batches
3. Data Processing
Section titled “3. Data Processing”- Deduplicate entries across feeds
- Enrich data with additional context from other APIs
- Correlate wallet addresses across different feed types
4. SIEM Integration
Section titled “4. SIEM Integration”- Format feed data for your SIEM system
- Create alerts for high-priority ransomware groups
- Track trends in victim industries and locations
Supported Networks
Section titled “Supported Networks”| Network | Description |
|---|---|
tor | Tor hidden services (.onion domains) |
clearnet | Regular internet domains |
Error Responses
Section titled “Error Responses”Feed endpoints may return these error codes:
| Status | Error Code | Description |
|---|---|---|
| 400 | Bad Request | Invalid batch date format |
| 401 | Unauthorized | Invalid or missing API key |
| 404 | Not Found | No data available for the specified batch date |
| 422 | Unprocessable Entity | Invalid parameters |
| 429 | Too Many Requests | Rate limit exceeded |
| 500 | Internal Server Error | Server error |
Data Retention
Section titled “Data Retention”- Feed data is typically available for the past 30 days
- Historical data beyond 30 days may require special access
- Contact support for bulk historical data requests