discovered 30 Mar 2026

destroylist

HTML ★ 910 via github-topic

AI Summary: Destroylist is a comprehensive phishing and scam domain blacklist that provides real-time threat intelligence to protect users globally. This tool maintains an extensive database of over 100,000 phishing domains and features active statistics on domain additions and removals, ensuring up-to-date protection against online threats. The repository supports community contributions, fostering collaborative efforts in enhancing online security.

README

Destroylist: Phishing & Scam Domain Blacklist

Destroyolist Illustration

Last Commit Stars

Quick Access

Live Statistics

Primary	Primary Live	Community	Community Live

Primary Content	Community Content

	Today	Week	Month
Primary
Community

Data Feeds

Feed	Description	Update
Primary	Curated phishing domains	⚡ Real-time
Primary Live	DNS verified active	🕐 24h
Community	Aggregated from 13+ sources	🕐 2h
Community Live	Community DNS verified	🕐 24h
Primary Content	Curated + HTTP content verified	🕐 12h
Community Content	Aggregated + HTTP content verified	🕐 24h
Allowlist	False positive protection	✋ Manual

[!TIP] Production: list.json or active_domains.json · Max coverage: blocklist.json · Firewall/DNS: root lists

📁 All Download Formats (TXT, Hosts, AdBlock, Dnsmasq, Unbound, RPZ)

Format	Primary	Primary Live	Community	Community Live
TXT	⬇️	⬇️	⬇️	⬇️
Hosts	⬇️	⬇️	⬇️	⬇️
AdBlock	⬇️	⬇️	⬇️	⬇️
Dnsmasq	⬇️	⬇️	⬇️	⬇️
Unbound	⬇️	⬇️	⬇️	⬇️
RPZ	⬇️	⬇️	⬇️	⬇️

Hosts → Pi-hole, /etc/hosts, Windows · AdBlock → uBlock Origin, AdGuard · Dnsmasq → dnsmasq DNS · Unbound → pfSense, OPNsense · RPZ → BIND, Knot DNS

Root Lists

[!TIP] Root domains only — no subdomains, hosting providers excluded

	All Roots	Live Only	Services Only
🔴 Primary	JSON · TXT	JSON · TXT	JSON · TXT
⚫ Community	JSON · TXT	JSON · TXT	JSON · TXT

All Roots — clean root domains (no infra) · Live Only — DNS-verified active · Services Only — hosting platform subdomains (Vercel, Pages.dev, Netlify, etc.)

Content-Verified Feeds

[!NOTE] Real HTTP content verification — not just DNS, but actual phishing page detection

Feed	Description	⏰ Update	Download
💥 Primary Content	Curated phishing with verified active content	`12h` (06:00 / 18:00 UTC)
🌐 Community Content	Aggregated feeds with verified active content	`24h` (03:00 UTC)

[!WARNING] Cloaking Alert: Scammers use cloaking to hide phishing from bots — showing blank/fake pages to scanners. Domain NOT in content list ≠ safe! Use Primary All or Community General for full protection.

Threat Intelligence API

API

Free, open, no API key. Real-time domain risk scoring (0-100) across 770K+ threats · Hourly sync · Single & bulk check (500/req) · Keyword search · Full feeds

📖 API Endpoints, Scoring & Integration Examples

Endpoints

Method	Endpoint	Description
`GET`	`/v1/check?domain=`	Single domain check with risk score & severity
`POST`	`/v1/check/bulk`	Bulk check up to 500 domains per request
`GET`	`/v1/search?q=`	Search blocklisted domains by keyword
`GET`	`/v1/feed/{list}`	Download full domain feeds (primary, community, active)
`GET`	`/v1/stats`	Live statistics & domain counts

Threat Scoring

Every domain gets a risk score (0-100) based on multiple signals:

Signal	Points	Description
Curated blocklist	+40	In primary destroylist
Community reported	+20	Reported by community sources
DNS active	+30	Domain currently resolves
Multi-source	+10	Confirmed by multiple feeds
Suspicious keywords	+5 each	metamask, wallet, airdrop, etc.
Risky TLD	+5	.xyz, .top, .club, .icu, etc.

🔴 Critical 70-100 · 🟠 High 40-69 · 🟡 Medium 20-39 · 🟢 Low 1-19

Quick Integration

cURL

curl "https://api.destroy.tools/v1/check?domain=suspicious-site.xyz"

Python

import requests
r = requests.get(f"https://api.destroy.tools/v1/check?domain={domain}")
if r.json()["threat"]:
    print(f"BLOCKED: {r.json()['severity']} (score: {r.json()['risk_score']})")

JavaScript

const r = await fetch(`https://api.destroy.tools/v1/check?domain=${domain}`);
const data = await r.json();
if (data.threat) console.warn("PHISHING:", data.severity, data.risk_score);

Bulk Check

curl -X POST "https://api.destroy.tools/v1/check/bulk" \
  -H "Content-Type: application/json" \
  -d '{"domains":["site1.com","site2.xyz","site3.top"]}'

About Destroylist

[!NOTE] Live data collection began on July 1, 2025

Destroylist is a powerful tool against phishing and scams, powered by PhishDestroy. It provides reliable intel for:

✔️ Firewalls
✔️ DNS resolvers
✔️ Threat platforms
✔️ Security research

Protect the web, one domain at a time!

🔧 Quick Integration Examples (Subscribe URLs · curl · Python · Bash)

Tool	Format	URL
Pi-hole	Hosts	`https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/hosts.txt`
AdGuard Home	AdBlock	`https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/adblock.txt`
uBlock Origin	AdBlock	`https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/adblock.txt`
pfSense / OPNsense (Unbound)	Unbound	`https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/unbound.conf`
BIND / Knot DNS (RPZ)	RPZ	`https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/rpz.zone`
Dnsmasq	Dnsmasq	`https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/dnsmasq.conf`

Pi-hole — Settings > Blocklists > paste the Hosts URL
AdGuard Home — Filters > DNS Blocklists > Add blocklist > paste the AdBlock URL
uBlock Origin — Settings > Filter lists > Import > paste the AdBlock URL
pfSense — Services > DNS Resolver > paste the Unbound URL
BIND/Knot — Add the RPZ URL as a response-policy zone

curl One-Liners

# Plain domain list
curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/domains.txt -o domains.txt

# Hosts format (Pi-hole, /etc/hosts)
curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/hosts.txt -o hosts_blocklist.txt

# AdBlock format (uBlock Origin, AdGuard)
curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/adblock.txt -o adblock.txt

# Dnsmasq
curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/dnsmasq.conf -o dnsmasq_blocklist.conf

# Unbound (pfSense / OPNsense)
curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/unbound.conf -o unbound_blocklist.conf

# RPZ (BIND / Knot)
curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/rpz.zone -o rpz_blocklist.zone

Python

import requests
blocklist = requests.get('https://raw.githubusercontent.com/phishdestroy/destroylist/main/list.json').json()
is_malicious = "suspicious-domain.com" in blocklist

Bash

curl -s https://raw.githubusercontent.com/phishdestroy/destroylist/main/list.txt | grep -q "suspicious-domain.com" && echo "BLOCKED"

Threat Intelligence & Automated Remediation Workflow

Workflow

🔍 DISCOVER	📤 REPORT	⚖️ LEGAL	📡 PUBLISH
30+ parsers	50+ vendors	ICANN compliance	Real-time
CT logs, DNS	Google, Microsoft	Abuse notifications	GitHub, Telegram
Social media	VirusTotal, Cloudflare	Evidence packages	Twitter, Mastodon

📖 Read Full Workflow Details

Phase 1: Pre-emptive Discovery & Ingestion

🔎 We utilize a distributed network of 30+ proprietary parsers to identify malicious domains at their earliest stage:

Advanced Heuristics: Continuous monitoring of Google Ads (Malvertising), SEO-manipulated search results, and trending social media campaigns on Twitter (X), YouTube, and Telegram
Infrastructure Analysis: Leveraging dnstwist and typosquatting detection to catch look-alike domains targeting established brands
Community Intelligence: Real-time ingestion of community-reported threats via our Telegram Bot and partner intelligence feeds

📤 Phase 2: Global Ecosystem Contribution

Once a threat is confirmed, we submit data to over 50 industry-leading vendors:

Cloudflare        Google Safe Browsing      Microsoft Security      VirusTotal
Netcraft          ESET                      Bitdefender             Norton Safe Web
Avira             PhishTank                 Dr.Web                  Yandex Safe Browsing
URLScan.io        PolySwarm                 SiteReview              Urlquery
PhishStats        PhishReport               IsItPhish               ThreatCenter

📝 Phase 3: Legal Notifications & Investigation Support

Abuse Notifications: Formal alerts to domain registrars and hosting providers
Forensic Evidence Disclosure: Complete evidence packages including metadata, screenshots, and PDF reports
ICANN Compliance Support: Reports aligned with ICANN standards
Conditional Re-Detection Logic: Follow-up alerts only if threat remains active beyond 24 hours

📢 Phase 4: Public Transparency & Community Alerts

Open Database: Real-time commits to this GitHub repository
Live Monitoring: Visual intelligence at phishdestroy.io/live
Social Broadcasting: Automated alerts on Twitter, Telegram, and Mastodon

Key Info for Online Fraud Victims

Abuse Process

Show details about complaints and transparency

💼 DestroyList aims to disable malicious domains: scams, phishing, and other illicit sites to enhance internet safety.

Before a domain is added, we:

🔍 Scan it across cybersecurity platforms for threat intelligence.

📥 Send an official complaint to the registrar and the hosting provider (via WHOIS), including scan results, screenshots, and a request for client investigation. The complaint also notifies them about inclusion in our public database.

🚔 According to ICANN rules, registrars must review such complaints within 24 hours.

🦖 We work hard to eliminate threats quickly. Every malicious domain is analyzed, documented, reported, and published transparently.

However, when a domain receives 10–30+ abuse reports and a registrar still ignores them for months, the situation changes: the registrar is no longer a passive party. It effectively provides infrastructure for illegal activity.

Some registrars behave as if their internal policies somehow override ICANN requirements and national laws — as if phishing and fraud are “allowed” as long as they personally decide not to act.

👮 We document this publicly so that anyone can see: threats persist not because they were unnoticed, but because the responsible providers simply chose to do nothing.

Requests from private individuals:

DestroyList is an open-source, non-commercial volunteer project.

Private individuals may request the number of abuse reports we have sent for a specific domain, but only through public channels:

via GitHub issues
via commit history: https://github.com/phishdestroy/destroylist/commits/main/

❗ We do not respond to private e-mail requests from individuals about report counts.

✔️ This is a legal requirement for transparency and equal access to information.

Official government or law-enforcement requests may be answered privately.

💔 If you were defrauded by a domain already listed here, check its addition date using the commit history or via our Telegram/Mastodon channels.

💬 If the fraud happened after the domain was already listed, the registrar’s or host’s delay may indicate they share responsibility for the loss. Future potential victims can also see this negligence documented publicly.

🔞 Registrars and hosts that tolerate scam operations may reasonably be expected to assist victims or their legal representatives.