Destroylist: Phishing & Scam Domain Blacklist
Quick Access
Live Statistics
| Primary | Primary Live | Community | Community Live |
|---|---|---|---|
 |
 |
 |
 |
| Today | Week | Month | |
|---|---|---|---|
| Primary |  |
 |
 |
| Community |  |
 |
 |
Data Feeds
| Feed | Description | Update | Download |
|---|---|---|---|
| Primary | Curated phishing domains | ⚡ Real-time |   |
| Primary Live | DNS verified active | 🕐 24h |  |
| Community | Aggregated from 35+ sources | 🕐 2h |  |
| Community Live | Community DNS verified | 🕐 24h |  |
| Primary Content | Curated + HTTP content verified | 🕐 12h |  |
| Community Content | Aggregated + HTTP content verified | 🕐 24h |  |
| Allowlist | False positive protection | ✋ Manual |  |
Tip
Production:
list.jsonoractive_domains.json· Max coverage:blocklist.json· Firewall/DNS: root lists
📁 All Download Formats (TXT, Hosts, AdBlock, Dnsmasq)
| Format | Primary | Primary Live | Community | Community Live |
|---|---|---|---|---|
| TXT | ⬇️ | ⬇️ | ⬇️ | ⬇️ |
| Hosts | ⬇️ | ⬇️ | ⬇️ | ⬇️ |
| AdBlock | ⬇️ | ⬇️ | ⬇️ | ⬇️ |
| Dnsmasq | ⬇️ | ⬇️ | ⬇️ | ⬇️ |
Hosts → Pi-hole, /etc/hosts, Windows · AdBlock → uBlock Origin, AdGuard · Dnsmasq → DNS server
Root Lists
Tip
Root domains only — no subdomains, hosting providers excluded
| All Roots | Live Only | |
|---|---|---|
| 🔴 Primary | active_root_domains.json |
online_root_domains.json |
| ⚫ Community | community_root_domains.json |
community_online_root_domains.json |
Content-Verified Feeds 
Note
Real HTTP content verification — not just DNS, but actual phishing page detection
| Feed | Description | ⏰ Update | Download |
|---|---|---|---|
| 💥 Primary Content | Curated phishing with verified active content | 12h (06:00 / 18:00 UTC) |
content_active.json |
| 🌐 Community Content | Aggregated feeds with verified active content | 24h (03:00 UTC) |
content_live.json |
Warning
Cloaking Alert: Scammers use cloaking to hide phishing from bots — showing blank/fake pages to scanners. Domain NOT in content list ≠ safe! Use Primary All or Community General for full protection.
Threat Intelligence API
Free, open, no API key. Real-time domain risk scoring (0-100) across 770K+ threats · Hourly sync · Single & bulk check (500/req) · Keyword search · Full feeds
📖 API Endpoints, Scoring & Integration Examples
Endpoints
| Method | Endpoint | Description |
|---|---|---|
GET |
/v1/check?domain= |
Single domain check with risk score & severity |
POST |
/v1/check/bulk |
Bulk check up to 500 domains per request |
GET |
/v1/search?q= |
Search blocklisted domains by keyword |
GET |
/v1/feed/{list} |
Download full domain feeds (primary, community, active) |
GET |
/v1/stats |
Live statistics & domain counts |
Threat Scoring
Every domain gets a risk score (0-100) based on multiple signals:
| Signal | Points | Description |
|---|---|---|
| Curated blocklist | +40 | In primary destroylist |
| Community reported | +20 | Reported by community sources |
| DNS active | +30 | Domain currently resolves |
| Multi-source | +10 | Confirmed by multiple feeds |
| Suspicious keywords | +5 each | metamask, wallet, airdrop, etc. |
| Risky TLD | +5 | .xyz, .top, .club, .icu, etc. |
🔴 Critical 70-100 · 🟠 High 40-69 · 🟡 Medium 20-39 · 🟢 Low 1-19
Quick Integration
cURL
curl "https://api.destroy.tools/v1/check?domain=suspicious-site.xyz"
Python
import requests
r = requests.get(f"https://api.destroy.tools/v1/check?domain={domain}")
if r.json()["threat"]:
print(f"BLOCKED: {r.json()['severity']} (score: {r.json()['risk_score']})")
JavaScript
const r = await fetch(`https://api.destroy.tools/v1/check?domain=${domain}`);
const data = await r.json();
if (data.threat) console.warn("PHISHING:", data.severity, data.risk_score);
Bulk Check
curl -X POST "https://api.destroy.tools/v1/check/bulk" \
-H "Content-Type: application/json" \
-d '{"domains":["site1.com","site2.xyz","site3.top"]}'
About Destroylist
Note
Live data collection began on July 1, 2025
Destroylist is a powerful tool against phishing and scams, powered by PhishDestroy. It provides reliable intel for:
- ✔️ Firewalls
- ✔️ DNS resolvers
- ✔️ Threat platforms
- ✔️ Security research
Protect the web, one domain at a time!
🔧 Quick Integration Examples (Python · Bash · DNS)
Python
import requests
blocklist = requests.get('https://raw.githubusercontent.com/phishdestroy/destroylist/main/list.json').json()
is_malicious = "suspicious-domain.com" in blocklist
Bash
curl -s https://raw.githubusercontent.com/phishdestroy/destroylist/main/list.txt | grep -q "suspicious-domain.com" && echo "BLOCKED"
DNS Blocklist (Pi-hole/AdGuard)
https://raw.githubusercontent.com/phishdestroy/destroylist/main/dns/active_domains.json
Threat Intelligence & Automated Remediation Workflow
| 🔍 DISCOVER | 📤 REPORT | ⚖️ LEGAL | 📡 PUBLISH |
|---|---|---|---|
| 30+ parsers | 50+ vendors | ICANN compliance | Real-time |
| CT logs, DNS | Google, Microsoft | Abuse notifications | GitHub, Telegram |
| Social media | VirusTotal, Cloudflare | Evidence packages | Twitter, Mastodon |
📖 Read Full Workflow Details
Phase 1: Pre-emptive Discovery & Ingestion
🔎 We utilize a distributed network of 30+ proprietary parsers to identify malicious domains at their earliest stage:
- Advanced Heuristics: Continuous monitoring of Google Ads (Malvertising), SEO-manipulated search results, and trending social media campaigns on Twitter (X), YouTube, and Telegram
- Infrastructure Analysis: Leveraging dnstwist and typosquatting detection to catch look-alike domains targeting established brands
- Community Intelligence: Real-time ingestion of community-reported threats via our Telegram Bot and partner intelligence feeds
📤 Phase 2: Global Ecosystem Contribution
Once a threat is confirmed, we submit data to over 50 industry-leading vendors:
Cloudflare Google Safe Browsing Microsoft Security VirusTotal
Netcraft ESET Bitdefender Norton Safe Web
Avira PhishTank Dr.Web Yandex Safe Browsing
URLScan.io PolySwarm SiteReview Urlquery
PhishStats PhishReport IsItPhish ThreatCenter
📝 Phase 3: Legal Notifications & Investigation Support
- Abuse Notifications: Formal alerts to domain registrars and hosting providers
- Forensic Evidence Disclosure: Complete evidence packages including metadata, screenshots, and PDF reports
- ICANN Compliance Support: Reports aligned with ICANN standards
- Conditional Re-Detection Logic: Follow-up alerts only if threat remains active beyond 24 hours
📢 Phase 4: Public Transparency & Community Alerts
- Open Database: Real-time commits to this GitHub repository
- Live Monitoring: Visual intelligence at phishdestroy.io/live
- Social Broadcasting: Automated alerts on Twitter, Telegram, and Mastodon
Key Info for Online Fraud Victims
Show details about complaints and transparency
💼 DestroyList aims to disable malicious domains: scams, phishing, and other illicit sites to enhance internet safety.
Before a domain is added, we:
🔍 Scan it across cybersecurity platforms for threat intelligence.
📥 Send an official complaint to the registrar and the hosting provider (via WHOIS), including scan results, screenshots, and a request for client investigation. The complaint also notifies them about inclusion in our public database.
🚔 According to ICANN rules, registrars must review such complaints within 24 hours.
🦖 We work hard to eliminate threats quickly. Every malicious domain is analyzed, documented, reported, and published transparently.
However, when a domain receives 10–30+ abuse reports and a registrar still ignores them for months, the situation changes: the registrar is no longer a passive party. It effectively provides infrastructure for illegal activity.
Some registrars behave as if their internal policies somehow override ICANN requirements and national laws — as if phishing and fraud are "allowed" as long as they personally decide not to act.
👮 We document this publicly so that anyone can see: threats persist not because they were unnoticed, but because the responsible providers simply chose to do nothing.
Requests from private individuals:
DestroyList is an open-source, non-commercial volunteer project.
Private individuals may request the number of abuse reports we have sent for a specific domain, but only through public channels:
- via GitHub issues
- via commit history: https://github.com/phishdestroy/destroylist/commits/main/
❗ We do not respond to private e-mail requests from individuals about report counts.
✔️ This is a legal requirement for transparency and equal access to information.
Official government or law-enforcement requests may be answered privately.
💔 If you were defrauded by a domain already listed here, check its addition date using the commit history or via our Telegram/Mastodon channels.
💬 If the fraud happened after the domain was already listed, the registrar's or host's delay may indicate they share responsibility for the loss. Future potential victims can also see this negligence documented publicly.
🔞 Registrars and hosts that tolerate scam operations may reasonably be expected to assist victims or their legal representatives.
Goals, Usage & Historical Vault
| ✔️ Network security | ✔️ Automation | ✔️ Threat research | ✔️ ML training |
|---|
| 🤖 | 🔬 | 📈 |
|---|---|---|
| AI Training | Research | Trend Analysis |
Important
Open collaboration = Stronger security. Let's team up!
Tip
📩 Historical Vault (500K+ domains, 5+ years archived): contact@phishdestroy.io
Appeals Process
Wrongly listed? Fix it fast:
 |
 |
|---|
- ✔️ Appeals Form — fastest option
- ✔️ GitHub Issue with proof
Accuracy first! 🔭
Connect With Us
📄 License
MIT — Free, open, yours to use!
Join the Fight!
Got ideas, sources, or improvements? We welcome:
- 💡 Detection algorithm tweaks
- 📢 Integration tips
- 🔍 Fresh threat intelligence
Drop an Issue or PR — let's crush phishing together! 💪