HIBP, ThreatFox, ransomware tracking, Tor .onion access, blockchain intel, exploit search, stealer logs, malware analysis — unified into a single MCP server.
Your AI agent gets full-spectrum dark web intelligence on demand, not 16 browser tabs and manual correlation.
Dark web intelligence is the missing layer in every security investigation. Breach databases, ransomware trackers, Tor hidden services, malware sandboxes, stealer logs, blockchain forensics, exploit databases — the data you need is scattered across dozens of platforms, each with its own API, its own auth, its own rate limits, its own output format. Today you check HIBP in one tab, ThreatFox in another, browse ransomware leak sites through Tor, pull up MalwareBazaar for a hash, check blockchain transactions on a block explorer, and then spend an hour manually piecing it all together.
Traditional dark web intel workflow:
check breach exposure -> HIBP web interface (paid API)
search leaked credentials -> IntelligenceX web interface
track ransomware groups -> ransomware.live + ransomlook.io (2 separate UIs)
access .onion hidden services -> Tor Browser manually
analyze malware samples -> Hybrid Analysis + MalwareBazaar (2 more UIs)
check IP abuse history -> AbuseIPDB + GreyNoise (2 more UIs)
trace cryptocurrency -> blockchain.info + ChainAbuse
search for exploits -> Vulners web interface
check phishing URLs -> PhishTank web interface
correlate everything -> copy-paste into a report
────────────────────────────────
Total: 60+ minutes per investigation, most of it switching contexts
darknet-mcp-server gives your AI agent 66 tools across 16 data sources via the Model Context Protocol. The agent queries all sources in parallel, correlates data across the surface and dark web, identifies threats, and presents a unified intelligence picture — in a single conversation.
With darknet-mcp-server:
You: "Investigate the breach exposure and threat landscape for target.com"
Agent: -> HIBP: 3 known breaches (Adobe 2013, LinkedIn 2021, Collection #1)
-> ThreatFox: 2 IOCs associated with domain (C2 callback, phishing)
-> URLhaus: 1 malicious URL hosted on subdomain
-> Ransomware: No victim listings found (good)
-> Stealer logs: 47 compromised employee credentials found
-> OTX: 5 threat pulses referencing the domain
-> AbuseIPDB: Primary IP has 12 abuse reports (brute force)
-> "target.com has been in 3 data breaches exposing 2.1M records.
47 employee credentials found in stealer logs — immediate
password reset recommended. 2 active ThreatFox IOCs suggest
ongoing targeting. No ransomware listings, but the abuse
reports on the primary IP warrant investigation."
How It's Different
Existing tools give you raw data one source at a time. darknet-mcp-server gives your AI agent the ability to reason across surface web and dark web intelligence simultaneously.
All API keys are optional. Without them, you still get ransomware tracking, breach listings, GreyNoise, blockchain intelligence, OTX, Tor exit node checks, onion search, CIRCL onion lookup, and more.
Connect to your AI agent
Claude Code
# With npx
claude mcp add darknet-mcp-server -- npx darknet-mcp-server
# With local clone
claude mcp add darknet-mcp-server -- bun run /path/to/darknet-mcp-server/src/index.ts
Claude Desktop
Add the server to ~/Library/Application Support/Claude/claude_desktop_config.json. Other MCP clients use the same JSON config format: point the command at npx darknet-mcp-server, or at your local installation path when running from a clone.
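An example config entry, added here and not copied from the project's README, using the standard Claude Desktop mcpServers layout. The env block is optional; HIBP_API_KEY and ABUSECH_AUTH_KEY are the variable names this page mentions, and the placeholder values are assumptions to be replaced with your own keys (or the whole env block dropped to run with the keyless sources only):

```json
{
  "mcpServers": {
    "darknet-mcp-server": {
      "command": "npx",
      "args": ["darknet-mcp-server"],
      "env": {
        "HIBP_API_KEY": "replace-with-your-hibp-key",
        "ABUSECH_AUTH_KEY": "replace-with-your-abusech-key"
      }
    }
  }
}
```

For a local clone, set "command" to "bun" and "args" to ["run", "/path/to/darknet-mcp-server/src/index.ts"], mirroring the claude mcp add invocation above. On Windows the file lives at %APPDATA%\Claude\claude_desktop_config.json. Restart Claude Desktop after editing; keys set here are passed to the server process only, not to the conversation.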
Tor setup (optional, for .onion access)
Of the 7 Tor tools, the ones that touch hidden services (tor_fetch_onion, tor_scrape_onion; tor_status reports on the daemon itself) require a running Tor SOCKS5 proxy on the default port 9050. The exit-node tools read the Tor Project's published exit list over the clearnet and work without a local daemon.
# macOS
brew install tor && brew services start tor
# Linux
sudo apt install tor && sudo systemctl start tor
# Docker
docker run -d -p 9050:9050 dperson/torproxy
# Verify connectivity
npx darknet-mcp-server --check-tor
Start querying
You: "Check if example.com has been in any data breaches and look for stealer logs"
That's it. The agent handles breach lookups, credential searches, threat correlation, and more automatically.
What The AI Can Do
Breach Investigation
You: "Check if example.com has been in any data breaches"
Agent: -> breachList {domain: "example.com"}
-> breachSearch {account: "admin@example.com"}
-> stealer_domain {domain: "example.com"}
-> intelx_search {term: "example.com"}
-> "example.com appears in 5 known breaches:
- ExampleDB 2023: 4.2M records (emails, passwords, IPs)
- Collection #1: credential stuffing list
- Combolist 2024: 890K email:password pairs
Stealer logs: 23 compromised machines with saved credentials
for example.com found in Hudson Rock database.
IntelligenceX: 47 results across paste sites and dark web."
Ransomware Tracking
You: "What ransomware groups are targeting healthcare?"
Agent: -> ransomwareBySector {sector: "healthcare"}
-> ransomwareRecent {}
-> ransomlookRecent {}
-> "Healthcare sector ransomware activity:
142 victims across 12 groups in the last 12 months.
Top groups: LockBit3 (38 victims), BlackCat/ALPHV (24),
Cl0p (19), Royal (15).
Most recent: MedCorp Inc. listed by LockBit3 (2 days ago).
3 new healthcare victims in the last week across
ransomware.live and RansomLook feeds."
Dark Web Recon
You: "Search for mentions of our company on .onion sites"
Agent: -> tor_search_onion {query: "AcmeCorp"}
-> intelx_search {term: "acmecorp.com"}
-> onion_lookup {address: "relevant-onion-address.onion"}
-> "Dark web search results for AcmeCorp:
Ahmia.fi: 3 .onion pages mention AcmeCorp
- Forum post discussing AcmeCorp employee list (leak forum)
- Marketplace listing for AcmeCorp database (unverified)
- Blog post referencing AcmeCorp breach
IntelligenceX: 12 results on paste sites
Recommendation: investigate the forum post and marketplace
listing for potential active data sales."
Malware Analysis
You: "Analyze this file hash for malware indicators: abc123def456..."
Agent: -> malware_search {hash: "abc123def456..."}
-> malware_overview {sha256: "abc123def456..."}
-> bazaarHash {hash: "abc123def456..."}
-> threatfoxSearch {searchTerm: "abc123def456..."}
-> otx_hash {hash: "abc123def456..."}
-> "Malware analysis for abc123def456:
Hybrid Analysis: MALICIOUS (threat score 95/100)
- Family: AgentTesla (info stealer)
- MITRE ATT&CK: T1555 (Credential Access), T1071 (C2)
- Network IOCs: 3 C2 domains, 2 IPs
MalwareBazaar: First seen 2024-03-15, tagged 'AgentTesla'
ThreatFox: 2 IOC entries linking to same campaign
OTX: Referenced in 4 threat pulses"
Tools Reference (66 tools)
Tor Network (7) — No API key (Tor daemon required for .onion tools)
| Tool | Description |
|---|---|
| tor_status | Check if the local Tor SOCKS5 proxy daemon is running and accessible |
| tor_fetch_onion | Fetch raw HTML from a .onion URL via Tor SOCKS5 proxy (DNS leak prevention via socks5h) |
| tor_scrape_onion | Fetch and parse a .onion site; returns structured data: title, links, body text |
| tor_search_onion | Search for .onion sites using the Ahmia.fi search engine |
| tor_exit_nodes | Get current Tor exit node IP addresses from the official Tor Project bulk exit list |
| tor_exit_check | Check if a specific IP address is a known Tor exit node |
| tor_exit_details | Get detailed Tor exit node information including fingerprints and publish timestamps |
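The socks5h note on tor_fetch_onion is the part of this table worth a second look. With a plain socks5:// proxy URL the client resolves the hostname locally before opening the tunnel, so the .onion name (which no public resolver can answer) goes to your local DNS and leaks the fact that you looked it up; with socks5h:// the name travels inside the SOCKS request and Tor resolves it. The pre-flight check below is an added example written for this page, not code from darknet-mcp-server; the function names, the v3-address regex and the local-proxy default are assumptions. It validates a target/proxy pair before any request is made and refuses the combinations that would leak:

```typescript
// Added example, not darknet-mcp-server's code.
// Pre-flight validation for a .onion fetch: enforce socks5h resolution,
// a v3 onion address and (by default) a loopback proxy.

export interface OnionPlan {
  target: URL;
  proxy: URL;
}

// v3 onion: 56 base32 chars + ".onion", optionally under extra labels
// (v2 addresses were retired by the Tor network in 2021).
const ONION_V3 = /^(?:[a-z0-9-]+\.)*[a-z2-7]{56}\.onion$/;

export function isOnionHost(hostname: string): boolean {
  return hostname.toLowerCase().endsWith(".onion");
}

// Throws on anything that would leak or cannot work; returns the plan otherwise.
export function planOnionFetch(
  targetUrl: string,
  proxyUrl: string,
  allowRemoteProxy = false, // assumption: loopback only unless opted in
): OnionPlan {
  const target = new URL(targetUrl);
  const proxy = new URL(proxyUrl); // WHATWG URL parses socks5h://host:port fine

  if (target.protocol !== "http:" && target.protocol !== "https:") {
    throw new Error(`unsupported target scheme ${target.protocol}`);
  }
  if (!isOnionHost(target.hostname)) {
    throw new Error(`${target.hostname} is not a .onion host; use the clearnet path`);
  }
  if (!ONION_V3.test(target.hostname.toLowerCase())) {
    throw new Error(`${target.hostname} is not a valid v3 onion address`);
  }
  // The security-relevant check: socks5:// resolves locally and leaks the name.
  if (proxy.protocol !== "socks5h:") {
    throw new Error(
      `proxy scheme must be socks5h: so the hostname resolves inside Tor (got ${proxy.protocol})`,
    );
  }
  const local = proxy.hostname === "127.0.0.1" || proxy.hostname === "localhost" || proxy.hostname === "[::1]";
  if (!local && !allowRemoteProxy) {
    throw new Error(`refusing to send .onion traffic to non-local proxy ${proxy.hostname}`);
  }
  if (proxy.port === "") {
    throw new Error("proxy URL must carry an explicit port (Tor's default is 9050)");
  }
  return { target, proxy };
}
```

Once a plan passes, the proxy URL can be handed to socks-proxy-agent as-is (it accepts a socks5h:// URL string), which is the same mechanism the server's dependency list implies. Keeping the check separate from the fetch means a misconfigured DARKNET proxy setting fails loudly before the first packet instead of silently leaking a lookup.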
Ransomware Intelligence (9) — No API key
| Tool | Description |
|---|---|
| ransomwareRecent | Fetch the most recent ransomware victims from ransomware.live |
| ransomwareGroups | List all known ransomware groups tracked by ransomware.live |
| ransomwareGroup | Get a detailed profile for a specific ransomware group by name |
| ransomwareGroupVictims | Get all victims claimed by a specific ransomware group |
| ransomwareSearch | Search ransomware victims by keyword (company name, domain, etc.) |
| ransomwareByCountry | Get ransomware victims filtered by ISO 3166-1 alpha-2 country code |
| ransomwareBySector | Get ransomware victims filtered by sector/industry (healthcare, finance, etc.) |
| ransomlookGroups | List all 582+ ransomware groups tracked by RansomLook |
| ransomlookRecent | Fetch the most recent ransomware posts and victim claims from RansomLook |
16 providers, 1 server — Every data source is an independent module. The agent picks which tools to use based on the query.
Per-provider rate limiters — Each data source has its own RateLimiter instance calibrated to that API's limits. No shared bottleneck.
TTL caching — Ransomware data (15 min), breach lists (10 min) and abuse.ch results (5 min) are cached so that multi-tool workflows hitting the same indicator twice do not spend a second upstream call.
Graceful degradation — Missing API keys don't crash the server. Tools return descriptive error messages: "Set HIBP_API_KEY to enable breach account search."
DNS leak prevention — Tor .onion tools use socks5h:// protocol to resolve DNS through Tor, preventing DNS leaks to the local resolver.
4 dependencies — @modelcontextprotocol/sdk, zod, socks-proxy-agent, and cheerio. All clearnet HTTP via native fetch. All Tor traffic via SOCKS5.
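The two mechanisms in the per-provider rate limiter and TTL caching notes above are simple enough to show end to end. The block below is an added example in the project's language, not the server's own RateLimiter or cache code; the token-bucket shape, the class names, the 15-minute TTL (taken from the note) and the burst/rate numbers are assumptions. It uses an injectable clock so the behaviour can be exercised without waiting or touching the network:

```typescript
// Added example, not darknet-mcp-server's code: per-provider token bucket
// plus TTL cache, wired so one exhausted source never blocks another.

type Clock = () => number; // milliseconds

export class RateLimiter {
  private tokens: number;
  private last: number;
  constructor(
    private readonly capacity: number,     // burst size
    private readonly refillPerSec: number, // sustained rate
    private readonly now: Clock = Date.now,
  ) {
    this.tokens = capacity;
    this.last = now();
  }
  private refill(): void {
    const t = this.now();
    this.tokens = Math.min(this.capacity, this.tokens + ((t - this.last) / 1000) * this.refillPerSec);
    this.last = t;
  }
  // 0 if a token was taken, otherwise milliseconds to wait before retrying.
  tryAcquire(): number {
    this.refill();
    if (this.tokens >= 1) { this.tokens -= 1; return 0; }
    return Math.ceil(((1 - this.tokens) / this.refillPerSec) * 1000);
  }
}

export class TtlCache<V> {
  private readonly store = new Map<string, { value: V; expires: number }>();
  constructor(private readonly ttlMs: number, private readonly now: Clock = Date.now) {}
  get(key: string): V | undefined {
    const e = this.store.get(key);
    if (!e) return undefined;
    if (e.expires <= this.now()) { this.store.delete(key); return undefined; }
    return e.value;
  }
  set(key: string, value: V): void {
    this.store.set(key, { value, expires: this.now() + this.ttlMs });
  }
}

export interface QueryResult<V> { value?: V; retryAfterMs?: number; cached: boolean }

// Each provider owns its own limiter and cache (no shared bottleneck).
export class Provider<V> {
  readonly upstreamCalls: string[] = []; // queries that actually reached the source
  constructor(
    readonly name: string,
    private readonly limiter: RateLimiter,
    private readonly cache: TtlCache<V>,
    private readonly upstream: (q: string) => V,
  ) {}
  query(q: string): QueryResult<V> {
    const hit = this.cache.get(q);
    if (hit !== undefined) return { value: hit, cached: true }; // no token spent
    const wait = this.limiter.tryAcquire();
    if (wait > 0) return { retryAfterMs: wait, cached: false };
    const value = this.upstream(q);
    this.upstreamCalls.push(q);
    this.cache.set(q, value);
    return { value, cached: false };
  }
}

// Walk-through with a fake clock and a constructed upstream (no network).
export function demo(): { upstreamCalls: number; secondCached: boolean; fourthRetryAfterMs: number; fifthCached: boolean } {
  let t = 0;
  const clock = () => t;
  const ransomware = new Provider<string>(
    "ransomware.live",                             // assumed limit: burst 2, 1 req/s
    new RateLimiter(2, 1, clock),
    new TtlCache<string>(15 * 60 * 1000, clock),  // 15 min TTL, as the note states
    (q) => `victims matching ${q}`,
  );
  ransomware.query("healthcare");                  // upstream call, 1 token left
  const second = ransomware.query("healthcare");   // cache hit
  ransomware.query("finance");                     // upstream call, bucket empty
  const fourth = ransomware.query("retail");       // rate limited, retry in 1000 ms
  t += 15 * 60 * 1000 + 1;                         // TTL elapsed, bucket refilled
  const fifth = ransomware.query("healthcare");    // refetched from upstream
  return {
    upstreamCalls: ransomware.upstreamCalls.length,
    secondCached: second.cached,
    fourthRetryAfterMs: fourth.retryAfterMs ?? 0,
    fifthCached: fifth.cached,
  };
}
```

The ordering inside query matters: the cache is consulted before the limiter, so a repeated indicator costs nothing against the upstream budget, and a rate-limited call returns a retry hint rather than throwing, which is what lets an agent that fans out across 16 sources keep the other 15 answers instead of failing the whole correlation.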
Limitations
HIBP account/paste search requires a paid API key ($3.50/month)
IntelligenceX, AbuseIPDB, Hudson Rock, and Hybrid Analysis require API keys for their tools
Tor .onion tools require a running Tor SOCKS5 proxy (not bundled)
abuse.ch free tier has lower rate limits without ABUSECH_AUTH_KEY
Ransomware.live and RansomLook data depends on upstream scraping frequency
Blockchain tools support Bitcoin only (no Ethereum/Monero)
PhishTank database can lag behind real-time phishing campaigns
For authorized security testing and assessment only.
Always ensure you have proper authorization before performing intelligence gathering on any target.