Destroylist

Destroylist: Phishing & Scam Domain Blacklist

Destroyolist Illustration

Last Commit Stars

Quick Access

Live Statistics

Primary	Primary Live	Community	Community Live

Primary Content	Community Content

	Today	Week	Month
Primary
Community

Data Feeds

Feed	Description	Update
Primary	Curated phishing domains	⚡ Real-time
Primary Live	DNS verified active	🕐 24h
Community	Aggregated from 13+ sources	🕐 2h
Community Live	Community DNS verified	🕐 24h
Primary Content	Curated + HTTP content verified	🕐 12h
Community Content	Aggregated + HTTP content verified	🕐 24h
Allowlist	False positive protection	✋ Manual

[!TIP] Production: list.json or active_domains.json · Max coverage: blocklist.json · Firewall/DNS: root lists

📁 All Download Formats (TXT, Hosts, AdBlock, Dnsmasq, Unbound, RPZ)

| Format | Primary | Primary Live | Community | Community Live | |:------:|:-------:|:------------:|:---------:|:--------------:| | **TXT** | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary/domains.txt) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/domains.txt) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/community/domains.txt) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/community_active/domains.txt) | | **Hosts** | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary/hosts.txt) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/hosts.txt) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/community/hosts.txt) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/community_active/hosts.txt) | | **AdBlock** | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary/adblock.txt) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/adblock.txt) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/community/adblock.txt) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/community_active/adblock.txt) | | **Dnsmasq** | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary/dnsmasq.conf) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/dnsmasq.conf) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/community/dnsmasq.conf) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/community_active/dnsmasq.conf) | | **Unbound** | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary/unbound.conf) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/unbound.conf) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/community/unbound.conf) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/community_active/unbound.conf) | | **RPZ** | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary/rpz.zone) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/rpz.zone) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/community/rpz.zone) | [⬇️](https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/community_active/rpz.zone) | > **Hosts** → Pi-hole, /etc/hosts, Windows · **AdBlock** → uBlock Origin, AdGuard · **Dnsmasq** → dnsmasq DNS · **Unbound** → pfSense, OPNsense · **RPZ** → BIND, Knot DNS

Root Lists

[!TIP] Root domains only — no subdomains, hosting providers excluded

	All Roots	Live Only	Services Only
🔴 Primary	JSON · TXT	JSON · TXT	JSON · TXT
⚫ Community	JSON · TXT	JSON · TXT	JSON · TXT

All Roots — clean root domains (no infra) · Live Only — DNS-verified active · Services Only — hosting platform subdomains (Vercel, Pages.dev, Netlify, etc.)

Content-Verified Feeds

[!NOTE] Real HTTP content verification — not just DNS, but actual phishing page detection

Feed	Description	⏰ Update	Download
💥 Primary Content	Curated phishing with verified active content	`12h` (06:00 / 18:00 UTC)
🌐 Community Content	Aggregated feeds with verified active content	`24h` (03:00 UTC)

[!WARNING] Cloaking Alert: Scammers use cloaking to hide phishing from bots — showing blank/fake pages to scanners. Domain NOT in content list ≠ safe! Use Primary All or Community General for full protection.

Threat Intelligence API

API

Free, open, no API key. Real-time domain risk scoring (0-100) across 770K+ threats · Hourly sync · Single & bulk check (500/req) · Keyword search · Full feeds

📖 API Endpoints, Scoring & Integration Examples

### Endpoints | Method | Endpoint | Description | |:------:|:---------|:------------| | `GET` | [`/v1/check?domain=`](https://api.destroy.tools/v1/check?domain=example-phish.xyz) | Single domain check with risk score & severity | | `POST` | `/v1/check/bulk` | Bulk check up to **500 domains** per request | | `GET` | [`/v1/search?q=`](https://api.destroy.tools/v1/search?q=metamask) | Search blocklisted domains by keyword | | `GET` | [`/v1/feed/{list}`](https://api.destroy.tools/v1/feed/primary) | Download full domain feeds (primary, community, active) | | `GET` | [`/v1/stats`](https://api.destroy.tools/v1/stats) | Live statistics & domain counts | ### Threat Scoring Every domain gets a **risk score (0-100)** based on multiple signals: | Signal | Points | Description | |:-------|:------:|:------------| | Curated blocklist | **+40** | In primary destroylist | | Community reported | **+20** | Reported by community sources | | DNS active | **+30** | Domain currently resolves | | Multi-source | **+10** | Confirmed by multiple feeds | | Suspicious keywords | **+5 each** | metamask, wallet, airdrop, etc. | | Risky TLD | **+5** | .xyz, .top, .club, .icu, etc. | > 🔴 **Critical** 70-100 · 🟠 **High** 40-69 · 🟡 **Medium** 20-39 · 🟢 **Low** 1-19 ### Quick Integration **cURL** ```bash curl "https://api.destroy.tools/v1/check?domain=suspicious-site.xyz" ``` **Python** ```python import requests r = requests.get(f"https://api.destroy.tools/v1/check?domain={domain}") if r.json()["threat"]: print(f"BLOCKED: {r.json()['severity']} (score: {r.json()['risk_score']})") ``` **JavaScript** ```javascript const r = await fetch(`https://api.destroy.tools/v1/check?domain=${domain}`); const data = await r.json(); if (data.threat) console.warn("PHISHING:", data.severity, data.risk_score); ``` **Bulk Check** ```bash curl -X POST "https://api.destroy.tools/v1/check/bulk" \ -H "Content-Type: application/json" \ -d '{"domains":["site1.com","site2.xyz","site3.top"]}' ```

About Destroylist

[!NOTE] Live data collection began on July 1, 2025

Destroylist is a powerful tool against phishing and scams, powered by PhishDestroy. It provides reliable intel for:

✔️ Firewalls
✔️ DNS resolvers
✔️ Threat platforms
✔️ Security research

Protect the web, one domain at a time!

🔧 Quick Integration Examples (Subscribe URLs · curl · Python · Bash)

### One-Click Subscribe URLs | Tool | Format | URL | |:-----|:------:|:----| | **Pi-hole** | Hosts | `https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/hosts.txt` | | **AdGuard Home** | AdBlock | `https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/adblock.txt` | | **uBlock Origin** | AdBlock | `https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/adblock.txt` | | **pfSense / OPNsense (Unbound)** | Unbound | `https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/unbound.conf` | | **BIND / Knot DNS (RPZ)** | RPZ | `https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/rpz.zone` | | **Dnsmasq** | Dnsmasq | `https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/dnsmasq.conf` | > **Pi-hole** — Settings > Blocklists > paste the Hosts URL
> **AdGuard Home** — Filters > DNS Blocklists > Add blocklist > paste the AdBlock URL
> **uBlock Origin** — Settings > Filter lists > Import > paste the AdBlock URL
> **pfSense** — Services > DNS Resolver > paste the Unbound URL
> **BIND/Knot** — Add the RPZ URL as a response-policy zone ### curl One-Liners ```bash # Plain domain list curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/domains.txt -o domains.txt # Hosts format (Pi-hole, /etc/hosts) curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/hosts.txt -o hosts_blocklist.txt # AdBlock format (uBlock Origin, AdGuard) curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/adblock.txt -o adblock.txt # Dnsmasq curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/dnsmasq.conf -o dnsmasq_blocklist.conf # Unbound (pfSense / OPNsense) curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/unbound.conf -o unbound_blocklist.conf # RPZ (BIND / Knot) curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/rpz.zone -o rpz_blocklist.zone ``` ### Python ```python import requests blocklist = requests.get('https://raw.githubusercontent.com/phishdestroy/destroylist/main/list.json').json() is_malicious = "suspicious-domain.com" in blocklist ``` ### Bash ```bash curl -s https://raw.githubusercontent.com/phishdestroy/destroylist/main/list.txt | grep -q "suspicious-domain.com" && echo "BLOCKED" ```

Threat Intelligence & Automated Remediation Workflow

Workflow

📖 Read Full Workflow Details

### Phase 1: Pre-emptive Discovery & Ingestion 🔎 We utilize a distributed network of **30+ proprietary parsers** to identify malicious domains at their earliest stage: - **Advanced Heuristics:** Continuous monitoring of Google Ads (Malvertising), SEO-manipulated search results, and trending social media campaigns on Twitter (X), YouTube, and Telegram - **Infrastructure Analysis:** Leveraging *dnstwist* and typosquatting detection to catch look-alike domains targeting established brands - **Community Intelligence:** Real-time ingestion of community-reported threats via our Telegram Bot and partner intelligence feeds --- ### 📤 Phase 2: Global Ecosystem Contribution Once a threat is confirmed, we submit data to over **50 industry-leading vendors**: ``` Cloudflare Google Safe Browsing Microsoft Security VirusTotal Netcraft ESET Bitdefender Norton Safe Web Avira PhishTank Dr.Web Yandex Safe Browsing URLScan.io PolySwarm SiteReview Urlquery PhishStats PhishReport IsItPhish ThreatCenter ``` --- ### 📝 Phase 3: Legal Notifications & Investigation Support - **Abuse Notifications:** Formal alerts to domain registrars and hosting providers - **Forensic Evidence Disclosure:** Complete evidence packages including metadata, screenshots, and PDF reports - **ICANN Compliance Support:** Reports aligned with ICANN standards - **Conditional Re-Detection Logic:** Follow-up alerts only if threat remains active beyond 24 hours --- ### 📢 Phase 4: Public Transparency & Community Alerts - **Open Database:** Real-time commits to this GitHub repository - **Live Monitoring:** Visual intelligence at [phishdestroy.io/live](https://phishdestroy.io/live/) - **Social Broadcasting:** Automated alerts on Twitter, Telegram, and Mastodon

Key Info for Online Fraud Victims

Abuse Process

Show details about complaints and transparency

💼 DestroyList aims to disable malicious domains: scams, phishing, and other illicit sites to enhance internet safety. Before a domain is added, we: 🔍 Scan it across cybersecurity platforms for threat intelligence. 📥 Send an official complaint to the registrar and the hosting provider (via WHOIS), including scan results, screenshots, and a request for client investigation. The complaint also notifies them about inclusion in our public database. 🚔 According to ICANN rules, registrars must review such complaints within 24 hours. --- 🦖 We work hard to eliminate threats quickly. Every malicious domain is analyzed, documented, reported, and published transparently. However, when a domain receives 10–30+ abuse reports and a registrar still ignores them for months, the situation changes: the registrar is no longer a passive party. It effectively provides infrastructure for illegal activity. Some registrars behave as if their internal policies somehow override ICANN requirements and national laws — as if phishing and fraud are "allowed" as long as they personally decide not to act. 👮 We document this publicly so that anyone can see: threats persist not because they were unnoticed, but because the responsible providers simply chose to do nothing. --- **Requests from private individuals:** DestroyList is an open-source, non-commercial volunteer project. Private individuals may request the number of abuse reports we have sent for a specific domain, but only through public channels: - via GitHub issues - via commit history: https://github.com/phishdestroy/destroylist/commits/main/ ❗ We do not respond to private e-mail requests from individuals about report counts. ✔️ This is a legal requirement for transparency and equal access to information. Official government or law-enforcement requests may be answered privately. --- 💔 If you were defrauded by a domain already listed here, check its addition date using the commit history or via our Telegram/Mastodon channels. 💬 If the fraud happened after the domain was already listed, the registrar's or host's delay may indicate they share responsibility for the loss. Future potential victims can also see this negligence documented publicly. 🔞 Registrars and hosts that tolerate scam operations may reasonably be expected to assist victims or their legal representatives.