| Primary | Primary Live | Community | Community Live |
|---|---|---|---|
 |
 |
 |
 |
| Primary Content | Community Content |
|---|---|
 |
 |
| Today | Week | Month | |
|---|---|---|---|
| Primary |  |
 |
 |
| Community |  |
 |
 |
| Feed | Description | Update | Download |
|---|---|---|---|
| Primary | Curated phishing domains | ⚡ Real-time |   |
| Primary Live | DNS verified active | 🕐 24h |  |
| Community | Aggregated from 13+ sources | 🕐 2h |  |
| Community Live | Community DNS verified | 🕐 24h |  |
| Primary Content | Curated + HTTP content verified | 🕐 12h |  |
| Community Content | Aggregated + HTTP content verified | 🕐 24h |  |
| Allowlist | False positive protection | ✋ Manual |  |
Tip
Production: list.json or active_domains.json · Max coverage: blocklist.json · Firewall/DNS: root lists
📁 All Download Formats (TXT, Hosts, AdBlock, Dnsmasq, Unbound, RPZ)
| Format | Primary | Primary Live | Community | Community Live |
|---|---|---|---|---|
| TXT | ⬇️ | ⬇️ | ⬇️ | ⬇️ |
| Hosts | ⬇️ | ⬇️ | ⬇️ | ⬇️ |
| AdBlock | ⬇️ | ⬇️ | ⬇️ | ⬇️ |
| Dnsmasq | ⬇️ | ⬇️ | ⬇️ | ⬇️ |
| Unbound | ⬇️ | ⬇️ | ⬇️ | ⬇️ |
| RPZ | ⬇️ | ⬇️ | ⬇️ | ⬇️ |
Hosts → Pi-hole, /etc/hosts, Windows · AdBlock → uBlock Origin, AdGuard · Dnsmasq → dnsmasq DNS · Unbound → pfSense, OPNsense · RPZ → BIND, Knot DNS
Tip
Root domains only — no subdomains, hosting providers excluded
| All Roots | Live Only | Services Only | |
|---|---|---|---|
| 🔴 Primary | JSON · TXT | JSON · TXT | JSON · TXT |
| ⚫ Community | JSON · TXT | JSON · TXT | JSON · TXT |
All Roots — clean root domains (no infra) · Live Only — DNS-verified active · Services Only — hosting platform subdomains (Vercel, Pages.dev, Netlify, etc.)
Note
Real HTTP content verification — not just DNS, but actual phishing page detection
| Feed | Description | ⏰ Update | Download |
|---|---|---|---|
| 💥 Primary Content | Curated phishing with verified active content | 12h (06:00 / 18:00 UTC) |
|
| 🌐 Community Content | Aggregated feeds with verified active content | 24h (03:00 UTC) |
|
Warning
Cloaking Alert: Scammers use cloaking to hide phishing from bots — showing blank/fake pages to scanners. Domain NOT in content list ≠ safe! Use Primary All or Community General for full protection.
Free, open, no API key. Real-time domain risk scoring (0-100) across 770K+ threats · Hourly sync · Single & bulk check (500/req) · Keyword search · Full feeds
📖 API Endpoints, Scoring & Integration Examples
| Method | Endpoint | Description |
|---|---|---|
GET |
/v1/check?domain= |
Single domain check with risk score & severity |
POST |
/v1/check/bulk |
Bulk check up to 500 domains per request |
GET |
/v1/search?q= |
Search blocklisted domains by keyword |
GET |
/v1/feed/{list} |
Download full domain feeds (primary, community, active) |
GET |
/v1/stats |
Live statistics & domain counts |
Every domain gets a risk score (0-100) based on multiple signals:
| Signal | Points | Description |
|---|---|---|
| Curated blocklist | +40 | In primary destroylist |
| Community reported | +20 | Reported by community sources |
| DNS active | +30 | Domain currently resolves |
| Multi-source | +10 | Confirmed by multiple feeds |
| Suspicious keywords | +5 each | metamask, wallet, airdrop, etc. |
| Risky TLD | +5 | .xyz, .top, .club, .icu, etc. |
🔴 Critical 70-100 · 🟠 High 40-69 · 🟡 Medium 20-39 · 🟢 Low 1-19
cURL
curl "https://api.destroy.tools/v1/check?domain=suspicious-site.xyz"Python
import requests
r = requests.get(f"https://api.destroy.tools/v1/check?domain={domain}")
if r.json()["threat"]:
print(f"BLOCKED: {r.json()['severity']} (score: {r.json()['risk_score']})")JavaScript
const r = await fetch(`https://api.destroy.tools/v1/check?domain=${domain}`);
const data = await r.json();
if (data.threat) console.warn("PHISHING:", data.severity, data.risk_score);Bulk Check
curl -X POST "https://api.destroy.tools/v1/check/bulk" \
-H "Content-Type: application/json" \
-d '{"domains":["site1.com","site2.xyz","site3.top"]}'
Note
Live data collection began on July 1, 2025
Destroylist is a powerful tool against phishing and scams, powered by PhishDestroy. It provides reliable intel for:
- ✔️ Firewalls
- ✔️ DNS resolvers
- ✔️ Threat platforms
- ✔️ Security research
Protect the web, one domain at a time!
🔧 Quick Integration Examples (Subscribe URLs · curl · Python · Bash)
| Tool | Format | URL |
|---|---|---|
| Pi-hole | Hosts | https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/hosts.txt |
| AdGuard Home | AdBlock | https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/adblock.txt |
| uBlock Origin | AdBlock | https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/adblock.txt |
| pfSense / OPNsense (Unbound) | Unbound | https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/unbound.conf |
| BIND / Knot DNS (RPZ) | RPZ | https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/rpz.zone |
| Dnsmasq | Dnsmasq | https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/dnsmasq.conf |
Pi-hole — Settings > Blocklists > paste the Hosts URL
AdGuard Home — Filters > DNS Blocklists > Add blocklist > paste the AdBlock URL
uBlock Origin — Settings > Filter lists > Import > paste the AdBlock URL
pfSense — Services > DNS Resolver > paste the Unbound URL
BIND/Knot — Add the RPZ URL as a response-policy zone
# Plain domain list
curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/domains.txt -o domains.txt
# Hosts format (Pi-hole, /etc/hosts)
curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/hosts.txt -o hosts_blocklist.txt
# AdBlock format (uBlock Origin, AdGuard)
curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/adblock.txt -o adblock.txt
# Dnsmasq
curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/dnsmasq.conf -o dnsmasq_blocklist.conf
# Unbound (pfSense / OPNsense)
curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/unbound.conf -o unbound_blocklist.conf
# RPZ (BIND / Knot)
curl -fsSL https://raw.githubusercontent.com/phishdestroy/destroylist/main/rootlist/formats/primary_active/rpz.zone -o rpz_blocklist.zoneimport requests
blocklist = requests.get('https://raw.githubusercontent.com/phishdestroy/destroylist/main/list.json').json()
is_malicious = "suspicious-domain.com" in blocklistcurl -s https://raw.githubusercontent.com/phishdestroy/destroylist/main/list.txt | grep -q "suspicious-domain.com" && echo "BLOCKED"
| 🔍 DISCOVER | 📤 REPORT | ⚖️ LEGAL | 📡 PUBLISH |
|---|---|---|---|
| 30+ parsers | 50+ vendors | ICANN compliance | Real-time |
| CT logs, DNS | Google, Microsoft | Abuse notifications | GitHub, Telegram |
| Social media | VirusTotal, Cloudflare | Evidence packages | Twitter, Mastodon |
📖 Read Full Workflow Details
🔎 We utilize a distributed network of 30+ proprietary parsers to identify malicious domains at their earliest stage:
- Advanced Heuristics: Continuous monitoring of Google Ads (Malvertising), SEO-manipulated search results, and trending social media campaigns on Twitter (X), YouTube, and Telegram
- Infrastructure Analysis: Leveraging dnstwist and typosquatting detection to catch look-alike domains targeting established brands
- Community Intelligence: Real-time ingestion of community-reported threats via our Telegram Bot and partner intelligence feeds
Once a threat is confirmed, we submit data to over 50 industry-leading vendors:
Cloudflare Google Safe Browsing Microsoft Security VirusTotal
Netcraft ESET Bitdefender Norton Safe Web
Avira PhishTank Dr.Web Yandex Safe Browsing
URLScan.io PolySwarm SiteReview Urlquery
PhishStats PhishReport IsItPhish ThreatCenter
- Abuse Notifications: Formal alerts to domain registrars and hosting providers
- Forensic Evidence Disclosure: Complete evidence packages including metadata, screenshots, and PDF reports
- ICANN Compliance Support: Reports aligned with ICANN standards
- Conditional Re-Detection Logic: Follow-up alerts only if threat remains active beyond 24 hours
- Open Database: Real-time commits to this GitHub repository
- Live Monitoring: Visual intelligence at phishdestroy.io/live
- Social Broadcasting: Automated alerts on Twitter, Telegram, and Mastodon
Show details about complaints and transparency
💼 DestroyList aims to disable malicious domains: scams, phishing, and other illicit sites to enhance internet safety.
Before a domain is added, we:
🔍 Scan it across cybersecurity platforms for threat intelligence.
📥 Send an official complaint to the registrar and the hosting provider (via WHOIS), including scan results, screenshots, and a request for client investigation. The complaint also notifies them about inclusion in our public database.
🚔 According to ICANN rules, registrars must review such complaints within 24 hours.
🦖 We work hard to eliminate threats quickly. Every malicious domain is analyzed, documented, reported, and published transparently.
However, when a domain receives 10–30+ abuse reports and a registrar still ignores them for months, the situation changes: the registrar is no longer a passive party. It effectively provides infrastructure for illegal activity.
Some registrars behave as if their internal policies somehow override ICANN requirements and national laws — as if phishing and fraud are "allowed" as long as they personally decide not to act.
👮 We document this publicly so that anyone can see: threats persist not because they were unnoticed, but because the responsible providers simply chose to do nothing.
Requests from private individuals:
DestroyList is an open-source, non-commercial volunteer project.
Private individuals may request the number of abuse reports we have sent for a specific domain, but only through public channels:
- via GitHub issues
- via commit history: https://github.com/phishdestroy/destroylist/commits/main/
❗ We do not respond to private e-mail requests from individuals about report counts.
✔️ This is a legal requirement for transparency and equal access to information.
Official government or law-enforcement requests may be answered privately.
💔 If you were defrauded by a domain already listed here, check its addition date using the commit history or via our Telegram/Mastodon channels.
💬 If the fraud happened after the domain was already listed, the registrar's or host's delay may indicate they share responsibility for the loss. Future potential victims can also see this negligence documented publicly.
🔞 Registrars and hosts that tolerate scam operations may reasonably be expected to assist victims or their legal representatives.
| ✔️ Network security | ✔️ Automation | ✔️ Threat research | ✔️ ML training |
|---|
| 🤖 | 🔬 | 📈 |
|---|---|---|
| AI Training | Research | Trend Analysis |
Important
Open collaboration = Stronger security. Let's team up!
Tip
📩 Historical Vault (500K+ domains, 5+ years archived): contact@phishdestroy.io
Wrongly listed? Fix it fast:
 |
 |
|---|
- ✔️ Appeals Form — fastest option
- ✔️ GitHub Issue with proof
Accuracy first! 🔭
MIT — Free, open, yours to use!
Got ideas, sources, or improvements? We welcome:
- 💡 Detection algorithm tweaks
- 📢 Integration tips
- 🔍 Fresh threat intelligence
Drop an Issue or PR — let's crush phishing together! 💪