Output

The Events API returns structured threat intelligence data related to monitored assets. Each response page includes up to 10 unique event items, representing individual cyber threat incidents.

Root Object

The Root Object is the top-level structure of the Events API response. It contains metadata about the query request and an array of matched event entries, each representing a distinct cyber event with its associated data.

| Field Name | Type | Nullable | Description |
|---|---|---|---|
| source | string | No | Fixed value: lunar_threat_intel_feed |
| events | array of objects | No | List of event objects |
| totalEvents | integer | No | Total number of matching events |
| moreEventsAvailable | integer | No | Number of additional events available |
| next | string | Yes | URL for the next page (null if none) |

EventInfo Object

The EventInfo Object includes metadata about the event.

| Field Name | Type | Nullable | Description |
|---|---|---|---|
| id | string | No | Unique event ID (UUID) |
| link | string | No | URL to event detail |
| crawled_date | ISO string | No | The date and time when the original threat was fetched by Webz |
| created_date | ISO string | No | The date and time when the event was created |
| type | string | No | Event type, e.g. leaked_credentials |
| subtype | string | No | Event sub-type, e.g. leaked_credentials_infostealer |
| severity | string | No | low, medium, high, critical |
| status | string | No | open, fixed, closed |
| description | string | No | A brief description of the detected threat and its context |
| required_actions | string | Yes | Recommended actions to mitigate or remediate the identified threat |

AssetInfo Object

The AssetInfo Object describes the affected asset involved in the event.

| Field Name | Type | Nullable | Description |
|---|---|---|---|
| id | integer | Yes | Unique asset ID |
| type | string | No | Asset type, e.g. domain, email, ip |
| value | string | No | Asset value |
| group_name | string | No | Asset group name |

AccountInfo Object (Optional)

The AccountInfo Object provides details about a compromised account.

| Field Name | Type | Nullable | Description |
|---|---|---|---|
| email | string | Yes | Compromised email address |
| account_name | string | Yes | Compromised account username |
| password | string | Yes | Compromised password |
| password_type | string | Yes | Not available yet |

DeviceInfo Object (Optional)

The DeviceInfo Object includes details about the infected device and is typically present in infostealer-related events.

| Field Name | Type | Nullable | Description |
|---|---|---|---|
| exfiltration_date | ISO string | Yes | The date and time when the stealer log data was collected and exfiltrated from the infected device |
| log_file_name | string | Yes | Stealer log file name |
| hwid | string | Yes | Hardware ID of infected device |
| ip_address | string | Yes | IP address of infected device |
| location | object | Yes | Location details of the infected device |
| country | string | Yes | Country code, e.g. CA |
| city | string | Yes | City name |
| zip_code | string | Yes | Zip code |
| computer_username | string | Yes | Device username |
| os | string | Yes | Operating system |
| antivirus_software | array [list] | Yes | Installed AVs on the infected device |
| malware_family | string | Yes | Malware family name, e.g. Redline |
| malware_path | string | Yes | Path to malicious file on the infected device |


BreachInfo Object (Optional)

The BreachInfo Object contains contextual information about the data breach in which the credentials were found, including the breach name, type, and compromised assets.

| Field Name | Type | Nullable | Description |
|---|---|---|---|
| type | string | Yes | Available breach types: infostealer, data_breach |
| sub_type | string | Yes | Not available yet |
| breach_date | ISO string | Yes | The date and time when the data breach occurred or was first publicly disclosed |
| login_url | string | Yes | The URL linked to the compromised credentials |
| login_domain | string | Yes | The domain extracted from the URL |
| breach_name | string | Yes | The name of the breach |
| compromised_assets | array | Yes | List of all affected asset types in the data breach |

PublicationSourceInfo Object (Optional)

The PublicationSourceInfo Object includes metadata about the original breach file, including its filename, publication date, and the source where Webz detected it.

| Field Name | Type | Nullable | Description |
|---|---|---|---|
| published_date | ISO string | Yes | The date and time when the breach data was published online |
| file_name | string | Yes | The name of the original data breach file |
| file_link | string | Yes | The download link of the original data breach file |
| post_url | string | Yes | The original post URL where the data breach file was detected |
| site_domain | string | Yes | The site domain where the data breach file was detected |
| site_name | string | Yes | The site name where the data breach file was detected |
| site_type | string | Yes | The site type where the data breach file was detected, e.g. chat, market, discussions |
| network | string | Yes | The network associated with the site where the data breach file was detected, e.g. tor, telegram, openweb |
| categories | array | Yes | The categories associated with the site where the data breach file was detected. Categories include: cyber_threat_intelligence, financial_crime, illicit_trafficking, extremism_misinformation, brand_monitoring. For Telegram data only: group, channel. For more details, please refer to this page. |


OriginalPostInfo Object (Optional)

The OriginalPostInfo Object provides metadata about the original dark web post in which the threat or compromised data was published.

| Field Name | Type | Nullable | Description |
|---|---|---|---|
| title | string | Yes | The title of the post |
| text | string | Yes | The body text of the post |
| language | string | Yes | The primary language detected in the post text |
| ord_in_thread | integer | Yes | The post's position in the thread. 0 indicates the first post. |
| categories | array | Yes | One or more cyber categories that the post content belongs to. Categories include: hacking, data_breach, carding, crypto, phishing, malware, ransomware, stealer_logs, counterfeit, gaming, extremism, drugs, weapons, sexual. For more details, please refer to this page. |
| risk_score | integer | Yes | The site name where the data breach file was detected |


AuthorExtendedInfo Object (Optional)

The AuthorExtendedInfo Object includes metadata about the author who published the original post or file where the threat was detected.

| Field Name | Type | Nullable | Description |
|---|---|---|---|
| username | string | Yes | The author's username (publisher) of the post |
| display_name | string | Yes | The author's visual name presented on the site |
| id | string | Yes | The unique identifier of the user on the site |
| link | integer | Yes | The unique hyperlink to the user information on the site |
| adversary_group | array | Yes | Not available yet |

JSON Schema

{
  "source": "lunar_threat_intel_feed",
  "events": [
    {
      "event_info": {
        "id": "f7de9c73-30bc-328f-b226-58027512eb0f",
        "link": "https://lunar.api/events/XXXXXXXXX-XXXX-XXX-XXXX-XXXXXXXXX",
        "crawled_date": "2025-08-04T18:00:00.000+03:00",
        "created_date": "2025-08-04T18:12:00.000+03:00",
        "type": "leaked_credentials",
        "subtype": "leaked_credentials_infostealer",
        "severity": "critical",
        "status": "open",
        "description": "The email [email protected] was found in an infostealer leak. This stealer malware captures sensitive information, such as credentials from a device.",
        "required_actions": "1. Disconnect machine <HWID> from network. 2. Scan & Remove malware: start from the following path: <file path> 3. Scan the device for any additional malware; once clean - connect back to network. 4. Change Credentials: Update the password for the account linked to the leaked email. 5. Monitor accounts for suspicious activity. 6. Enforce MFA to prevent unauthorized access."
      },
      "asset_info": {
        "id": "94bd1d9fded1e40b8843f31df97b807eef35f6aa",
        "type": "domain",
        "value": "example.com",
        "group_name": "Example"
      },
      "account_info": {
        "email": "[email protected]",
        "account_name": null,
        "password": "admin123",
        "password_type": "plaintext"
      },
      "device_info": {
        "exfiltration_date": "2025-08-04T12:11:00.000+03:00",
        "log_file_name": "GR[7AFB0C*********EB27C90BA] [2025-08-04T12_11_52.1931867]",
        "hwid": "7AFB0C*********EB27C90BA",
        "ip_address": "102.38.248.0",
        "location": {
          "country": "GR",
          "city": "Portaria, Kentriki Makedonia",
          "zip_code": "63087"
        },
        "computer_username": "admin",
        "os": "Windows 10 Home x64",
        "antivirus_software": ["Windows Defender"],
        "malware_family": "Redline",
        "malware_path": "C:\\Users\\2024\\Pictures\\Minor Policy\\f1Lp2uk21C0jQ8KirMFAwKtq.exe"
      },
      "breach_info": {
        "type": "infostealer",
        "sub_type": null,
        "breach_date": null,
        "login_url": "https://abc.com/login/",
        "login_domain": "abc.com",
        "breach_name": null,
        "compromised_assets": ["email", "password"]
      },
      "publication_source_info": {
        "published_date": "2023-10-13T20:56:00.000+03:00",
        "file_name": null,
        "file_link": null,
        "post_url": null,
        "site_domain": "t.me",
        "site_name": null,
        "site_type": "chat",
        "network": "Telegram",
        "categories": ["group"]
      },
      "original_post_info": {
        "title": null,
        "text": null,
        "language": null,
        "ord_in_thread": null,
        "categories": null,
        "risk_score": null
      },
      "author_extended_info": {
        "username": "MoonLogsCloud",
        "display_name": "Moon Cloud | Free Logs",
        "id": "2475140777",
        "link": null,
        "adversary_group": null
      }
    }
  ],
  "totalEvents": 650,
  "moreEventsAvailable": 640,
  "next": "/LunarEventsFilter?token=XXXX-XXXX-XXXX-XXXX&since=0&to=1754226420000&from=10&severity=high"
}
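
Consumer-side handling of this response, as an added example that is not part of the vendor's documentation: it flattens events for a ticketing or SIEM pipeline without forwarding the leaked password, tolerates optional objects that are absent or null, and resolves the relative `next` value only when it stays on the same origin, since that URL carries the API token. The sample data, the function names and the base URL `https://api.example.invalid` are assumptions.

```python
from urllib.parse import urljoin, urlparse

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample in the response shape documented above (all values are made up).
SAMPLE = {
    "source": "lunar_threat_intel_feed",
    "events": [
        {"event_info": {"id": "00000000-0000-0000-0000-000000000001", "severity": "high", "status": "open"},
         "asset_info": {"type": "email", "value": "user@example.com"},
         "account_info": {"email": "user@example.com", "password": "hunter2"}},
        {"event_info": {"id": "00000000-0000-0000-0000-000000000002", "severity": "critical", "status": "open"},
         "asset_info": {"type": "domain", "value": "example.com"},
         "account_info": {"email": None, "account_name": "svc", "password": None},
         "device_info": {"hwid": "CONSTRUCTED-HWID", "location": None}},
    ],
    "totalEvents": 12, "moreEventsAvailable": 10,
    "next": "/LunarEventsFilter?token=XXXX&from=10",
}

def flatten(event):
    """Flatten one event; every object except event_info may be absent or null."""
    info = event["event_info"]
    asset = event.get("asset_info") or {}
    account = event.get("account_info") or {}
    device = event.get("device_info") or {}
    return {
        "id": info["id"], "severity": info["severity"], "status": info["status"],
        "asset": asset.get("value"),
        "account": account.get("email") or account.get("account_name"),
        # Record only that a secret was exposed; never copy the password downstream.
        "password_exposed": account.get("password") is not None,
        "hwid": device.get("hwid"),
        "country": (device.get("location") or {}).get("country"),
    }

def triage(response):
    """Return open events as flat rows, most severe first."""
    rows = [flatten(e) for e in response["events"] if e["event_info"]["status"] == "open"]
    return sorted(rows, key=lambda r: SEVERITY_RANK.get(r["severity"], len(SEVERITY_RANK)))

def next_page_url(base_url, response):
    """Resolve `next` against base_url; None on the last page, error if the origin changes."""
    if not response.get("next"):
        return None
    url = urljoin(base_url, response["next"])
    if urlparse(url)[:2] != urlparse(base_url)[:2]:  # compare (scheme, host)
        raise ValueError("refusing to send the API token to a different origin")
    return url
```
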