IP as an Entity: Use Cases

Using the IP entity in your queries retrieves results with an identified IP address.
You can either apply a full IP value (a single one or in an array) or a range of IPs to this filter.
Note: IP entities are detected, and this filter is valid, only in documents crawled from November 1, 2020 onward.

Here are a few ways you can use this filter:

Query a specific IP address
You can query mentions and risks of a specific IP address using the filter in the following way:


The paste below shows a script that can launch a DoS attack. The mentioned IP ( seems to belong to Amazon (or possibly the AWS service), according to a check on an external service (3rd image).


Paste showing the connection between DoS attack scripts and the specific IP


Checking a WhoIs service to see more information about this address

Monitoring a specific IP address alerts you to any mentions of it and to spikes in malicious intent against it.

Query a series of IPs
Querying a range of IP addresses with this filter lets you cover many addresses in one query and monitor a wide range of IP addresses mentioned on the dark web.

In the example below we queried a series of German IP addresses. We detected a potential abuse of German IP addresses that are being shared as a SOCKS service.

enriched.ip.value:[ TO] AND (proxy AND socks)


A SOCKS5 proxy routes your data through its proxy server, creating a path through the network's firewall and assigning the user a different IP address than their actual one. This makes it seem as though the user is browsing from a different location and protects their identity.

These IP addresses for anonymization are mostly advertised to hackers for sale or rent in hacking and cracking forums.
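Asset inventories are usually kept as single addresses and CIDR blocks rather than as start/end pairs, so the following added example (not part of the original page or the vendor's code) turns such a watchlist into queries for this filter. The addresses are constructed documentation values, the helper names are hypothetical, and the placement of the bounds inside `[ TO ]` and their inclusiveness are assumptions, since the range values are not shown on this page.

```python
import ipaddress

FIELD = "enriched.ip.value"  # filter name as written in the queries on this page

# Constructed watchlist (RFC 5737 documentation addresses, not real assets).
WATCHLIST = ["203.0.113.7", "198.51.100.128/25", "198.51.100.0/25",
             "192.0.2.0/24", "203.0.113.7"]


def ip_clauses(assets):
    """Return one filter clause per merged block of watched addresses."""
    nets = []
    for entry in assets:
        # Strict parsing rejects typos such as host bits set in a CIDR.
        net = ipaddress.ip_network(entry.strip())
        if net.version != 4:
            # Assumption: the page does not mention IPv6, so it is refused here.
            raise ValueError(f"IPv4 only in this sketch: {entry}")
        nets.append(net)
    clauses = []
    # collapse_addresses de-duplicates, merges adjacent blocks and sorts them.
    for net in ipaddress.collapse_addresses(nets):
        first, last = net[0], net[-1]
        if first == last:
            clauses.append(f"{FIELD}:{first}")
        else:
            # Assumed: bounds sit on either side of TO and are inclusive.
            clauses.append(f"{FIELD}:[{first} TO {last}]")
    return clauses


def build_queries(assets, keywords):
    """Pair every IP clause with a keyword expression, one query per block."""
    return [f"{clause} AND {keywords}" for clause in ip_clauses(assets)]


if __name__ == "__main__":
    for query in build_queries(WATCHLIST, "(proxy AND socks)"):
        print(query)
```

Merging adjacent blocks before building the queries keeps the number of saved monitors small, and the strict parse surfaces a mistyped CIDR instead of silently watching the wrong range.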

Querying doxing threats on individuals

Doxing is a well-known phenomenon on the dark web. It is the act of publicly revealing private personal information about an individual or organization. Personal information can be: emails, credit cards, physical addresses, social accounts, and more. Leaked information is published in hacking forums or doxing sites and is eventually used by offenders to cause even bigger damage.
In this example, we can see a doxed person who was breached with all personal details such as passport photo, profile photos,

site.domain:doxbin.org AND pwnd


A similar use case can be seen with hackers who leak financial information, usually related to online payments. The hackers leak the browser and user agent's information, sometimes including credit card or bank account information. This allows other hackers to use the card and perform actions as if they were the real actor.

enriched.ip.value: AND (ccnum OR useragent OR browser OR victim)*