Skip to content

JSON and CSV export options

JSON and CSV exports help professional users ingest tracker events into internal systems.

Use exports when you need to:

  • archive new events
  • feed a SIEM, SOAR, TIP, or case-management system
  • compare eCrime.ch events with internal exposure lists
  • build recurring reports
  • trigger internal review workflows

Exports use the API key from your profile settings.

X-API-Key: <your-api-key>

Keep the key server-side and do not embed it in public scripts, shared notebooks, or screenshots.

Export views support practical time ranges such as recent hours, today, yesterday, this month, and last month. For reliable automation, poll on a schedule and store the last successful run time in your own system.

JSON is best for integrations that preserve field names and nested data.

Typical event fields include:

  • event ID
  • first seen and last seen timestamps
  • leak site and leak URL
  • actor or leak title
  • country and sector
  • company name and website
  • employee range
  • keyword match status
  • duplicate status
  • leaked-data status and timestamp

Exports can include two fields related to leaked-data observations:

  • data_leak is true when leaked data was observed, or when the event claim changed to a leaked-data status at some point.
  • data_leak_seen is the timestamp for when that leaked-data status was observed after the event was already being tracked.

data_leak_seen can be empty even when data_leak is true. This usually means the event was already in a leaked-data state when eCrime.ch first observed it, so there was no later transition timestamp to record. It does not necessarily mean that a leak was only threatened, or that no publication evidence existed.

For a simple “did this firm experience a data leak?” indicator, use data_leak. Use data_leak_seen when you specifically need the timestamp of a leaked-data observation or status change, and treat empty values as “no separate transition timestamp recorded” rather than as “no leak.”

Historical records from 2020 and 2021 should be interpreted with extra care, because leak-site date coverage and platform data quality were less consistent in the earlier years than they are now.

CSV is useful for spreadsheets, reporting, and simple ingestion jobs. It contains the core dashboard fields in tabular form.

The API returns event data but does not send email directly. A scheduled script can:

  1. request events first seen during the last 24 hours
  2. convert the returned event objects to CSV
  3. send the CSV as an attachment through your SMTP server

The script is available in the public eCrime.ch API examples repository:

ecrime_daily_csv_email.py

See API Examples for all published examples and the repository support policy.

The script reads its API and mail settings from environment variables:

Terminal window
export ECRIME_API_KEY="your-api-key"
export SMTP_HOST="smtp.example.com"
export SMTP_PORT="587"
export SMTP_USER="reports@example.com"
export SMTP_PASSWORD="your-smtp-password"
export MAIL_FROM="reports@example.com"
export MAIL_TO="recipient@example.com"

Test the API request and CSV generation without sending email:

Terminal window
python3 ecrime_daily_csv_email.py --dry-run report.csv

Send the report:

Terminal window
python3 ecrime_daily_csv_email.py

For daily delivery at 08:00, add a cron entry such as:

0 8 * * * /usr/bin/python3 /path/to/ecrime_daily_csv_email.py

Keep the API key and SMTP credentials outside the script and restrict access to the environment or configuration that contains them.

If your integration needs richer intelligence, use the API endpoints for search, file search, torrent intelligence, or event detail records where available.