Skip to content

What websites and sources are monitored?

eCrime.ch monitors ransomware blogs, extortion sites, data-leak sites, actor infrastructure, and related intelligence sources. The monitored catalog changes continuously as actors move infrastructure, retire brands, launch mirrors, or reappear under new names.

The live application is the source of truth. Use Leaksites in the tracker to search the current catalog, inspect a leak-site URL, and see whether eCrime.ch has recently observed it online.

The legacy help article listed monitored actors manually. That became stale quickly. The current catalog contains hundreds of visible leak-site records and URLs, including active sites, inactive sites, mirrors, rebrands, historical entries, and sources retained for event context.

Instead of maintaining a static public list, eCrime.ch keeps the monitored source catalog in the product itself.

The monitored catalog can include:

  • ransomware and double-extortion leak sites
  • standalone data-leak markets or publication sites
  • mirror URLs and replaced infrastructure
  • actor profile pages and announcement channels
  • sources used for event validation or historical continuity

Use one of these workflows:

  1. Open Leaksites and search by actor, brand, domain, or onion URL.
  2. Use Search for a broader investigation across events, actors, news, and leak-site records.
  3. Open an Actor Profile to see known infrastructure and screenshot evidence for one actor.

If a source is missing or appears incorrectly grouped, contact support with the URL, actor name, and any context you have.