[C&C: 22700] - [ZbotScan+CCAM: 4464]
[RSS] - [Full List] - [Tracker] - [ZbotScan] - [Submit C&C] - [Tools] - [VX] - [Stats] - [Relax] - [About]

16/07/2020: Dell PowerEdge T330

Some parts of CCT run on our own server at home, which is a good thing. We always did that but it was time to update again the backend infra.
We now have a Xeon E3-1220 v6, 8 GB RAM, and a huge HDD space of 57 TB, new service include also a cape v2 sandbox instance, reopening of the glftpd for vx sharing (got optical fiber too since the beginning of the year).

1 1 1

CCT Bot got another code update and the live malwares who are throw on irc will be proceeded also to the internal cape v2 sandbox.
Yep, CCTBot is still running on Raspberry Pi zero and everything is fine, we still ❤ Python.

1 1

18/05/2020: 2 0 k - c o l l e c t i o n

Today cybercrime-tracker.net hit over 20,000 submitted/curated C&C!
Thanks also to the amazing work of a few key submitter and see y'a for the 25k !

25/09/2018: 1 5 k - c o l l e c t i o n

OHH BOY.. we have something for ya, it's called cct15k.exe
Go find a way to get it.
edit 05/11/2020: it's here cct15k.zip


It's that time again, so we just flipped the snow on.
2017 was a good year. Between bouts of breaking the shit out of zeus, we managed to make a bunch of improvements to the tracker, and upgrade our backend to something beefier. Thanks to all of you out there who do this just for the sake of helping.

We've also actually got some courriers now, because honestly the Sysops can't be fucked to do it.

Anyway, thanks for everything, and enjoy the snow. I'd tell you to step away from the computer and spend time with family or something, but I know you guys are way too gone for that.
so see ya on irc (21h, french time) we have a special gift and a malware actor gonna have bad times.

06/12/2017: Site cleanup

A bit of cleanup was needed on tools and relax section.
2 new ANSI added, more cleanup to come (and more ANSI too :))

28/10/2017: Feed update part 2

The remainings rss feeds got updated: ccam, ccpm, phishtracker, zbotscan.
CCTBot service is also back on irc.
1 1

21/10/2017: Feed update

Time to update scripts !
Just some minor change on the main rss feed, other feeds will be updated as well soon.
We de-blacklisted also a bunch of IPs addresses, all is forgotten ;)


23/03/2017: 1 0 k - c o l l e c t i o n

We reached 10k C&C today.
Small update for the occasion, CSV download are now available.
Thanks for choosing (C)yber(C)rime (T)racker!.

09/02/2017: PhishTracker is live !

Phishtracker is in beta test since the beginning of the year. (2 months now)
If you want to see some live action, we released 2 videos on how things working internally.
- Inside CCAM.
- Inside PhishTracker.

People also requested us to use our logo, you can find a scalable SVG with transparent background here.
The great ANSi was originally made by Tempus Thales of iCE.

07/09/2016: CCAM / CCPM

Since beginning of the week you might have ear of these two mini-trackers on some private mailing-lists.
We are now opening to public CCAM (Atmos tracker) as our previous project (ZbotScan) is still in stand-by.
And CCPM (Pony tracker) Both trackers are in public-beta, RSS feed available as well as sample downloading (send us a mail for access request)
We are using as engine the tool of JPCERT and ponyExtractor.

07/04/2016: Feed update

The tracker got some minor changes.
If you are running a crawler and use our raw feed you will probably need to update your code.
The list is now with a download header and using this naming convention: CYBERCRiME-04-07-16.txt
Where 04-07-16 stand for m-d-y
A twitter account got also opened, @CyberCrimeWHQ for status update and tracker alerts.


ZbotScan is temporarily offline (no idea when it will be back.)
Reason is simple, script is getting old and need to be updated for newest Zeus versions.
Price of the dedic is also part of the problem and some other things.
Generic zeus exploit is also now offline as well as other exploits for preventives reasons.
The beta version proofed that this was working really great.
In fact, it was working so great that we hit a spamhaus zeus honeypot (
mins later we got trouble with thoses fuckers, and i had to take actions.
Anyway, tracker is now back to normal, enjoy your stay.


ZbotScan reached 2k+ samples !
I added another chart to compare the number of URLs reported VS the number of binaries reported for the Zeus family.
Also regarding the status of certain malware families like 'Stresser' or 'Mailer' they should be considered as illegal or questionable (ethical issue), not necessarily 'malicious'


Added 2 geomap for statistical purpose, google geomap rocks!
One is displaying C&C localisations based on IPs [Click Me]
The second geomap is more for me than my visitors, but i put it public anyway [Click Me]
This one is displaying blacklisted IP of CyberCrime-Tracker who attempted to attack the site (sql injections, etc...)


1000 Samples reached ZbotScan ! \o/
I wasn't expecting reaching this amount of samples on this short period of time
but i've really worked hard on this tracker and i've passed most of my free time trying to feed the tracker.
Don't blame me if i slowed the pace, i need to breath and stabilize my problems in real life (no job etc...)
We received a lot of mails from people wondering if they can use our feeds into their projects (thanks for asking !).
The informations/feeds provided here are under CC-0, in clear: do what's you want with it, feel free to use the datas provided here for your research or projects.

One remark though: it's unnecessary to crawl our feeds each 20 secs.


ZbotScan service successfully launched and operational. (don't ask for samples, they are flush after being reported)
Added an API feature. (output in JSON)
Usage: http://cybercrime-tracker.net/query.php?url=[IP-OR-URL]
Generic Zeus Exploit added *beta* should work on everything except the zeus version who use rijndael and Citadel.
In addition you can have a look on ZbotScan to get easilly the RC4 Keystream and pwn everything !


Moved to OVH for stability purpose
New interface of the tracker
Added an RSS feed feature and some other small things.
1 1


Sad day, @stéroH passed away.
Since the beginning that i'm behind a computer, i've meet and learn many things from a lot of exceptional people.
And even if it's virtual, that hurt when you know guys like Rock4eveR or @stéroH who will never be online again.
My condolences to his family and friends.
I've added a small note on the footer, never forget.


Emiliano of VirusTotal asked me to participate as URL scanner with CyberCrime in VirusTotal
I've took the decision to remove all private part and sensitive stuff, CyberCrime is now only about C&C tracking and fully open to public


Huge period of inactivity due to the shutdown of MalwareIntelligence VPS.
The tracker got also damaged with a stupid manipulation, almost everything is lost. (no backup)


After monitoring domains and repack of winlocks, XyliThreats goes under the name 'CyberCrime'
It's a reference to an underground BBS created in 1997, CCi: CyberCrime International
The goal have also changed, focused on SpyEye C&C tracking and sample repack
The tracker is also updated automatically via some tools running on MalwareIntelligence VPS.
Weeks later CyberCrime goes into Blackhole tracking and C&C general.
The project turned more personal but the private part of the tracker goes semi-private: access delivered on request
I've also started to work in real life.. less time for the tracker
1 1 1


The project moved from malware analysis to TDS monitoring and malware repack (essentially winlocks)
A part of the tracker is closed to public, and is used mainly to monitor the BestAV Affiliate network
1 1


Project started under the name XyliThreats
The work is inspired from Secubox Labs

At first the project was not about C&C tracking but malware analysis:

CyberCrime... Not dead yet !

>2024 - inquiries: contact☆cybercrime-tracker.net - R.I.P à notre ami Nico