AI Tools for Cybercrime Investigators

AI tools that help cybercrime investigators research threat actors, analyze vulnerabilities, scan domains, trace IPs, monitor dark web activity, and compile digital forensics reports.

Get started for free

Works in Chat, Cowork and Code

Threat Verdict: 18/70 engines flagged — PhishTank, URLhaus, VirusTotal confirmed
Domain Age: 3 days old (registered April 1, 2026) — newly registered malicious domain
Registrar: Namecheap — anonymized registrant via privacy proxy
Hosting IP: 185.220.101.45 — known Tor exit node, Amsterdam, NL
Pattern: New domain + Tor-adjacent IP = high confidence malicious infrastructure

Domain and IP threat intelligence

Investigate suspicious domains and IP addresses: check against 70+ threat feeds, identify hosting infrastructure, look up WHOIS records, and build a network map of attacker infrastructure.

Investigate the domain malicious-download.xyz — scan for threat flags, look up its WHOIS registration, DNS records, and the hosting IP geolocation.

Threat scan: flagged by 18/70 engines (PhishTank, URLhaus, VirusTotal). Domain registration: 3 days old (registered April 1, 2026), anonymized registrant via Namecheap proxy. DNS: A record → 185.220.101.45 (known Tor exit node). IP geolocation: Amsterdam, NL, ASN: AS12714 (high abuse score, 847 prior threat reports). Pattern: newly registered domain on Tor-adjacent IP — high confidence malicious infrastructure.

ToolRouter scan_url
Threat Feeds: 18/70 engines flagged — PhishTank, URLhaus, VirusTotal
Domain Age: 3 days old (Apr 1, 2026) · Namecheap privacy proxy
DNS A Record: 185.220.101.45 — known Tor exit node
Verdict: High-confidence malicious infrastructure

ToolRouter lookup_ip
Field           Value
Location        Amsterdam, Netherlands
ASN             AS12714 — high abuse score
Classification  Tor exit node / bulletproof hosting
AbuseIPDB       847 reports in 30 days · score 100/100
Do not initiate connections to this IP

Phishing and email fraud analysis

Analyze suspicious emails for phishing indicators, spoofed sender addresses, malicious links, and social engineering patterns. Document findings for victim support and prosecution.

Analyze this suspicious email: From: accounts@microsoft-securityalert.com, Subject: Your account has been compromised. Contains link: http://microsoft-securityalert.com/verify/login?token=abc123

Analysis: HIGH CONFIDENCE PHISHING. Sender domain: microsoft-securityalert.com — not a Microsoft domain. SPF: FAIL. DKIM: not present. Domain registered 8 days ago. URL: redirects to credential harvesting page (5 AV flags). Techniques used: urgency language, Microsoft brand impersonation, lookalike domain. Recommended action: block domain, notify victim organization, preserve headers for prosecution. Similar campaign targeting 3 other organizations detected in threat intelligence feeds.

ToolRouter analyze_email
Verdict: HIGH CONFIDENCE PHISHING — Microsoft brand impersonation
Sender Domain: microsoft-securityalert.com — not Microsoft · registered 8 days ago
SPF / DKIM: SPF: FAIL · DKIM: not present
URL Analysis: Redirects to credential harvesting page · 5 AV flags
Campaign Match: Similar TTPs detected in 3 other organization reports
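As an added example (not part of the page and not ToolRouter's own code), the indicator checks listed above applied to a constructed message: SPF and DKIM results are read from an Authentication-Results header, the sender domain is tested for brand impersonation against a hypothetical allow-list, and domain age and urgency wording are scored. BRAND_DOMAINS, URGENCY_WORDS and the 30-day domain-age threshold are assumptions, not values from the page.

```python
import re
# Constructed sample modelled on the page's demo message; not a real captured email.
SAMPLE_HEADERS = {
    "From": "Microsoft Security <accounts@microsoft-securityalert.com>",
    "Subject": "Your account has been compromised",
    "Authentication-Results": "mx.victim.example; spf=fail smtp.mailfrom=microsoft-securityalert.com; dkim=none",
}
SAMPLE_BODY = "Verify now: http://microsoft-securityalert.com/verify/login?token=abc123"
# Hypothetical allow-list of domains each brand legitimately sends from (assumption, not a vendor list).
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com"}, "paypal": {"paypal.com"}}
URGENCY_WORDS = ("verify now", "compromised", "unauthorized", "suspended", "immediately")
def sender_domain(from_header):
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""

def registrable(domain):
    # Last two labels; a production check would consult the Public Suffix List instead.
    return ".".join(domain.lower().split(".")[-2:])

def auth_results(header):
    # Read the spf= and dkim= results from an RFC 8601 Authentication-Results header.
    found = dict(re.findall(r"\b(spf|dkim)=(\w+)", header.lower()))
    return found.get("spf", "none"), found.get("dkim", "none")

def impersonated_brand(domain):
    # A brand name inside the domain whose registrable domain the brand does not own.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in domain.lower() and registrable(domain) not in legit:
            return brand
    return None

def assess(headers, body, domain_age_days):
    """Return (verdict, indicators); domain_age_days comes from a separate WHOIS lookup."""
    indicators = []
    dom = sender_domain(headers.get("From", ""))
    spf, dkim = auth_results(headers.get("Authentication-Results", ""))
    if spf == "fail":
        indicators.append("SPF fail")
    if dkim != "pass":
        indicators.append("DKIM " + dkim)
    brand = impersonated_brand(dom)
    if brand:
        indicators.append(brand + " lookalike domain")
    if domain_age_days is not None and domain_age_days < 30:  # 30-day threshold is an assumption
        indicators.append("domain registered %d days ago" % domain_age_days)
    if any(w in (headers.get("Subject", "") + " " + body).lower() for w in URGENCY_WORDS):
        indicators.append("urgency language")
    verdict = "HIGH CONFIDENCE PHISHING" if len(indicators) >= 4 else "SUSPICIOUS" if indicators else "NO INDICATORS"
    return verdict, indicators
```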

Vulnerability and exploit research

Research CVEs being actively exploited in ongoing attack campaigns, look up exploit details, and track which threat actors are using specific vulnerabilities. Critical for attribution and incident response.

Look up CVE-2025-21234 — full technical details, CVSS score, affected systems, known exploit code, and which threat actors have used it in attacks.

CVE-2025-21234: Ivanti Connect Secure, pre-authentication remote code execution. CVSS: 9.8 (Critical). Affected versions: 22.6.x and prior. Exploit: heap overflow in SSL VPN authentication handler — proof-of-concept published on GitHub. Exploitation status: listed in CISA KEV. Attributed campaigns: Volt Typhoon (Chinese state actor), LockBit 4.0 affiliate initial access broker. Patch: Ivanti hotfix available Jan 2025. 7,200+ internet-exposed instances unpatched as of April 2026.

ToolRouter search_cves
CVSS Score: 9.8 Critical — remote code execution, pre-authentication
Affected Versions: Ivanti Connect Secure 22.6.x and prior
Exploit Status: PoC published on GitHub · heap overflow in SSL VPN auth handler
Threat Actors: Volt Typhoon (CN state) · LockBit 4.0 affiliates · CISA KEV listed
Exposure: 7,200+ unpatched internet-exposed instances as of April 2026

Threat actor profiling

Build comprehensive profiles of ransomware groups, APT actors, and cybercriminal organizations: TTPs, known infrastructure, affiliate relationships, and recent campaigns.

Build a threat actor profile on RansomHub — their RaaS model, notable attacks, TTPs (MITRE ATT&CK), demanded ransom amounts, and how they evolved from ALPHV/BlackCat.

RansomHub profile: Emerged March 2024 as RaaS successor to ALPHV/BlackCat following FBI disruption. Recruited displaced ALPHV affiliates. TTPs (MITRE): Initial access via VPN exploits (T1190), lateral movement via Living-off-the-Land (T1059), exfiltration before encryption (T1041) for double extortion. 2025 stats: 150+ victims claimed; average demanded ransom $2.3M; sectors: healthcare (34%), legal, government. Infrastructure: .onion leak site; affiliate split 90/10. Notable victim: UnitedHealth Group Change Healthcare (Feb 2024, $22M ransom paid).

ToolRouter research
Origin: Emerged Mar 2024 · recruited ALPHV/BlackCat affiliates post-FBI disruption
TTPs (MITRE): T1190 (VPN exploits) · T1059 (LoTL) · T1041 (double extortion)
Scale (2025): 150+ victims · avg ransom demand $2.3M · healthcare 34%
Notable Attack: Change Healthcare (UHG) · $22M ransom paid · Feb 2024
Affiliate Model: RaaS · 90/10 affiliate split · .onion leak site

Supply chain and dependency vulnerability scanning

Audit open-source packages used by victim organizations for known advisories and supply chain compromises. Essential for software supply chain attack investigations.

Audit the top 5 npm packages used by the victim organization — lodash 4.17.21, axios 1.6.0, express 4.18.2, react 18.2.0, and webpack 5.88.0 — for known CVEs and supply chain advisories.

Audit results: lodash 4.17.21 — No active critical CVEs. axios 1.6.0 — CVE-2023-45857 (CSRF token exposure, medium severity, patched in 1.6.2, this version vulnerable). express 4.18.2 — No critical CVEs. react 18.2.0 — No CVEs. webpack 5.88.0 — CVE-2024-43788 (cross-site scripting in dev server, fixed in 5.94.0). Recommend patching axios and webpack. Supply chain integrity: all 5 packages verified against published npm checksums — no tampering detected.

ToolRouter audit_packages
Package   Version   CVEs found
axios     1.6.0     CVE-2023-45857 (CSRF, medium)
webpack   5.88.0    CVE-2024-43788 (XSS, medium)
lodash    4.17.21   None
express   4.18.2    None
react     18.2.0    None
Supply chain integrity verified · no tampering detected
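As an added example, not ToolRouter's own code, here is the core of the audit described above: a semver comparison that decides whether each installed version falls below an advisory's fixed version (using the two advisories quoted on the page), plus a check of an npm lockfile-style integrity string against downloaded tarball bytes. The installed versions, advisory list and tarball bytes are constructed; a real audit pulls advisories from a live source.

```python
import base64
import hashlib
import hmac

# Constructed inputs: the victim's installed packages, the two advisories quoted on the page,
# and fake tarball bytes. Real audits pull advisories from a live source (npm audit, OSV, GHSA).
INSTALLED = {"lodash": "4.17.21", "axios": "1.6.0", "express": "4.18.2", "react": "18.2.0", "webpack": "5.88.0"}
ADVISORIES = [
    {"package": "axios", "id": "CVE-2023-45857", "severity": "medium", "fixed": "1.6.2"},
    {"package": "webpack", "id": "CVE-2024-43788", "severity": "medium", "fixed": "5.94.0"},
]
SAMPLE_TARBALL = b"constructed bytes standing in for a downloaded package tarball"

def parse_version(v):
    # Semver core plus prerelease tag; a prerelease sorts below the release of the same core (1.6.2-rc.1 < 1.6.2).
    core, _, pre = v.partition("-")
    nums = [int(x) for x in core.split(".")]
    nums += [0] * (3 - len(nums))
    return (tuple(nums), pre == "", pre)

def is_vulnerable(version, advisory):
    # Affected if below the fixed version and not below an optional "introduced" bound (OSV-style range).
    v = parse_version(version)
    lo = advisory.get("introduced")
    if lo is not None and v < parse_version(lo):
        return False
    return v < parse_version(advisory["fixed"])

def audit(installed, advisories):
    """Map package name -> [(advisory id, fixed version)] for every affected installed package."""
    findings = {}
    for adv in advisories:
        ver = installed.get(adv["package"])
        if ver is not None and is_vulnerable(ver, adv):
            findings.setdefault(adv["package"], []).append((adv["id"], adv["fixed"]))
    return findings

def make_integrity(data):
    # npm lockfile "integrity" field: a Subresource Integrity string, sha512-<base64 digest>.
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()

def verify_integrity(data, integrity):
    # Compare fetched bytes with the pinned checksum; a mismatch means the artifact was altered or swapped.
    algo, _, expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    actual = base64.b64encode(hashlib.new(algo, data).digest()).decode()
    return hmac.compare_digest(actual, expected)
```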

Cybercrime investigation report writing

Compile digital forensics findings, threat intelligence, and attack timelines into professional investigation reports for law enforcement, legal proceedings, and victim organizations.

Write a cybercrime investigation report from these findings: victim hit by RansomHub, initial access via unpatched Ivanti VPN, dwell time 14 days, 350GB exfiltrated before encryption, $1.5M ransom demanded, ransom not paid. Indicators of compromise: 4 malicious IPs, 2 domains, 3 malware hashes.

Cybercrime Investigation Report — Case #2026-CCI-0104. Victim: [Organization]. Attack Type: Ransomware (RansomHub). Summary: Threat actor gained initial access via CVE-2025-21234 (Ivanti VPN) on March 18, 2026. Dwell time: 14 days. Activity: lateral movement, credential harvesting, 350GB data exfiltration (March 25–31). Encryption deployed April 1. Ransom: $1.5M USD (not paid). IoCs: [4 IPs, 2 domains, 3 hashes listed]. Attribution confidence: MODERATE (RansomHub TTPs and infrastructure consistent). Recommended actions: Ivanti patch, credential resets, network segmentation review.

ToolRouter repurpose_content
Initial Access: CVE-2025-21234 (Ivanti VPN) · March 18, 2026
Dwell Time: 14 days — lateral movement + credential harvesting undetected
Exfiltration: 350GB data exfiltrated March 25–31 before encryption
Ransom: $1.5M demanded · not paid · decryption keys not recovered
IoCs: 4 malicious IPs · 2 domains · 3 malware hashes

Ready-to-use prompts

Scan suspicious domain

Scan the domain phish-site.net across all available threat intelligence engines — check for malware, phishing, botnet indicators, and recent abuse reports.

Investigate IP address

Look up IP 45.33.32.156 — geolocation, ASN, abuse reputation, and any associated threat intelligence or prior incident reports.

Research ransomware group

Build a profile on LockBit 4.0 — their RaaS affiliate structure, current TTPs, notable 2025–2026 attacks, ransom demand patterns, and known decryptors.

Analyze phishing email

Analyze this suspicious email for phishing indicators: From: noreply@paypal-account-services.com, Subject: Unauthorized login from Russia — verify now. Include header analysis and link analysis.

CVE exploit details

Look up CVE-2024-49104 — full technical details, CVSS score, affected Microsoft Exchange versions, known exploit status, and any attributed ransomware campaigns.

Audit npm packages

Audit these npm packages for known CVEs and supply chain advisories: lodash 4.17.20, moment 2.29.4, minimist 1.2.6, node-fetch 2.6.7.

Write investigation report

Write a cybercrime investigation report: victim organization hit by business email compromise (BEC), CFO credentials compromised via spearphishing, $340K fraudulent wire transfer initiated. Three sending IPs identified. Investigation timeline April 1–3, 2026.

Tools to power your best work

165+ tools. One conversation.

Everything cybercrime investigators need from AI, connected to the assistant you already use. No extra apps, no switching tabs.

Incident investigation package

Investigate a cyber incident end-to-end: scan attacker infrastructure, research threat actor, audit victim packages, and compile the full investigation report.

1. Security Scanner: Scan attacker domains and URLs for threat intelligence
2. IP Geolocation: Investigate attacker IPs for geolocation and abuse history
3. Vulnerability Database: Look up CVEs used in the attack for technical context
4. Deep Research: Profile the threat actor and campaign
5. Content Repurposer: Compile findings into a formal investigation report

Phishing campaign investigation

Investigate a phishing campaign: analyze emails, scan malicious links, research sending infrastructure, and build victim notification content.

1. Phishing Email Checker: Analyze suspicious emails for phishing indicators
2. Security Scanner: Scan URLs from the phishing emails for malware/redirects
3. WHOIS & RDAP: Look up registration details for phishing domains
4. Content Repurposer: Write victim notification and incident summary

Frequently Asked Questions

Can these tools help me identify the geographic source of an attack?

IP Geolocation can identify the city, country, and ASN associated with an attacker IP. However, sophisticated attackers use VPNs, Tor exit nodes, and compromised infrastructure. Geolocation identifies hosting location, not necessarily the attacker's location. Always corroborate with additional intelligence.

Is scanning someone else's domain legal?

The Security Scanner tool retrieves only publicly visible information about a domain — threat feed lookups, WHOIS data, SSL checks — the same information any ordinary browser request exposes. Active penetration testing requires authorization. When investigating potentially malicious infrastructure you don't control, consult your agency's legal guidance before any active testing.

How current is the CVE and threat intelligence data?

Vulnerability Database syncs with the NVD (National Vulnerability Database) and CISA KEV list, typically within hours of publication. Security Scanner checks against 70+ real-time threat feeds. Threat actor research from Deep Research reflects published reporting, which may lag active operations.

Can I use these tools to investigate darknet activity?

These tools operate exclusively on the public internet. They can research threat actor groups, ransomware operations, and cybercrime trends through published reporting and threat intelligence feeds, but do not provide access to darknet marketplaces or forums.
