Statistics
URLhaus produces detailed statistics on malicious URLs shared, including detections - find the available statistics below.
You can also access Spamhaus's Malware Digest report, based on URLhaus data:
Most Delivery Payload
Average Takedown TimeNumber of submissions (past 30 days)
The chart below documents the number of submissions (unique malware URL) to URLhaus per day over a period of 30 days.
Top Reporters
It wouldn't be possible to operate URLhaus without the help of volunteers who report malware URLs to URLhaus. The table below shows the top reporters and their Twitter handle.
| Rank | Reporter | Submissions |
|---|---|---|
| 1 |  lrz_urlhaus | 1'249'443 |
| 2 |  geenensp | 806'789 |
| 3 |  Cryptolaemus1 | 259'862 |
| 4 |  NDA0E | 185'175 |
| 5 |  Gandylyan1 | 149'354 |
| 6 |  zbetcheckin | 136'265 |
| 7 | tammeto | 73'499 |
| 8 |  abuse_ch | 69'072 |
| 9 |  abus3reports | 55'121 |
| 10 | p5yb34m | 48'052 |
| 11 |  DaveLikesMalwre | 44'770 |
| 12 |  tolisec | 42'133 |
| 13 |  spamhaus | 39'159 |
| 14 | Petras_Simeon | 26'161 |
| 15 |  shotgunner101 | 19'210 |
Blocklist Comparison
URLhaus reports malware distribution sites to Spamhaus DBL, SURBL and Google Safe Browsing (GSB). In addition, several vendors of IT-security software are consuming URLhaus feeds to enrich their product(s). The statistics below measures the perfomance of several blocklists and DNS providers by counting the number of blacklisted domain names and compare them against each other.
Spamhaus DBL
SURBL
AdGuard DNS
Quad9 DNS
Cloudflare DNS
dns0.eu DNS
ProtonDNS
OpenBLD
DNS4EU
Most Delivered Payload
Malware URLs deliver all kind of different payloads. This chart shows the number of payload per malware family (signature) identified / crawled by URLhaus.
Top Tags
Most seen tag associated with malware URLs tracked by URLhaus.
Top Malware Hosting Networks
The chart below shows the top malware hosting network by ASN. Please consider that some of them just offer CDN or proxy services and are hence not hosting the malicious content it self rather than facilitate delivering the malicious payload to the user.
Top malware hosting networks in total (counting online and offline malware distribution sites):
| Rank | ASN | Country | Average Reaction Time | Malware URLs |
|---|---|---|---|---|
| 1 | AS4837 CHINA169-Backbone |  CN | 2 days, 13 hours, 12 minutes | 929'155 |
| 2 | AS9829 BSNL-NIB |  IN | 9 hours, 29 minutes | 437'155 |
| 3 | AS4134 CHINANET-BACKBONE | CN | 4 days, 6 hours, 12 minutes | 194'091 |
| 4 | AS17488 HATHWAY-NET-AP | IN | 5 hours, 56 minutes | 142'692 |
| 5 | AS13335 CLOUDFLARENET |  US | 3 days, 7 hours, 9 minutes | 107'087 |
| 6 | AS8661 PTK |  AL | 2 days, 1 hours, 28 minutes | 97'550 |
| 7 | AS207569 I-SERVERS-NORTH-EU |  RU | 23 hours, 40 minutes | 91'344 |
| 8 | AS17816 CHINA169-GZ | CN | 1 day, 10 hours, 19 minutes | 85'018 |
| 9 | AS14061 DIGITALOCEAN-ASN | US | 5 days, 3 hours, 34 minutes | 60'221 |
| 10 | AS16509 AMAZON-02 | US | 3 days, 12 hours, 13 minutes | 58'326 |
| 11 | AS46606 UNIFIEDLAYER-AS-1 | US | 14 days, 2 hours, 6 minutes | 56'762 |
| 12 | AS17622 CNCGROUP-GZ | CN | 22 hours, 37 minutes | 50'855 |
| 13 | AS19871 NETWORK-SOLUTIONS-HOSTING | US | 13 days, 9 hours, 19 minutes | 38'032 |
| 14 | AS16276 OVH |  FR | 10 days, 11 hours, 54 minutes | 35'500 |
| 15 | AS36352 AS-COLOCROSSING | US | 11 days, 14 hours, 3 minutes | 33'168 |
Top malware hosting networks, hosting active malware content (counting online malware distribution sites only):
| Rank | ASN | Country | ASN-DROP | Average Reaction Time | Malware URLs |
|---|---|---|---|---|---|
| 1 | AS36459 GITHUB | US | 18 days, 12 hours, 5 minutes | 2'144 | |
| 2 | AS20940 AKAMAI-ASN1 | US | 19 days, 13 hours, 10 minutes | 1'102 | |
| 3 | AS26496 AS-26496-GO-DADDY-COM-LLC | US | 18 days, 20 hours, 45 minutes | 928 | |
| 4 | AS54113 FASTLY |  DE | 19 days, 19 hours, 33 minutes | 526 | |
| 5 | AS214943 RAILNET | US | Blocked | 8 days, 12 hours, 41 minutes | 256 |
| 6 | AS53667 PONYNET |  CA | 14 days, 12 hours, 19 minutes | 242 | |
| 7 | AS37963 ALIBABA-CN-NET | CN | 1 month, 18 days, 11 hours, 25 minutes | 178 | |
| 8 | AS45102 ALIBABA-CN-NET | CN | 3 days, 7 hours, 45 minutes | 142 | |
| 9 | AS13335 CLOUDFLARENET | US | 3 days, 7 hours, 9 minutes | 140 | |
| 10 | AS15169 GOOGLE | US | 12 days, 1 hours, 57 minutes | 139 | |
| 11 | AS4837 CHINA169-Backbone | CN | 2 days, 13 hours, 13 minutes | 107 | |
| 12 | AS4134 CHINANET-BACKBONE | CN | 4 days, 6 hours, 12 minutes | 105 | |
| 13 | AS135918 DVS-AS-VN |  VN | 11 days, 20 hours, 7 minutes | 92 | |
| 14 | AS202306 HOSTGLOBALPLUS-AS | RU | Blocked | 4 months, 16 days, 18 hours, 53 minutes | 84 |
| 15 | AS214351 FEMOIT |  GB | Blocked | 25 days, 20 hours, 35 minutes | 79 |
Takedown Statistics
URLhaus is sending out abuse reports to hosting providers, hosting malware distribution sites. The following chart shows the number of active malware distribution sites and the number of unique abuse reports sent per day.
The following table shows the top 15 hosting providers with the fastest abuse desks. To generated these statistics, URLhaus measures the time between when URLhaus sent the abuse complaint to the hosting provider and when the reported content goes offline. Please consider that the accuracy is +/- 1 hour.
| Rank | ASN  | Country | Online | Offline | Average Reaction Time |
|---|---|---|---|---|---|
| 1 | AS58772 ChinaNet-Fujian-Fuzhou-IDC | CN | 0 | 1 | 0 minute |
| 2 | AS13022 STREAMS_GMBH |  AT | 0 | 1 | 5 minutes |
| 3 | AS52564 Biazi_Telecom |  BR | 0 | 1 | 6 minutes |
| 4 | AS7020 QDATA-AS |  NZ | 0 | 1 | 7 minutes |
| 5 | AS263948 NEW_LIFE_TELECOM | BR | 0 | 1 | 7 minutes |
| 6 | AS197684 ASHOSTUA |  UA | 0 | 2 | 7 minutes |
| 7 | AS134929 ORANGECITY-AS |  None | 0 | 1 | 7 minutes |
| 8 | AS55441 TTSLMEIS-AS-AP | IN | 0 | 1 | 7 minutes |
| 9 | AS55486 NETWORX-AS-AP | None | 0 | 1 | 8 minutes |
| 10 | AS268490 A.I.P._INTERNET | BR | 0 | 1 | 9 minutes |
| 11 | AS267060 Jspnet_servios_de_comunicaes_multimidia_eireli | None | 0 | 1 | 9 minutes |
| 12 | AS268824 CONNECTMAX_TELECOM | BR | 0 | 2 | 10 minutes |
| 13 | AS139261 METROLINK-AS-AP | None | 0 | 2 | 10 minutes |
| 14 | AS273690 SHIELD_TELECOM_LTDA | BR | 0 | 1 | 10 minutes |
| 15 | AS19517 VISUAL-LINK-INOC | US | 0 | 1 | 10 minutes |
The following table shows the top 15 hosting providers with the slowest abuse desks. To generated these statistics, URLhaus measures the time between when URLhaus sent the abuse complaint to the hosting provider and when the reported content goes offline. Please consider that the accuracy is +/- 1 hour.
| Rank | ASN  | Country | Online | Offline | Average Reaction Time |
|---|---|---|---|---|---|
| 1 | AS23520 LIBERTY-NETWORKS | US | 0 | 1 | 4 years, 6 months, 14 days, 16 hours, 19 minutes |
| 2 | AS6 BULL-HN | US | 0 | 1 | 4 years, 2 months, 23 days, 19 hours, 10 minutes |
| 3 | AS40015 MOVECLICKLLC | US | 2 | 9 | 3 years, 11 months, 8 days, 1 hours, 57 minutes |
| 4 | AS10099 UNICOM-Global |  HK | 0 | 11 | 3 years, 9 months, 6 days, 10 hours, 11 minutes |
| 5 | AS197838 CHEELOO-AS |  PL | 0 | 1 | 3 years, 8 months, 1 days, 17 hours, 58 minutes |
| 6 | AS199391 XGlobe-199391 |  IL | 0 | 3 | 3 years, 6 months, 25 days, 19 hours, 21 minutes |
| 7 | AS44547 NetundWeb |  TR | 0 | 1 | 3 years, 5 months, 20 days, 12 hours, 33 minutes |
| 8 | AS263057 Connect_Network | BR | 0 | 1 | 3 years, 5 months, 14 days, 4 hours, 29 minutes |
| 9 | AS12556 internet-solutions-ke |  ZA | 0 | 2 | 3 years, 5 months, 13 days, 13 hours, 58 minutes |
| 10 | AS135523 MULTINET-IE-AS-AP |  PK | 0 | 2 | 3 years, 4 months, 16 days, 7 hours, 23 minutes |
| 11 | AS24164 UBBNET-AS-TW |  TW | 3 | 1 | 3 years, 1 months, 15 days, 18 hours, 40 minutes |
| 12 | AS30782 TOYA-KRAKOW-AS | PL | 0 | 1 | 3 years, 1 months, 4 days, 20 hours, 34 minutes |
| 13 | AS37024 Yoprov |  ZW | 0 | 1 | 2 years, 9 months, 27 days, 23 hours, 58 minutes |
| 14 | AS60822 WISP1 |  IT | 0 | 1 | 2 years, 9 months, 15 days, 2 hours, 6 minutes |
| 15 | AS9811 DRCSCNET | CN | 2 | 2 | 2 years, 9 months, 5 days, 8 hours, 32 minutes |
The full list of average reaction time over all hosting providers (ASNs) can be found here:
If you are a hosting provider, network owner or national CERT, you can subscribe to the URLhaus feed for your ASN or country here: