Genesis of Criminal IP

With the global surge in cybercrimes, we are witnessing that the demand for intelligence-driven security is shooting up at an unprecedented rate. But in order to meet this demand, exorbitant initial cost is inevitable, which is further compounded by the necessity to secure enough manpower and collect information. Therefore, we have come up with our own service that perfectly aligns with this urgent need to diagnoses cyberthreats.

The most decisive clue for tracking down cybercrimes is the IP address. Setting our sights on data-driven security, we have conceived the idea of creating a criminal record book that provides comprehensive history on network activities associated with a specific IP address, and converged it with machine learning, artificial intelligence, and behavior-based anomaly detection.

What is IP address-based Cyber Threat Intelligence?

Before we take a deep dive into the fundamentals, the concept boils down to the compilation of evidential security information that minimizes the risk of cyber threats impacting business decision-making process. Just as we go after criminals through fingerprints left at the crime scene, in cybercrime, anonymous attacks such as fraudulent access, account theft, payment scams, money laundering, and credential stuffing can all be traced back to the biggest footprint, namely IP addresses. Using Criminal IP, you can get a live view into how many and randomly your IT assets including DB servers, file servers, middleware servers, administrator servers, IoT systems, and malicious sites are populating the network. This eventually allows you to monitor potential attack vectors one step ahead of opportunistic malicious actors as well. Furthermore, it is a comprehensive solution that aggregates vast amounts of OSINT (Open-Source Intelligence) through unique crawling technology, which is also overlaid with AI, machine learning-based fraud detection algorithm, and network scanning at record speed.

What exactly is Criminal IP?

Criminal IP is a comprehensive threat intelligence search engine that detects vulnerabilities of personal or corporate cyber assets in real time and facilitates preemptive responses accordingly. It is largely divided into SEARCH and INTELLIGENCE feature,  whereby it is possible to receive detailed threat-relevant information through detailed banners and malicious behavior history. You can find all types of internet-facing information on malicious IPs, phishing sites, malicious links, certificates, industrial control systems, IoTs, servers, CCTVs, and so forth.

Through integration with our developer API, security practitioners within companies or institutions can timely block attackers infiltrating internal assets and monitor assets that may unknowingly be exposed on the attack surface. Just like how you retrieve information through Google search, it is possible to search for all the internet-exposed assets and vulnerabilities through various filters and tags on Criminal IP. In addition, you can get a glimpse of the latest threat intelligence that gives you actionable insights augmented by multifaceted analytics.

1. Asset Search



Directly search for the service name through keywords or type in the CVE number to look up related IP address information.

  • Triage of inbound and outbound IP risk scores into 5 straightforward levels (SAFE, LOW, MODERATE, DANGEROUS, CRITICAL)
  • Connection of all the contextual information on the IP address owner, country, SSL certificate, associated domain
  • Detection of suspicious VPN IP, TOR IP, Hosting IP, CDN, Scanner IP
  • Summary on open ports running,  past abuse history, and vulnerabilities hidden within

2. Domain Search

Domain search feature scans your target domain in real time and provides exhaustive information on that domain with a final risk score, which is determined by whether it is being used as a phishing domain, embeds malicious links, or contains valid certificates.

The domain risk score is also presented according to a 5-level risk matrix. Through domain summary feature, you can identify fake domain, fake SSL, abuse record, phishing record, hidden elements in html, program traps, network redirection, and suspicious cookies.

This domain search is designed under the initiative “Use Criminal IP before clicking on suspicious links”, which is the one and only feature warranting detection of the malicious links that have only recently seen the light of the world and are yet to be registered in the existing database. Given a certain domain URL, a chrome is launched to conduct scanning and AI-driven analysis, which allows us to diagnose whether any new URLs are malicious and should be blocked accordingly.

3. Exploit Search

Using this exploit feature, you can comb through all the known vulnerabilities (CVEs) around the world and get the details on the actual exploit code for each corresponding service. When you search with CVE information, you can access the whole EXPLOIT information matching your search term so that you can easily ascertain their attack patterns as well. Moreover, if you search by specific platforms instead of CVE, you can check the related EXPLOIT list and screen the result items through various filters (e.g., authors, types, years).

4. Image search

After running an image search with various example search terms such as RDP, phishing, webcam, RTSP, you can view the specific images of assets being left wide open to cyberthreats. This feature parallels how we search for images on Google, but it differs in the fact that only images signaling potential cyberthreats are retrieved for your reference.

The Criminal IP Difference

1. Unmatched quality and quantity of data

Criminal IP prides itself on the unprecedentedly vast amount of data pertaining to IP address. Just to name a few, they include proprietary risk score, C&C and phishing domain, identification of URLs embedding malicious links, network devices  exposed on the attack surface and domain similarity algorithm.

Our data stands out not only in terms of quantity but also in terms of quality, and you can rest assured of the freshness of the data amounting to as much as 4.2 billion IP addresses and domains, all of which are only a subset of cyber asset information that are gathered and refreshed in real time.

Along with information on the most widely used VPN IPs, Criminal IP also singles out various types of abnormal IPs masquerading as Tor, Proxy, Hosting IPs and helps stave off attacks that could potentially be launched through them.

2. Reduction of operational risks through vulnerability detection

Criminal IP already comes with a massive database that stores information on past and current IP address vulnerabilities, so it is purpose-built to assist in various types of research or risk management. Just to illustrate a few, it would be possible to extract a whole database on “US-wide lookup of IP addresses with RDP vulnerabilities” or “lookup of IP addresses with designated CVEs”. We also have established an offline database for various VPN IPs collected at global scale, which is all accessible upon request.

This is where Criminal IP comes in

1. User Identification

Through identification of abnormal users, you can utilize Criminal IP for screening out malicious activities such as credentials leakage, payment scams, and web crawling. Most notably, we provide strictly data-backed evidence that lets you to determine whether threat actors are attempting login through VPN IP, Cloud IP, Proxy IPs and foreign servers. In addition to preventing leakage of personal information, it also has the effect of heading off brute-force attacks that capitalize on those leakages. When integrated into login platforms of online services, we send out alert notifications in the event that any logins are attempted through suspicious IP addresses, and minimize damages incurred by such activities.

2. Security Control

When it comes to security control, we streamline operations and boost efficiency by conducting a deep-dive analysis of inbound and outbound IP addresses and domains. Criminal IP is easy to integrate with other already existing security products such as Intrusion Detection System (IDS), Endpoint Detection and Response (EDR), spam mail filters as well as firewalls within an organization. In accordance with the assigned risk score of IP addresses, IP blocking policy is  implemented, which considerably cuts down on resources that would normally go into establishing a separate IP-based security control system from the ground up. Coupled with our other flagship product RMR which is an enterprise version of Criminal IP, there is absolutely no need to provide confidential log record information.

More to the point, using Criminal IP facilitates advanced detection of phishing attacks and even without direct access, the malicious domains could be blocked and taken down without much effort. Even after occurrence of an incident, we analyze the entire access history of the dangerous IP and provide relevant information such as domain, vulnerability, and favicon.

3. Attack Surface Management

All companies around the world possess their proprietary IP addresses on which their servers, network devices, databases all run. Because these could be easy entry points for threat actors, their management is of paramount importance in implementing effective attack surface management.

With Criminal IP in place for them, corporate security managers can spot hidden assets scattered on clouds that they were not aware of, verify ASName and service ports, view the latest vulnerabilities of their assets and certificates. In this way, they can constantly stay on top of all their newly discovered and already existing assets.

Not only can you secure unified visibility into your obscure assets, but you can also manage your IT assets in real time without any deployment of separate programs. With Criminal IP, you can get a firm handle on how your cyber posture stacks up against your peers and realize the most flawless security control, which would not have been made possible if not for Criminal IP illuminating every hidden nook and cranny of your assets.

Claim your free Criminal IP beta right now!

Prior to the official launch scheduled in July, Criminal IP will be running a free beta service for 3 consecutive months starting from April 28th. AI Spera, the provider of Criminal IP, shores up various verticals where Criminal IP defends against ever-evolving cyber threats, which spans education & research, corporate security teams, white hackers, national agencies, and cybercrime investigation organizations. We have decided to launch this beta service with the aim of receiving feedback that would help us further improve on our product. We are currently recruiting beta testers on the pre-registration page and users who register before April 28 will receive a free license for 3 months after the official launch scheduled in July. Don’t miss a beat because another 1 month free license will be coming your way once you complete the feedback survey!