TweetFeed API

Free REST API for Threat Intelligence queries (limited to 10k results per search)


TweetFeed API

TweetFeed.live API (limited to 10k results per search)

Introduction

Free API to get IOCs shared by the community on Twitter/X. Building an AI agent? Use the MCP server instead.


Endpoint

GET https://api.tweetfeed.live/v1/{time}/{filter1}/{filter2}
Example 1: IOCs posted today 
https://api.tweetfeed.live/v1/today
Example 2: URLs posted today with phishing tag 
https://api.tweetfeed.live/v1/today/phishing/url
Example 3: IPs posted in the last 7 days with CobaltStrike tag 
https://api.tweetfeed.live/v1/week/cobaltstrike/ip
Example 4: SHA256 hashes posted by  @malwrhunterteam  in the last month 
https://api.tweetfeed.live/v1/month/@malwrhunterteam/sha256

Diff endpoint (incremental sync)

Returns IOCs added after the given ISO 8601 timestamp. Useful for delta-syncing a blocklist or a Threat Intelligence pipeline without re-pulling the full window. Same /{filter1}/{filter2} syntax as the time-window routes. Use the Z form for unambiguous UTC.

GET https://api.tweetfeed.live/v1/since/{ISO8601}/{filter1}/{filter2}
Example A: phishing IOCs added since a given timestamp 
https://api.tweetfeed.live/v1/since/2026-05-01T00:00:00Z/phishing

Edge cases: future timestamp returns 200 with an empty array. Timestamp older than 365 days returns 410 Gone. Malformed ISO returns 400. Strict ISO 8601 with Z or +HH:MM offset is required (no ambiguous local-time forms).


Details

Key Required? Possible values
time Required Select 1 of these timeframes.

today (Today starting 00:00 UTC)
week (Last 7 days)
month (Last 30 days)
year (Last 365 days)
filter1 Optional Can be an specific user, type or tag.

Type (url / domain / ip / sha256 / md5)
Tag (phishing / ransomware / CobaltStrike ...)
User (@malwrhunterteam / @1ZRR4H / @MBThreatIntel ...)
filter2 Optional Can be an specific user, type or tag.

Type (url / domain / ip / sha256 / md5)
Tag (phishing / ransomware / CobaltStrike ...)
User (@malwrhunterteam / @1ZRR4H / @MBThreatIntel ...)

Output example

[
	{
        "date": "2022-05-11 19:39:06",
        "user": "Unit42_Intel",
        "type": "ip",
        "value": "138.124.183.147",
        "tags": [
            "#CobaltStrike",
            "#IcedID"
        ],
        "tweet": "https://x.com/Unit42_Intel/status/1524474195471745028"
    },
    {
        "date": "2022-05-11 19:43:48",
        "user": "GootLoaderSites",
        "type": "url",
        "value": "https://www.kipperfamily.co.uk/forum.php",
        "tags": [
            "#GootLoader"
        ],
        "tweet": "https://x.com/GootLoaderSites/status/1524475379997675522"
    },
    {
        "date": "2022-05-11 20:00:44",
        "user": "ecarlesi",
        "type": "url",
        "value": "https://tinpan.top/bancocuscatlan/",
        "tags": [
            "#phishing"
        ],
        "tweet": "https://x.com/ecarlesi/status/1524479640584466432"
    },
    ...
]

Frequently asked questions

Does the TweetFeed API require authentication?

No. The TweetFeed REST API is open and does not require an API key, OAuth token or registration.

How do I query IOCs by type?

Call GET https://api.tweetfeed.live/v1/{time}/{type} where time is today, week, month or year and type is url, domain, ip, sha256 or md5. The response is JSON by default.

Can I filter by tag or malware family?

Yes. Chain a second filter: GET /v1/{time}/{filter1}/{filter2}. Filters can be an IOC type, a generic tag (phishing, malware) or a malware family (LockBit, RansomHub, and others).

Is there a rate limit on the TweetFeed API?

No hard rate limit for normal use. The API runs on Cloudflare Workers with edge caching; typical global volume is around 7 to 8 thousand requests per day.