Malicious IPs

Free feed of C2, scanner and malware-delivery IPs from Twitter/X researchers


Malicious IPs

C2, scanner and malware-delivery IPs from Twitter/X


Related Threat Intelligence feeds: URLs · Domains · SHA-256 · MD5 · All IOC types

IPs by window

Today

-

malicious IPs

Week

-

malicious IPs

Month

-

malicious IPs

Year

-

malicious IPs

What this list contains

  • Sourced from ~95 Twitter/X security researchers, refreshed every 15 minutes.
  • C2 servers, malware-delivery hosts, scanners and known abuse IPs.
  • IPv4 only in the current dataset. Onion infrastructure surfaced as URLs/domains, not IPs.
  • Caveat: many IPs sit on shared hosting or CDN ranges. Treat as enrichment signal, not standalone block decision.

Recent samples

Latest 10 IPs from the past 7 days. Live from api.tweetfeed.live/v1/week/ip.

Loading samples

Top tags for malicious IPs

Filter the IP feed by malware family or category. Each tag has its own landing page with recent samples and context.

See all tags on the Dashboard or browse the full IOC feed.

Formats and how to use

Every TweetFeed feed is free and public domain (CC0 1.0) with no API key or sign-up. The malicious IPs are available in four formats:

FormatWhereBest for
JSON APIapi.tweetfeed.live/v1/<window>/ipSOAR / SIEM enrichment, scripts
CSVtoday / week / month / year .csvbulk import, spreadsheets, blocklists
RSSrss.xmlwatch new IOCs in a reader
MCPmcp.tweetfeed.livelive lookups from AI agents / Claude

Load the IP list into your firewall or IDS/IPS as a deny rule, or query the JSON API from your SIEM. IP feeds carry higher false-positive risk on shared hosting, so scope blocks carefully. Validate against VirusTotal or your own sandbox before blocking outright, since OSINT feeds can carry false positives.

Frequently asked questions

What is a malicious IP feed?

A malicious IP feed is a continuously updated list of IPv4 addresses observed in adversary infrastructure. Common categories include C2 servers, malware-delivery hosts, port scanners and brute-force sources. Security teams ingest these into firewalls, IDS/IPS and SIEM correlation rules. TweetFeed publishes the IPs spotted by ~95 infosec researchers on Twitter/X, refreshed every 15 minutes.

Where can I download this malicious IP list?

Straight from this page. The malicious IP list is published as CSV (one IP per row with date, source and tags), as JSON through the free API, and as an RSS feed. It refreshes every 15 minutes, covers today, week and month windows, and is CC0 licensed, so you can feed it to your firewall or SIEM without a key or sign-up.

How is this list updated?

Every 15 minutes. The pipeline scrapes RSS feeds from public Twitter/X researcher accounts and lists, extracts IPv4 addresses from tweets, deduplicates against the past year, tags them with malware family and category, and republishes the result in CSV, JSON and RSS.

Should I block these IPs at the firewall?

Block with caution. Shared hosting providers, CDNs and cloud platforms reuse IPs across legitimate and malicious tenants, so blanket blocking creates collateral damage. Use IP feeds as one signal among several: alert on connections, correlate with other indicators, and block only on high-confidence matches or in combination with active malicious activity from the same host.

Are these IPs verified malicious?

TweetFeed is OSINT, not a sandbox. IPs are sourced from public posts by infosec researchers, then deduplicated and tagged. False positives are higher for IPs than for URLs or hashes, especially when researchers post infrastructure observed for a single campaign that has since rotated. Cross-reference Shodan, AbuseIPDB or your sandbox before blocking.

Is the malicious IPs list free?

Yes. Every TweetFeed feed is free and released into the public domain under CC0 1.0, with no API key, sign-up or rate card. You can use it in commercial or personal projects; a link back is appreciated but not required.

How do I use these IPs to block threats?

Load the IP list into your firewall or IDS/IPS as a deny rule, or query the JSON API from your SIEM. IP feeds carry higher false-positive risk on shared hosting, so scope blocks carefully. Validate against VirusTotal or your own sandbox before blocking outright, since OSINT feeds can carry false positives.

License

Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).