Study 001 · Cyber infrastructure

The phishing web is smaller than it looks.

Five thousand active lures resolved to 2,020 hosts. The concentration behind that apparent sprawl points defenders toward infrastructure, certificates and criminal tooling—not an endless queue of individual URLs.

Published 13 July 20265,000 active URLsFrozen edition

Phishing feels infinite because victims encounter it one message at a time. Infrastructure data tells a different story: many seemingly separate lures share the same underlying machinery.

In a frozen DataVault capture of 5,000 URLs reported as active by PhishDB, we found 2,020 unique hosts. Nearly 70% of the URLs addressed an IP directly rather than using a domain name. The twelve busiest hosts accounted for 710 URLs, or 14.2% of the entire sample.

5,000active URLs examinedCYB-PHISHDB-ACT
2,020unique hostsURL host extraction
70.0%used an IP literal3,499 URLs
14.2%on the top 12 hosts710 URLs

The unit of defence is not always the URL

A blocklist treats each URL as an item. An investigation treats it as a clue. When thousands of lures collapse onto a smaller set of hosts, certificates and malware families, defenders can look for shared infrastructure and intervene higher in the chain.

That does not mean taking down one server makes phishing disappear. Hosts can be compromised, rapidly replaced or deliberately disposable. It does mean the denominator changes: 5,000 incidents are not necessarily 5,000 independent adversaries.

The visible lure is disposable. The infrastructure underneath it is where repetition—and therefore defensive leverage—appears.

A feed with an unusual fingerprint

The sample’s 70% IP-literal share is striking. It should not be universalised. Academic work has shown that phishing sites frequently use HTTPS, and certificate-transparency research can reveal phishing campaigns. Our feed-specific capture instead skews toward direct-IP, non-HTTPS URLs. That difference is itself useful: every threat feed sees a different slice of the ecosystem.

The URLs averaged 86 characters; the longest ran to 662. Length alone is not a detection rule, but unusually long paths can encode campaign, victim or redirect information. Joined with first-seen time, hosting, certificate and malware metadata, these strings become investigative pivots rather than isolated artefacts.

The certificate layer names recurring tools

A second DataVault source, SSLBL’s malicious SHA-1 certificate feed, connected the web layer to malware operations. The largest labelled certificate families in the current capture included AsyncRAT (1,416), Dridex (735), QuasarRAT (684), Vidar (599) and LummaStealer (555).

Those counts are observations in the feed, not a ranking of global prevalence. Yet they show why certificate intelligence matters: a certificate can persist across an operator’s infrastructure even when domains and IPs change. That creates another join key for analysts searching the vault.

Safety by designWe do not publish the active hosts or URLs in this article. Analysts can work with governed evidence inside the platform; raw malware is never executed, and hazardous samples remain quarantined.

Analytical plate

From noisy lures to reusable pivots

The study links reported URLs to hosts and certificate families. The join does not identify an attacker; it reveals shared technical infrastructure worth investigating.

Host concentration

Share of all 5,000 URLs

Top host
4.6%
Top 12
14.2%
All others
85.8%

Investigation path

Evidence is more useful after the joins

lure URLhost / IPcertificatemalware familytime window

Evidence ledger

What the study used

PhishDB active feed

5,000 URL records; host, scheme and path extracted without publishing live indicators.

CYB-PHISHDB-ACT

SSLBL malicious certificate SHA-1 feed

19,905 cumulative rows seen; family labels used as investigative metadata.

CYB-SSLBL-SHA1

URLhaus text feed

2,999,460 cumulative snapshot rows used as corpus context, not unique-URL count.

CYB-URLHAUS-TXT

Method & limits

A bounded sample, not the whole internet.

We parsed one 5,000-record active-feed snapshot, normalised URL hosts and schemes, and counted concentration. We separately aggregated family labels in the SSLBL certificate capture. Cumulative snapshot rows are explicitly not deduplicated observations.

What this cannot proveThe sample is shaped by each provider’s collection and takedown process. IP literals can be compromised systems, not attacker-owned servers. A shared host or certificate does not by itself prove common control, and feed labels can be incomplete.