Phishing feels infinite because victims encounter it one message at a time. Infrastructure data tells a different story: many seemingly separate lures share the same underlying machinery.
In a frozen DataVault capture of 5,000 URLs reported as active by PhishDB, we found 2,020 unique hosts. Nearly 70% of the URLs addressed an IP directly rather than using a domain name. The twelve busiest hosts accounted for 710 URLs, or 14.2% of the entire sample.
The unit of defence is not always the URL
A blocklist treats each URL as an item. An investigation treats it as a clue. When thousands of lures collapse onto a smaller set of hosts, certificates and malware families, defenders can look for shared infrastructure and intervene higher in the chain.
That does not mean taking down one server makes phishing disappear. Hosts can be compromised, rapidly replaced or deliberately disposable. It does mean the denominator changes: 5,000 incidents are not necessarily 5,000 independent adversaries.
A feed with an unusual fingerprint
The sample’s 70% IP-literal share is striking. It should not be universalised. Academic work has shown that phishing sites frequently use HTTPS, and certificate-transparency research can reveal phishing campaigns. Our feed-specific capture instead skews toward direct-IP, non-HTTPS URLs. That difference is itself useful: every threat feed sees a different slice of the ecosystem.
The URLs averaged 86 characters; the longest ran to 662. Length alone is not a detection rule, but unusually long paths can encode campaign, victim or redirect information. Joined with first-seen time, hosting, certificate and malware metadata, these strings become investigative pivots rather than isolated artefacts.
The certificate layer names recurring tools
A second DataVault source, SSLBL’s malicious SHA-1 certificate feed, connected the web layer to malware operations. The largest labelled certificate families in the current capture included AsyncRAT (1,416), Dridex (735), QuasarRAT (684), Vidar (599) and LummaStealer (555).
Those counts are observations in the feed, not a ranking of global prevalence. Yet they show why certificate intelligence matters: a certificate can persist across an operator’s infrastructure even when domains and IPs change. That creates another join key for analysts searching the vault.