CRDF Labs is a non-commercial, totally independent and self-financed structure. We don't make money running this service and we love it because it allows us to make the web safer.
The goal of CRDF Labs is to make the web better by finding and uncovering websites that do not meet our detection criteria. We actively fight via our systems against any form of cybercrime.
By making a donation to CRDF Labs, you are helping us to maintain the service and make the web safer. In fact, we invest 100% of the money donated in CRDF Labs.
There are several ways to make a donation:
Cryptocurrency / Bitcoin via our "bc1qhjdlwgwr63x090vq9qgwsevl5rnqqrkjeks07c" (BTC) address
Thank you for your support. All donations, even small ones, allow us to develop our systems and maintain our infrastructure.
Contact us
If you would like to contact CRDF Labs, you are on the right page. In order to best respond to your request, please select the reason for contacting us from the menu below.
Please note that the CRDF Threat Center and CRDF Labs are non-commercial projects. CRDF Labs maintains this system for free and on a voluntary basis to make the Web better. We try to provide a precise and rapid response to our users. However, it is quite impossible to respond to all the requests we personally receive since we are providing voluntary assistance. The procedures allow us to process requests quickly and we thank you for using them to make our life easier and so that we can respond quickly to your request. Thanks for your understanding.
The answer to this problem can already be found in our FAQ. You can find the answer below:
What is the CRDF Threat Center?
The CRDF Threat Center is a service published by the independent French laboratory CRDF Labs. This service detects malicious URLs that violate our detection criteria and integrates these URLs into our databases to combat cybercrime.
CRDF Labs develops its own detection systems, sharing with others our threat intelligence data and technologies to fight and detect security risks. CRDF Labs is a nonprofit laboratory, independent and completely transparent to its users.
How do you detect malicious URLs?
The CRDF Labs laboratory has its own R & D and its own detection and analysis tools. The CRDF Threat Center is a demonstration of our unique know-how in the detection of security risks on the Internet.
These technologies are based on our old Blockulicious, Blockulicious DNS and CRDF Sandbox products.
Why are URLs censored on your homepage?
This homepage is accessible to everyone, and we do not want anyone to be infected through it. We prefer that anyone interested in our databases come forward and contact us to discuss possible access to the CRDF Threat Center's private area.
Do you sell your technologies?
No. The CRDF Threat Center is a non-commercial project and our internal technologies are not for sale.
Your database is distributed under what license?
If you wish to use our services or our database, you must comply with this license and our terms of use (ToS).
Why is my website in your database?
If your website is in our database, our systems have found a violation of our detection criteria. Please bring your website into compliance with them and submit a false positive report to have it removed from our database. CRDF Labs never indicates exactly why a URL is included in our database.
Can you tell me exactly which detection criteria my website does not respect?
No, sorry. CRDF Labs never gives more information about a website considered contrary to our detection criteria. CRDF Labs is not intended to provide any evidence that a website is against our detection criteria. The purpose of CRDF Labs is to protect its users against security risks associated with a browser over the Internet.
You should understand that CRDF Labs is a non-commercial and voluntary project. As such, we do not wish to respond to these requests for reasons of efficiency. Indeed, it would be impossible for our services to give a personalised answer to all the people who contact us.
If you contact us for a specific reason, you will not receive a reply from us. Please take this into consideration before contacting us.
Why does your false positive reporting system tell me that the URL is not contained in our databases?
If our system tells you that the URL is not contained in our database, your website is not contained in our database and your website is not blacklisted. No need to contact us to ask for information, we would have nothing more to communicate to you.
I made a false positive statement and your system tells me that the offending URL has been removed, yet I still see it on VirusTotal. Is this normal?
This is perfectly normal. It can take several hours for the change to synchronize with VirusTotal. It is not necessary to contact us to report this error. Everything is automatic and the process will delete the detection on VirusTotal at the next occurrence.
If the detection is still shown after several hours, consider refreshing the report for the URL on VirusTotal.
To update the report on VirusTotal, please click on this icon:
How to get access to the private part?
All data accessible on the private part of the CRDF Threat Center are classified: TLP:AMBER
What is the purpose of accessing this private database?
The private part of the CRDF Threat Center gives you unlimited access to malicious samples and malicious URLs. Without this access, you cannot get our entire database. If you want our threat intelligence, we recommend requesting private access.
How to formulate my request?
If you wish to have access to our database, please contact us by answering the following questions:
- Who are you?
- What are you looking for?
- Your motivations
- How are you going to use our data?
- Your company?
- Will you exchange data with us (threat intelligence)?
- Are you a computer security professional?
- Will you use our threat intelligence commercially in your company?
- How will you integrate our data in your project?
- What is the value of our feed in your project?
- Can you send a sample of your threat intelligence that we can integrate into our feed in return for private access?
With your request, please send us an example of the data you wish to exchange with CRDF Labs. For example, you can send us a sample of 100 URLs / samples so that we can study them.
You must understand that CRDF Labs is a completely non-commercial project and that a partnership allows us to develop on our side by exchanging data with you and vice versa. Without the exchange of data, we cannot exist.
We will study your request and we will get back to you shortly.
Required conditions:
- use of our database in a commercial context is prohibited
- sharing data from the private part without authorization is prohibited
- exchange data or threat intelligence with us on a regular basis
If you cannot exchange threat intelligence data with us, we can come to an agreement.
In all cases, we require a signed confidentiality agreement (NDA) to protect our data and the information it contains. We no longer give access to our data without this agreement, which allows us to guarantee the confidentiality of the data exchanged.
Do your services have products that block websites?
No. We no longer have any products that allow us to block malicious sites in our database. Only users / companies using our database will block websites that we report as not meeting our detection criteria.
Where are you based?
We are French and we are based in Paris. We are not a company but an independent laboratory and without any legal status.
The captcha on your forms is not showing and tells me it is blocked. Why?
If our captcha tells you that your IP address is suspicious and it is not displayed, it means that you are using a VPN, a proxy, an IP address of a non-private Internet connection, an anonymized Internet connection, etc. If you want the captcha to appear, you must deactivate your VPN, proxy or anonymization system.
We no longer whitelist IP addresses except in specific cases. Please contact us only if you are a regular user of our systems. In all cases and for simplicity, we invite you to use our API, which allows you to submit simply and without this restriction.
I would like free access to your entire database, is it possible?
Yes, it is possible as long as you respect our license of use, use the data non-commercially and share threat intelligence data with us.
Classification of malicious URLs
* Phishing:URL: this web address is recognized by our engines as a phishing address
* Malware:URL: this address is recognized by our engines as an address distributing malware (exe, dll, dmg, etc.)
* Malicious:URL: this address is recognized by our engines as an address that conflicts with our detection criteria
* Suspect:URL: this address is recognized by our engines as a suspicious address and is probably an infection source / does not meet our detection criteria
* GPDR/Law:URL: this website or company does not comply with current laws regarding GDPR (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_fr). We have the necessary evidence to demonstrate non-compliance with this European law.
Are malicious domain names deleted from your databases?
Yes, we have an automatic system that ensures the overall consistency of the database. A website that meets our new detection criteria will be automatically removed from the database after a certain period of time. This time is random and we cannot guarantee that your site will be deleted. Please refer to the false positive statement.
How do I get whitelisted and never get into the CRDF Threat Center again?
WARNING: this procedure does not allow you to have CRDF Labs remove your website from our databases. This PROCEDURE ONLY allows you to request that your domain name be added to our system so that it is never added again. If you wish to report a false positive and have your website removed from our database, please go to the appropriate procedure accessible from the CRDF Threat Center.
CRDF Labs integrates in its analysis systems a white list allowing it to consider domain names as safe and which will be automatically ignored by our engines.
We can only whitelist one or more domain names. We cannot recognize a specific marker other than a domain name and/or IP address.
If you want to be added to our whitelist, you must meet the following conditions:
- be a site with a large audience and/or recognized in your field of activity
- demonstrate that your activity does not violate our detection criteria (if you have been added to our database, there is a reason)
- have completed three (*3*) false positive requests through our removal process
If you meet these criteria, you can contact us and request to be added to our whitelist. Don't forget to demonstrate that your activity is legitimate according to our detection criteria.
Can you provide evidence of non-compliance with your detection criteria?
CRDF Labs is under no obligation to provide evidence of non-compliance with our detection criteria. The service is provided as is, without warranty, and is non-commercial. CRDF Labs is completely independent, and when we add a site to our database, it is not blocked anywhere; the listing cannot be harmful in the way that an antivirus detection or a block from Google Safe Browsing can, for example. We will provide evidence in specific cases and within a legal framework governed by French law.
How to use the free feed?
The Free Feed allows you to download our hashed database to verify that a domain name is included in our database. You should not use our feed for commercial use. By using this feed, you agree to accept our legal notice and conditions of use.
We hash each domain name with SHA-256 to prevent theft of our data. If you wish to obtain our database without this constraint, you can contact us to obtain access to the private part of the CRDF Threat Center.
This feed is updated every 15 days, so there is no need to download it 20 times a day. We will block malicious behavior that does not follow these rules.
Each domain name is hashed with sha256 and each line corresponds to one domain name without the www.
On your side, you must process this file to make it usable. With this hash system, you can for example search for a domain name in our database. Example: compute hashA = sha256(the domain name to search for), then search each line of the file for hashA. If it is contained in the file, then the domain name is in our database. If it is no longer contained or not contained, then it is not in our database.
Example of use of our database:
The hashes correspond to the sha256 of domain names. Example: sha256 (www.crdf.fr) = sha256 (crdf.fr) = 05deeefd3ed03fe034b55100256306dad3ceaecd51ea8a58c6b253a43a96d7e3 (You must delete the "www." in the domain name.).
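The lookup described above, as an added example that is not CRDF Labs code: it normalizes a URL or host name, hashes it with SHA-256 and tests membership in a feed loaded as one hash per line. Lowercasing, stripping of scheme/port/path, UTF-8 encoding and the parent-domain walk go beyond what the page states and are assumptions; the sample feed is constructed from made-up `.example` names.

```python
import hashlib
import re

HEX64 = re.compile(r"[0-9a-f]{64}")


def normalize_domain(value):
    """Reduce a URL or host name to a bare domain without the leading 'www.'.

    Only the 'www.' removal comes from the page; the rest is an assumption.
    """
    host = value.strip().lower()
    if "://" in host:                                  # drop the scheme
        host = host.split("://", 1)[1]
    host = re.split(r"[/?#]", host, maxsplit=1)[0]     # drop path, query, fragment
    host = host.rsplit("@", 1)[-1]                     # drop userinfo
    host = host.split(":", 1)[0]                       # drop port
    host = host.rstrip(".")                            # drop trailing root dot
    if host.startswith("www."):
        host = host[4:]
    return host


def _digest(name):
    # UTF-8 encoding is an assumption; plain ASCII domains are unaffected.
    return hashlib.sha256(name.encode("utf-8")).hexdigest()


def domain_hash(value):
    """SHA-256 hex digest of the normalized domain."""
    return _digest(normalize_domain(value))


def load_feed(lines):
    """Return (set of hashes, count of malformed lines) from feed lines."""
    hashes, rejected = set(), 0
    for line in lines:
        entry = line.strip().lower()
        if not entry:
            continue                  # blank lines are ignored, not counted
        if HEX64.fullmatch(entry):
            hashes.add(entry)
        else:
            rejected += 1             # anything that is not 64 hex characters
    return hashes, rejected


def is_listed(value, feed):
    """Exact lookup, as the page describes: hash the domain, search the feed."""
    return domain_hash(value) in feed


def matching_suffix(value, feed):
    """Assumption beyond the page: also try parent domains, because a hash
    lookup is exact and 'sub.bad.example' never matches 'bad.example'."""
    labels = normalize_domain(value).split(".")
    for i in range(len(labels) - 1):  # stop before the bare top-level label
        candidate = ".".join(labels[i:])
        if _digest(candidate) in feed:
            return candidate
    return None


# Constructed sample feed: two hashed made-up domains, a blank line,
# an upper-case entry and one malformed line.
SAMPLE_FEED = "\n".join([
    domain_hash("bad.example"),
    "",
    domain_hash("phish.example").upper(),
    "not-a-hash",
])

if __name__ == "__main__":
    feed, rejected = load_feed(SAMPLE_FEED.splitlines())
    print(len(feed), "hashes loaded,", rejected, "line(s) rejected")
    for item in ("http://WWW.Bad.Example/login?x=1", "sub.bad.example", "good.example"):
        print(item, is_listed(item, feed), matching_suffix(item, feed))
```

Loading the feed into a set once keeps each lookup constant-time, which matters when checking many domains against a file that only changes every 15 days.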
Can you help us finance your laboratory?
Thank you for your help and your desire to help us. Unfortunately, CRDF Labs is a completely independent laboratory that is completely for non-commercial purposes.
If we agree to be funded by different organizations or individuals, we will no longer be independent. CRDF Labs is 100% self-funded and we want to stay in this format for the time being.
We are therefore sorry but cannot accept your help.
Why did I not receive a response to my emails?
If you have not received a response to your email, you most likely did not follow the procedure for declaring a false positive or for reporting an error in the handling of your false positive, or you did not follow another specific procedure. These procedures allow us to deal with the many requests that we constantly receive.
Please follow the procedure and contact us if you have a problem with this procedure.
What antiviral engines do you use?
For our static analyses, we use the following engines:
- Avast (thank you very much to them, we like this engine very much)
- Dr.Web
- ClamAV
- Ikarus (thank you very much to them)
The Avast and Ikarus engines are provided to us free of charge as part of a partnership between the publishers and CRDF Labs. Thank you very much to them for their trust.
From which IP addresses do you scan the Internet network?
We cannot clearly tell you our output IP addresses from our scanning tools for security reasons. Indeed, malicious individuals could block our IP addresses to prevent us from scanning their infrastructures.
What is the forensic tool?
The CRDF Threat Center Forensic allows you to search for markers (IoCs) corresponding to infections. This system allows you to view the data associated with an IP address or a domain name over time. Thus, the system will be able to correlate all the data.
It allows you to search for the following indicators:
- domain names
- IP addresses
Each marker is analyzed several times by our system and it is able to give you an overview over time of a given marker.
The data that we save (not exhaustive):
- associated IP addresses
- Headers
- NS
- MX
- Open TCP / UDP ports
- Reverse DNS
- DNSBL
- Malicious activity
- Evolution of the marker
- IP and related domain names
A search engine allows you to search our databases for specific markers and also in data (IP addresses, specific threats, etc.).
I am a service provider who receives your abuse reports. How to stop these alerts?
To stop these alerts, you can click on the link indicated in our emails, which will allow you to block all future alerts.
If you host products shared via the same IP address (VPN, various services, proxy, etc.), it is your responsibility to secure these accesses. CRDF Labs does not flag illegal activity without reason. We will also not be able to delete you from our databases.
You are impacting my business with your company because you consider us malicious. Is this possible?
This argument is totally false. We cannot impact your business with our detection because we are not blocking anything.
With antivirus products, customers cannot access detected malicious websites. We, on the other hand, do not carry out any blocking. Our service is simply a directory.
This argument is therefore totally false. Your business cannot be impacted by our services.
How to increase the limitation imposed by the API?
To increase the limitations imposed by your API key, you must contact us with a precise description of your needs.
After study, we will come back to you to give you our decision.
I received an email after a false positive request asking me for more information. How can I provide it?
After a false positive request via our form, you may be contacted by our experts to ask you for information and to clarify certain things.
This is the email you should have received:
Hello,
False Positive Reference #XXXXXXXXXXXXXXX
At your request, CRDF Labs conducted a new analysis of the domain name "domain.com".
We regret to inform you that we can not delete your domain name to our database since it corresponds to a malicious website (in confirmation with our criteria for detection and characterization of malicious websites).
Thank you kindly refer to the following page in our Knowledge Base to know our detection criteria: https://threatcenter.crdf.fr/criteria.html. Thank you kindly note that we take very seriously the claims of false positives and we take all measures to respond favorably to your request.
/////// WARNING ///////
PLEASE READ CAREFULLY THE INFORMATION CONTAINED BELOW. THIS INFORMATION WILL LET YOU KNOW THAT YOU DO NOT AGREE WITH OUR DECISION. PLEASE DO NOT CONTACT US WITHOUT FOLLOWING THIS PROCEDURE.
*** Important notes ***: CRDF Labs never gives more information about a website considered contrary to our detection criteria. CRDF Labs is not intended to provide any evidence that a website is against our detection criteria. The purpose of CRDF Labs is to protect its users against security risks associated with a browser over the Internet. So, you have to understand we cannot give you more details on adding a domain name in our database.
----
If you do not agree with this decision, please follow these few steps:
1/ A report containing additional data on your application is available at the following address: https://threatcenter.crdf.fr/false_positive.php?ref=XXXXXXXXXXXXXXX
2/ If you want to report an error from our expert during the analysis of the website, please click on the following URL: https://threatcenter.crdf.fr/false_positive.php?ref=XXXXXXXXXXXXXXX&recall
(By clicking on this URL, an expert will analyze the website again, please do not contact us if you do not click on this link)
WARNING: If you wish to report an error in the processing of your request, please report it to us by the above procedure (by following this link: https://threatcenter.crdf.fr/false_positive.php?ref=XXXXXXXXXXXXXXX&recall). We will not respond to your request if you do not follow the procedure.
----
As stated in this email, you do not need to contact us. You must click on the link provided which will allow you to specify the elements to the CRDF Labs expert via a form.
If you contact us to make comments outside of this procedure, you will not receive any response from us. Only this procedure allows us to process the false positive request. By following this process, you can be assured of a quick and reliable response.
Reporting a false positive
To report a false positive, you must click on the button below to go to the form allowing you to report a false positive. There is no need to contact us as this form is used to answer these requests.
Submitting malicious sites
If you wish to submit malicious sites that do not match our detection criteria, you can click on the button below to access the form provided. Thank you for your help in making the web a better place.
Contact us
You can contact us via our unique address:
If you want to encrypt our exchanges, you can use our public PGP keys: pgp.crdf.fr
Please make sure to check that our FAQ/procedures do not answer your questions/query before contacting us. As a reminder, if your website has been added to our databases and you contact us, you will not receive a response from us.