explaingit

ivancastl/darkforums-ip-intel

20 · Python · Audience · ops devops · Complexity · 2/5 · License · Setup · easy

TLDR

An open-source intelligence tool that plots IP addresses linked to DarkForums cybercrime threat actors on an interactive map, with offline geolocation and optional enrichment via the ipinfo.io API.

Mindmap

mindmap
  root((darkforums-ip-intel))
    What it does
      Visualize threat actor IPs
      Interactive browser map
      Actor username search
      Country filter
    Data sources
      GeoLite2 offline database
      ipinfo.io API enrichment
      DarkForums IP dataset
    Tech Stack
      Python
      Flask
      Leaflet.js
      GeoLite2
    Use cases
      Threat intelligence research
      Cybercrime investigation
      IP attribution analysis

Things people build with this

USE CASE 1

Map IP addresses linked to specific DarkForums threat actors to see their geographic distribution at a glance

USE CASE 2

Search by username to filter the map to one actor's known IP addresses during an investigation

USE CASE 3

Run offline geolocation without any API key using the bundled GeoLite2 database

USE CASE 4

Enrich a selected IP with city, ISP, timezone, and hostname details via the ipinfo.io free tier

Tech stack

Python · Flask · Leaflet.js · GeoLite2 · ipinfo.io

Getting it running

Difficulty · easy · Time to first run · 5min

Clone, install Python dependencies, and optionally add an ipinfo.io token; the tool works offline without the token using GeoLite2.

MIT license: use freely for any purpose, including commercial, as long as you keep the copyright notice.

In plain English

This project is an open-source intelligence tool for visualizing IP addresses associated with DarkForums, a cybercrime forum. The README is written in Spanish. The tool takes a database of IP addresses linked to specific threat actors from that forum and plots them on an interactive dark-themed map in a web browser.

Geolocation is handled offline using the GeoLite2 database, which maps IP addresses to countries and approximate locations without requiring any internet connection. When you click on a pin on the map, the tool calls the ipinfo.io API to enrich the result with more precise details: city, internet service provider, timezone, and hostname. The ipinfo.io free tier allows 50,000 lookups per month, and the map continues working without a token using GeoLite2 alone.

The interface includes username search with autocomplete, so you can type part of a name and jump to that actor's IP addresses. Clicking a suggestion filters the map to show only that actor's pins. There is also a country filter and a small inset map in the side panel that shows the exact location of whichever pin you selected. Duplicate IPs per actor are removed automatically.

To run it, you clone the repository, install the Python dependencies, optionally enter an ipinfo.io token when prompted, and open a local web address in your browser. The backend is a Flask web server and the map is rendered with Leaflet.js.

The project is released under the MIT license. The data in the repository covers IP addresses attributed to DarkForums activity. This is intended as a threat intelligence reference for security researchers.

Copy-paste prompts

Prompt 1
I cloned darkforums-ip-intel and installed the dependencies. Walk me through running the Flask server and loading the IP map in my browser, with and without an ipinfo.io token.
Prompt 2
How does darkforums-ip-intel use GeoLite2 to geolocate IPs offline? Show me the Python code pattern it uses to look up a country and coordinates from an IP address.
Prompt 3
I want to add my own IP dataset to darkforums-ip-intel. What format does the IP database need to be in, and where do I add it so the map picks it up?
Prompt 4
Explain how the username autocomplete search in darkforums-ip-intel filters the Leaflet.js map markers to show only one actor's pins.
Prompt 5
I hit the 50,000/month ipinfo.io free-tier limit. How do I configure darkforums-ip-intel to fall back to GeoLite2-only mode for all lookups?

Verify against the repo before relying on details.