Intelligence X (IntelX)

Intelligence X (IntelX) is a powerful OSINT search engine indexing leaked databases, darknet markets, WHOIS records, pastes, and public web archives. It enables security researchers to discover exposed credentials, track data breaches, map infrastructure, and conduct comprehensive threat intelligence operations through both web interface and API.

Overview

IntelX aggregates multiple data sources including paste sites, leaked databases, darknet content, public records, and historical WHOIS snapshots. Free tier provides limited searches; professional and enterprise tiers unlock API access, higher rate limits, and advanced features.

Feature	Free	Professional	Enterprise
Web search	Yes	Yes	Yes
API access	No	Yes	Yes
Rate limit	20/month	1,000/month	Custom
Result limit	100	1,000	Unlimited
Buckets	All	All	All
File download	No	Yes	Yes
Phone book	No	Yes	Yes

Web Interface

Basic Search

Access IntelX via web browser and search by identifier type. The search bar auto-detects input and applies intelligent matching.

Search bar accepts:
- Email addresses: user@example.com
- Domains: example.com
- IP addresses: 192.168.1.1
- URLs: https://example.com/path
- Bitcoin addresses: 1A1z7agoat
- IBAN: DE89370400440532013000
- UUIDs: 550e8400-e29b-41d4-a716-446655440000
- Usernames: john_doe

Search Selectors

Refine searches with boolean operators and filters:

Selector syntax:
- AND: term1 AND term2
- OR: term1 OR term2
- NOT: term1 NOT term2
- Exact match: "exact phrase"
- Domain: inurl:example.com
- Wildcard: admin*
- Date range: created:[2023-01-01 TO 2024-12-31]

Date Filtering

Most leaked data includes timestamps. Filter results by publication or data collection date:

Date filter examples:
- Last 24 hours: created:[now-1d TO now]
- Last month: created:[now-30d TO now]
- Specific range: created:[2023-01-01 TO 2023-12-31]
- Before date: created:[* TO 2023-12-31]

Source Filtering

IntelX organizes data into buckets. Filter by specific leak source or data type:

Bucket	Content	Use Case
Pastes	Pastebin, PasteBin.com, Slexy	Quick leak discovery
Leaks	Database breaches, dumps	Credential exposure
Darknet	Market listings, forums	Threat actor activity
WHOIS	Historical domain registration	Infrastructure mapping
Web	Public web archive	Historical content
Dumpster	Archived email, logs	Administrative records
Usenet	Historical Usenet posts	Legacy data

API Authentication

Setting Up API Access

Create account and upgrade to Professional or Enterprise tier
Navigate to Account Settings → API
Generate API key (store securely)
Include key in request headers as x-key

Rate Limits

Professional tier: 1,000 requests/month (~33/day) Enterprise tier: Custom limits (contact sales)

# Rate limit headers in response:
x-ratelimit-limit: 1000
x-ratelimit-remaining: 999
x-ratelimit-reset: 1704067200

Search API

GET /intelligent/search

Execute full-text search across all indexed content.

# Basic search
curl -H "x-key: YOUR_API_KEY" \
  "https://intelx.io/api/intelligent/search" \
  -d "term=user@example.com&buckets=pastes,leaks&limit=100"

# Advanced search with date range
curl -H "x-key: YOUR_API_KEY" \
  "https://intelx.io/api/intelligent/search" \
  -d "term=admin@corp.com&from=2023-01-01&to=2024-12-31&buckets=leaks&limit=500"

Request Parameters

Parameter	Type	Required	Description
term	string	Yes	Search query (email, domain, IP, username)
buckets	string	No	Comma-separated bucket names (default: all)
limit	integer	No	Results per request (max 1000)
from	string	No	Start date (YYYY-MM-DD)
to	string	No	End date (YYYY-MM-DD)
offset	integer	No	Pagination offset
mode	string	No	`contains` (default), `exact`

Response Format

{
  "status": 0,
  "id": "request-uuid",
  "bucket": "leaks",
  "records": [
    {
      "id": "record-id",
      "type": 1,
      "date": "2023-06-15T10:30:00Z",
      "name": "Database breach June 2023",
      "description": "Exposed customer records",
      "bucket": "leaks",
      "size": 2048576
    }
  ],
  "took": 245
}

Phonebook API

GET /phonebook/search

Search phonebook index for email and domain enumeration. Faster than full search for reconnaissance.

# Find emails for domain
curl -H "x-key: YOUR_API_KEY" \
  "https://intelx.io/api/phonebook/search" \
  -d "term=@example.com&limit=100"

# Enumerate email variations
curl -H "x-key: YOUR_API_KEY" \
  "https://intelx.io/api/phonebook/search" \
  -d "term=user%40example.com"

# Find related domains
curl -H "x-key: YOUR_API_KEY" \
  "https://intelx.io/api/phonebook/search" \
  -d "term=example.com&type=domain"

Phonebook Parameters

Parameter	Type	Values
term	string	Email prefix/domain/IP range
type	string	`email` (default), `domain`
limit	integer	1-10000
offset	integer	Pagination offset

File Preview and Download

Viewing Results

After searching, click results to preview content. IntelX renders previews for:

Text files (email dumps, credential lists, logs)
JSON (API responses, configuration files)
CSV (user databases, account lists)

Downloading Content

Professional and Enterprise tiers can download full files:

# Get file metadata and download link
curl -H "x-key: YOUR_API_KEY" \
  "https://intelx.io/api/file/read" \
  -d "id=FILE_ID"

Storage API

Upload reconnaissance notes and findings to IntelX storage:

curl -H "x-key: YOUR_API_KEY" \
  -X POST \
  -F "file=@findings.txt" \
  "https://intelx.io/api/storage/upload"

Python SDK

Installation

pip install intelx

Basic Setup

from intelx import intelx

# Initialize with API key
ix = intelx(apikey="YOUR_API_KEY")

Search Examples

# Search for email breaches
results = ix.search("user@example.com", buckets=["pastes", "leaks"], limit=100)
for result in results["records"]:
    print(f"{result['name']} - {result['date']}")

# Search by domain with date range
results = ix.search(
    "example.com",
    buckets=["leaks"],
    from_date="2023-01-01",
    to_date="2024-12-31",
    limit=500
)

# Get phonebook results
phonebook = ix.phonebook("@example.com", limit=1000)
print(f"Found {len(phonebook['records'])} email addresses")

File Operations

# Download file by ID
file_content = ix.file_read("FILE_ID")
with open("downloaded.txt", "wb") as f:
    f.write(file_content)

# Upload file to storage
ix.storage_upload("reconnaissance_notes.txt")

Common OSINT Workflows

Email Breach Exposure

Determine if email appears in leaked databases:

# Step 1: Search IntelX for email
curl -H "x-key: YOUR_API_KEY" \
  "https://intelx.io/api/intelligent/search" \
  -d "term=target@company.com&buckets=leaks,pastes"

# Step 2: Review results for breach source
# Step 3: Check if password exposed in same leak
# Step 4: Cross-reference with known password databases

Domain Reconnaissance

Map organization infrastructure and find exposed credentials:

from intelx import intelx

ix = intelx(apikey="YOUR_API_KEY")

# Find all emails for domain
emails = ix.phonebook("@target.com", limit=5000)
print(f"Email enumeration: {len(emails['records'])} addresses")

# Search domain in breaches
breaches = ix.search("target.com", buckets=["leaks"])
print(f"Found in {len(breaches['records'])} breaches")

# Check subdomains via WHOIS history
subdomains = ix.search("*.target.com", buckets=["whois"])

Credential Analysis

Find usernames and passwords exposed together:

# Search for specific breach dump
results = ix.search("2024-corp-breach.sql", buckets=["leaks"])

# Filter results containing credentials
for result in results["records"]:
    if "password" in result["description"].lower():
        print(f"Credential file: {result['name']}")

Infrastructure Mapping

Discover IP ranges, domains, and services:

# Search WHOIS history for domain changes
whois_history = ix.search("target.com", buckets=["whois"])

# Find associated IPs
ip_results = ix.search("192.168.0.0/16", buckets=["whois", "web"])

# Enumerate nameservers and infrastructure
for result in ip_results["records"]:
    print(f"IP {result['name']} registered {result['date']}")

Darknet Monitoring

Track threat actors and marketplace activity:

# Monitor darknet market listings
darknet_results = ix.search("target.com", buckets=["darknet"])

# Search for known threat actors
actor_results = ix.search("threat-actor-name", buckets=["darknet"])

# Find malware command & control infrastructure
c2_results = ix.search("C2-domain.onion", buckets=["darknet", "pastes"])

Buckets and Sources

Pastes

Paste site aggregation (Pastebin, HasteBin, Slexy). High velocity, frequently updated.

Leaks

Organized breach databases and data dumps. Larger datasets with structured data.

Darknet

Tor marketplace listings, forum posts, and threat actor communications.

WHOIS

Historical domain registration snapshots. Track ownership and infrastructure changes.

Web

Archived web pages and historical content. Wayback machine-style access.

Dumpster

Email archives, system logs, and administrative records.

Usenet

Historical Usenet group posts (1990s-2000s era content).

Integration with Other Tools

Feeding Maltego

Export IntelX results to Maltego transforms:

Create new investigation in Maltego
Add entity (email/domain)
Run custom transform using IntelX API
Maltego automatically enriches graph

Combining with DeHashed

Cross-reference IntelX breach data with DeHashed:

from intelx import intelx
import requests

ix = intelx(apikey="INTELX_KEY")
dehashed_api = "YOUR_DEHASHED_TOKEN"

# Find breaches in IntelX
intelx_results = ix.search("user@example.com")

# Cross-check with DeHashed
for result in intelx_results["records"]:
    dehashed_response = requests.post(
        "https://www.dehashed.com/api/",
        json={"query": "user@example.com", "type": "email"},
        headers={"Authorization": dehashed_api}
    )

Enriching BloodHound

Correlate internal AD users with external breach data:

# Export AD user list from BloodHound
# Format: email addresses from user@domain.com

# Batch search IntelX
for user_email in ad_user_list:
    results = ix.search(user_email, limit=50)
    if results["records"]:
        print(f"RISK: {user_email} in {len(results['records'])} breaches")

Troubleshooting

No Results Despite Known Breaches

Verify search term format (exact email vs domain)
Check bucket selection (breach might be in specific bucket)
Try wildcard: *@example.com
Adjust date range
Check API key rate limit

API Rate Limit Exceeded

x-ratelimit-remaining: 0
Error: Rate limit exceeded

Solutions:

Upgrade tier (Professional 1000/month → Enterprise unlimited)
Batch requests and cache results
Wait until monthly reset (if on Free/Professional)
Implement request throttling (1 req/sec)

Authentication Errors

# Verify API key in header
curl -H "x-key: ACTUAL_KEY_HERE" \
  "https://intelx.io/api/intelligent/search" \
  -d "term=test"

# Check account tier allows API access
# Free tier cannot use API

Timeout on Large Downloads

Use pagination with offset parameter:

# First batch
curl -H "x-key: YOUR_API_KEY" \
  "https://intelx.io/api/intelligent/search" \
  -d "term=example.com&limit=1000&offset=0"

# Second batch
curl -H "x-key: YOUR_API_KEY" \
  "https://intelx.io/api/intelligent/search" \
  -d "term=example.com&limit=1000&offset=1000"

Best Practices

Legal and Responsible Use

Use IntelX only for authorized security research and defensive operations
Respect applicable laws (CFAA, GDPR, CCPA)
Only access data relevant to your investigation
Do not use exposed credentials for unauthorized access
Document findings appropriately for compliance teams
Verify with legal/compliance before using results operationally

Data Hygiene

Export results to secure, encrypted storage
Never save credentials in plaintext in reports
Anonymize PII when sharing findings internally
Use unique, strong passwords after exposure disclosure
Implement credential rotation after breach discovery

Investigation Techniques

Start with email/domain rather than individual passwords
Use phonebook for bulk enumeration (faster)
Cross-reference multiple buckets for validation
Track dates to identify patterns and timeline
Correlate with other OSINT sources
Document chain of custody for legal cases

API Best Practices

Implement exponential backoff for rate limiting
Cache results to minimize API calls
Use pagination for large result sets
Filter buckets to reduce noise
Log all searches for audit trail
Rotate API keys regularly

Tool	Specialty	Integration
DeHashed	Credential-focused searches	Cross-reference breaches
SpyCloud	Enterprise breach data	Risk assessment
HaveIBeenPwned	Public breach notifications	Breach confirmation
Shodan	Device/service fingerprinting	Infrastructure discovery
SecurityTrails	DNS history and subdomain enumeration	Domain reconnaissance
Maltego	OSINT graph visualization	Custom transforms
The Harvester	Email enumeration	Domain profiling
Grep.app	GitHub code search	Exposed secrets detection