The APWG eCrime eXchange (eCX)
Designed for Counter-Cybercrime Developers, Responders, Investigators and Cyber Risk Managers
APWG's eCrime Exchange (eCX) is the oldest and most trusted repository purpose-built for cybercrime event data exchange. In its operational objective and data fidelity architecture, eCX is a sectoral risk data clearinghouse for the curated exchange of cybercrime-related machine events, Internet events and the meta-data essential to forensic routines and security/counter-fraud applications.
eCX's architectural conceit places the globally recognized clearinghouse in an echelon with underwriters' property & casualty event data archives; maritime piracy event clearinghouses; and public health agencies' strain data archives — models categorically distinct from the inauditable, ad hoc threat feeds all too typical of the cybersecurity domain.
Animated by this time-tested data fidelity framework, the eCX currently maintains cybercrime-related machine-event data and Internet-event data endpoints on its API for six distinct data/event types, delivering billions of data field elements per month outbound to its members in the four corners of the globe through the eCX API.
Data Flows Framed by Semantic Discipline
APWG member organizations contribute new data and extract archived records to inform products, services and research programs as well as to drive security applications and forensic routines, leveraging eCX's Confidence Factors and deeply defined record schema to make precision-dependent decisions on data integration and event reporting. (eCX offers a RESTful API for programming environments and a fully featured Web UI for researchers and responders to query eCX data sets and to submit their own reports.)
Submitting data into the eCX protects both member organizations' users and the wider public. Data reported to the eCX are immediately available to eCX users, including browser developers and security vendors who use the data to block phishing, and responder and investigator organizations working to prevent attacks and halt criminal campaigns.
Entries are consistently categorized, with fresh, reliability-rated data records (carrying numeric Confidence Factors) flowing in continuously. Taxonomic fidelity of submissions by APWG members into eCX has also been actively enforced since 2004, as the foundational curational remit for this global clearinghouse.
The event data types that APWG eCX archives for exchange between its corresponding members are as follows with more detailed descriptions in a table at the end of this page:
eCX's Architectural Lineage Examined
eCX's trust instrumentation—legal governance; semantic discipline; and report record provenance tracking—maintained in a single curated system provides a keystone resource of rationally trustable cybercrime event data for industries and enterprises engaged in the cybersecurity domain. In this way, eCX's essential data fidelity architecture emulates the discipline that undergirds underwriters' calculation of rational premiums; guides ships at sea around piracy trouble spots; and informs epidemiological interventions like the seasonal flu programs. For these domains, as in programmatic cybercrime suppression, data accuracy and taxonomic fidelity aren't an option but the bedrock of a global response to predictable, persistent risks like cybercrime.
Sectoral risk data exchanges rely on the same trust instrumentation that eCX adapts to its curational mission as a cybercrime risk data exchange. These sectoral risk data exchanges and repositories are examples of policy-bound, semantically governed clearinghouses, a long-tenured institutional role that is separate and distinct from the ad hoc sharing models employed in most cyber threat feeds, distinguished in substantive ways that redound to keystone operational efficiencies for cybersecurity routines and counter-cybercrime applications.
Sectoral risk data exchanges are similarly:
This plexus of trust instrumentation stands in contrast to many threat-sharing feeds (e.g., open STIX/TAXII endpoints, IOC repositories, commercial blacklists), which:
While underwriters' event data clearinghouses (e.g. ISO), seasonal flu program data archives (e.g. GISAID) and the APWG may not publish formal ontologies (e.g. in OWL or RDF), each of these sectoral risk data clearinghouses defines a semantically rigorous, controlled data model that is ontology-like in practice, maintaining schemas that govern how data elements are related, coded, and validated, even if not formalized in semantic web languages.
eCX, for the nonce, enforces its ontological model through traditional, rigorously detailed API schema and data conventions. Still, APWG is always considering the community of stakeholding data users and their ever-evolving needs as interveners, investigators and policy makers, and other representations of eCX data are always in development.
Risk Exchanges: APWG eCX / P&C Archives / Flu Strain IDs / Maritime Piracy Events
Proven Trust Schema Animates eCX Data Exchange
The eCX formally animates auditable cybercrime event data exchange by requiring contractual instrumentation and curation of data submission for all users. At once, this component of the eCX data fidelity architecture satisfies the risk-management requirements of corporate counsel — and incentivizes contribution of data of measurable reliability.
Bilateral data sharing requires corporate legal teams to forge agreements with everyone they want to share data with. That approach often requires years of legal work, and many times does not result in effective data sharing. This model of trust architecture also ensures that counterparties are vetted by the process itself, so that data consumed or sent can be verified as being from known parties, accountable by design.
APWG spent years refining a simple legal framework that allows data exchange to take place (among usually non-correspondent parties) while limiting and precisely defining the risk to submitters and receivers.
eCX Development Arc Over the Decades
The eCX and its progenitors have served the counter-cybercrime communities since 2004, initially distributing confirmed phishing URLs among APWG member companies and institutions, since expanding its purview to include six discrete cybercrime event types. [See: Data types table below.]
Currently, total report flow inbound to all endpoints on the eCX from all member sources numbers in the hundreds of thousands of new records per month from scores upon scores of institutions (many reporting on behalf of any number of enterprises and any number of client brands). Outbound flow of data elements from eCX to its users runs to billions per month through the eCX API.
As importantly, Arizona State University researchers found, in recent research, that eCX was alone in its class in one keystone metric: reports lodged on the eCX generated the highest level of crawler traffic of any entity.[1]
eCX archives six event data types on its API’s endpoints:
Phishing: The eCX receives hundreds to thousands of new, unique phishing URLs every day. The listings include confidence scores and brand (target) tags, so you can assess the data’s reliability. Learn about new attacks against hundreds of companies across the Internet, including the ones you need to protect.
Report Phishing: a repository of reported phishing emails, including header data, body text and images.
Malicious IPs: This feed contains IP addresses that have been recently observed as sources of malicious activity, such as fraudulent transactions and tell-tale port scanning.
Malicious Domains: An archive of maliciously registered domain names, including fake stores and fraud/identity theft websites. Supporting data can be added and forwarded to registrar and registry operators, or other APWG members, to aid in suspensions.
Cryptocurrency: This repository of problematic virtual currency addresses helps APWG members identify sources of malicious transactions and enrich their analytic tools. It’s high-value data for cryptocurrency exchanges, wallet providers, trading platforms, and investment funds that have to protect themselves and their customers against phishing and cybercrime. APWG members, to aid in takedowns.
Malicious SMS/Text: This repository of malicious text messages sent via the SMS protocol and over-the-top text messaging services helps APWG members report and manage criminal texting.
THE APWG ECRIME EXCHANGE IS AVAILABLE TO APWG MEMBERS. VIEW THE ECX API DOCUMENTATION FOR MORE INFORMATION: APWG MEMBERS

[1] PhishFarm: A Scalable Framework for Measuring the Effectiveness of Evasion Techniques Against Browser Phishing Blacklists, in the Proceedings of the 40th IEEE Symposium on Security & Privacy, May 2019, San Francisco, CA. Adam Oest, Yeganeh Safaei, Adam Doupé, Gail-Joon Ahn, Brad Wardman, and Kevin Tyers.
https://docs.apwg.org/documents/phishfarm_ieee_sp_2019_oest.pdf