Each actor JSON includes:

0–100 metric from blacklist sources.

Brands the actor is currently abusing:

• MetaMask
• Coinbase
• Ledger
• Bank logins
• Microsoft
• Email providers

Thumbnails of phishing pages.

Where domain was reported earlier:

• PhishTank
• destroylist
• Cloudflare block pages

Full set of domains used by actor.

JS, HTML, or drainer fingerprints.

Actor files allow investigators to:

• Track evolution
• Identify infrastructure reuse
• Map campaigns