DEV.co
Open-Source Observability · DarkWebInformer

FBI_Watchdog

FBI Watchdog is a Python-based domain monitoring tool that detects law enforcement seizures, DNS changes, and infrastructure shifts across clearnet domains and Tor onion sites. It monitors multiple attack surfaces (DNS, HTTP headers, WHOIS, IP, onion content) and sends real-time alerts via Discord and Telegram when seizure signals are detected.

Source: GitHub — github.com/DarkWebInformer/FBI_Watchdog
686
GitHub stars
113
Forks
Python
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryDarkWebInformer/FBI_Watchdog
OwnerDarkWebInformer
Primary languagePython
LicenseMIT — OSI-approved
Stars686
Forks113
Open issues1
Latest releaseUnknown
Last updated2026-03-17
Sourcehttps://github.com/DarkWebInformer/FBI_Watchdog

What FBI_Watchdog is

The tool implements five independent monitoring layers (DNS via dnspython, HTTP fingerprinting via requests, WHOIS via python-whois, IP tracking via reverse DNS, Tor onion scanning via SOCKS5) with a cross-monitor escalation engine that triggers full audits and screenshots via Playwright on seizure detection. State is maintained in JSON files; alerts include embedded screenshots and are dispatched to Discord webhooks and Telegram bot API.

Quickstart

Get the FBI_Watchdog source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/DarkWebInformer/FBI_Watchdog.gitcd FBI_Watchdog# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Cyber Threat Intelligence Operations

Track indicators of compromise and domain takeovers in real time across clearnet and dark web targets. Automate detection of law enforcement seizures and government domain redirects to reduce analyst manual checking.

Security Research & Dark Web Monitoring

Monitor known threat actor infrastructure for seizure events, DNS poisoning, or infrastructure migrations. Capture forensic evidence (screenshots, WHOIS snapshots) automatically for incident reports.

Abuse/Takedown Operations

Detect when monitored malicious domains are seized by law enforcement or providers. Validate seizure completeness by cross-checking DNS, HTTP, and IP changes against known LE infrastructure patterns.

Implementation considerations

  • Python 3.9+ required. Must install Tor daemon and Chromium via Playwright for full feature set; adds deployment footprint and attack surface.
  • Discord and Telegram credentials stored in .env file; ensure strict file permissions (chmod 600) and use secrets management in production to avoid credential leakage.
  • SOCKS5 proxy support exists for clearnet requests but Playwright screenshot capture falls back to direct connection if proxy auth is configured—may leak identity on screenshot requests.
  • State persistence via local JSON files; no database abstraction. Concurrent execution of multiple watchdog instances on same state files will cause race conditions and data loss.
  • Hot-reload of monitored_sites.json every cycle allows dynamic site addition but parsing errors silently fail—validate site file format before deploying.

When to avoid it — and what to weigh

  • Monitoring mission-critical production domains — This tool is purpose-built for threat monitoring, not production domain health. Use dedicated uptime monitoring (Pingdom, DataDog) for production infrastructure.
  • Requires enterprise-grade SLA/support — No formal support structure, no security incident response SLA, no commercial backing. Early-stage project (created Feb 2025) with minimal release history and unknown maintenance commitment.
  • Need compliance-audited alerting — Alerts are sent via Discord/Telegram webhooks without encryption, signature verification, or audit logging. Does not meet regulatory requirements for evidence chain-of-custody in legal proceedings.
  • Large-scale monitoring (1000+ domains) — Architecture uses sequential polling of all monitors per domain per cycle. Scalability limits unknown; resource consumption and API rate-limit handling not documented.

License & commercial use

MIT License (permissive OSI-approved). Permits unrestricted commercial use, modification, and distribution with attribution. No warranty or liability. Suitable for commercial integration.

MIT License explicitly permits commercial use without restrictions. No licensing fees, commercial support, or vendor lock-in. However, the project is early-stage (created Feb 2025), unmarked version 3.0.0 with no tagged releases, and no SLA or commercial support structure. Organizations deploying this commercially should budget for internal maintenance, custom enhancements, and risk of upstream abandonment.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceUnknown
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceMedium
Security considerations

Credentials (.env) stored locally; ensure file permissions and use encrypted secrets in production. SOCKS5 proxy support for anonymity exists but screenshot capture falls back to direct connection, potentially leaking identity on Tor-monitored sites. Tor connections validated for circuit rotation but no mention of exit node fingerprinting or guard node security. Event feed and state files are local JSON with no encryption at rest. No input validation issues noted in documentation but parsing of WHOIS/DNS/HTTP responses from untrusted sources could expose to injection/parsing bugs. Tool monitors potentially illegal content (seized dark web sites); use within applicable legal jurisdiction and with appropriate organizational policies.

Alternatives to consider

Splunk Phantom / Splunk SOAR + custom playbooks

Enterprise SIEM with multi-source monitoring, alert aggregation, and ticketing integration. Requires licensing; significantly higher operational overhead but includes support and audit logging.

Shadowserver Foundation & Team Cymru DNS monitoring services

Purpose-built threat intel feeds for seized domains and malware C2 infrastructure. Subscription-based, curated data, no infrastructure required. Less customizable than FBI Watchdog but more reliable for production CTI.

Build a tailored domain monitoring pipeline with database persistence, horizontal scaling, and real-time dashboarding. Higher initial investment but full control over data retention, privacy, and integration.

Software development agency

Build on FBI_Watchdog with DEV.co software developers

Integrate FBI Watchdog into your threat intelligence pipeline. Monitor clearnet and dark web infrastructure for law enforcement seizures and infrastructure changes in real time.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

FBI_Watchdog FAQ

Does this tool require internet access to detect seizures?
Yes. The tool makes external DNS queries, WHOIS lookups, HTTP requests, and connects to Tor to monitor domains. It cannot operate in air-gapped environments. Tor SOCKS5 and optional clearnet SOCKS5 proxy allow routing through external proxies but do not eliminate internet dependency.
What happens if Discord/Telegram webhooks are not configured?
The tool runs normally and logs all detections to console output and the JSON event feed file. Alerts are not suppressed; they are simply not sent externally. Useful for testing or integration with other monitoring systems.
Can I monitor 10,000+ domains simultaneously?
Unknown. Architecture uses sequential polling (all monitors run for each domain per cycle). Scalability limits are not documented. Large-scale deployments should test resource usage and API rate limits (DNS, WHOIS, HTTP) before committing to production.
Is this tool legal to use for monitoring dark web sites?
Legal use depends on jurisdiction, site content, and organizational policy. Monitoring seized sites for law enforcement activity is legal in most cases. Monitoring active illegal marketplaces or content may violate local laws. Consult legal counsel before deployment.

Software developers & web developers for hire

From first prototype to production, DEV.co delivers software development services around tools like FBI_Watchdog. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source observability and beyond.

Deploy Automated Domain Seizure Detection

Integrate FBI Watchdog into your threat intelligence pipeline. Monitor clearnet and dark web infrastructure for law enforcement seizures and infrastructure changes in real time.