FBI_Watchdog
FBI Watchdog is a Python-based domain monitoring tool that detects law enforcement seizures, DNS changes, and infrastructure shifts across clearnet domains and Tor onion sites. It monitors multiple attack surfaces (DNS, HTTP headers, WHOIS, IP, onion content) and sends real-time alerts via Discord and Telegram when seizure signals are detected.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | DarkWebInformer/FBI_Watchdog |
| Owner | DarkWebInformer |
| Primary language | Python |
| License | MIT — OSI-approved |
| Stars | 686 |
| Forks | 113 |
| Open issues | 1 |
| Latest release | Unknown |
| Last updated | 2026-03-17 |
| Source | https://github.com/DarkWebInformer/FBI_Watchdog |
What FBI_Watchdog is
The tool implements five independent monitoring layers (DNS via dnspython, HTTP fingerprinting via requests, WHOIS via python-whois, IP tracking via reverse DNS, Tor onion scanning via SOCKS5) with a cross-monitor escalation engine that triggers full audits and screenshots via Playwright on seizure detection. State is maintained in JSON files; alerts include embedded screenshots and are dispatched to Discord webhooks and Telegram bot API.
Get the FBI_Watchdog source
Clone the repository and explore it locally.
git clone https://github.com/DarkWebInformer/FBI_Watchdog.gitcd FBI_Watchdog# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Python 3.9+ required. Must install Tor daemon and Chromium via Playwright for full feature set; adds deployment footprint and attack surface.
- Discord and Telegram credentials stored in .env file; ensure strict file permissions (chmod 600) and use secrets management in production to avoid credential leakage.
- SOCKS5 proxy support exists for clearnet requests but Playwright screenshot capture falls back to direct connection if proxy auth is configured—may leak identity on screenshot requests.
- State persistence via local JSON files; no database abstraction. Concurrent execution of multiple watchdog instances on same state files will cause race conditions and data loss.
- Hot-reload of monitored_sites.json every cycle allows dynamic site addition but parsing errors silently fail—validate site file format before deploying.
When to avoid it — and what to weigh
- Monitoring mission-critical production domains — This tool is purpose-built for threat monitoring, not production domain health. Use dedicated uptime monitoring (Pingdom, DataDog) for production infrastructure.
- Requires enterprise-grade SLA/support — No formal support structure, no security incident response SLA, no commercial backing. Early-stage project (created Feb 2025) with minimal release history and unknown maintenance commitment.
- Need compliance-audited alerting — Alerts are sent via Discord/Telegram webhooks without encryption, signature verification, or audit logging. Does not meet regulatory requirements for evidence chain-of-custody in legal proceedings.
- Large-scale monitoring (1000+ domains) — Architecture uses sequential polling of all monitors per domain per cycle. Scalability limits unknown; resource consumption and API rate-limit handling not documented.
License & commercial use
MIT License (permissive OSI-approved). Permits unrestricted commercial use, modification, and distribution with attribution. No warranty or liability. Suitable for commercial integration.
MIT License explicitly permits commercial use without restrictions. No licensing fees, commercial support, or vendor lock-in. However, the project is early-stage (created Feb 2025), unmarked version 3.0.0 with no tagged releases, and no SLA or commercial support structure. Organizations deploying this commercially should budget for internal maintenance, custom enhancements, and risk of upstream abandonment.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Unknown |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | Medium |
Credentials (.env) stored locally; ensure file permissions and use encrypted secrets in production. SOCKS5 proxy support for anonymity exists but screenshot capture falls back to direct connection, potentially leaking identity on Tor-monitored sites. Tor connections validated for circuit rotation but no mention of exit node fingerprinting or guard node security. Event feed and state files are local JSON with no encryption at rest. No input validation issues noted in documentation but parsing of WHOIS/DNS/HTTP responses from untrusted sources could expose to injection/parsing bugs. Tool monitors potentially illegal content (seized dark web sites); use within applicable legal jurisdiction and with appropriate organizational policies.
Alternatives to consider
Splunk Phantom / Splunk SOAR + custom playbooks
Enterprise SIEM with multi-source monitoring, alert aggregation, and ticketing integration. Requires licensing; significantly higher operational overhead but includes support and audit logging.
Shadowserver Foundation & Team Cymru DNS monitoring services
Purpose-built threat intel feeds for seized domains and malware C2 infrastructure. Subscription-based, curated data, no infrastructure required. Less customizable than FBI Watchdog but more reliable for production CTI.
Build a tailored domain monitoring pipeline with database persistence, horizontal scaling, and real-time dashboarding. Higher initial investment but full control over data retention, privacy, and integration.
Build on FBI_Watchdog with DEV.co software developers
Integrate FBI Watchdog into your threat intelligence pipeline. Monitor clearnet and dark web infrastructure for law enforcement seizures and infrastructure changes in real time.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
FBI_Watchdog FAQ
Does this tool require internet access to detect seizures?
What happens if Discord/Telegram webhooks are not configured?
Can I monitor 10,000+ domains simultaneously?
Is this tool legal to use for monitoring dark web sites?
Software developers & web developers for hire
From first prototype to production, DEV.co delivers software development services around tools like FBI_Watchdog. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source observability and beyond.
Deploy Automated Domain Seizure Detection
Integrate FBI Watchdog into your threat intelligence pipeline. Monitor clearnet and dark web infrastructure for law enforcement seizures and infrastructure changes in real time.