Data Model - VantaPrism API

Where this data comes from

When infostealer malware (RedLine, Raccoon, Lumma, Vidar, etc.) runs on a victim’s machine, it harvests everything saved by installed browsers and a handful of common applications, then bundles it into a folder structure (“a log”) that gets uploaded to the attacker’s panel. A typical log looks something like this:

RL-2026-AC91F3/
├── UserInformation.txt        # OS, hardware, IP, geolocation, installed apps
├── Passwords.txt               # saved browser logins (url, login, password)
├── Cookies/
│   ├── Chrome_Default.txt
│   └── Edge_Profile1.txt
├── Autofills/
│   └── Chrome_Default.txt      # saved form data — names, addresses, phones
├── CreditCards/
│   └── Chrome_Default.txt
├── Wallets/
│   ├── MetaMask/                # extension storage, may include seed phrase
│   └── Exodus/
├── FileGrabber/
│   └── Desktop/wallet_seed.txt  # arbitrary files matching grabber rules
├── Telegram/, Discord/, Steam/  # session tokens for common apps
└── ProcessList.txt

VantaPrism’s ingestion pipeline parses every file in every log, normalizes the records into the schemas below, deduplicates against previously-seen victims, and indexes everything for search. One log = one Victim, with zero or more rows in each of the categories below attached to it.

Victim

Returned by GET /v1/victims/{victim_id}. Identifies one infected machine.

Field	Type	Description
`victim_id`	string	SHA-256 hash — the stable, primary identifier
`log_victim_id`	string	The identifier from the original log (e.g. `RL-2026-AC91F3`)
`stealer_family`	string	e.g. `RedLine`, `Raccoon`, `Lumma`, `Vidar`
`stealer_version`	string	Malware build/version string
`ip`	string	Infected machine’s IP — masked via `subnet_mask` on free tier
`country`	string	ISO 3166-1 alpha-2
`os`	string	Operating system
`computer_name`	string	Masked via `partial_identifier` on free tier
`user_name`	string	OS username — masked via `partial_identifier` on free tier
`hwid`	string	Hardware ID — masked via `partial_identifier` on free tier
`machine_id`	string	Masked via `partial_identifier` on free tier
`log_date`	string \| null	When the log was captured
`malware_location`	string	Masked via `partial_filepath` on free tier
`timezone`	string
`cpu_name`	string
`ram_total_bytes`	integer
`anti_viruses`	string[]	Detected AV products
`installed_browsers`	string[]
`installed_software`	string[]
`has_system_password`	boolean	Boolean-flag substitute for raw `system_password` on free/pro
`processes`	object[]	Running processes at infection time — only populated with `include_processes=true`

Credential

Returned by domain/email/username/IP search endpoints, /v1/data/credentials, and /v1/victims/{id}/credentials.

Field	Type	Description
`victim_id`	string
`domain`	string	Registrable domain extracted from `url`
`url`	string	Masked to `scheme://host/***` on free tier
`login`	string	Masked via `partial_login` on free tier (unless it’s a value you searched for — see Data Masking)
`password`	string	Masked to `"••••"` on free tier
`browser`	string
`profile`	string	Browser profile name
`inserted_at`	string (date-time)

Returned by /v1/data/cookies and /v1/victims/{id}/cookies.

Field	Type	Description
`victim_id`	string
`domain`	string
`name`	string	Cookie name
`value`	string	Returned as `"[REDACTED]"` on free tier
`path`	string
`secure`	boolean
`http_only`	boolean
`expiration`	integer \| null	Unix timestamp
`expiration_utc`	string \| null (date-time)
`browser`	string
`profile`	string
`inserted_at`	string (date-time)

Autofill

Returned by /v1/data/autofill and /v1/victims/{id}/autofill.

Field	Type	Description
`victim_id`	string
`browser`	string
`profile`	string
`name`	string	Form field name (e.g. `email`, `phone`, `address`)
`value`	string	Returned as `"[REDACTED]"` on free tier
`inserted_at`	string (date-time)

Card

Returned by /v1/data/cards and /v1/victims/{id}/cards.

Field	Type	Description
`victim_id`	string
`card_number`	string	Masked via `bin_last_four` on every tier — first 6 + last 4 digits visible
`card_type`	string	e.g. `Visa`, `Mastercard`
`holder`	string	Cardholder name
`expiration_year`	string
`expiration_month`	string
`has_cvv`	boolean	Boolean-flag substitute for raw `cvv` on free/pro
`browser`	string
`profile`	string
`inserted_at`	string (date-time)

Wallet

Returned by /v1/data/wallets and /v1/victims/{id}/wallets.

Field	Type	Description
`victim_id`	string
`family`	string	Stealer family that captured this wallet
`wallet_type`	string	e.g. `MetaMask`, `Exodus`
`wallet_kind`	string	`browser_extension` \| `desktop_app` \| etc.
`browser`	string
`profile`	string
`extension_id`	string \| null
`source_dir`	string
`wallet_storage_format`	string
`chain_primary`	string	e.g. `ethereum`, `bitcoin`, `solana`
`evm_addresses`, `btc_addresses`, `tron_addresses`, `solana_addresses`, `cosmos_addresses`, `ton_addresses`, `other_addresses`	string[]	Public addresses found in wallet storage
`vault_kdf`	string \| null	Key-derivation function used by the encrypted vault
`vault_iterations`	integer \| null
`password_hint`	string \| null
`windows_username`	string
`has_wallet_files`	boolean	Boolean-flag substitute for raw `wallet_files`
`has_seed_phrase`	boolean	Boolean-flag substitute for raw `seed_phrase`
`has_private_key`	boolean	Boolean-flag substitute for raw `private_key`
`has_encrypted_vault`	boolean	Boolean-flag substitute for raw `encrypted_vault`
`inserted_at`	string (date-time)

FTP credential

Returned by /v1/data/ftp and /v1/victims/{id}/ftp.

Field	Type	Description
`victim_id`	string
`server`	string
`username`	string	Masked via `partial_login` on free tier
`password`	string	Returned as `"[REDACTED]"` on free tier (raw field: `ftp_password`)
`inserted_at`	string (date-time)

Keychain entry

Returned by /v1/data/keychain and /v1/victims/{id}/keychain. Ultra tier only.

Field	Type	Description
`victim_id`	string
`name`	string	Keychain item name
`value`	string	Returned as `"[REDACTED]"` on free/pro tiers (raw field: `keychain_value`)
`inserted_at`	string (date-time)

Command

Returned by /v1/data/commands and /v1/victims/{id}/commands.

Field	Type	Description
`victim_id`	string
`shell`	string	e.g. `bash`, `zsh`, `powershell`
`command`	string
`inserted_at`	string (date-time)

History

Returned by /v1/victims/{id}/history.

Field	Type	Description
`victim_id`	string
`url`	string	Masked to `scheme://host/***` on free tier
`title`	string
`browser`	string
`profile`	string
`visited_at`	string \| null (date-time)
`visit_count`	integer
`inserted_at`	string (date-time)

File (file grabber)

Returned by /v1/search/file and /v1/victims/{id}/files.

Field	Type	Description
`stealer_id`	string
`victim_id`	string
`original_path`	string	Masked to drive/root + `"***"` on free tier via `partial_filepath`
`filename`	string	Stem masked, extension preserved on free tier via `partial_filename`
`ip`	string	Masked via `subnet_mask` on free tier
`country`	string
`stealer_family`	string
`infection_date`	string \| null (date-time)

Full machine-readable schemas

Every object above — plus every request body — is fully defined in openapi.yaml, browsable in the API Reference tab.

​Where this data comes from

​Victim

​Credential

​Cookie

​Autofill

​Card

​Wallet

​FTP credential

​Keychain entry

​Command

​History

​File (file grabber)

​Full machine-readable schemas