This documents contains the indicators of canary tokens generated using canarytokens.org or any of their associated subsidiaries.
There are several domains that are associated with Thinkst Canary which can be used to generate canary tokens. The table below shows the domains associated with the canary tokens that are used in the generation of the tokens -
| Domains | Status (Confirmed ✅ / Unconfirmed Usage ❌) |
|---|---|
| honeypdfs.net | ✅ |
| canarytokens.com | ✅ |
| o3n.io | ✅ |
| cnr.io | ✅ |
| canarytokens.org | ✅ |
| ssl-secure-srv.com | ✅ |
| ssl-srv72.com | ✅ |
| canarytokens.net | ✅ |
| tok4n.info | ❌ |
| tok3n.info | ❌ |
| secure-redirector.com | ❌ |
| thinkstcanary.tools | ❌ |
| canary.help | ❌ |
The information mentioned above was obtained through a reverse WHOIS scan, and its usage has been confirmed through manual verification.
The confirmed domains have their IP addresses which can be traced back to the Thinkst Canary -
| Domain Name | IP Address |
|---|---|
| honeypdfs.net | 54.74.148.87 |
| canarytokens.com | 52.18.63.80 |
| o3n.io | - |
| cnr.io | - |
| canarytokens.org | 52.18.63.80 |
| ssl-secure-srv.com | 52.49.19.247 |
| ssl-srv72.com | 44.213.25.175 |
| canarytokens.net | - |
Domains like o3n.io, cnr.io and canarytokens.net typically do not have directly associated IP addresses because they are often used for callback or redirection purposes, which commonly involve subdomains for specific actions or tracking.
Each token is concealed in a unique location, and the methods to determine if they are canary tokens are also distinct and varied in each instance. Therefore, this repository offers guidance on identifying these tokens without inadvertently triggering them.