🦠 Stealer Log Check

Has this domain, email, or username been infected by infostealer malware? Check via Hudson Rock Cavalier.

Hudson Rock's Cavalier indexes credentials harvested by infostealer malware. The free tier is rate-limited but works without a key.

⚠️ Even a "no result" doesn't guarantee safety — Cavalier indexes specific stealer families on a delay. Pair with the Pwned Passwords check for password-level exposure.

Free infostealer & stealer-log check

Check whether a domain, email, or username appears in Hudson Rock's Cavalier database of credentials harvested by infostealer malware. Three lookup modes: domain (company-wide exposure), email (specific account), username (cross-service handle).

For OSINT and incident response: a positive result means a device with access to credentials for this identifier was infected. The credentials are most likely already circulating in dark-web markets such as Russian Market and BidenCash. Treat the result as a "high probability of compromise" signal.

Hudson Rock's free Cavalier API is rate-limited but works without an API key. For broader credential-exposure intelligence, pair this with Pwned Passwords (password-level k-anonymity check) and the Have I Been Pwned (HIBP) catalog (breach-level history).

Frequently asked questions

What is an infostealer?
Infostealers are malware families that harvest credentials, cookies, autofill data, browser passwords, crypto wallets, and screenshots from infected devices. Active families in 2025-2026 include RedLine, Vidar, Raccoon, Lumma, Aurora, Stealc, and dozens more. Stolen "logs" are sold in cybercrime markets.

How is this different from HIBP?
HIBP catalogs data breaches — when a service was hacked. Hudson Rock catalogs device compromises — when an individual user's computer was infected. They're complementary: a service might never have been breached, but if a user typed their credentials into the service from an infected device, the credentials are still in stealer markets.

Why does Cavalier ask for a domain?
A domain check reveals two numbers: employees (people with corporate-domain emails who got infected) and users (anyone whose stealer log contained credentials for that domain — i.e. customer/end-user exposure).

My domain shows zero — am I safe?
Not necessarily. Cavalier covers known stealer families on a refresh cadence. Brand-new campaigns or under-the-radar families may not be reflected. A clean result lowers the probability but doesn't eliminate it.
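
For incident responders, here is one way to script the domain check and act on its two numbers, including the zero case. This is an added example, not Hudson Rock's code or this page's own. The endpoint base path, the `employees` and `users` JSON key names, the HTTP 429 rate-limit status and the action wording are assumptions to confirm against Hudson Rock's current documentation.

```python
import json
import time
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed base path of the keyless free endpoints; confirm before relying on it.
BASE = "https://cavalier.hudsonrock.com/api/json/v2/osint-tools"
MODES = {"domain": "search-by-domain", "email": "search-by-email",
         "username": "search-by-username"}

def lookup_url(mode, value):
    """Build the request URL for one of the three lookup modes."""
    if mode not in MODES:
        raise ValueError(f"unknown lookup mode: {mode!r}")
    return f"{BASE}/{MODES[mode]}?{urlencode({mode: value.strip()})}"

def fetch(mode, value, retries=3):
    """Query the free tier, backing off when it answers HTTP 429 (assumed)."""
    for attempt in range(retries):
        try:
            with urlopen(Request(lookup_url(mode, value)), timeout=15) as resp:
                return json.load(resp)
        except HTTPError as err:
            if err.code != 429 or attempt == retries - 1:
                raise
            time.sleep(5 * 2 ** attempt)  # wait 5 s, then 10 s, before retrying

def triage_domain(result):
    """Turn the two domain-level counts into illustrative response actions."""
    employees = int(result.get("employees") or 0)  # assumed key name
    users = int(result.get("users") or 0)          # assumed key name
    actions = []
    if employees:
        actions.append("workforce: reset passwords, revoke sessions, find infected devices")
    if users:
        actions.append("customers: force resets for exposed accounts, review their logins")
    if not actions:
        actions.append("no hits: lower probability only, re-check later and keep monitoring")
    return {"employees": employees, "users": users,
            "confirmed": bool(employees or users), "actions": actions}

# Constructed sample responses (not real Cavalier output).
SAMPLE_HIT = {"employees": 3, "users": 120}
SAMPLE_CLEAN = {"employees": 0, "users": 0}

if __name__ == "__main__":
    for sample in (SAMPLE_HIT, SAMPLE_CLEAN):
        print(json.dumps(triage_domain(sample), indent=2))
```

To run it against the live service, replace a sample with `fetch("domain", "your-domain.example")` for a domain you are responsible for.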