What we collect
PhishNet collects public, submitted, trusted, partner or explicitly authorized evidence and metadata. The public dashboard summarizes source families rather than exposing raw operational rows.
What we do not collect
Public publication is intentionally conservative. The dashboard is not a place to expose victims, private communications, or attacker-enabling details.
How we count
Live evidence checks means an item was technically observed or corroborated in the current public-safe cut. All-time stored findings is a high-water corpus counter. Active campaign means related indicators share campaign-like structure, source overlap, timing, infrastructure or kit features.
Worked example: three defanged domains sharing certificate hash, page hash and source-run timing may count as three indicators and one campaign-like cluster. The public view shows the sector and country pattern, not the real brand target.
Time windows
Live threat board windows are computed in UTC. Live intake counters can update more frequently than the public daily board because they are public-safe movement indicators. Citable cuts are materialized separately so journalists and researchers can quote a stable number.
Defanging policy
Public examples replace dots with [.], remove protocols, and mask portions of domains when the visible string would help locate a working kit. Examples are illustrative and safe to copy into an article.
Example: secure-login-xx[.]eu shows the impersonation pattern without distributing a working phishing destination.
Withholding policy
We never publish specific brand names, victim identities, active case details, subscriber names, sanctions matches, unrestricted raw evidence, or fresh operational takedown state on the public dashboard.
The rationale is simple: public intelligence should inform citizens, journalists and decision-makers without helping attackers identify detection methods or live response activity.
Confidence and uncertainty
Confidence comes from source reputation, technical corroboration, recency, evidence depth and cross-source agreement. When confidence is not strong enough for public publication, the item may appear only as an aggregate review candidate or stay fully withheld.
Update cadence
Live intake counters are snapshot-first and can update throughout the day. The public dashboard is a citable daily cut. Research notes and quarterly reports are narrative layers built from the same public-safe data.
Corrections
Correction requests can be sent to stijn@galacticautomation.com. We review source provenance, public wording, counts and safety redactions, then update the affected public page or report with a correction note where needed.