An investigator's toolkit for the open web.
FalconEye is a free, self-hosted OSINT workbench built for cybersecurity investigators, fraud analysts, and journalists. It collapses the dozen browser tabs an investigator usually juggles — wallet explorers, RDAP lookups, certificate transparency, ASN tools, phishing kit analysis, malware databases, Telegram channel inspection — into one focused interface.
Every tab takes a single indicator as input and returns structured intelligence pulled from free, reputable public data sources. There is no paywall, no enterprise sales call, no API budget. Just the tools.
Built and maintained by OSINT-PH — a Philippine-based OSINT and incident response practice. The platform is open source under AGPL-3.0 at github.com/osintph/falconeye.
What this does
- → Trace crypto wallets across BTC, ETH, and USDT TRC20
- → Fingerprint phishing kits by their indicators
- → Profile domains with RDAP, DNS, and CT logs
- → Check IP reputation, open ports, and scanner activity
- → Inspect public Telegram channels for IOCs
- → Look up URLs and file hashes in community threat databases
PH Threat Pulse
live from URLhaus PH feedLoading PH threat data...
Start with a sample investigation
Latest from the cyber news desk
Loading latest headlines...
Crypto Investigation Workbench
Paste a Bitcoin, Ethereum, or USDT TRC20 wallet address to investigate transaction history and counterparties.
Transaction Graph
Transaction Timeline
Phishing Kit Scanner
Paste a suspected URL or raw HTML to fingerprint known PH phishing kit indicators.
Domain Intelligence
Paste a domain for unified RDAP, DNS, certificate transparency, and ASN intelligence. Results cached for 6 hours.
Telegram Channel Inspector
Paste a public Telegram channel name or t.me link to extract metadata, recent messages, and IOCs. Results cached for 6 hours. Private channels and groups not supported.
IP Reputation & Threat Lookup
Paste a public IPv4 or IPv6 address for ASN, geolocation, open ports, vulnerabilities, scanner activity, and URLhaus history. Results cached for 6 hours.
File & URL Sandbox History
Paste a URL or a file hash (MD5, SHA1, SHA256) to query URLhaus and MalwareBazaar for community threat intel. Results cached for 6 hours.
Reverse Image Search
Query Google Lens and Yandex Reverse Image Search in parallel. Paste a public image URL or upload a local file. Results cached 24 hours.
Drag and drop an image here, or click to select
JPEG, PNG, WebP, GIF. Max 10 MB.
Email Header Analyzer
Paste a complete email header (and optionally the body) to analyze authentication, sender alignment, routing, and scam patterns. You can also upload a .eml or .msg file to skip the copy-paste step.
Click to upload or drag a file here
Supported: .eml (Apple Mail, Thunderbird, raw email), .msg (Outlook), .txt
Max 5MB. File is parsed in memory and discarded immediately.
How to get the raw email header (or export the email as a file)
Open the message you want to analyze, then follow the steps for your mail client below. The "View source" / "Show original" option gives you the FULL raw email. You can paste it into the Header textarea, or export as .eml / .msg and upload above.
Tip: Privacy headers stripped by your mail provider cannot be recovered. The header reflects what was visible at delivery time.
Email body (optional) - adds scam / phishing pattern detection
Tip: If you already pasted the full raw email above, or uploaded a file, the body is extracted automatically.
Google Dork Generator
Describe what you want to find and get LLM-generated Google search queries with explanations and defensive-use notes. Powered by Claude Haiku 4.5.
Quick presets
This tool is intended for defensive surface monitoring, authorized penetration testing, and OSINT research on organizations or domains you have permission to investigate. Each dork comes with a defensive-use note.
Suspicious Script Decoder
Paste obfuscated PowerShell, encoded Base64, packed JavaScript, VBA macros, or any suspicious code. Claude Haiku 4.5 deobfuscates the code, explains what it does, extracts IOCs, and suggests detections.
Optional hint - tell the analyzer what you think this is
A short hint about the context helps the LLM produce a more accurate analysis. Optional.
Contact
Found a bug, have a feature request, or want to suggest a new OSINT tab? Send a note. Replies go to the OSINT-PH operator inbox.
Direct channels
Security disclosures
security@osintph.infoBlog
blog.osintph.infoWhat we want to hear
- →Bugs in any tab, especially with reproducible steps
- →Detection false positives or missed scams in the email analyzer
- →Ideas for new tabs that solve real OSINT problems
- →Data sources you'd like integrated
- →Partnership inquiries (vendors, content collabs)
Company
Six-card commercial intelligence dossier for any domain: Google identity, Google Ads (30-day and historical), Meta Ad Library, hiring signals, recent news, and a unified activity timeline. Results cached for 6 hours.
Cyber News
Aggregated from global and Philippine cybersecurity sources. Refreshed every 30 minutes.