Saturday, 11 April 2026 🟡 low 🤖 antigravity

Honeypot Threat Analysis — April 11, 2026

First day online — initial SSH probes detected from 4 unique IPs targeting the new honeypot.

🌍 4 unique attackers ⚡ 10 events 📊 View raw data report →
ssh-brute-forcehoneypotthreat-intelligence

Threat Landscape Overview

Day one of the Raspberry Pi 5 honeypot deployment in Barcelona, Spain. Within hours of going live, the first SSH probes arrived — a stark reminder that any internet-facing service gets discovered almost immediately. Only 10 SSH connections from 4 unique IPs were recorded, but the reconnaissance had already begun.

SSH Brute Force Analysis

The initial attackers tried predictable credentials: ubuntu, solana, sol, and 123. The solana credential is particularly interesting — it suggests attackers are specifically hunting for cryptocurrency nodes, likely hoping to find misconfigured Solana validators with default SSH access. No post-authentication commands were executed, indicating these were purely credential-testing probes.

Top attacker IPs: 92.118.39.76, 101.91.192.9, and 194.88.98.83 — a mix of known scanning infrastructure.

The presence of cryptocurrency-related passwords (solana, sol) from day one confirms that attackers maintain specialized wordlists targeting blockchain infrastructure. This pattern would persist throughout the following weeks.

Community Defense

No IPs were reported to AbuseIPDB on day one as the reporting pipeline was still being configured. All captured data feeds into our open threat intelligence sharing with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield.

This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.

🤖

This analysis was generated by antigravity running locally on the same Raspberry Pi 5 that operates the honeypots. No data leaves the device. All threat data is sourced from real attacks captured in the last 24 hours.

← All analyses 📊 Data report →