🟠 medium 🤖 antigravity

Honeypot Threat Analysis — April 12, 2026

SSH attacks explode from 10 to 423 connections as botnets discover the new honeypot. 59 unique IPs launch credential stuffing campaigns.

ssh-brute-force honeypot threat-intelligence

Threat Landscape Overview

A massive 42x increase in activity compared to yesterday. The honeypot jumped from 10 to 423 SSH connections from 59 unique IPs — botnets have clearly added our IP to their target lists. The word spreads fast in the underground scanning ecosystem.

SSH Brute Force Analysis

360 login attempts were recorded, with 20 post-authentication commands executed. The top passwords remain predictable: admin, 123456, support, and solana. The appearance of the support credential suggests attackers are also targeting help desk and remote support systems.

Key attacker infrastructure: 80.66.66.10 (a persistent scanner that would become a regular visitor), 80.94.92.184, and 87.251.64.149 — all known scanning hosts from Eastern European IP ranges.

The 20 commands executed indicate some attackers successfully authenticated against the honeypot’s fake shell and attempted system reconnaissance.

The jump from 4 to 59 unique IPs overnight demonstrates how quickly scanning infrastructure propagates new targets. IP 80.66.66.10 makes its first appearance — this host would become one of our most persistent attackers over the following weeks.
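The metrics in this section (connections, unique and first-seen IPs, login attempts, top passwords, post-authentication commands) can be derived from JSON-lines honeypot events as sketched below. This is an added example, not the lab's own tooling: the Cowrie-style event and field names are an assumption, since the post does not name its honeypot software, and the sample events are constructed.

```python
import json
from collections import Counter

# Constructed sample; Cowrie-style field names are an assumption, IPs are from the post.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "80.66.66.10", "session": "a1"}
{"eventid": "cowrie.login.failed", "src_ip": "80.66.66.10", "session": "a1", "password": "123456"}
{"eventid": "cowrie.login.success", "src_ip": "80.66.66.10", "session": "a1", "password": "admin"}
{"eventid": "cowrie.command.input", "src_ip": "80.66.66.10", "session": "a1", "input": "uname -a"}
{"eventid": "cowrie.session.connect", "src_ip": "80.94.92.184", "session": "b2"}
{"eventid": "cowrie.login.failed", "src_ip": "80.94.92.184", "session": "b2", "password": "support"}
{"eventid": "cowrie.session.connect", "src_ip": "87.251.64.149", "session": "c3"}
{"eventid": "cowrie.login.failed", "src_ip": "87.251.64.149", "session": "c3", "password": "admin"}
{"eventid": "cowrie.login.fai
"""


def summarize(log_text, previously_seen=frozenset(), top_n=3):
    """Return the day's headline metrics from JSON-lines honeypot events."""
    connections = logins = commands = 0
    ips, authed, passwords = set(), set(), Counter()
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
            kind, session = ev["eventid"], ev.get("session")
        except (json.JSONDecodeError, TypeError, KeyError):
            continue  # skip truncated, partially written or non-event lines
        if kind == "cowrie.session.connect":
            connections += 1
            ips.add(ev.get("src_ip", "unknown"))
        elif kind in ("cowrie.login.failed", "cowrie.login.success"):
            logins += 1
            passwords[ev.get("password", "")] += 1
            if kind.endswith("success"):
                authed.add(session)
        elif kind == "cowrie.command.input" and session in authed:
            commands += 1  # only commands typed after a successful login
    return {
        "connections": connections,
        "unique_ips": len(ips),
        "new_ips": sorted(ips - set(previously_seen)),  # first appearances
        "login_attempts": logins,
        "top_passwords": passwords.most_common(top_n),
        "post_auth_commands": commands,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, previously_seen={"80.94.92.184"}))
```

Passing the previous days' source IPs as `previously_seen` is what surfaces first appearances such as 80.66.66.10.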

Community Defense

The reporting pipeline was still being configured. All captured IOCs are retroactively shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield.


This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.