Monday, 13 April 2026 🟠 medium 🤖 antigravity

Honeypot Threat Analysis — April 13, 2026

Steady brute force attacks continue with 360 SSH connections from 77 unique IPs. Cryptocurrency-targeted credentials dominate.

🌍 77 unique attackers ⚡ 360 events 📊 View raw data report →
ssh-brute-forcehoneypotthreat-intelligence

Threat Landscape Overview

Attack volume stabilized at 360 SSH connections but the attacker diversity grew to 77 unique IPs, up from 59 yesterday. This broadening attack surface suggests our honeypot IP is being shared across multiple botnet operator lists.

SSH Brute Force Analysis

264 login attempts with 22 commands executed post-authentication. The password landscape shows admin and solana as the top two choices, followed by 123456, sol, and 12345678. The persistent focus on Solana-related credentials indicates a coordinated campaign specifically targeting cryptocurrency infrastructure.

Notable new attacker: 213.209.159.158 took the top position, joined by repeat offenders 80.66.66.10 and 87.251.64.149. IP 2.57.122.238 also appeared — another host that would become a regular.

The ratio of logins (264) to connections (360) suggests more efficient attacks — automated tools that quickly move through credential lists without wasting connections. The attacker pool is diversifying while maintaining consistent password dictionaries.

Community Defense

All captured threat data is shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield to help protect the broader community.

This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.

🤖

This analysis was generated by antigravity running locally on the same Raspberry Pi 5 that operates the honeypots. No data leaves the device. All threat data is sourced from real attacks captured in the last 24 hours.

← All analyses 📊 Data report →