🔴 high 🤖 antigravity

Honeypot Threat Analysis — April 16, 2026

High-severity activity with 1,270 SSH connections. Attack volume cools from yesterday's critical peak but remains elevated.

ssh-brute-force, honeypot, high-severity, threat-intelligence

Threat Landscape Overview

Activity dropped from yesterday’s critical peak but remains at high severity with 1,270 SSH connections from 69 unique IPs. The honeypot continues to attract sustained attention from automated scanning infrastructure.

SSH Brute Force Analysis

The honeypot recorded 1,195 login attempts and 202 post-authentication commands. The password rotation continues: admin, 123456, 123, solana, 1234. The solana password reappearing confirms dedicated cryptocurrency-hunting botnets are actively scanning our IP range.

New top attacker: 66.228.35.224, a Linode IP that likely represents a compromised VPS being used for scanning. It is joined by familiar faces 92.118.39.92, 80.66.66.10, the Vietnamese IP 27.79.46.66, and 193.32.162.145 from a known scanning network.

The 202 commands executed post-login show consistent patterns: system identification via uname, process listing, and mount point enumeration. These are hallmarks of automated exploitation kits that run a standard reconnaissance playbook after gaining shell access.
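The recon pattern described above can be turned into a detection. The added example below, which is not code from this report or from the honeypot itself, maps each post-login command to one of the three categories named here and groups source IPs that ran the same ordered sequence. The JSON-lines event shape, the field names, and the sample events (with documentation-range IPs) are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample events in an assumed JSON-lines shape; field names are
# hypothetical and the IPs come from documentation ranges, not from the report.
SAMPLE_LOG = """\
{"event": "login", "session": "s1", "src_ip": "192.0.2.10", "password": "admin"}
{"event": "command", "session": "s1", "src_ip": "192.0.2.10", "input": "uname -a"}
{"event": "command", "session": "s1", "src_ip": "192.0.2.10", "input": "ps aux"}
{"event": "command", "session": "s1", "src_ip": "192.0.2.10", "input": "cat /proc/mounts"}
{"event": "login", "session": "s2", "src_ip": "198.51.100.7", "password": "solana"}
{"event": "command", "session": "s2", "src_ip": "198.51.100.7", "input": "uname  -s -m"}
{"event": "command", "session": "s2", "src_ip": "198.51.100.7", "input": "ps -ef"}
{"event": "command", "session": "s2", "src_ip": "198.51.100.7", "input": "mount"}
{"event": "command", "session": "s3", "src_ip": "203.0.113.5", "input": "whoami"}
not-json debris line
"""

# The three recon steps named in the report, keyed by the binary that performs them.
CATEGORIES = {"uname": "sysid", "ps": "proclist", "top": "proclist",
              "mount": "mounts", "df": "mounts"}

def categorize(cmd):
    """Map one shell command line to a recon category, or 'other'."""
    tokens = cmd.split()
    if not tokens:
        return "other"
    if tokens[0] == "cat" and any(t in ("/proc/mounts", "/etc/mtab") for t in tokens[1:]):
        return "mounts"
    return CATEGORIES.get(tokens[0].rsplit("/", 1)[-1], "other")

def playbooks(log_text):
    """Group source IPs by the ordered recon categories their session ran."""
    sessions, src = defaultdict(list), {}
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the run
        if not isinstance(ev, dict) or ev.get("event") != "command":
            continue
        sessions[ev["session"]].append(categorize(ev.get("input", "")))
        src[ev["session"]] = ev["src_ip"]
    groups = defaultdict(set)
    for sid, cats in sessions.items():
        groups[">".join(cats)].add(src[sid])
    return {seq: sorted(ips) for seq, ips in groups.items()}
```

A sequence shared by several unrelated source IPs, despite differing flags, is the signal that the same automated kit is behind them.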

Community Defense

All 69 attacker IPs were shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield.


This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.