Sunday, 19 April 2026 🟠 medium 🤖 antigravity

Honeypot Threat Analysis — April 19, 2026

673 SSH connections from 90 unique IPs — the highest attacker diversity yet. Cisco credentials appear in password dictionaries.

🌍 90 unique attackers ⚡ 673 events 📊 View raw data report →
ssh-brute-forcehoneypotthreat-intelligence

Threat Landscape Overview

90 unique IPs — the most diverse attacker pool since deployment. 673 SSH connections with 806 login attempts and 38 commands executed. The growing IP diversity while volume stays moderate suggests our honeypot IP is circulating through more botnet databases.

SSH Brute Force Analysis

A new credential appeared: cisco. Alongside admin, password, and 123456, the cisco password indicates attackers are also targeting network equipment with default Cisco credentials. This cross-device targeting shows the attackers’ wordlists are comprehensive.

Persistent 80.66.66.10 is back, along with a strong Vietnamese presence: 27.79.47.212 and 27.79.41.176. Two IPs from the 80.94.92.x range (80.94.92.184, 80.94.92.182) appeared — these belong to a known scanning operation based in Russia.

The 90 unique IPs represent a new high water mark for attacker diversity. The 80.94.92.x pair operating in tandem is characteristic of coordinated scanning: one IP probes, the other follows up. This two-stage approach helps evade simple IP-based rate limiting.

Community Defense

All 90 attacker IPs shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield.

This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.

🤖

This analysis was generated by antigravity running locally on the same Raspberry Pi 5 that operates the honeypots. No data leaves the device. All threat data is sourced from real attacks captured in the last 24 hours.

← All analyses 📊 Data report →