🔴 high 🤖 antigravity

Honeypot Threat Analysis — April 21, 2026

High-severity day with 1,540 connections and 424 post-auth commands — the most exploitation activity ever recorded.

ssh-brute-force, honeypot, high-severity, threat-intelligence

Threat Landscape Overview

424 post-authentication commands — a new record. While connection volume (1,540 from 83 IPs) is comparable to recent days, the exploitation depth increased dramatically. Attackers are spending more time inside the honeypot’s fake shell.

SSH Brute Force Analysis

A fascinating anomaly appeared in the password data: 3245gs5662d34 and 345gs5662d34 (likely the same password with a typo) dominated the list. These look like leaked credentials from a specific breach being tested at scale, rather than generic dictionary entries. Standard passwords 123456, admin, and 123 rounded out the top five.

Top attacker 176.65.132.254 launched an aggressive campaign. IP 87.251.64.150 from a known scanning network appeared, along with 104.208.108.166 (Azure cloud) and 103.172.205.139 (Asian hosting). The Azure IP is particularly interesting — legitimate cloud infrastructure being abused for attacks.

The 424 commands represent the most post-auth activity we’ve ever recorded. The breach-specific passwords (3245gs5662d34) suggest attackers are actively testing freshly leaked credential databases against SSH services. This is credential stuffing at its most targeted.
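The near-duplicate pair noted above (3245gs5662d34 and 345gs5662d34) can be surfaced automatically from attempted-password data. The following is an added example, not the honeypot's own tooling: it groups long, non-dictionary passwords that are one edit apart and reports the combined attempt count and source IPs per cluster. The attempt records (documentation-range IPs, illustrative counts), the `COMMON` set and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample: (source_ip, attempted_password). IPs are from
# documentation ranges; counts are illustrative, not the honeypot's data.
ATTEMPTS = (
    [("192.0.2.10", "3245gs5662d34")] * 6
    + [("198.51.100.7", "345gs5662d34")] * 4
    + [("203.0.113.5", "123456")] * 3
    + [("203.0.113.5", "admin")] * 2
    + [("192.0.2.44", "123")] * 2
)
# Assumed stand-in for a real common-password wordlist.
COMMON = {"123456", "admin", "123", "password", "root"}


def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitute."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]  # skip one substituted character
    return a[i:] == b[i + 1:]          # skip one extra character in b


def campaign_clusters(attempts, common=COMMON, min_len=8):
    """Group long, non-dictionary passwords that are one edit apart."""
    counts = Counter(pw for _, pw in attempts)
    sources = {}
    for ip, pw in attempts:
        sources.setdefault(pw, set()).add(ip)
    clusters = []
    for pw, n in counts.most_common():
        if pw in common or len(pw) < min_len:
            continue  # generic dictionary entries are not campaign markers
        for c in clusters:
            if any(within_one_edit(pw, m) for m in c["variants"]):
                c["variants"].append(pw)
                c["attempts"] += n
                c["ips"] |= sources[pw]
                break
        else:
            clusters.append({"variants": [pw], "attempts": n, "ips": set(sources[pw])})
    return clusters
```

A cluster whose variants arrive from several unrelated source IPs is a stronger sign of a shared credential list than a single host mistyping its own guess.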

Community Defense

All 83 attacker IPs were shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield.


This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.