🔴 high 🤖 antigravity

Honeypot Threat Analysis — April 22, 2026

985 SSH connections with 204 post-auth commands. The root credential enters the top 5 password list for the first time.

Tags: ssh-brute-force, honeypot, high-severity, threat-intelligence

Threat Landscape Overview

Steady high-severity activity: 985 SSH connections from 73 unique IPs with 204 post-authentication commands. The attack rhythm has settled into a consistent daily pattern of around 1,000 connections.

SSH Brute Force Analysis

896 login attempts — notable for the first appearance of root in the top 5 passwords: 123456, admin, 123, root, password. Attackers explicitly targeting the root account suggests more sophisticated operators who know that many embedded systems and IoT devices ship with root SSH access enabled.

Top attacker 176.65.132.254 continues yesterday’s aggressive campaign. 87.251.64.176 is a new address from the same scanning network. 45.148.10.183 comes from a bulletproof hosting provider, and 163.172.152.161 is a Scaleway cloud instance, another case of legitimate infrastructure being weaponized.

The prominence of the root credential indicates a shift in targeting from generic SSH services to root-privileged systems. Combined with the persistent presence of 2.57.122.238, it shows the attacker ecosystem stabilizing around a core set of scanning networks that consistently probe our infrastructure.
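One way to detect a shift like root entering the top 5, as an added example rather than this lab's own tooling: it ranks attempted passwords per day and reports entries that appeared in no earlier day's top 5. The Cowrie-style JSON field names are an assumption about the sensor, and every sample event and count is constructed for illustration.

```python
import json
from collections import Counter, defaultdict

# Assumption: the sensor writes Cowrie-style JSON lines with these event ids.
LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}

def daily_password_counts(lines):
    """Map day (YYYY-MM-DD) -> Counter of attempted passwords."""
    days = defaultdict(Counter)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt log lines
        if not isinstance(ev, dict) or ev.get("eventid") not in LOGIN_EVENTS:
            continue
        if "password" in ev:
            days[str(ev.get("timestamp", ""))[:10]][ev["password"]] += 1
    return days

def top_n(counter, n=5):
    # Count descending, then password, so ties rank deterministically.
    ranked = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))
    return [pw for pw, _ in ranked[:n]]

def new_entrants(days, today, n=5):
    """Passwords in today's top n that were in no earlier day's top n."""
    seen = set()
    for day in (d for d in days if d < today):
        seen.update(top_n(days[day], n))
    return [pw for pw in top_n(days[today], n) if pw not in seen]

def _sample(day, counts):
    # Constructed events (documentation IP, made-up counts), not honeypot data.
    return [json.dumps({"eventid": "cowrie.login.failed",
                        "timestamp": f"{day}T00:00:00Z", "src_ip": "192.0.2.1",
                        "username": "root", "password": pw})
            for pw, c in counts.items() for _ in range(c)]

SAMPLE = (_sample("2026-04-21", {"123456": 9, "admin": 7, "123": 5,
                                 "password": 4, "1234": 3, "root": 1})
          + _sample("2026-04-22", {"123456": 9, "admin": 7, "123": 6,
                                   "root": 5, "password": 4, "1234": 2})
          + ["{truncated"])  # corrupt line, must be ignored

if __name__ == "__main__":
    days = daily_password_counts(SAMPLE)
    print(top_n(days["2026-04-22"]), new_entrants(days, "2026-04-22"))
```

Comparing against every earlier day, not only the previous one, keeps a password that drops out for a day and returns from being reported as new.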

Community Defense

All 73 attacker IPs were shared with AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield.

This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain.