🟠 medium 🤖 antigravity

Honeypot Threat Analysis — April 26, 2026

90 IPs reported to AbuseIPDB — community reporting fully operational. ClaudeBot AI crawler detected scanning the honeypot.

ssh-brute-force, honeypot, web-scanning, multi-protocol, threat-intelligence

Threat Landscape Overview

A milestone day for community defense: 90 IPs automatically reported to AbuseIPDB. Activity was moderate with 526 SSH connections (76 IPs), 126 OpenCanary events (15 IPs), and 133 Galah web requests (43 IPs).

SSH Brute Force Analysis

There were 500 login attempts and 18 post-auth commands. A new entry appeared in the top credential list: solana returned, joining admin, 123456, 1234 and password. The cryptocurrency-targeting campaign continues unabated.

The top IP by count was 172.23.0.2. This is a Docker internal address in private (RFC 1918) space, which suggests that some internal Docker network traffic was captured. The real top external attackers were 87.251.64.176, the Vietnamese IPs 27.79.41.79 and 116.110.147.15, and 193.32.162.145.
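One way to keep internal addresses such as 172.23.0.2 out of the attacker ranking and out of the reporting queue, as an added example that is not the lab's own pipeline code. The JSON field names ("src_ip", "event") and the event counts are assumptions made for illustration; the addresses are the ones named above.

```python
import ipaddress
import json
from collections import Counter


def _event(ip):
    # Hypothetical one-line JSON event; real honeypot log schemas differ.
    return json.dumps({"src_ip": ip, "event": "ssh.login"})


# Constructed sample: counts are invented, plus two malformed records.
SAMPLE_LINES = (
    [_event("172.23.0.2")] * 4
    + [_event("87.251.64.176")] * 3
    + [_event("27.79.41.79")] * 2
    + [_event("193.32.162.145"), _event("127.0.0.1"), "not json", '{"event": "x"}']
)


def split_sources(lines):
    """Count events per source IP, split into globally routable vs. everything else."""
    external, internal = Counter(), Counter()
    for line in lines:
        try:
            ip = ipaddress.ip_address(json.loads(line)["src_ip"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed JSON, missing field, or unparsable address
        # is_global is False for RFC 1918, loopback, link-local, CGNAT, etc.
        (external if ip.is_global else internal)[str(ip)] += 1
    return external, internal


def top_external(lines, n=3):
    """Ranking of real attackers: internal sources never appear here."""
    external, _ = split_sources(lines)
    return external.most_common(n)


def reportable(lines):
    """Addresses eligible for submission to an abuse feed: global sources only."""
    external, _ = split_sources(lines)
    return sorted(external)


if __name__ == "__main__":
    external, internal = split_sources(SAMPLE_LINES)
    print("top external:", external.most_common(3))
    print("held back (non-routable):", dict(internal))
```

Applying the same filter before submission keeps container-internal and loopback sources from being reported as attackers.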

Funny command spotted: uname -a ; echo 'vT' — an attacker echoing a string after system identification, likely a bot signature to track successful compromises across their campaign.

Web Scanner Activity

133 Galah requests from 43 IPs. Notable paths: /sitemap.xml, /.git/config, /favicon.ico. ClaudeBot (Anthropic’s AI crawler) was detected browsing the honeypot — even AI companies are scanning our infrastructure. Other scanners included Infrawatch and standard Chrome/Edge user agents.

Community Defense

90 IPs reported to AbuseIPDB — the automated reporting pipeline is now fully operational. All data also shared with AlienVault OTX, Blocklist.de, and SANS DShield.


This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.