Honeypot Threat Analysis — May 5, 2026
New honeypot traps deployed — Canarytokens, API decoys, and HTTP tarpit go live. Critical-level attacks continue unabated.
Threat Landscape Overview
Critical severity for the sixth consecutive day: 1,986 SSH connections (88 IPs), 4,235 OpenCanary events (13 IPs), and 85 Galah web requests (35 IPs). Meanwhile, the honeypot lab underwent significant upgrades.
Infrastructure Upgrades
Today marked a major evolution of the honeypot capabilities:
- Canarytokens: Fake credential files (AWS keys, cryptocurrency wallets, SSH private keys) deployed to detect attackers who attempt to use exfiltrated data
- API Decoys: Fake /v1/users, /v1/config, and /v1/export endpoints mimicking real backend APIs to attract and fingerprint attackers
- HTTP Tarpit: Galah proxy now identifies 21 common scanner patterns and responds with intentionally slow connections, wasting attacker resources
- 4-Platform Reporting: All trap interactions now report directly to AbuseIPDB, AlienVault OTX, Blocklist.de, and SANS DShield
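A sketch of the routing decision behind the API decoys and the HTTP tarpit listed above, as an added example rather than the lab's own code. The three decoy paths come from this report; the scanner patterns, function names and timing values are constructed assumptions, since the lab's 21 patterns are not listed here.

```python
import re
import time
from typing import Callable, Iterator

# Decoy API paths named in the report.
DECOY_PATHS = {"/v1/users", "/v1/config", "/v1/export"}

# Constructed sample patterns (assumption): stand-ins for the lab's
# own list of 21 scanner patterns, which the report does not publish.
SCANNER_PATTERNS = [
    re.compile(r"^/\.env$"),
    re.compile(r"^/\.git/"),
    re.compile(r"^/wp-login\.php$"),
    re.compile(r"^/phpmyadmin", re.IGNORECASE),
]


def classify(path: str) -> str:
    """Return 'decoy', 'tarpit' or 'default' for a request path."""
    clean = path.split("?", 1)[0]          # ignore the query string
    if clean.rstrip("/") in DECOY_PATHS:   # exact decoy endpoint
        return "decoy"
    if any(p.search(clean) for p in SCANNER_PATTERNS):
        return "tarpit"
    return "default"


def tarpit_chunks(
    body: bytes,
    chunk: int = 1,
    delay: float = 2.0,
    max_seconds: float = 60.0,
    sleep: Callable[[float], None] = time.sleep,
) -> Iterator[bytes]:
    """Drip `body` out `chunk` bytes at a time, pausing `delay` seconds
    before each piece, and stop once `max_seconds` would be exceeded so
    a single client cannot pin a honeypot worker indefinitely."""
    spent = 0.0
    for i in range(0, len(body), chunk):
        if spent + delay > max_seconds:
            return                          # budget used up: drop the rest
        sleep(delay)
        spent += delay
        yield body[i:i + chunk]


if __name__ == "__main__":
    for p in ("/v1/export?format=csv", "/.git/config", "/index.html"):
        print(p, "->", classify(p))
```

The `max_seconds` cap matters on a small host: every tarpitted connection also holds a socket and a worker on the honeypot itself.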
SSH Brute Force Analysis
2,393 login attempts with 365 post-auth commands. The persistent actors continue: 45.156.87.254, 176.65.132.254, 87.251.64.176. With the new Canarytoken files deployed in the fake filesystem, future reports will track whether attackers attempt to use captured credentials.
Community Defense
7 IPs reported to AbuseIPDB. New reporting infrastructure ensures all future trap interactions are shared with all four threat intelligence platforms simultaneously.
This analysis was generated for the Raspberry Pi 5 honeypot lab in Barcelona, Spain. View the raw data report for complete metrics.