26.345
Credentials captured
53
Attacking IPs
3 days
Capture period

Methodology

All the data comes directly from the honeypot.log file generated by our SSH honeypot. Each connection event records the username and password presented by the attacking client. No data has been added or modified.

Privacy note: The published credentials are the ones attackers tried to use against our honeypot. They are not the passwords of real users. They are published as threat intelligence to help security teams harden their password policies.

Top usernames: the Solana ecosystem dominates

The most notable finding in this dataset is the shift away from the traditional attack profile. Generic accounts (root, admin) are still present, but most attempts target nomenclature specific to Solana nodes.

#UsernameAttempts% of totalType
1root4.44716,9%Generic
2sol3.53013,4%Solana
3solana2.99511,4%Solana
4ubuntu1.6546,3%Base OS
5solv1.5385,8%Solana (Solv Protocol)
6trader6332,4%DeFi / crypto
7user3561,4%Generic
8admin3241,2%Generic
9firedancer2871,1%Solana (validator client)
10validator2751,0%Solana (node role)

Terms related to the Solana ecosystem add up to more than 9,000 attempts — 35% of all captured credentials. This confirms that the campaign is specifically aimed at blockchain node infrastructure.

Top passwords: numeric combinations + crypto terms

The passwords follow a dual pattern: positions 1–6 are trivial numeric combinations (weak default passwords or unchanged initial configurations), while positions 7–10 are terms specific to the target ecosystem.

#PasswordAttemptsCategory
11234561.711Basic numeric
21231.036Basic numeric
312345678977Basic numeric
4solana927Crypto
5sol844Crypto
61234756Basic numeric
7node557Infrastructure
8firedancer502Crypto / Solana
9solv433Crypto
10ubuntu417Base OS
11trader346DeFi
121234567890303Basic numeric
13validator300Crypto / Solana
141284Basic numeric
15ethereum275Crypto

Implications for defenders

If you run blockchain-related infrastructure — staking nodes, trading servers, DeFi tools — attackers have your nomenclature in their dictionary. Some direct recommendations:

Data collected for cybersecurity research purposes. All information comes from unsolicited activity recorded on our own infrastructure.

Data source
honeypot CipherSentry · 2026-06-11 to 2026-06-13 · 26,345 credentials
← All articles