Methodology
All the data comes directly from the honeypot.log file generated by our SSH honeypot. Each connection event records the username and password presented by the attacking client. No data has been added or modified.
Top usernames: the Solana ecosystem dominates
The most notable finding in this dataset is the shift away from the traditional attack profile. Generic accounts (root, admin) are still present, but most attempts target nomenclature specific to Solana nodes.
| # | Username | Attempts | % of total | Type |
|---|---|---|---|---|
| 1 | root | 4,447 | 16.9% | Generic |
| 2 | sol | 3,530 | 13.4% | Solana |
| 3 | solana | 2,995 | 11.4% | Solana |
| 4 | ubuntu | 1,654 | 6.3% | Base OS |
| 5 | solv | 1,538 | 5.8% | Solana (Solv Protocol) |
| 6 | trader | 633 | 2.4% | DeFi / crypto |
| 7 | user | 356 | 1.4% | Generic |
| 8 | admin | 324 | 1.2% | Generic |
| 9 | firedancer | 287 | 1.1% | Solana (validator client) |
| 10 | validator | 275 | 1.0% | Solana (node role) |
Terms related to the Solana ecosystem add up to more than 9,000 attempts — 35% of all captured credentials. This confirms that the campaign is specifically aimed at blockchain node infrastructure.
Top passwords: numeric combinations + crypto terms
The passwords follow a dual pattern: positions 1–6 are trivial numeric combinations (weak default passwords or unchanged initial configurations), while positions 7–10 are terms specific to the target ecosystem.
| # | Password | Attempts | Category |
|---|---|---|---|
| 1 | 123456 | 1,711 | Basic numeric |
| 2 | 123 | 1,036 | Basic numeric |
| 3 | 12345678 | 977 | Basic numeric |
| 4 | solana | 927 | Crypto |
| 5 | sol | 844 | Crypto |
| 6 | 1234 | 756 | Basic numeric |
| 7 | node | 557 | Infrastructure |
| 8 | firedancer | 502 | Crypto / Solana |
| 9 | solv | 433 | Crypto |
| 10 | ubuntu | 417 | Base OS |
| 11 | trader | 346 | DeFi |
| 12 | 1234567890 | 303 | Basic numeric |
| 13 | validator | 300 | Crypto / Solana |
| 14 | 1 | 284 | Basic numeric |
| 15 | ethereum | 275 | Crypto |
Implications for defenders
If you run blockchain-related infrastructure — staking nodes, trading servers, DeFi tools — attackers have your nomenclature in their dictionary. Some direct recommendations:
- Disable password authentication in SSH. Use keys only. If an attacker tries 26,000 passwords and your server doesn't accept them, the campaign is harmless.
- Change the SSH port. It's not real security, but it filters out 90% of the automated noise that only scans port 22.
- Monitor failed attempts. An internal honeypot on an administration subnet detects lateral movement before it reaches real systems.
- Don't use the name of the service you protect as a password. firedancer, solana and validator are in every 2026 dictionary.
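To make "monitor failed attempts" concrete, here is an added example (not code from the honeypot or from this page) that classifies failed logins in a production OpenSSH auth log using the username types from the table above and flags sources cycling through Solana-themed names. The sample log lines, the `min_names` threshold and the function names are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Username types copied from the "Type" column of the usernames table.
CATEGORIES = {
    "root": "Generic", "user": "Generic", "admin": "Generic",
    "ubuntu": "Base OS", "trader": "DeFi / crypto",
    "sol": "Solana", "solana": "Solana", "solv": "Solana",
    "firedancer": "Solana", "validator": "Solana",
}

# OpenSSH failure line. The username is attacker-controlled and may contain
# spaces or " from ", so match greedily and anchor on the trailing fields.
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(.*) from (\S+) port \d+ ssh2\s*$")

def summarize(lines):
    """Return (attempts per category, source -> set of Solana-themed usernames)."""
    by_category, solana_by_source = Counter(), defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins, disconnects, other daemons
        user, source = m.group(1).lower(), m.group(2)
        category = CATEGORIES.get(user, "Other")
        by_category[category] += 1
        if category == "Solana":
            solana_by_source[source].add(user)
    return by_category, solana_by_source

def targeted_sources(solana_by_source, min_names=2):
    """Sources that tried at least min_names distinct Solana-themed usernames."""
    return sorted(s for s, n in solana_by_source.items() if len(n) >= min_names)

# Constructed sample lines (documentation IP ranges), not honeypot data.
SAMPLE = """\
Jun 11 03:12:01 host sshd[811]: Failed password for root from 192.0.2.10 port 40112 ssh2
Jun 11 03:12:04 host sshd[813]: Failed password for invalid user sol from 198.51.100.7 port 51220 ssh2
Jun 11 03:12:05 host sshd[814]: Failed password for invalid user solana from 198.51.100.7 port 51222 ssh2
Jun 11 03:12:07 host sshd[815]: Failed password for invalid user firedancer from 198.51.100.7 port 51230 ssh2
Jun 11 03:12:09 host sshd[816]: Failed password for invalid user validator from 203.0.113.5 port 33810 ssh2
Jun 11 03:12:11 host sshd[817]: Failed password for ubuntu from 192.0.2.10 port 40118 ssh2
Jun 11 03:12:12 host sshd[818]: Accepted publickey for ops from 192.0.2.44 port 50022 ssh2
Jun 11 03:12:15 host sshd[819]: Failed password for invalid user trader from 203.0.113.5 port 33822 ssh2
""".splitlines()

if __name__ == "__main__":
    cats, sources = summarize(SAMPLE)
    total = sum(cats.values())
    for name, n in cats.most_common():
        print(f"{name:14} {n:3} {100 * n / total:5.1f}%")
    print("Solana-focused sources:", targeted_sources(sources))
```

A host that runs no Solana software and still sees sources flagged here is being swept by the same dictionary; a validator host that sees them should confirm none of those account names exist with password login enabled.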
Data collected for cybersecurity research purposes. All information comes from unsolicited activity recorded on our own infrastructure.
honeypot CipherSentry · 2026-06-11 to 2026-06-13 · 26,345 credentials