Global figures for the period
Types of events logged
| Event type | Count | Description |
|---|---|---|
| connection | 30,211 | SSH authentication attempts |
| command | 22,647 | Commands executed in interactive sessions |
| credential_probe / probe | — | Probes without complete credentials |
SSH clients: mass automation
| SSH client | Connections | % of total |
|---|---|---|
| SSH-2.0-Go (main scanner) | 27,942 | 99.5% |
| PuTTY | 44 | 0.16% |
| OpenSSH | 10 | 0.04% |
| libssh | 10 | 0.04% |
| Others | 71 | 0.25% |
Most frequent commands
The command distribution reveals the main objective of the dominant campaign: GPU hardware reconnaissance.
| # | Command | Executions | % of total |
|---|---|---|---|
| 1 | lspci | 7,065 | 31.2% |
| 2 | uname | 6,954 | 30.7% |
| 3 | nvidia-smi | 4,480 | 19.8% |
| 4 | uptime | 2,356 | 10.4% |
| 5 | echo | 967 | 4.3% |
Sessions without commands: authentication only
5,465 sessions (19.4% of the total) executed no commands at all — they only authenticated and disconnected. These are credential-validation sessions: the scanner tries the username/password pair and, if it fails, moves on to the next. If it succeeds, it saves the valid credentials for a second exploitation phase.
Payloads and download attempts
https://14.46.[REDACTED].77/sh — 1 attempt + 1 download (0 bytes executed)
http://[REDACTED].sh/x — 3 attempts + 3 downloads (0 bytes executed)
All execution attempts were blocked — the payload never ran on the real host.
Sessions with privilege escalation attempts
104 sessions (0.4% of the total) ran the passwd command — attempts to change the root password to establish persistence without installing any binary.
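The session categories used in this report (authentication only, GPU reconnaissance, passwd persistence) can be derived from per-session events, as in this added example, which is not the honeypot's own code. The JSON field names (`type`, `session`, `cmd`), the label names and the sample log lines are assumptions constructed for illustration.

```python
import json
import re
import shlex

# Constructed sample events, one JSON object per line. The field names
# ("type", "session", "cmd") are assumptions, not the honeypot's real schema.
SAMPLE_LOG = """\
{"type": "connection", "session": "s1", "client": "SSH-2.0-Go"}
{"type": "connection", "session": "s2", "client": "SSH-2.0-Go"}
{"type": "command", "session": "s2", "cmd": "uname -a"}
{"type": "command", "session": "s2", "cmd": "lspci | grep -i nvidia"}
{"type": "command", "session": "s2", "cmd": "nvidia-smi"}
{"type": "connection", "session": "s3", "client": "PuTTY"}
{"type": "command", "session": "s3", "cmd": "echo ok; /usr/bin/passwd root"}
truncated or non-JSON line
"""

GPU_RECON = {"lspci", "nvidia-smi"}   # hardware reconnaissance commands
PERSISTENCE = {"passwd"}              # password change for persistence


def binaries(cmdline):
    """Return the program name of every stage in a shell command line."""
    names = set()
    for stage in re.split(r"&&|\|\||[;|]", cmdline):
        try:
            words = shlex.split(stage)
        except ValueError:            # unbalanced quotes: plain split instead
            words = stage.split()
        if words:
            names.add(words[0].rsplit("/", 1)[-1])   # strip any path prefix
    return names


def classify(log_text):
    """Map each session id to the labels that apply to it."""
    sessions = {}                     # session id -> set of binaries run
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                  # skip damaged lines, keep the rest
        if not isinstance(event, dict) or "session" not in event:
            continue
        ran = sessions.setdefault(event["session"], set())
        if event.get("type") == "command":
            ran |= binaries(event.get("cmd") or "")
    labels = {}
    for sid, ran in sessions.items():
        found = [name for name, group in (("gpu_recon", GPU_RECON),
                 ("passwd_persistence", PERSISTENCE)) if ran & group]
        labels[sid] = found or (["other"] if ran else ["auth_only"])
    return labels
```

Matching on the program name of each pipeline stage, rather than on the raw command string, keeps `/usr/bin/passwd` and `echo ok; passwd root` in the same bucket as a bare `passwd`.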
Conclusion
Our honeypot captures a clear picture of the active threat on the internet: a well-organized automated campaign, aimed at blockchain infrastructure, operating with custom Go tooling and specialized dictionaries. The 151 recorded IPs are not independent — they are nodes of a single operation with a division of tasks.
What sets this analysis apart from generic "SSH attacks" statistics: granularity. We don't just know how many attacks there were — we know which credentials they tried, which commands they ran, what hardware they were looking for and how they tried to erase their tracks.
Data collected for cybersecurity research purposes. All information comes from unsolicited activity recorded on our own infrastructure.
honeypot CipherSentry · period: 2026-06-11 — 2026-06-13