Critical Alert
IP 176.65.149.180 is a critical-risk address operated by Pfcloud UG in the Netherlands that has generated 231 abuse reports over approximately seven months of sustained malicious activity, making it one of the highest-threat signatures currently tracked in the database. The address has been assigned a threat level of 10 out of 10 and a confidence score of 91 percent, indicating an exceptionally reliable assessment that it is engaged in deliberate harmful operations against internet-facing systems.
Network telemetry collected from automated honeypot sensors confirms that this address has been actively attacking infrastructure since November 2025, with the most recent reports received in June 2026, demonstrating persistent and continuous engagement in hostile scanning and intrusion activity over an extended period. The 231 total reports represent a substantial volume, while the activity frequency rating of 8 out of 10 confirms that the hostile behavior is not intermittent but represents regular, repeated offensive operations. All 20 recent threat-category reports specifically classify the activity as general hacking, encompassing unauthorized access attempts, vulnerability exploitation, and intrusion activity. The Pfcloud UG network (ASN AS51396) located in the Netherlands has hosted this malicious infrastructure throughout the entire observation window.
The dominant hacking classification for IP 176.65.149.180 indicates that this address is being used for active intrusion operations against exposed services, which may include web servers, SSH, FTP, database interfaces, or other network-accessible applications. The sustained nature of the attacks, combined with the high report volume and frequency, suggests an automated or semi-automated campaign, likely using credential stuffing, brute-force techniques, or exploitation of known vulnerabilities. For any organization running exposed services on the public internet, connection requests from this address pose a direct risk of unauthorized system access, data exfiltration, or compromise of critical infrastructure components.
Organizations operating publicly accessible services should immediately implement blocking or rate-limiting controls for this address at the network perimeter firewall or web application layer. Deploying defensive tools such as fail2ban or equivalent intrusion-prevention systems can automatically detect and respond to the connection-pattern behavior associated with this threat. System administrators should ensure all exposed services are running current security patches, enforce strong multi-factor authentication where feasible, and maintain active logging and monitoring to identify any successful connection attempts. Blocking this address at the edge while hardening authentication controls represents the most effective immediate mitigation strategy against the concrete risks this high-confidence threat actor poses.