Severe Risk
IP 176.65.149.224 is a critical-risk address operated by Pfcloud UG under ASN AS51396 in the Netherlands that has generated 4,874 abuse reports from automated honeypot sensors since August 2025, with activity most recently recorded in June 2026. With a threat level of 10 out of 10 and an activity frequency rating of 8 out of 10, this IP represents one of the highest-risk infrastructure nodes currently active in public threat feeds. The volume and consistency of hostile probes emanating from this address over a nearly year-long period indicate sustained, automated attack operations rather than opportunistic scanning.
The detection data reveals 20 distinct automated honeypot sensors flagged this IP across recent reporting periods, generating a confidence score of 91 percent for the associated threat classification. The dominant threat category is general hacking activity, specifically including unauthorized access attempts and intrusion probes. Network telemetry captured by honeypot sensors detected SSH session initiation attempts on non-standard ports, a known technique employed by threat actors to bypass naive firewall rules that only block the default SSH port. The Pfcloud UG network operator has not implemented effective abuse mitigation despite repeated reporting, allowing this infrastructure to maintain its aggressive scanning cadence.
The concrete risk posed by IP 176.65.149.224 is that any internet-facing service accepting SSH connections, particularly those on non-standard ports, faces repeated automated credential-guessing and vulnerability-probing attempts. Such activity increases the risk of unauthorized access, lateral movement, data exfiltration, and compromise of credential stores. The sustained nature of these reports confirms this is not isolated noise but an active, persistent threat actor using this Netherlands-hosted infrastructure for systematic intrusion attempts.
Network defenders should block 176.65.149.224 at the firewall level and monitor for any successful authentication originating from this address. Implement fail2ban or a similar dynamic blocking tool to automatically ban IPs exhibiting brute-force patterns. Enforce key-based authentication for SSH, disable password authentication entirely, and ensure all SSH services run on standard ports unless protected by a VPN or IP allowlisting. Regularly reviewing authentication logs for repeated failed logins from this IP, and for any accepted login that follows them, helps identify a compromise before it escalates.
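As an added example, not part of this report, the following Python script implements the log-review step above: it parses sshd log lines, counts failed password attempts per source address, lists the usernames tried, and raises an alert on any successful login from a watchlisted address such as 176.65.149.224 or on any password-based login where key-only authentication is expected. The sample log lines, the brute-force threshold and the watchlist are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines for illustration; not data from the report.
SAMPLE_LOG = """\
Jun 12 03:14:01 bastion sshd[2210]: Failed password for invalid user admin from 176.65.149.224 port 51234 ssh2
Jun 12 03:14:03 bastion sshd[2210]: Failed password for invalid user admin from 176.65.149.224 port 51234 ssh2
Jun 12 03:14:05 bastion sshd[2213]: Failed password for root from 176.65.149.224 port 51240 ssh2
Jun 12 03:14:07 bastion sshd[2215]: Invalid user oracle from 176.65.149.224 port 51251
Jun 12 03:14:09 bastion sshd[2215]: Failed password for invalid user oracle from 176.65.149.224 port 51251 ssh2
Jun 12 03:14:11 bastion sshd[2218]: Failed password for invalid user test from 176.65.149.224 port 51260 ssh2
Jun 12 03:20:00 bastion sshd[2301]: Accepted publickey for deploy from 10.0.0.5 port 40022 ssh2: ED25519 SHA256:abc
Jun 12 03:21:00 bastion sshd[2305]: Failed password for deploy from 10.0.0.5 port 40030 ssh2
Jun 12 03:25:00 bastion sshd[2310]: Accepted password for root from 176.65.149.224 port 51300 ssh2
"""

# Standard OpenSSH message shapes for failed and accepted authentication.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3}) port (\d+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\d+(?:\.\d+){3}) port (\d+)")

def analyze(log_text, watchlist, threshold=5):
    """Summarise failed logins per source IP and flag risky accepted logins."""
    failures = Counter()            # source IP -> number of failed password attempts
    users = defaultdict(set)        # source IP -> usernames attempted
    alerts = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip, _port = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip, _port = m.groups()
            if ip in watchlist:
                alerts.append(f"CRITICAL: {method} login as {user} accepted from watchlisted {ip}")
            elif method == "password":
                alerts.append(f"WARN: password login as {user} from {ip}; key-only auth expected")
    # Brute-force candidates: over the threshold, or any failures from a watchlisted IP.
    brute_force = {ip: n for ip, n in failures.items() if n >= threshold or ip in watchlist}
    return {"failures": dict(failures), "users": {ip: sorted(u) for ip, u in users.items()},
            "brute_force": brute_force, "alerts": alerts}

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, watchlist={"176.65.149.224"})
    for ip, n in result["brute_force"].items():
        print(f"{ip}: {n} failed logins, users tried: {result['users'][ip]}")
    for alert in result["alerts"]:
        print(alert)
```

On a live host, feed it `journalctl -u ssh --no-pager` output or `/var/log/auth.log` instead of `SAMPLE_LOG`; a CRITICAL alert means the block at the firewall came too late and the host needs an incident-response review.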