Significant Threat
IP 185.224.128.137 is a high-risk address operated by Alsycon B.V. in the Netherlands that has been classified as an exploited host, indicating the server has been compromised and weaponised by threat actors to conduct malicious activity without the owner's knowledge. With a threat level of 8 out of 10 and 2,329 accumulated abuse reports, this address represents a significant risk to any exposed services it targets. The dominant threat classification — Exploited Host — signals that this is not primary attacker infrastructure but rather a victim machine being remotely controlled, meaning the real perpetrator remains hidden behind the compromised system. All recent detections originated from automated honeypot sensors, confirming the address was actively probing or attacking public-facing resources during August 2025.
The detection data reveals a substantial reporting history with 2,329 total abuse reports attributed to this IP, though the recent activity window shows a more concentrated cluster of 20 confirmed exploit detections in the last reporting period. The activity frequency score of 0 out of 10 suggests the hostile behaviour occurs in sporadic bursts rather than as a constant flood, which is typical of botnet-driven or cron-triggered attack campaigns. The moderate confidence score of 59% reflects some uncertainty in the attribution chain, which is common when analysing compromised endpoints rather than origin infrastructure. The address routes through AS49870 operated by Alsycon B.V., a Dutch hosting provider, and the honeypot detections indicate the compromised server has been actively executing malware or exploit activity against scanning and attack targets during August 2025.
An exploited host classification means this IP belongs to an innocent third-party server — likely running outdated software, unpatched services or misconfigured daemons — that has been co-opted into an attacker's arsenal. The system operates as an unwitting proxy, launching exploit attempts, scanning other networks or propagating malware while its legitimate owner remains unaware. For exposed services, this creates a dual threat: the immediate risk of the exploit payload itself and the challenge of distinguishing genuine attack traffic from a hijacked victim's reconnaissance. The Dutch routing and moderate attribution confidence suggest this could be part of a broader compromised-host network, possibly a regional botnet segment or a stepped attack chain using legitimate Dutch hosting as a staging point.