Maximum Danger
IP 64.62.156.222, registered to Hurricane Electric (AS6939) in the United States, presents a critical threat with a 10/10 threat level and 595 abuse reports from automated honeypot sensors between August 2025 and June 2026. This address demonstrates persistent malicious activity with an 8/10 frequency rating and an 86% confidence score, making it a high-risk source that security teams should immediately block or tightly restrict at network perimeters.
The detection data reveals 595 reports generated across 20 automated honeypot sensors. The dominant threat category is general hacking activity (17 recent reports), complemented by IoT-targeted attacks (2 reports), port scanning (1 report), and exploited host activity (1 report). The captured traffic patterns include connection attempts against IoT and industrial control systems, reconnaissance activity carrying the characteristic Zmap user-agent signature, and general malware or exploit propagation attempts. Hurricane Electric's AS6939 is a major US backbone provider whose IP space is frequently abused by threat actors because its reputation and geographic reach let malicious traffic appear to originate from a legitimate US-based source.
The concentration of hacking activity combined with IoT targeting and port scanning suggests this IP belongs to an automated attack infrastructure scanning for vulnerable connected devices, exposed industrial systems, and exploitable services. The presence of exploited host indicators means the address may already be leveraged for delivering payloads or maintaining persistent access to compromised endpoints. Port scanning activity, specifically techniques associated with mass-scanning toolchains like Zmap, indicates systematic reconnaissance aimed at identifying new targets before launching exploitation attempts. Organizations running exposed SSH, Telnet, or other remote management interfaces face elevated risk from this type of automated scanning infrastructure.
Network administrators should immediately block ingress connections from 64.62.156.222 at firewall and border gateway devices, deploy fail2ban or an equivalent connection-throttling mechanism to mitigate brute-force attempts, and enforce multi-factor authentication on all externally accessible management interfaces. IoT and ICS environments should be isolated from general network segments with strict firewall rules, default credentials must be changed on all networked devices, and UPnP should be disabled so that devices cannot automatically open inbound ports that expose them to external scans. Continuous monitoring of authentication logs and network flow data will help identify any successful compromise attempts originating from similar threat infrastructure.