Extreme Threat
IP 80.94.92.67 is a critical-risk address associated with persistent hacking activity targeting SSH services, with 1569 abuse reports filed against this Romanian IP since January 2026.
Data gathered from 20 automated honeypot sensors shows that 80.94.92.67, registered in Romania and operated by Unmanaged Ltd under ASN AS47890, has been actively involved in malicious activity across a five-month window from January through May 2026. The volume of community and sensor reports indicates sustained, automated threat behavior rather than opportunistic or isolated probes. Detection systems captured connection attempts and specific Suricata alerts flagging SSH sessions on unusual ports, suggesting the address is engaged in systematic reconnaissance and intrusion attempts against exposed SSH endpoints. The combination of high report volume and the unmanaged nature of the network operator contributes to an elevated confidence score of 78% regarding the malicious intent of this IP.
The dominant threat category associated with 80.94.92.67 is general hacking activity, with particular emphasis on SSH-based intrusion vectors. This pattern of targeting SSH services on non-standard ports suggests the operator may be attempting to evade basic detection by bypassing common port-based firewall rules. The real-world risk includes credential brute-forcing, exploitation of unpatched SSH implementations, and use as a staging point for further network compromise. Organizations with internet-facing SSH services face direct exposure to automated attacks originating from this address.
Site operators should implement immediate defensive measures, including blocking 80.94.92.67 at the firewall or network edge to eliminate all inbound communication. Deploying automated threat-response tools such as fail2ban can detect and neutralize repeated connection attempts in real time. SSH hardening through key-based authentication, disabling password authentication entirely, and restricting listen interfaces to internal networks significantly reduces the attack surface. Continuous network monitoring and periodic review of access logs will help identify and block similar scanning patterns from other high-risk sources.