Severe Risk
IP 91.231.89.169 is a maximum-threat-level address operated by ONYPHE SAS (ASN AS213412) in France, flagged for sustained hacking activity with 171 total reports and a confidence rating of 93 percent across automated honeypot sensors between January and June 2026.
The sheer volume of reports over a six-month window paints a picture of persistent, automated intrusion activity originating from this French-hosted endpoint. All 20 recent threat-category reports specifically attributed the activity to hacking attempts, with every detection sourced from honeypot infrastructure, confirming that this address is running systematic scans or exploit probes rather than generating incidental noise. The activity frequency score of 8 out of 10 reinforces that the behaviour is deliberate and repeated, not a one-off anomaly or misconfiguration. AS213412 is registered to ONYPHE SAS, a France-based network operator, meaning the traffic is not spoofed or relayed through compromised bot nodes but originates from an identifiable, nominally legitimate autonomous system.
Hacking activity encompasses a broad range of intrusion attempts, including exploitation of known vulnerabilities, brute-force authentication attacks, and probing for misconfigured or outdated services exposed to the internet. A threat level of 10/10 signals that the observed behaviour poses a direct and concrete risk to any publicly accessible service; unpatched SSH, RDP, web applications, or administrative interfaces facing this address could be compromised if left unsecured. The pattern of automated honeypot triggering confirms that the source is running reconnaissance or exploit tooling at scale, scanning for entry points across many targets simultaneously.
Site operators should immediately block IP 91.231.89.169 at the network edge or firewall level, and consider implementing geographic or ASN-based ingress restrictions if France-based traffic is not expected. Hardening authentication on any exposed services is critical: enforce strong unique passwords, disable default credentials, and deploy fail2ban or equivalent tools to automatically ban sources generating repeated login failures. Keep all systems patched and run continuous monitoring through intrusion detection systems to surface any connection attempts from this address and identify potential successful breaches. Proactive threat-feeds integration can automate the blocking process and reduce response time for future reports.
US 
UA