Critical Threat
IP address 80.94.92.70 is a critical-risk address based in Romania that has generated 895 abuse reports linked to active hacking activity, including unauthorized SSH session establishment on non-standard ports.
Automated honeypot sensors recorded this IP across the AS47890 network (operated by Unmanaged Ltd) between January and March 2026, yielding a threat-level score of 10 out of 10 despite a relatively low ongoing activity frequency rating of 0 out of 10. The 895 total reports with a 74% confidence score reflect sustained automated detection over this three-month window, with all 20 most recent reports categorizing the activity explicitly as hacking. The associated network traffic pattern notably includes Suricata alerts flagging SSH sessions running on unusual ports, a configuration frequently associated with covert tunnel construction or protocol obfuscation to evade standard port-based filtering.
Hacking activity at this scale and classification indicates systematic intrusion-oriented behavior rather than opportunistic scanning. When an external host targets SSH services on non-standard ports, it typically signals attempts to establish persistent tunnels for data exfiltration, pivot into internal networks, or run command-and-control traffic through legitimate-appearing channels. The volume of reports over a compressed timeframe suggests automated tooling persistently probing or maintaining connections, which elevates risk for any exposed service with a similar configuration that is reachable from this address.
Site operators should block 80.94.92.70 at the network perimeter firewall and implement deny-by-default ACLs for Romanian address space where business operations do not require traffic from it. Enabling fail2ban or an equivalent log-analysis tool to auto-ban repeated SSH connection attempts on all ports reduces exposure to credential brute-force and tunnel-setup campaigns. All SSH services should enforce key-based authentication, disable password authentication entirely, and restrict listen addresses to localhost or internal interfaces unless remote access is explicitly required. Ongoing log monitoring for SSH traffic on non-standard ports will help detect any follow-on attempts to reach services through alternative channels.