Severe Risk
IP 104.194.158.80 is a maximum-threat-level address associated with 927 reported incidents of hacking activity, representing a severe risk to any exposed network services. Hosted in Germany on the AS14956 autonomous system operated by ROUTERHOSTING, this IP has accumulated a substantial abuse history despite an activity frequency rated at zero out of ten, suggesting the reported behaviour may be historical rather than currently ongoing.
The detection profile for 104.194.158.80 consists entirely of automated honeypot sensor reports, with 20 distinct hacking-category incidents logged; both the first and last reported dates fall in December 2025. The 79% confidence score reflects strong analytical certainty that the observed activity represents genuine malicious intent rather than misclassification. With a total of 927 aggregate reports attributed to this single address, the volume of hostile probes directed toward honeypot infrastructure is notable and indicates sustained scanning or exploitation attempts over the observed timeframe.
The dominant threat category of hacking encompasses a broad spectrum of intrusion activities, including vulnerability exploitation, credential attacks, and unauthorized access attempts against exposed services. For an organization whose assets are reachable from this IP, the concrete risk includes potential compromise of unpatched software, brute-force attacks against authentication mechanisms, and reconnaissance activity that could precede more targeted exploitation. Even though the current activity frequency appears low, the historical report volume demonstrates that this address has previously conducted significant hostile operations against internet-facing systems.
Site operators should treat IP 104.194.158.80 as hostile and implement defensive controls accordingly. Blocking or rate-limiting traffic from this address at the firewall or load-balancer level provides an immediate barrier against its probing activity. Authentication mechanisms protecting exposed services should be hardened with fail2ban or similar tools that automatically block the sources of repeated login failures, alongside the enforcement of strong, unique credentials and multi-factor authentication where supported. Keeping all internet-facing software current with security patches closes the known vulnerabilities such hacking activity typically attempts to exploit. Continuous monitoring of access logs for any connection attempts originating from this address will help identify whether the threat actor is testing new vectors or attempting to resume operations.