Cautionary Risk
IP 104.199.46.221 is a medium-high risk address operated through Google Cloud Platform infrastructure in Belgium that has been linked to 174 abuse reports over approximately three months, with hacking activity dominating the observed threat categories. The IP carries a threat level of 6 out of 10 and a confidence score of 96 percent, indicating that automated honeypot sensors and community reports have established a reliable pattern of malicious behavior associated with this address. Given its cloud hosting origin and the diversity of attack vectors observed, this IP represents a credible automated threat to exposed web services and network endpoints.
The detection data shows 20 distinct report sources, with 16 originating from automated honeypot sensors and 4 from community submissions. The reported activity spans from December 2025 through February 2026, with an activity frequency rated at 7 out of 10, confirming sustained rather than isolated malicious behavior. While the dominant category is general hacking activity at 13 reports, the IP has also been flagged for bad web bot behavior, exploitation activity, unauthorized WordPress cron execution, IoT targeting, and distributed denial-of-service attempts. Log analysis from affected systems reveals automated scanning patterns targeting web servers at the root URI, malware and exploit probe activity, and unauthorized attempts to trigger WordPress scheduled tasks.
The clustering of hacking activity alongside web bot behavior and exploitation attempts indicates that this address is likely being used to conduct automated reconnaissance and intrusion attempts against web infrastructure. The presence of WordPress cron abuse and IoT-targeted activity suggests the operator is running a multi-vector scanning campaign that probes for vulnerable content management system installations and internet-of-things devices. Because the IP originates from a major cloud provider, the traffic may appear legitimate to basic blocklist filters, making it more likely to reach targeted systems before being flagged. The volume of reports and diversity of attack patterns imply that this is active, professionally operated scanning infrastructure rather than a single opportunistic actor.