Maximum Danger
IP 152.32.191.98 is a critical-risk address originating from Hong Kong that has been consistently linked to widespread hacking activity, accumulating 830 abuse reports across automated honeypot sensors over a six-month observation window from December 2025 through May 2026.
The address, registered to network operator ZEN-DPS under autonomous system AS62610, presents a maximum threat level of 10 out of 10, though the associated confidence score of 70 percent indicates that attribution and certainty about the full scope of malicious activity carry some uncertainty. The 830 total reports represent a substantial volume of community-sourced and sensor-detected abuse data, while the activity frequency rating of 3 out of 10 suggests that the hostile connections are not constant but occur in periodic bursts or campaigns. All 20 of the most recent threat-category reports classify the activity under the broad "Hacking" designation, and the honeypot infrastructure captured both raw attack connections and a Suricata detection event indicating protocol-only communication attempts from a single direction, a pattern commonly associated with reconnaissance scanning and service enumeration.
The dominant "Hacking" classification encompasses the full spectrum of intrusion activity, from vulnerability probing and exploit delivery attempts to credential-based access campaigns and unauthorized penetration testing against exposed services. The Suricata alert referencing one-directional application protocol detection aligns with this profile, describing a scenario where a remote host initiates contact without completing a proper protocol handshake, a hallmark of automated scanning tools that catalog available services before launching more targeted attacks. For a system operator whose services sit directly exposed to the internet, each such probe represents a potential entry point if a vulnerable version of software, an unpatched flaw, or a weak authentication mechanism happens to be present.
Organizations should treat this IP address as a confirmed hostile source and block it at the network edge, ideally using automated dynamic blocklists that respond to abuse report feeds. Beyond simple blocking, implementing fail2ban or equivalent log-analysis tools that detect repeated connection patterns and temporarily ban offending addresses can reduce the effectiveness of automated scanning campaigns. Enforcing strong, unique credentials across all externally accessible services, enabling multi-factor authentication wherever feasible, and maintaining rigorous patch management schedules will eliminate the most commonly exploited entry points that such probes seek to discover. Continuous monitoring of authentication logs for brute-force patterns and unexpected enumeration activity from unknown sources provides the earliest possible warning if this or adjacent hostile addresses successfully identify a weak spot.
FR 
PE 
CH 
GB 
PH