Elevated Risk
IP 209.38.70.156, a DigitalOcean-assigned address originating from the United States, presents a significant threat with a danger score of 8 out of 10 and an 87% confidence rating. This high-risk address has accumulated 6,568 abuse reports from the security community, with recent activity dominated by hacking attempts detected across 20 separate honeypot monitoring systems. The volume of reports and an activity-frequency rating of 8 out of 10 indicate persistent malicious behavior rather than isolated incidents.
The detection timeline spans from September 2025 through June 2026, with the most recent submissions categorizing the activity as hacking-related intrusion attempts. Analysis of honeypot sensor data reveals this address regularly attempts unauthorized access to exposed services, with associated SMTP abuse and evidence of SMBv1 protocol exploitation attempts. The 21 most recent reports show 19 classified as hacking activity, one as email spam, and one indicating the host may itself be compromised and operating as an attack platform without the owner's knowledge. The consistent 20-sensor detection coverage suggests this is not opportunistic scanning but sustained, targeted reconnaissance and exploitation activity.
This IP poses concrete risks to any publicly accessible SSH, Telnet, or web services it encounters. The SMBv1 exploitation signatures detected indicate potential preparation for ransomware or lateral movement within networks, while the SMTP abuse suggests the address may be used for spam distribution or phishing campaigns. Combined with the possibility that this could be an exploited host itself, the IP represents a multifaceted threat vector capable of supporting various attack chains.
Organizations should block 209.38.70.156 at the network perimeter and implement rate-limiting on exposed services to mitigate credential brute-force attempts. Deploying intrusion detection systems and monitoring for SMBv1 traffic can help identify exploitation attempts. Using fail2ban or similar tools to automatically block repeated connection attempts from this address provides additional protection. If this IP contacts your infrastructure, consider alerting your security team to investigate the intent behind the connection attempts and document the activity for threat intelligence purposes.