Critical Threat
IP address 66.132.172.170 is flagged as a maximum-threat (10/10) address by automated honeypot sensors, having accumulated 3,116 abuse reports in a concentrated three-month observation window from March through June 2026, with a 94 percent confidence score indicating highly reliable threat attribution. The address is located in the United States and registered to ASN AS398324 under the operator Censys, Inc. Its activity frequency of 8/10 reflects sustained, aggressive engagement against honeypot infrastructure worldwide. The dominant threat category logged across all recent reports is general hacking activity: unauthorized access attempts and intrusion-oriented connection patterns that triggered detection on multiple independent sensors. With 20 distinct automated honeypot sources reporting the same attack-category signature, the volume and consistency of detections establish this IP as a persistent scanning and probing threat despite its registration to a named network operator.
From a threat-intelligence perspective, the sheer volume of reports in a compressed timeframe is the most significant indicator. 3,116 reports from automated honeypot systems over a 90-day period works out to roughly 35 detections per day on average, a cadence that far exceeds incidental scanning and points to either automated vulnerability scanning or systematic reconnaissance. The assignment of the "hacking" category by all 20 reporting sensors indicates consistent matching against known intrusion-attempt signatures rather than ambiguous or borderline behavior. Although the IP belongs to a registered US network operator, the honeypot detection data records these interactions as unauthorized access attempts, so the operator's reputation does not change the technical reality that this address actively probes external systems in ways that trip standard intrusion-detection thresholds.
The real-world risk posed by an address generating this volume of hacking-category reports centers on credential guessing, vulnerability scanning, and foothold establishment against exposed services. Organizations running SSH, RDP, web interfaces, or API endpoints with weak or default credentials face the highest exposure, as automated tools commonly used in such scanning campaigns systematically test authentication vectors at scale. The high activity frequency (8/10) further suggests that defenders who expose management interfaces or unpatched services to the public internet are likely to encounter repeated connection attempts from this address or others operating on similar scanning schedules. Even when individual connection attempts fail, the repeated probing activity constitutes reconnaissance that informs more targeted follow-on operations.