Maximum Danger
IP 91.224.92.156 is a critical-risk address assessed at threat level 10/10. It has been linked to sustained, high-volume hacking activity originating from infrastructure associated with UAB Host Baltic on the AS209605 autonomous system, with 592 independent abuse reports filed through automated honeypot sensors over approximately two months. The IP earned a confidence score of 94% based on consistent patterns of malicious connection attempts observed across multiple detection points, and its activity frequency rating of 8/10 indicates near-continuous offensive operations against exposed network endpoints during the December 2025 through January 2026 reporting window.
The geolocation data places this activity in Great Britain; however, the network operator UAB Host Baltic is a Lithuanian entity managing the associated ASN, a common configuration for threat actors who route traffic through jurisdictions chosen for operational convenience rather than legitimate hosting needs. All 592 reports were generated by automated honeypot sensors, meaning the traffic represents direct, instrumented observation of connection attempts rather than anecdotal community complaints, lending statistical weight to the assessment. The exclusively hacking-category classification (20 recent reports) confirms the IP is not involved in lower-severity abuse such as spam or port scanning but is solely engaged in active intrusion attempts targeting vulnerable services.
Hacking activity at this volume and threat level typically involves systematic attempts to exploit unpatched software, guess authentication credentials, or probe for known vulnerabilities across a wide range of exposed services. The persistent nature of the activity observed against honeypot sensors indicates automated tooling designed to cast a wide net across internet-facing infrastructure, and any publicly accessible service that fits this source IP's targeting pattern faces a non-trivial risk of compromise if left unmitigated. The 94% confidence score reflects a well-established behavioral fingerprint consistent with botnet or proxy infrastructure used for credential stuffing, vulnerability scanning, or initial access brokering.
Network defenders should treat this IP as definitively hostile and block all inbound connections from it at the network perimeter; tools such as fail2ban, pfBlockerNG, or standard iptables rules can automate this response. Rate-limiting authentication endpoints and enforcing strong, unique credentials substantially raises the cost of successful intrusion. Continuous monitoring of authentication logs for entries whose source IP matches this address, combined with a patch management cadence that eliminates known vulnerabilities, reduces the window of exploitability. Organizations running publicly accessible services should consider restricting access via IP allowlisting or VPN gateways where feasible to eliminate opportunistic automated attacks entirely.