Independent Threat Intelligence

FDC Threat Intelligence

We investigate the infrastructure behind cybercrime and state-sponsored operations: bulletproof hosting supply chains, phishing campaigns, malware delivery networks. All findings are based on publicly available data and original research.

288 ASNs analyzed
4 honeypot regions
3,600+ malware samples
16 published reports

Active Projects

Bulletproof Hosting Ecosystem
Mapping the full supply chain of abuse-tolerant hosting: from IP allocation through BGP transit to ransomware C2, state-sponsored APTs, and disinformation. 21 operator profiles, 10 interactive network graphs, 7 jurisdictions.
Status: active, invite-only · 288 ASNs · 21 operators · since Jan 2026
PROSPERO AS200593 Investigation
Deep dive into a single bulletproof-hosting autonomous system: 262 IPs across 3 prefixes, Metasploit C2, dropper distribution, RDP farms, and connections to sanctioned infrastructure. Interactive graphs and full host analysis.
Status: active, public · 262 IPs · 3 prefixes · since Mar 2026
Honeypot Network
Multi-region sensor network (DE, US, RU, PL) capturing SSH brute-force, Docker API exploitation, SMB attacks, fake Ollama/Kubelet services. Automated malware collection via S3, sandbox analysis, and Loki-based monitoring.
Status: active · 4 regions · automated S3 collection · 3,600+ samples
Incident Response & Reporting
TLP:CLEAR reports on phishing campaigns targeting civil society, human rights organizations, and diaspora communities. Bilingual (EN/RU) PDF reports with IOCs and MITRE ATT&CK mapping.
Status: reports · TLP:CLEAR

Capabilities

Infrastructure Analysis: RIPE DB, BGP routing, corporate registries, Shodan, Censys, passive DNS
Malware Analysis: isolated sandbox, ClamAV, YARA rules, MalwareBazaar, automated S3 pipeline
Phishing Detection: header analysis, URL extraction, domain intelligence, certificate monitoring
Honeypot Operations: Cowrie, Dionaea, PyRDP, Docker/Kubelet/Ollama traps, multi-region deployment
Threat Reporting: bilingual reports (EN/RU), MITRE ATT&CK, IOC tables, TLP classification
Monitoring: Grafana + Loki + VictoriaMetrics, real-time alerts, Censys/crt.sh tracking

Honeypot Telemetry — April 2026

Aggregate activity across the multi-region honeypot network. Figures are anonymised totals from the monthly TLP:CLEAR report — no individual sensor identifiers, addresses, or locations are disclosed.

578,657 SSH login attempts
654 malware samples
236K+ SIP / VoIP scans
54,032 AI-API abuse requests

Attack volume by category:
SSH brute-force: 578,657
SIP / VoIP scanning: 236,000
Ollama API abuse: 54,032
Solana-validator SSH: 37,000+

Top source networks (attack-correlated hits):
DigitalOcean: 1,835
OVH: 436
Amazon AWS: 430

Notable: 884 WannaCry-matching PE32 binaries, a Panchan Go SSH worm using Discord as secondary C2, and 3,383 TLS sessions to api[.]telegram[.]org (Telegram Bot API as malware C2). Full analysis — April 2026 Monthly Report.

Public Reports

TLP:CLEAR incident reports and threat analysis, available in English and Russian.

Contact

For collaboration, responsible disclosure, abuse reporting, or access to restricted research materials:

infra.observer@proton.me

Aleksei Fokin — Threat Intelligence Analyst