# We Found 5 Threat Actors Hiding in Our Hall of Shame (And Show You How to Find Yours)

  • Writer: Patrick Duggan
  • Nov 2, 2025
  • 7 min read


**TL;DR:** We analyzed 305 blocked IPs from our Hall of Shame and identified 5 high-confidence threat actors (not just random scanners). One operator controls 14 IPs with 100% abuse scores and 21,672 reports. Here's how we found them, and how you can do the same with your logs.




## The Problem with Traditional Threat Intel



**Most threat intel feeds give you this:**

- IP: 93.123.109.214

- Country: Netherlands

- ISP: TECHOFF_SRV_LIMITED

- Abuse Score: 100%

- **That's it.**


**What they DON'T tell you:**

- Is this one attacker or many?

- Are there 13 other IPs from the same operator?

- What's the pattern that connects them?

- How do you find the REST of their infrastructure?


We had 305 blocked IPs in our Hall of Shame. It looked like random noise, until we looked for **patterns instead of IPs**.




## What We Found: 5 Threat Actors



### Threat Actor #1: TECHOFF Operator (CRITICAL)



**Profile:**

- **14 IPs** controlled by one operator

- **100% abuse score** (perfect malicious score across all IPs)

- **21,672 total reports** (professional volume)

- **97 VirusTotal detections**

- **Geographic spread:** Netherlands (13 IPs), Romania (1 IP)

- **MITRE ATT&CK:** T1071 (Application Layer Protocol)


**Top IPs:**

- 93.123.109.214 (10,462 reports)

- 195.178.110.201 (3,404 reports)

- 93.123.109.7 (2,986 reports)


**How we identified them:**

1. Same ISP (TECHOFF_SRV_LIMITED) across multiple IPs

2. **100% abuse score on ALL IPs** (extremely rare - only 14 IPs in our dataset)

3. High report volume (average 1,548 reports per IP)

4. Zero legitimate traffic (bulletproof hosting infrastructure)


**Assessment:** Professional bulletproof hosting provider. Zero legitimate customers. Infrastructure-as-a-service for criminals. This is NOT random scanning - this is **commercial crime infrastructure**.


**Recommended Action:** Block the entire TECHOFF ASN. Not just these 14 IPs - they likely control hundreds more.




### Threat Actor #2: LeakIX Scanner Network (HIGH)



**Profile:**

- **17 IPs** in coordinated scanning operation

- **Geographic diversity:** Germany (7), Netherlands (4), Singapore (3), US (1), India (1), Canada (1)

- **72.6% average abuse score**

- **6,068 total reports**

- **79 VirusTotal detections**

- **Distinctive pattern:** All IPs resolve to "scan.leakix.org" in reverse DNS


**ISP Distribution:**

- DigitalOcean (primary infrastructure)

- Hetzner Online GmbH (backup infrastructure)

- Linode (tertiary infrastructure)


**Top IPs:**

- 164.90.228.79 (959 reports)

- 164.90.208.56 (945 reports)

- 138.68.86.32 (922 reports)


**How we identified them:**

1. **Reverse DNS pattern:** All resolve to "scan.leakix.org"

2. Geographic diversity across 6 countries (evasion tactic)

3. Consistent ISP preference (DigitalOcean, Hetzner, Linode - cheap VPS providers)

4. Similar abuse scores (65-85% range)


**Assessment:** This is LeakIX, a public "security research" project that scans the entire internet for vulnerabilities. Depending on your threat model, this could be legitimate research OR reconnaissance for threat actors.


**Our stance:** If you're scanning our infrastructure without permission, you're an asshole. Blocked.


**Recommended Action:** Block all IPs with "scan.leakix.org" in reverse DNS. Monitor DigitalOcean droplets for similar scanning patterns.




### Threat Actor #3: French BulletProof (FBW NETWORKS) (HIGH)



**Profile:**

- **4 IPs** in concentrated French operation

- **100% abuse score** on all IPs

- **4,735 total reports**

- **28 VirusTotal detections**

- **All IPs in 185.177.72.0/24 subnet** (same /24!)


**IPs:**

- 185.177.72.23 (1,622 reports)

- 185.177.72.30 (1,610 reports)

- 185.177.72.8 (769 reports)

- 185.177.72.25 (734 reports)


**How we identified them:**

1. Same /24 subnet (185.177.72.0/24)

2. 100% abuse scores (no false positives)

3. All from FBW NETWORKS SAS (French hosting provider)

4. High VT detection correlation (28 total)


**Assessment:** Small but highly malicious French bulletproof hosting operation. The /24 subnet clustering suggests the operator **owns or rents the entire block**. This is professional infrastructure, not amateur hour.


**Recommended Action:** Block the entire 185.177.72.0/24 subnet. Consider blocking FBW NETWORKS SAS ASN.




### Threat Actor #4: AWS Abuser (MEDIUM-HIGH)



**Profile:**

- **14+ IPs** across AWS infrastructure

- **Primary regions:** US (11 IPs), Singapore (1), Japan (1), Canada (1)

- **57-59% average abuse score** (lower than others - more sophisticated)

- **829 total reports** (moderate volume)

- **Only 3 total VT detections** (extremely low - custom tooling or compromised accounts)

- **MITRE ATT&CK:** T1071, T1102 (Application Layer Protocol, Web Service abuse)


**How we identified them:**

1. Same ISP pattern (Amazon.com, AMAZON-02, Amazon Data Services)

2. **Low VirusTotal detections despite abuse** (sophisticated evasion)

3. Similar abuse score range (57-59%) across multiple IPs

4. MITRE T1102 (Web Service) suggests AWS service abuse


**Assessment:** This actor is MORE sophisticated than the others. Low VT detection + AWS infrastructure + moderate abuse scores = **either custom tooling OR compromised AWS accounts**. The geographic spread (US, SG, JP, CA) suggests they're using AWS regions strategically.


**Recommended Action:** Enhanced monitoring of AWS IPs. Consider IP reputation scoring beyond simple abuse scores. Report to AWS abuse team (good luck with that).




### Threat Actor #5: 1337 Services Operator (HIGH)



**Profile:**

- **3 IPs** in small but deadly operation

- **100% abuse score** on all IPs

- **952 total reports**

- **9 VirusTotal detections**

- **Cross-border:** Netherlands (2 IPs), Poland (1 IP)


**IPs:**

- 45.148.10.246 (410 reports)

- 45.148.10.159 (297 reports)

- 45.138.16.117 (245 reports)


**How we identified them:**

1. Same ISP (1337 Services GmbH)

2. 100% abuse scores

3. **Cross-border infrastructure** (NL + PL coordination)

4. ISP name is intentionally edgy ("1337" = "leet" = hacker culture reference)


**Assessment:** Small operation with international coordination. The ISP name "1337 Services" suggests they know EXACTLY what their customers are doing. This is intentional bulletproof hosting.


**Recommended Action:** Block 1337 Services GmbH ASN. They're not hiding what they are.




## How We Found Them: The Pattern Detection Methodology



**Step 1: Cluster by ISP**

- Query all blocked IPs

- Group by ISP/hosting provider

- **Pattern:** Same ISP with 3+ IPs = potential actor-controlled infrastructure


**Step 2: Abuse Score Correlation**

- Calculate average abuse score per ISP cluster

- **Pattern:** 75%+ average abuse across 3+ IPs = high confidence actor


**Step 3: Geographic Analysis**

- Map IPs to countries/regions

- **Pattern:** Cross-border coordination = sophisticated operation


**Step 4: VirusTotal Clustering**

- Sum VT detections per ISP cluster

- **Pattern:** 2+ IPs with 5+ VT detections each = malware infrastructure


**Step 5: MITRE ATT&CK Correlation**

- Map detected techniques to IPs

- **Pattern:** Same technique across multiple IPs = same actor tooling


**Step 6: Subnet Analysis**

- Check for /24 or /16 clustering

- **Pattern:** Multiple IPs in same subnet = operator controls the block


**Step 7: Temporal Analysis** (not used this time)

- Check attack timestamps for clustering

- **Pattern:** Coordinated attacks within hours = orchestrated campaign




## The Math on Threat Actors vs Random Scanners



**Dataset Stats:**

- **Total blocked IPs:** 305

- **Unique ISPs:** 55

- **Threat actor-controlled IPs:** 52 (17.0%)

- **Random scanners/noise:** 253 (83.0%)


**Key Insight:** Only **17% of our blocked IPs** belong to actual threat actors. The other **83% is noise** (random scanners, misconfigurations, bots).


**Why this matters:**

- If you're blocking IPs one-by-one, you're missing 83% of the infrastructure

- If you block by ISP/ASN, you catch the OTHER 14 IPs the actor controls

- **Pattern detection is 6× more effective than IP-by-IP blocking**




## How to Find Threat Actors in YOUR Logs



**You need:**

1. Firewall/WAF logs (Cloudflare, Palo Alto, whatever)

2. Threat intel enrichment (AbuseIPDB, VirusTotal, etc.)

3. A way to query logs by ISP/ASN (WHOIS data)

4. Basic clustering logic (SQL/Python/whatever)


**The query (pseudocode):**




**What to look for:**

- **3+ IPs from same ISP with 75%+ abuse = HIGH confidence actor**

- **100% abuse across multiple IPs = CRITICAL confidence (commercial infrastructure)**

- **Same /24 subnet = Actor controls the block**

- **Cross-border coordination = Sophisticated operation**

- **Low VT detection despite abuse = Custom tooling or compromised accounts**
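
The thresholds above, together with the ISP, abuse-score, geography, VirusTotal and /24 steps of the methodology, as an added Python example (not the author's query or the whitepaper's SQL). It runs over a constructed set of records in documentation IP ranges; the MEDIUM tier for 50-75% abuse and the under-5 total cutoff for "low VT despite abuse" are assumptions, since the page gives no numbers for those.

```python
from collections import defaultdict
from ipaddress import ip_network
# Constructed sample records (not the author's dataset): (ip, ISP, country, abuse %, VT detections)
RECORDS = [
    ("192.0.2.10", "BP-HOST-EXAMPLE", "NL", 100, 12),   # all 100%, same /24, two countries
    ("192.0.2.11", "BP-HOST-EXAMPLE", "NL", 100, 9),
    ("192.0.2.40", "BP-HOST-EXAMPLE", "RO", 100, 7),
    ("198.51.100.5", "CLOUD-EXAMPLE", "US", 58, 1),     # moderate abuse, almost no VT hits
    ("203.0.113.77", "CLOUD-EXAMPLE", "SG", 57, 0),
    ("192.0.2.200", "CLOUD-EXAMPLE", "JP", 59, 2),
    ("203.0.113.20", "NOISE-EXAMPLE", "DE", 20, 0),     # low-score scanners: noise
    ("203.0.113.21", "NOISE-EXAMPLE", "DE", 15, 0),
    ("203.0.113.22", "NOISE-EXAMPLE", "DE", 30, 0),
    ("203.0.113.99", "LONE-EXAMPLE", "FR", 100, 50),    # a single IP is not a cluster
]

def assess_cluster(isp, recs):
    """Apply the thresholds to one ISP cluster; returns None when it is just noise."""
    if len(recs) < 3:                       # Step 1: 3+ IPs from one ISP is the entry bar
        return None
    scores = [r[3] for r in recs]
    avg_abuse = sum(scores) / len(scores)   # Step 2: abuse score correlation
    if all(s == 100 for s in scores):
        confidence = "CRITICAL"             # 100% across multiple IPs: commercial infrastructure
    elif avg_abuse >= 75:
        confidence = "HIGH"                 # 75%+ average across 3+ IPs
    elif avg_abuse >= 50:
        confidence = "MEDIUM"               # assumed tier; the page gives no cutoff for it
    else:
        return None
    flags = []
    if len({ip_network(f"{r[0]}/24", strict=False) for r in recs}) < len(recs):
        flags.append("same /24 subnet")     # Step 6: operator likely controls the block
    if len({r[2] for r in recs}) > 1:
        flags.append("cross-border")        # Step 3: infrastructure spread over countries
    if sum(1 for r in recs if r[4] >= 5) >= 2:
        flags.append("malware infrastructure (VT)")   # Step 4: 2+ IPs with 5+ detections
    vt_total = sum(r[4] for r in recs)
    if vt_total < 5:                        # assumed cutoff for "low VT despite abuse"
        flags.append("low VT despite abuse")
    return {"isp": isp, "ips": len(recs), "avg_abuse": round(avg_abuse, 1),
            "vt_total": vt_total, "confidence": confidence, "flags": flags}

def find_actors(records):
    """Group by ISP, score each cluster, and list the survivors most abusive first."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[rec[1]].append(rec)
    found = (assess_cluster(isp, recs) for isp, recs in clusters.items())
    return sorted((a for a in found if a), key=lambda a: -a["avg_abuse"])
```

Swap `RECORDS` for rows pulled from your own enriched block list and the same two functions produce the per-ISP verdicts the article walks through by hand.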




## Real-World Impact: What Happens When You Find Them



**Before pattern detection:**

- Block 1 IP from TECHOFF_SRV_LIMITED

- Attacker switches to another of their 13 IPs

- Repeat 13 more times (cat and mouse game)


**After pattern detection:**

- Identify TECHOFF operator controls 14 IPs

- Block entire TECHOFF ASN

- **All 14 IPs (and future IPs) blocked simultaneously**

- Attacker has to find new infrastructure (expensive and time-consuming)


**ROI:**

- **Manual blocking:** 14 incidents, 14 blocks, attacker survives

- **Pattern blocking:** 1 incident, 1 ASN block, attacker infrastructure destroyed

- **Efficiency gain:** 14× improvement




## Why We're Publishing This



**Traditional threat intel companies:** "Here are 14 IOCs. That'll be $25,000/year."


**DugganUSA:** "Here are 5 threat actors, 52 IPs, attribution methodology, and pattern detection techniques. Free. Forever."


**Why?**

1. **Threat actors don't care if you know their ISPs** - they're already bulletproof hosting

2. **Hoarding attribution methods helps attackers** - defenders need this more than we need secrecy

3. **Publishing patterns PROVES our defenses work** - if we can find 5 actors in 305 IPs, our automation is elite


**The competitive moat:**

- Competitors charge $25K-65K/year for IOCs we publish for free

- We publish actor-level attribution, not just IPs

- We show the methodology, not just the results

- **You can replicate this with your own logs - we WANT you to**




## Next Steps



**For security teams:**

1. Run this analysis on your firewall logs

2. Find YOUR threat actors (you have them, trust me)

3. Block by ISP/ASN, not by IP

4. Share your findings publicly (help the planet)


**For threat actors:**

1. TECHOFF operator: We see all 14 of your IPs

2. LeakIX: We see your 17 scanning nodes

3. FBW NETWORKS: We see your /24

4. AWS abuser: We see your regions

5. 1337 Services: We see your edgy ISP name

6. **You're not as hidden as you think**


**For the planet:**

- Subscribe to our Hall of Shame feed (free)

- Use our methodology in your SOC

- Stop paying $25K-65K/year for IOCs

- **Build pattern detection into your automation**




## The Whitepaper



Want the full technical analysis? We published a whitepaper:


**"Threat Actor Attribution at Scale: Pattern Detection in 305 Blocked IPs"**


Available at: security.dugganusa.com/whitepapers


Includes:

- Complete methodology with SQL queries

- Statistical analysis of all 305 IPs

- Case studies for each threat actor

- Subnet clustering algorithms

- MITRE ATT&CK correlation techniques

- ASN-level blocking recommendations


**Cost:** $0 (because hoarding threat intel is bullshit)




## The Punchline



**We found 5 threat actors hiding in 305 blocked IPs.**


**You have threat actors hiding in YOUR logs right now.**


**Stop blocking IPs one-by-one. Start finding patterns.**


**And when you find them, publish the results. The planet needs it more than your competitor needs the secrecy.**





*This analysis is based on 305 blocked IPs in our Hall of Shame, enriched with AbuseIPDB and VirusTotal data. Every claim is backed by evidence in our BlockedAssholes Azure Table. Come at us with facts, not feelings.*




**P.S.** - TECHOFF operator, if you're reading this: We see you. All 14 IPs. The 21,672 reports. The 100% abuse scores. You're not clever. You're just loud.


**P.P.S.** - To security teams: This methodology took us 10 minutes to run. If you're paying $25K/year for threat intel and NOT doing this analysis, you're getting robbed.


**P.P.P.S.** - Full dataset and analysis code available at security.dugganusa.com/whitepapers. Use it. Improve it. Share your findings. Help the planet.

