Blog · 2026-05-28
Three weeks of one Dutch ASN sending 3,861 hits at Anthropic-proxy paths. Port 11434 (Ollama) holding 50-80 distinct source IPs per week since March. A single 45-minute sweep from one IP that lists credential paths for Claude, Codex, Gemini, DeepSeek, DashScope, AWS, Azure, Docker, and shell history.
What stood out
Between May 5 and May 27 a single Dutch ASN (Pfcloud UG, AS51396) sent 3,861 requests at two URL paths on our sensors:
/anthropic/v1/models 2,013 hits
/proxy/anthropic/v1/models 1,848 hits
Both of those paths are the shape that a reverse proxy in front of api.anthropic.com would expose. The scanner does not bother sending a Bearer token because it only cares whether the host responds at all, which is the cheap way to enumerate misconfigured proxies that hold a real Anthropic key and forward anything you send through them. Three source IPs participated, all sitting in the same /20 of Pfcloud's NL allocation, one of them (176.65.148.177) carrying the rDNS anondrop.net. Every single request used the user-agent Mozilla/5.0 (compatible; scanner/1.0). You can pull the cluster up at /asn/51396 and watch it continue.
Ollama at scale
Port 11434 is the loudest AI-flavoured target we see, mostly because the default Ollama install binds to 0.0.0.0 with no auth, and the wordlists have caught up. Over the last 30 days:
| Probe path | Hits | Distinct IPs |
|---|---|---|
| /api/tags | 129 | 31 |
| /api/generate | 13 | 3 |
| /api/ps | 7 | 3 |
| /api/pull | 1 | 1 |
| / (banner check on 11434) | 248 | 120 |
| no path, raw TCP probe on 11434 | 549 | 95 |
/api/tags is the discovery probe and returns the list of models loaded into the server with no authentication required. The one we keep an eye on is /api/pull, which on an open Ollama instance lets any caller ask the server to download an arbitrary model from any registry the server can reach, including a custom GGUF the attacker controls. Only one probe of that path landed in our window, but it is sitting in the wordlist now and the volume on the other endpoints suggests it will get exercised soon.
Weekly distinct source IPs hitting port 11434 over the last 14 weeks:
2026-02-22   5 IPs █
2026-03-01  72     █████████████████████
2026-03-08  85     █████████████████████████
2026-03-15  57     ████████████████
2026-03-22  69     ████████████████████
2026-03-29  57     ████████████████
2026-04-05  54     ███████████████
2026-04-12  69     ████████████████████
2026-04-19  44     █████████████
2026-04-26  52     ███████████████
2026-05-03  60     █████████████████
2026-05-10  67     ███████████████████
2026-05-17  35     ██████████
2026-05-24  27     ████████
Port 11434 went from a handful of probers a week in late February to a steady 50-80 distinct sources per week starting the first week of March 2026, and it has held in that band since. The recent dip in the last two weeks is at least partially an artefact of our snapshot ending mid-week. Either way, the port is now embedded in whatever rotation the broad-spectrum internet scanners are running.
A focused AI-credential sweep
The most interesting single actor in our 90-day window is 183.81.169.236, hosted on Amarutu Technology Ltd (NL). On May 18, between 09:27 and 10:12 UTC, that IP ran a 45-minute coordinated sweep across our sensors using one wordlist that hit every interesting credential-storage convention used by modern AI tooling. The AI-relevant subset of what they tried:
/.claude/settings.json
/.claude/.credentials.json
/.claude/credentials.json
/.claude/config.json
/.claude/settings.local.json
/.claude/history.jsonl
/.claude/claude.md
/.claude.json
/root/.claude/.credentials.json
/root/.claude/claude.md
/root/.claude.json
/.anthropic/api_key
/.anthropic/config.json
/.config/anthropic/config.json
/claude_desktop_config.json
/.codex/auth.json
/.gemini/settings.json
/.deepseek/config.json
/.dashscope/api_key
/.openclaw/openclaw.json
/root/.nerve/.env
/root/.nerve/config.yaml
/root/.openclaw/.env
The coverage there spans Anthropic's first-party tooling (Claude Code, Claude Desktop, the Anthropic SDK conventions), OpenAI's Codex CLI (.codex/auth.json), Google's Gemini CLI (.gemini/settings.json), DeepSeek (.deepseek/config.json), Alibaba's DashScope (.dashscope/api_key), and at least two AI agent frameworks I had to look up (nerve and openclaw).
The same IP, in the same sweep, also went after the rest of the modern development environment:
/root/.aws/credentials
/root/.aws/config
/root/.aws/credentials.backup
/root/.aws/sso/cache/
/.aws/credentials
/.azure/credentials
/.docker/config.json
/docker-compose.yaml
/root/.ssh/id_rsa
/.ssh/known_hosts
/root/.bash_history
/root/.zsh_history
/root/.wallet-env
/credentials.json
/.credentials.json
/.env.development
/actuator/configprops
/instance/app.sqlite
What this tells you is the practical shape of opportunistic credential hunting in 2026. AI-provider API keys now sit in the wordlist alongside AWS, Azure, Docker, SSH, and shell history, treated as equally valuable targets. The shell-history paths are in there because developers routinely paste API keys into one-liner test commands, and those commands persist in ~/.bash_history long after the developer has forgotten about them. The list also tracks the tools developers actually use, which is why Claude Code (released 2024) is already in the rotation by the spring of 2026, alongside the Gemini CLI and OpenAI's Codex CLI. The sample report for that IP, including the full path list and timing, is at /lookup/183.81.169.236.
OpenAI-compatible API reconnaissance
The OpenAI API shape (/v1/chat/completions, /v1/embeddings, /v1/models) has become the default contract for almost every self-hosted LLM stack, including vLLM, LM Studio, LocalAI, LiteLLM, and a long tail of Anthropic-compat shims that re-export the same endpoints under different routes. Scanners have started checking for it directly:
| Path | Hits | Distinct IPs | Distinct ASNs |
|---|---|---|---|
| /v1/models | 306 | 46 | 12 |
| /v1/embeddings | 168 | 9 | 1 |
| /v1/completions | 166 | 9 | 1 |
| /v1/chat/completions | 13 | 3 | 1 |
/v1/models is the discovery probe most self-hosted setups leave unauthenticated, and the response is the loaded model list as plain JSON. The near-identical 166-168 hit counts on /v1/embeddings and /v1/completions coming from the same handful of source IPs is the fingerprint of one or two actors iterating through the canonical OpenAI endpoint list against hosts they have already discovered some other way. The live slice is at /lookup?q=path:/v1/.
Port volume in context
30-day hit counts for AI-related ports alongside the legacy attack ports:
SMB       port 445    146,775 █████████████████████████████████████
RDP       port 3389   128,046 ████████████████████████████████
SSH       port 22      58,590 ██████████████
Telnet    port 23       5,879 ██
LiteLLM   port 5001     4,906 ██
LM Studio port 1234     2,889 █
Ollama    port 11434    1,242 █
Gradio    port 7860       625 █
Streamlit port 8501       415 █
The AI-related ports are running about two orders of magnitude behind the established attack surface, so calling Ollama-on-11434 a top attack vector would be overclaiming. The trajectory matters more than the absolute numbers though, because six months ago none of those AI ports showed any meaningful weekly volume at all, and now Ollama, LM Studio, and LiteLLM are all sitting at hundreds-to-thousands of hits per month from dozens-to-hundreds of distinct sources.
What we are not calling adversarial
A few sources show up in the data that we deliberately do not classify as attackers. Censys, Inc. appears in the org list for port 11434 probes because their commercial reconnaissance scans the same surface, and they get tagged as research in our classifier rather than counted in the adversarial column. The same goes for the ClaudeBot and GPTBot user-agent strings that appear in some URL probes, which are search-and-training crawlers rather than attackers, even though they touch endpoints that overlap with our AI-flavoured targets.
The user-agent ollama-scanner/1.0 is a harder call. Three IPs ran small sweeps totalling 26 requests across the 30-day window, with two of them sitting on Proton AG VPN exits in Switzerland and one on Hetzner Finland. Each IP issued between 4 and 12 hits and then stopped, which reads more like a researcher or a one-off curiosity script than a botnet operation, so we log it in its own category and decline to classify either way until we get more data.
What is not in the data
We did not find URL probes containing literal OPENAI_API_KEY, ANTHROPIC_API_KEY, or similar substring matches as path segments. Two requests for /hf_token.env showed up, and that was the entire population for that variant. The pattern across the dataset is that attackers go after the file paths where credentials are stored on disk (.env, .claude/, .codex/, .aws/, shell history) and let the keys fall out of the resulting files, which is more reliable than fuzzing the keys into URLs directly. We also do not capture full HTTP POST bodies, which means anything that would only show up in a POST payload (prompt injection attempts, jailbreak prompts embedded in request bodies, ML model abuse) would not surface in this dataset and would need a different sensor design to catch.
Run the queries yourself
Everything above came out of a small handful of SQL queries against the public honeypot dataset. The same data is available to anyone who wants to dig further:
- Boolean search: /lookup?q=port:11434 AND NOT tag:scanner returns the live list of Ollama probers minus known research scanners.
- Save the query as an IOC feed: open /feeds, paste the query, mint a token-gated URL your firewall or SIEM can pull on a cron.
- Connect HoneyLabs into Claude, Cursor, or any other MCP client via the MCP endpoint and ask plain-English questions over the data.