Field reports

Deceptive Engagements

Captured attacker engagements against the deception fleet. Full forensic transcripts: every count sourced, every request and response confirmed against the sensor that served them. Honeypot personas redacted to preserve operational value.

TLP:CLEARobserved 2026-05-07subject 83.21.55.65
Cross-Service Credential Replay: Operator Targets Hypervisor Using Harvested LLM Endpoint Secrets
A single IP harvested strings from an LLM emulator's responses (`.env`, model list, MCP manifest) and replayed them as Proxmox credentials, chat-completions parameters, and MCP tool-call names against the same host — a token-reuse feedback loop, not blind brute-force. 22 of 24 credential pairs are byte-for-byte traceable to served response bodies.
AS5617, Orange Polska Spółka Akcyjna · Gdańsk, Poland · Residential broadband. ISP space is consistent with end-customer use; can also host or proxy traffic from elsewhere.

Cross-Service Credential Replay: Operator Targets Hypervisor Using Harvested LLM Endpoint Secrets