depth 3,800m // sensor active

Something is always out there.

A honeypot sitting quietly in the dark. No announcements. No inbound links. The scanners find it anyway — drawn to any open port like creatures to a light at the bottom of the sea. This is what they do when they think no one is watching.

865 sessions (day one)
55 unique IPs (external)
805 login attempts (credential spray)
176 commands run (in captured shell)

What they do when they get in.

Cowrie grants every attacker a convincing shell. What follows is a reliable playbook: enumerate the host, check for miners, drop a payload, disappear. Sometimes they're hunting Solana nodes. Sometimes Telegram sessions. Always automated.

honeypot-pi // cowrie  ● live
15:22:44  116.99.x.x   COMMAND    ls -la ~/.local/share/TelegramDesktop/tdata ...
15:12:09  27.79.x.x    AUTH FAIL  operator / operator
15:04:37  165.154.x.x  COMMAND    chmod +x ./.3264.../xinetd; nohup ... &
15:04:35  165.154.x.x  COMMAND    ps | grep '[Mm]iner'
15:04:34  165.154.x.x  COMMAND    cat /proc/cpuinfo
15:04:33  165.154.x.x  COMMAND    uname -s -v -n -r -m
15:04:31  165.154.x.x  AUTH OK    root / 123456
Full event stream available in the live feed →

A trap in the dark.

A Raspberry Pi 4 running Cowrie, exposed on a non-standard port with no credentials worth stealing. Events stream from the Pi to bathysphere.tech, updating the feed in near real-time.

01  Raspberry Pi 4 // Cowrie SSH honeypot
A low-interaction SSH/Telnet honeypot that presents a convincing shell. Logs every keystroke, credential attempt, and uploaded file in structured JSON. Running on port 2222, visible to the open internet.

02  Log pusher // tail → Worker
A lightweight script on the Pi tails cowrie.json and POSTs new events to a Cloudflare Worker endpoint every 30 seconds. Events are validated, enriched, and written to KV storage.

03  Cloudflare Workers + KV
An ingest Worker authenticates and stores events. A read Worker serves the latest N events as JSON. No origin server — everything runs at the edge. KV retention keeps a rolling window of the last 10,000 events.

04  Cloudflare Pages // this site
The feed dashboard polls the read Worker every 30 seconds and appends new rows. No WebSockets needed — simple polling is plenty for this data rate. Deployed via wrangler pages deploy on git push.
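
How the step from raw cowrie.json lines to feed rows (steps 02 and 03) could look, as an added example that is not the site's own code: it maps Cowrie's JSON event ids to the feed's labels, masks source IPs the way the feed displays them, and derives the headline counters. The function names, the fallback for non-IPv4 addresses, the counting rules, and the sample log lines are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Cowrie event ids mapped to the labels shown in the feed.
LABELS = {"cowrie.login.success": "AUTH OK", "cowrie.login.failed": "AUTH FAIL",
          "cowrie.command.input": "COMMAND"}

def mask_ip(ip):
    """Keep the first two IPv4 octets, matching the feed's 116.99.x.x style."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) < 256 for p in parts):
        return "x.x.x.x"  # assumption: anything that is not plain IPv4 is fully masked
    return f"{parts[0]}.{parts[1]}.x.x"

def to_feed(lines):
    """Turn raw cowrie.json lines into feed rows plus the headline counters."""
    rows, stats, ips, sessions = [], Counter(), set(), set()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            ev = None  # a tailed file can end on a half-written line
        if not isinstance(ev, dict) or not isinstance(ev.get("src_ip"), str) or "eventid" not in ev:
            stats["rejected"] += 1
            continue
        ips.add(ev["src_ip"])  # counted before masking, never copied into a row
        sessions.add(str(ev.get("session", "")))
        label = LABELS.get(str(ev["eventid"]))
        if label is None:
            continue  # connect/close events count as sessions but are not feed rows
        if label == "COMMAND":
            detail, key = ev.get("input", ""), "commands"
        else:  # assumption: successes and failures both count as login attempts
            detail, key = f"{ev.get('username', '')} / {ev.get('password', '')}", "login_attempts"
        stats[key] += 1
        rows.append({"time": str(ev.get("timestamp", ""))[11:19], "ip": mask_ip(ev["src_ip"]),
                     "type": label, "detail": detail})
    stats["sessions"], stats["unique_ips"] = len(sessions - {""}), len(ips)
    return rows, dict(stats)

# Constructed sample input: documentation-range IPs, last line cut off mid-write.
SAMPLE = [
    '{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1","timestamp":"2024-01-01T15:04:30.000000Z"}',
    '{"eventid":"cowrie.login.success","src_ip":"203.0.113.7","session":"a1","username":"root","password":"123456","timestamp":"2024-01-01T15:04:31.100000Z"}',
    '{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","session":"a1","input":"uname -s -v -n -r -m","timestamp":"2024-01-01T15:04:33.200000Z"}',
    '{"eventid":"cowrie.login.failed","src_ip":"198.51.100.20","session":"b2","username":"operator","password":"operator","timestamp":"2024-01-01T15:12:09.000000Z"}',
    '{"eventid":"cowrie.command.inp',
]
```

Calling to_feed(SAMPLE) returns three feed rows and the counters; the truncated last line is counted as rejected rather than aborting the batch.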

What's listening.

The honeynet is expanding. Each node exposes a different attack surface. All events flow into the same feed.

SSH / Telnet
Cowrie on a Raspberry Pi 4. Port 2222. The original sensor — collecting since day one.
HTTP // port 80
Apache-based web honeypot. Coming online soon. Watching for scanner fingerprints and payload delivery attempts.
Expanding
SMB, FTP, DNS, and database surfaces are planned across a stack of Pi nodes, all feeding into this feed.

See what's out there.

The feed is live. Events are real. All IPs are anonymized. No accounts, no tracking — just the data.