Live data from ThreatListPro's global sensor network monitoring VPN brute force, SSH, and web attacks.
Geographic distribution of malicious IPs observed attacking VPN portals across our honeypot network in the past 90 days. Rankings are based on unique source IPs, not total attack volume.
| # | Country | Unique Attacker IPs | Share |
|---|---|---|---|
| 01 | Russia | 387,420 | 18.0% |
| 02 | China | 342,115 | 15.9% |
| 03 | Brazil | 198,640 | 9.2% |
| 04 | India | 176,290 | 8.2% |
| 05 | Indonesia | 148,730 | 6.9% |
| 06 | Vietnam | 125,480 | 5.8% |
| 07 | Ukraine | 108,610 | 5.1% |
| 08 | Netherlands | 94,350 | 4.4% |
| 09 | United States | 87,920 | 4.1% |
| 10 | Germany | 72,180 | 3.4% |
Note: The Netherlands and United States rank highly due to VPS and cloud hosting infrastructure used by attackers, not because the attacks originate from those countries domestically.
Breakdown of attack activity observed across our honeypot network by category. VPN brute force remains the dominant attack type, reflecting the primary use case for ThreatListPro customers.
ThreatListPro does not aggregate open-source lists or resell third-party data. Our blocklist is built from primary research using a four-stage pipeline:
1. Distributed sensors mimic GlobalProtect, SSL-VPN, and AnyConnect portals across 12 countries, attracting real attacks.
2. Every connection is logged with source IP, timestamps, attempted credentials, user agents, and TLS fingerprints.
3. IPs are scored by volume, persistence, number of honeypots targeted, and credential diversity. Only high-confidence threats pass.
4. Scored IPs are published as a clean, EDL-ready blocklist. Stale IPs (inactive 30+ days) are automatically removed.
This pipeline ensures every IP on the blocklist has been directly observed attacking VPN infrastructure within the past 30 days. No aggregation of stale data, no recycled indicators, no false positives from shared hosting or CDN infrastructure.
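The scoring and expiry stages described above can be sketched as follows. This is an added example, not ThreatListPro's code: the weights, saturation caps, threshold and sensor names are assumptions, and the events are constructed using documentation-range addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 30, tzinfo=timezone.utc)   # fixed "today" for the sample
STALE_AFTER = timedelta(days=30)                   # from the page: inactive 30+ days
# Assumptions, not the vendor's values: saturation caps, weights, threshold.
CAPS = {"volume": 100, "days": 7, "honeypots": 3, "creds": 10}
WEIGHTS = {"volume": 0.25, "days": 0.30, "honeypots": 0.30, "creds": 0.15}
THRESHOLD = 0.6

def days_ago(n):
    return NOW - timedelta(days=n)

PORTALS = ("hp-gp", "hp-sslvpn", "hp-anyconnect")  # hypothetical sensor ids
USERS = ("admin", "vpnuser", "svc_backup")

# Constructed events: (source IP, timestamp, honeypot id, attempted username).
EVENTS = (
    # persistent sprayer hitting every sensor on five recent days
    [("198.51.100.7", days_ago(d), hp, u)
     for d in (1, 2, 3, 5, 8) for hp in PORTALS for u in USERS]
    # a single stray login attempt against one sensor
    + [("203.0.113.20", days_ago(2), "hp-gp", "admin")]
    # formerly heavy source, last seen 45 days ago
    + [("192.0.2.55", days_ago(45 + d), hp, u)
       for d in range(5) for hp in PORTALS for u in USERS]
)

def score_ips(events, now):
    """Return {ip: score in [0, 1]} for IPs seen inside the staleness window."""
    per_ip = defaultdict(list)
    for ip, ts, hp, user in events:
        per_ip[ip].append((ts, hp, user))
    scores = {}
    for ip, rows in per_ip.items():
        if now - max(ts for ts, _, _ in rows) >= STALE_AFTER:
            continue  # stale: dropped regardless of past volume
        feats = {
            "volume": len(rows),                            # total attempts
            "days": len({ts.date() for ts, _, _ in rows}),  # persistence
            "honeypots": len({hp for _, hp, _ in rows}),    # sensors targeted
            "creds": len({u for _, _, u in rows}),          # credential diversity
        }
        scores[ip] = sum(WEIGHTS[k] * min(feats[k] / CAPS[k], 1.0) for k in feats)
    return scores

def build_edl(events, now):
    """One IP per line, the plain-text layout an external dynamic list uses."""
    scores = score_ips(events, now)
    return "\n".join(sorted(ip for ip, s in scores.items() if s >= THRESHOLD))
```

With these sample events only the persistent multi-sensor source reaches the threshold; the single stray attempt scores low and the stale source is never scored.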
Key shifts in the VPN threat landscape observed by our honeypot network over the past 12 months.
Attacks against VPN portals have surged over 300% since early 2025. The IEEPA tariff disruptions drove a wave of credential-seeking campaigns targeting government contractors and logistics companies with VPN access to federal systems.
Palo Alto Networks GlobalProtect remains the most targeted VPN portal, accounting for 52% of all VPN brute force activity. Its widespread deployment in enterprise and government makes it the default target for automated scanners.
Attackers increasingly rotate source IPs mid-campaign using residential proxy networks, making IP-based rate limiting less effective. A single campaign now uses 50 to 200 unique IPs compared to 10 to 30 a year ago. Blocklists that track the full botnet infrastructure are critical.
RDP brute force activity has declined as a share of total attacks, likely because more organizations have moved RDP behind VPNs or adopted cloud-based remote access. The attack volume has shifted to VPN portals themselves.
We operate a distributed honeypot network that mimics popular VPN portals. These honeypots attract real brute force attacks. Every attacking IP is logged, analyzed, and scored based on attack volume, persistence, and the number of honeypots targeted. High-confidence threats are added to the blocklist. IPs inactive for 30+ days are removed, keeping the list current and compact.
The statistics on this page are updated regularly based on data from our honeypot network. The curated blocklist that subscribers receive is updated weekly. Country rankings and trend data are recalculated monthly.
We primarily track VPN brute force attacks (credential stuffing, password spraying) against GlobalProtect, Fortinet SSL-VPN, and Cisco AnyConnect portals. Our honeypots also capture SSH brute force, web scanning, and RDP attacks, giving us a comprehensive view of threats targeting authentication endpoints.
Join hundreds of organizations using ThreatListPro to block VPN attackers at the firewall. Setup takes 5 minutes, costs $9.99/month, and works on every major firewall.