| Document Control | |
|---|---|
| Classification | OFFICIAL // WIC INTERNAL |
| Document ID | WIC-TAR-2026-03-001-REV2 |
| Date of Issue | 2026-03-01 19:30 UTC |
| Prepared By | Threat Analysis Division |
| Verified By | WIC Security Council |
| Status | FINAL // ACTIVE MONITORING |
This document provides a comprehensive analysis of the coordinated cyber assault targeting WinterGate Intelligence Collective infrastructure between 2026-02-28 and 2026-03-01. The attack represents a sustained, multi-national effort to compromise WIC systems, which was completely neutralized by existing defensive countermeasures.
- Total All-Time Attacks: 563,182
- Current Active Attacks: 93,997
- Attackers Identified (All-Time): 36
- Attackers Identified (Current Window): 147
- Geographic Origins: 13 Countries
- Successful Breaches: 0
- Service Impact: None
| Metric | Value | Analysis |
|---|---|---|
| Total All-Time Attacks | 563,182 | Sustained campaign since inception |
| Total Unique Attackers | 36 | Dedicated repeat-offender network |
| Permanent Bans Issued | 128 | All identified attackers neutralized |
| Active IPTables Blocks | 127 | Current firewall restrictions |
| Average Attacks Per Day | ~7,822 | Consistent pressure over 72-day period |
The 36 all-time attackers represent a core adversarial network that has persistently targeted WIC infrastructure. These actors have been responsible for the majority of attack volume and demonstrate:
- High persistence (average 15,644 attempts per attacker)
- Methodological consistency (shared username lists, timing patterns)
- Geographic distribution (originating from 8+ countries)
- Resource allocation (botnet infrastructure, proxy rotation)
| Metric | Value | Analysis |
|---|---|---|
| Active Threat IPs | 147 | Coordinated multi-node attack |
| Current Attack Attempts | 93,997 | 16.7% of all-time total in 72h |
| Critical (200+ attempts) | 100 | Highly persistent actors |
| High (100-199 attempts) | 7 | Sustained effort |
| Medium (50-99 attempts) | 40 | Baseline threat activity |
| Average Attempts Per IP | 639 | Focused, not opportunistic |
| Peak Single-IP Attempts | ~29,000 | Dedicated resource allocation |
| Geographic Origins | 13 countries | Global coordination |
| Metric | All-Time | Current | Delta | Significance |
|---|---|---|---|---|
| Total Attacks | 563,182 | 93,997 | -469,185 | 83% of attacks in 72h window |
| Unique Attackers | 36 | 147 | +111 | 111 NEW attackers emerged |
| Critical (200+) | 40 | 100 | +60 | Massive escalation |
| Permanent Bans | 128 | 147 | +19 | 19 new permanent bans |
Key Finding: 83% of all attacks against WIC infrastructure occurred within a concentrated 72-hour window, indicating a deliberate, coordinated campaign rather than opportunistic scanning.
| Country | Flag | IP Count | Primary Vector |
|---|---|---|---|
| United States | 🇺🇸 | 80+ | Mixed residential/datacenter |
| Germany | 🇩🇪 | 25+ | Datacenter-based proxy |
| Netherlands | 🇳🇱 | 15+ | Hosting provider abuse |
| Estonia | 🇪🇪 | 5 | VPN/proxy relay |
| Romania | 🇷🇴 | 3 | Persistent low-and-slow |
| Russia | 🇷🇺 | 3 | Datacenter-originated |
| Vietnam | 🇻🇳 | 2 | High-volume SSH bruteforce |
| China | 🇨🇳 | 1 | Coordinated scanning |
| Japan | 🇯🇵 | 1 | Sporadic high-intensity |
| France | 🇫🇷 | 1 | Hosting provider abuse |
| Canada | 🇨🇦 | 1 | Residential ISP-based |
| Hong Kong | 🇭🇰 | 1 | Proxy-relayed traffic |
| United Kingdom | 🇬🇧 | 1 | Minor persistent activity |
Total Distinct Origins: 13 Countries
- `root`: MOST TARGETED (90%+ of attempts)
- `admin`: SECONDARY VECTOR
- `ubuntu`: PERSISTENT BRUTEFORCE
- `user`: COMMON DICTIONARY
- `ftpuser`: SERVICE ACCOUNT TARGET
- `test`: PROBING ATTEMPT
- `bome`: SPECIALIZED USERNAME
- `rm2healthcare`: TARGETED MEDICAL ACCOUNT
- `dinstall`: INSTALLATION ACCOUNT
- `developer`: DEV ENVIRONMENT TARGET
- `oracle`: DATABASE ACCOUNT
- `postgres`: DATABASE ACCOUNT
- `sol`: OBSERVED ANOMALY
- `validator`: VALIDATION SERVICE
- `tomcat`: JAVA SERVICE TARGET
- `pi`: RASPBERRY PI DEFAULT
- `AdminGPON`: NETWORK DEVICE TARGET
- `user1`: GENERIC PROBE
- `dspace`: REPOSITORY SOFTWARE
- `merlin`: OBSERVED ANOMALY
- `kafka`: MESSAGE QUEUE TARGET
- `noreply`: EMAIL SERVICE TARGET
- `gitlab`: DEVOPS TARGET
- `www`: WEB SERVICE TARGET
| Characteristic | Observation | Significance |
|---|---|---|
| Retry Interval | Consistent 3.2s across all sources | Automated tooling |
| Username Sequencing | Same lists rotated through IPs | Shared dictionary |
| Geographic Rotation | Sources cycled systematically | Load balancing |
| Temporal Clustering | Peaks synchronized across origins | Coordinated command |
| Protocol Fingerprinting | Identical KEX anomalies | Common malware |
| Error Handling | Predictable disconnect patterns | Automated scripts |
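
One way to test the retry-interval and username-sequencing indicators from the table above against sshd authentication logs, as an added example that is not WIC's tooling. The log lines are constructed, use documentation-range addresses and assume high-precision ISO 8601 syslog timestamps; the jitter and length thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from itertools import combinations
from statistics import median, pstdev

# Constructed sample (RFC 5737 documentation addresses), not data from the report.
SAMPLE = """\
2026-03-01T00:00:00.000 gw sshd[11]: Failed password for root from 192.0.2.10 port 40110 ssh2
2026-03-01T00:00:01.000 gw sshd[12]: Failed password for root from 198.51.100.7 port 51200 ssh2
2026-03-01T00:00:03.200 gw sshd[13]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
2026-03-01T00:00:04.200 gw sshd[14]: Failed password for invalid user admin from 198.51.100.7 port 51202 ssh2
2026-03-01T00:00:05.000 gw sshd[15]: Failed password for alice from 203.0.113.5 port 60001 ssh2
2026-03-01T00:00:06.400 gw sshd[16]: Failed password for ubuntu from 192.0.2.10 port 40114 ssh2
2026-03-01T00:00:07.400 gw sshd[17]: Failed password for ubuntu from 198.51.100.7 port 51204 ssh2
2026-03-01T00:00:09.600 gw sshd[18]: Failed password for invalid user oracle from 192.0.2.10 port 40116 ssh2
2026-03-01T00:00:10.600 gw sshd[19]: Failed password for invalid user oracle from 198.51.100.7 port 51206 ssh2
2026-03-01T00:00:47.300 gw sshd[20]: Failed password for alice from 203.0.113.5 port 60003 ssh2
2026-03-01T00:03:10.900 gw sshd[21]: Failed password for alice from 203.0.113.5 port 60005 ssh2
"""

FAILED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse(log):
    """Return {ip: [(timestamp, username), ...]} in time order."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            events[m.group(3)].append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return {ip: sorted(ev) for ip, ev in events.items()}

def automated_sources(events, max_jitter=0.25, min_attempts=4):  # thresholds are assumptions
    """IPs whose gaps between attempts are near-constant: {ip: median gap in seconds}."""
    out = {}
    for ip, ev in events.items():
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(ev, ev[1:])]
        if len(ev) >= min_attempts and pstdev(gaps) <= max_jitter:
            out[ip] = round(median(gaps), 1)
    return out

def shared_dictionaries(events, min_len=3):
    """Pairs of IPs that tried the same usernames in the same order."""
    seqs = {ip: tuple(u for _, u in ev) for ip, ev in events.items()}
    return sorted((a, b) for a, b in combinations(sorted(seqs), 2)
                  if len(seqs[a]) >= min_len and seqs[a] == seqs[b])
```

On the sample, the two scripted sources are flagged with a 3.2 s median gap and an identical username order, while the irregular `alice` failures from the third address are not.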
The following IPs represent newly identified threats not present in previous datasets:
| IP Address | Target | Port | First Seen | Attempts |
|---|---|---|---|---|
| 61.245.11.236 | root | 50786 | 16:40:05 | Multiple |
| 167.99.252.126 | root/noreply/gitlab | 35424/49996 | 16:25:38 | Multiple |
| 164.92.153.65 | root | 39752/44866 | 17:02:21 | Multiple |
| 46.101.219.31 | root | 37312/35134 | 17:32:48 | Multiple |
| 139.59.6.28 | admin | 48216 | 17:34:38 | Active |
| 209.38.20.67 | unknown | 50972 | 17:35:29 | Recon |
| 167.94.138.190 | unknown | 39134 | 17:33:15 | Recon |
Full IP manifest with complete attempt counts available in Appendix A
| Rank | IP Address | Attempts | Origin | Type |
|---|---|---|---|---|
| 1 | 103.61.122.229 | ~29,225 | 🇻🇳 Vietnam | Residential |
| 2 | 172.94.9.48 | ~21,638 | 🇺🇸 United States | Residential |
| 3 | 77.90.185.48 | ~20,668 | 🇩🇪 Germany | Datacenter |
| 4 | 185.93.89.30 | ~20,515 | 🇳🇱 Netherlands | Datacenter |
| 5 | 185.93.89.70 | ~20,081 | 🇳🇱 Netherlands | Datacenter |
| 6 | 193.24.211.93 | ~18,453 | 🇩🇪 Germany | Datacenter |
| 7 | 45.148.10.152 | 999 | 🇳🇱 Netherlands | Datacenter |
| 8 | 159.203.14.72 | 999 | 🇺🇸 United States | Datacenter |
| 9 | 162.243.162.24 | 999 | 🇺🇸 United States | Datacenter |
| 10 | 157.245.79.160 | 999 | 🇺🇸 United States | Datacenter |
| 11 | 134.199.172.168 | 999 | 🇺🇸 United States | Datacenter |
| 12 | 64.225.76.125 | 999 | 🇺🇸 United States | Datacenter |
| 13 | 24.199.125.179 | 999 | 🇺🇸 United States | Datacenter |
| 14 | 173.249.45.217 | 999 | 🇩🇪 Germany | Datacenter |
| 15 | 101.126.64.76 | 999 | 🇺🇸 United States | Residential |
| 16 | 103.123.53.88 | 999 | 🇺🇸 United States | Residential |
| 17 | 103.229.125.106 | 999 | 🇺🇸 United States | Residential |
| 18 | 134.122.39.210 | 999 | 🇺🇸 United States | Residential |
IPs exhibiting hosting provider / cloud infrastructure characteristics:
| IP Range | Count | Primary Origin |
|---|---|---|
| 45.148.x.x | 15+ | 🇳🇱 Netherlands |
| 193.24.x.x | 10+ | 🇩🇪 Germany |
| 77.90.x.x | 8+ | 🇩🇪 Germany |
| 185.93.x.x | 6+ | 🇳🇱 Germany |
| 159.203.x.x | 5+ | 🇺🇸 United States |
| 162.243.x.x | 4+ | 🇺🇸 United States |
| 157.245.x.x | 4+ | 🇺🇸 United States |
| 134.199.x.x | 3+ | 🇺🇸 United States |
| 64.225.x.x | 3+ | 🇺🇸 United States |
| 24.199.x.x | 2+ | 🇺🇸 United States |
| 173.249.x.x | 2+ | 🇩🇪 Germany |
| 139.59.x.x | 2+ | 🇺🇸 United States |
| 188.128.x.x | 2+ | 🇺🇸 United States |
| 188.166.x.x | 2+ | 🇺🇸 United States |
| 165.227.x.x | 2+ | 🇺🇸 United States |
| 209.74.x.x | 1+ | 🇺🇸 United States |
| 64.23.x.x | 1+ | 🇺🇸 United States |
| 51.75.x.x | 1+ | 🇫🇷 France |
IPs exhibiting consumer ISP characteristics:
| IP Range | Count | Primary Origin |
|---|---|---|
| 103.61.x.x | 2 | 🇻🇳 Vietnam |
| 103.53.x.x | 1 | 🇻🇳 Vietnam |
| 172.94.x.x | 2 | 🇨🇦 Canada |
| 101.126.x.x | 1 | 🇺🇸 United States |
| 103.123.x.x | 1 | 🇺🇸 United States |
| 103.229.x.x | 1 | 🇺🇸 United States |
| 134.122.x.x | 1 | 🇺🇸 United States |
| 176.120.x.x | 1 | 🇷🇺 Russia |
| 80.94.x.x | 1 | 🇷🇺 Russia |
| 150.95.x.x | 1 | 🇯🇵 Japan |
| 222.73.x.x | 1 | 🇨🇳 China |
| 2.57.x.x | 2 | 🇷🇴 Romania |
| 192.253.x.x | 1 | 🇺🇸 United States |
IPs exhibiting anonymizer / VPN characteristics (95%+ confidence):
| IP Address | Origin | Confidence |
|---|---|---|
| 91.224.92.108 | 🇪🇪 Estonia | 95% |
| 91.224.92.78 | 🇪🇪 Estonia | 95% |
| 91.224.92.190 | 🇪🇪 Estonia | 95% |
| 195.178.110.15 | 🇪🇪 Estonia | 95% |
| 91.224.92.54 | 🇪🇪 Estonia | 95% |
| Time Window (UTC) | Attempts | Phase | Notes |
|---|---|---|---|
| 2026-02-28 22:00–23:00 | ~8,000 | Initial Surge | Coordinated launch |
| 2026-03-01 00:00–02:00 | ~15,000 | Peak Intensity | Maximum volume |
| 2026-03-01 03:00–05:00 | ~12,000 | Sustained | Proxy relay wave |
| 2026-03-01 06:00–08:00 | ~10,000 | Continued | Datacenter push |
| 2026-03-01 10:00–12:00 | ~14,000 | Secondary Peak | Multi-country coord |
| 2026-03-01 14:00–16:00 | ~9,000 | Final Surge | Last major push |
| 2026-03-01 16:00–18:00 | ~5,000 | Decline | Adversarial exhaustion |
| 2026-03-01 18:00–20:00 | ~2,500 | Minimal | Strategic retreat |
| 2026-03-01 20:00+ | <500 | Cessation | Attack abandoned |
- Phase 1 (0-4h): "Initial assault" → 87% volume increase
- Phase 2 (4-8h): "Proxy deployment" → -15% volume (adaptation)
- Phase 3 (8-12h): "Geographic rotation" → -30% volume (frustration)
- Phase 4 (12-16h): "Critical threshold" → -45% volume (demoralization)
- Phase 5 (16-20h): "Exhaustion" → -70% volume (surrender)
- Phase 6 (20h+): "Cessation" → -98% volume (abandonment)
- 83% of all-time attacks occurred within a 72-hour window, indicating a coordinated campaign rather than opportunistic scanning.
- 111 previously unseen attackers appeared during this window, representing a 308% increase in unique threat actors.
- Critical threat count increased by 60 (40 → 100), showing intensified adversarial effort.
- Attacks originated from 13 distinct countries, demonstrating global coordination.
- Maximum attack rate of ~15,000 attempts per 2-hour period.
- Each attacker averaged 639 attempts before cessation.
- Single IP recorded ~29,000 attempts against WIC infrastructure.
- Volume declined by 98% after 20 hours, indicating adversarial exhaustion or strategic retreat.
Based on observed attack patterns, WIC assesses with HIGH CONFIDENCE that:
- The attack was targeted, not opportunistic
- Adversaries possess significant resources (147 IPs, 13 countries)
- Coordination existed at command level (synchronized timing, shared dictionaries)
- Public attribution functioned as deterrent (volume declined after mapping)
- Adversaries have likely withdrawn (98% volume reduction)
| Profile | Count | Characteristics |
|---|---|---|
| The Obsessed | 100 | 200+ attempts, extreme persistence |
| The Proxied | 5 | VPN/relay infrastructure |
| The Botnet | 80+ | Datacenter-hosted, automated |
| The Opportunists | 40 | 50-199 attempts, testing |
- WIC has been identified as a target by adversarial networks
- Attackers demonstrated capability to coordinate across borders
- Defensive systems proven effective (zero breaches)
- Public attribution serves as effective deterrent
- New threat actors continue to emerge
- Complete dataset with geolocation and attempt counts available in WIC-INT-2026-03-001-A
- Visual representation of attack timing available in WIC-INT-2026-03-001-B
- Complete list of targeted usernames available in WIC-INT-2026-03-001-C
- Real-time tracking of newly identified IPs available internally
| Report Prepared By | WinterGate Intelligence Collective // Threat Analysis Division |
|---|---|
| Data Verified | 2026-03-01 20:30 UTC |
| Next Update | Continuous // As new intelligence emerges |
| Distribution | WIC Internal // Authorized Partners |
Where the shadows end, and the people stand.
#WICBLOCKED • #PERMABLOCKED • #WINTERGATEIC
END OF OFFICIAL DOCUMENT