Systems Security & Threat Intel

Vinayak Tyagi

"I build systems that catch attackers."

CS student at Manipal University Jaipur. Running a live SSH honeypot capturing real attacker sessions around the clock.

LIVE SENSOR — Frankfurt
TOTAL SESSIONS: 44,118+
UNIQUE IPS: 97
TOP TARGET: root
SESSIONS TODAY: ~1,800

MIRAGE: Autonomous SSH Honeypot

architecture_flow.ascii
INTERNET
    │
TCP :22 ── SSH Handshake ── Fake Shell (Go)
                                 │
                           PostgreSQL 16
                                 │
                 ┌───────────────┴───────────────┐
            REST API                        ML Worker
         (Chi Router)                   (PyTorch Bridge)
                 │                            │
         Cloudflare Tunnel            session_embeddings
                 │
         api.vtyagi.dev

Coordinated Botnet Activity

Identified 13 source IPs spread across 3 distinct Dutch ASNs whose session attempts were highly uniform in volume, with session counts of exactly 1,522 and 761.
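The equal-count pattern described above can be checked mechanically by grouping sources on their exact session total and seeing how many ASNs each group spans. This is an added example, not MIRAGE's own code; the Session and Cluster types, the function names, and the sample rows (documentation IPs, private-use ASNs, small totals standing in for the real counts) are assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// Session is a hypothetical minimal row: the source of one captured session.
type Session struct{ SrcIP, ASN string }

// Cluster is a set of sources that produced exactly the same session total.
type Cluster struct {
	Count int
	IPs   []string
	ASNs  map[string]bool
}

// EqualCountClusters keeps totals shared by at least minIPs sources, largest first.
func EqualCountClusters(sessions []Session, minIPs int) (out []Cluster) {
	perSrc := map[Session]int{}
	for _, s := range sessions {
		perSrc[s]++
	}
	groups := map[int]*Cluster{}
	for src, n := range perSrc {
		if groups[n] == nil {
			groups[n] = &Cluster{Count: n, ASNs: map[string]bool{}}
		}
		groups[n].IPs = append(groups[n].IPs, src.SrcIP)
		groups[n].ASNs[src.ASN] = true
	}
	for _, g := range groups {
		if len(g.IPs) >= minIPs {
			sort.Strings(g.IPs)
			out = append(out, *g)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Count > out[j].Count })
	return out
}

// Sample is constructed data: documentation IPs and private-use ASNs.
func Sample() []Session {
	a, b := Session{"192.0.2.10", "AS64500"}, Session{"192.0.2.11", "AS64501"}
	c, d := Session{"198.51.100.7", "AS64502"}, Session{"198.51.100.8", "AS64500"}
	e := Session{"203.0.113.5", "AS64503"}
	return []Session{a, b, c, d, e, a, b, c, d, e, a, b, c, d, a, b, a, b, a, b}
}

func main() { fmt.Printf("%+v\n", EqualCountClusters(Sample(), 2)) }
```

A group whose members sit in several ASNs yet share one exact total is the signal worth reviewing; a single source with a unique total is dropped by the minIPs threshold.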

Validator Targeting

Observed targeted credential stuffing campaigns focusing specifically on blockchain validator architectures, with sol, solana, validator, and eth-docker showing up as high-frequency usernames.

Client Fingerprinting

99.97% of connections advertised the client banner SSH-2.0-Go, suggesting that a single, highly distributed command-and-control framework is managing the automated scans.

Credential Stuffing Profile

Zero interactive SSH sessions recorded across 44,101 successful handshakes, confirming that the ingress scanner profile is currently limited to high-speed credential validation with zero human exploration.

Go PostgreSQL 16 PyTorch Docker Cloudflare Tunnel STIX 2.1
LIVE FEED — HONEYPOT INGRESS SESSIONS
Session patterns derived from real capture data. IPs anonymised.
RESEARCH PREPRINT — MIRAGE THREAT EMBEDDINGS
Title: Unsupervised Botnet Profiling in Go-Based Interactive SSH Honeypots
Authors: Vinayak Tyagi (Manipal University Jaipur)
Date: June 2026 | Subject: Cryptographic Node Intrusion Detection
ABSTRACT

Interactive Secure Shell (SSH) honeypots provide high-fidelity indicators of compromise but suffer from analysis bottlenecks when processing large-scale intrusion attempts. We present MIRAGE, a lightweight SSH honeypot engine written in Go and designed to absorb massive automated credential attacks while generating structured behavioral logs. By mapping chronological password entries and timing patterns into high-dimensional vector spaces using a PyTorch bridge, we cluster scans without requiring manual signature compilation.

KEY DESIGN HIGHLIGHTS

1. Go Engine Implementation: Built on the native golang.org/x/crypto/ssh stack, MIRAGE handles highly concurrent load with a minimal memory footprint and serves fake pseudo-terminal shells to attackers without exposing the host OS kernel.
2. Distributed Sensors: A single sensor deployed on a Frankfurt VPS transmits structured STIX 2.1 JSON payloads to PostgreSQL via a Cloudflare tunnel, preserving absolute threat isolation.

EXPERIMENTAL FINDINGS

Evaluating 44,101 raw connection profiles over an 11-day capture cycle, we isolate a dominant botnet infrastructure running Go scanner code and attempting known blockchain validator root configurations. The mathematical symmetry of attempts suggests centralized orchestration across geographically distributed hosting platforms.

Timeline

2026 — PRESENT

Independent Security Research — MIRAGE

Designed and deployed the MIRAGE honey-sensor in the Frankfurt region. Processing threat intel from 44,101 credential sessions targeting cloud providers and blockchain infrastructure.

2025 — PRESENT

DevOps Intern — SDC MUJ

Managing and scaling production server infrastructure for the Student Development Cell (SDC) at Manipal University Jaipur, directly supporting 2,160 active student users. Handling Dockerized environments, CI/CD runtimes, and reverse-proxy route configurations.

Technical Competence

Languages

Go Python SQL Bash

Infrastructure

Docker PostgreSQL Linux Cloudflare GitHub Actions

Security & Intel

SSH Honeypots STIX 2.1 MITRE ATT&CK Threat Intelligence
