2 comments

  • jjgreen 4 hours ago
    User is autodead for (I think) self-promotion, but project looks rather interesting ...
  • blessedrebus 5 hours ago
    I'm making this post here after this was banned in r/linux (700+ upvotes and 125k+ views) for some reason :)

    Hi guys, we just wrapped up a 90-day experiment with Krawl's deception honeypot on a Kubernetes deploy, and the numbers are wild.

    GitHub: https://github.com/BlessedRebuS/Krawl

    TL;DR: We deployed a fake but realistic-looking API surface with plausible-sounding endpoints, seeded fake credentials in crawlable HTML, and watched what happened. Over 1,400,000 (on our instance) unique non-human sessions hit it. Here's everything we learned.

    Stats at a glance:

        1.4M bot sessions trapped
        18% of the attacks were command injections
        539 distinct attacker profiles identified

    How the honeypot works:

    Krawl's deception layer creates a shadow version of your infrastructure: fake /admin, /.env, /credentials.txt, and even a plausible /api/v1/users and /api/v1/secrets that return fabricated but structurally correct data. Any real user would know it's a dead end or a bait. But scrapers and exploit kits? Nah.

    The key feature is the behavioral fingerprinting. Instead of blocking bots at the edge (which just teaches them to evade), you let them in, observe their full request sequence, and build a dossier.

    The most interesting findings:

    AI scraper bots were the #1 category by volume. Most were poorly rate-limited and didn't respect robots.txt at all, especially Meta and OpenAI bots (sus).

    Credential stuffers were not too many, and they used mostly basic credentials.

    Several bots attempted lateral movement simulation: they probed internal-looking paths and subdomains that we'd leaked in fake HTML pages. Also notable: a significant portion of bots probed classic Unix paths like /etc/passwd and /etc/shadow, confirming that LFI playbooks are still very much alive and automated.

    We're planning to open-source the attackers' knowledge base we are building from this; happy to answer questions about the setup.

    Live demo dashboard: https://demo.krawlme.com/das_dashboard

    Leave a star if you like the project!
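A defender-side sketch of the "let them in, record the full request sequence, build a dossier" idea from the post above, added here as an example and not code from Krawl: it serves a fabricated but structurally correct bait payload, groups constructed access-log lines per client, and tags each client with the behaviours the post reports (crawling paths robots.txt disallows, probing /etc/passwd and /etc/shadow, using a credential seeded in bait HTML, bursting with no rate limiting). The log format, decoy token, path lists and burst threshold are assumptions.

```python
from collections import defaultdict

DECOY_TOKEN = "DECOY-api-key-0000"  # assumed decoy seeded in crawlable HTML
ROBOTS_DISALLOWED = ("/admin", "/.env", "/credentials.txt", "/api/v1/secrets")
LFI_MARKERS = ("/etc/passwd", "/etc/shadow")
BURST_RPS = 5  # assumed threshold: above this a client is "poorly rate-limited"

def fake_secrets():
    """Fabricated but structurally correct payload for the bait /api/v1/secrets."""
    return {"count": 1, "items": [{"name": "db", "api_key": DECOY_TOKEN}]}

def parse_line(line):
    """Constructed log format: client ts method path status token ('-' = none)."""
    client, ts, method, path, status, token = line.split()
    return {"client": client, "ts": int(ts), "method": method,
            "path": path, "status": int(status), "token": token}

def build_dossiers(lines):
    """Group requests per client, keep the full sequence, tag the behaviour."""
    per_client = defaultdict(list)
    for rec in map(parse_line, lines):
        per_client[rec["client"]].append(rec)
    dossiers = {}
    for client, reqs in per_client.items():
        reqs.sort(key=lambda r: r["ts"])
        paths = [r["path"] for r in reqs]
        tags = set()
        if any(p.startswith(ROBOTS_DISALLOWED) for p in paths):
            tags.add("ignores_robots")  # fetched a path robots.txt disallows
        if any(m in p for p in paths for m in LFI_MARKERS):
            tags.add("lfi_probe")  # classic Unix file probe
        if any(r["token"] == DECOY_TOKEN for r in reqs):
            tags.add("used_seeded_credential")  # only reachable via the bait HTML
        span = max(1, reqs[-1]["ts"] - reqs[0]["ts"])  # seconds, at least 1
        if len(reqs) / span > BURST_RPS:
            tags.add("burst")
        dossiers[client] = {"sequence": paths, "tags": tags}
    return dossiers

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "203.0.113.5 100 GET /robots.txt 200 -",
    "203.0.113.5 101 GET /index.html 200 -",
    "203.0.113.5 102 GET /admin 200 -",
    "203.0.113.5 103 GET /api/v1/secrets 200 DECOY-api-key-0000",
    "198.51.100.9 200 GET /etc/passwd 404 -",
    "198.51.100.9 230 GET /etc/shadow 404 -",
    "192.0.2.77 300 GET /index.html 200 -",
] + [f"2001:db8::1 400 GET /page{i} 200 -" for i in range(6)]
```

Calling `build_dossiers(SAMPLE_LOG)` yields one dossier per client; the browsing client 192.0.2.77 ends up with no tags, which is the signal that separates it from the bots.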