23.129.64.152
IP Intelligence Briefing: 23.129.64.152/32
Date: 2026-06-12
---
**1. Core Profile**
- Risk Score: 70 (High Risk)
- Provider: Emerald Onion (Tor Exit Node)
- Geolocation: Seattle, WA, US (geoPlausible: False)
- Threat Indicators:
- Tor exit node observed
- Listed in 1 blacklist
- No known attacker/spam source
---
**2. Network & Subnet Analysis**
- Subnet: 23.129.64.0/24
- Abuse Density: 46.39% (Mixed classification)
- Neighbor Risk:
- 9 high-risk neighbors (70+ score)
- 87 medium-risk neighbors
- 0 low-risk neighbors
- Subnet Stability:
- 96 active siblings (97 total)
- 45 threat siblings
---
**3. Threat Observations**
- Tor Exit Node: Confirmed via IPDebrief and historical data.
- Blacklist Presence: 1 blacklist listing (likely Tor-related).
- RTT Anomaly: Geo-validation shows RTT of 82ms, inconsistent with 7,626km distance (minimum possible RTT: 152.5ms).
---
**4. Relationships & Context**
- Linked Entities:
- "EMERALD-ONION-TOR1" network (repeated relationships).
- Services:
- Open ports: HTTP (80), HTTPS (443)
- TLS cert: Issued to `www.3x75bz5ywwsnkkqik.com` (likely spoofed).
---
**5. Recommendations**
- Monitoring: Track traffic from this Tor exit node, as it may be used for covert communication or data exfiltration.
- Subnet Review: Investigate neighboring IPs (e.g., 23.129.64.99, 23.129.64.130) due to high abuse density.
- Firewall Rules: Consider blocking Tor exit nodes if not required, using IPDebriefβs action templates for iptables/nftables.
- Geolocation Verification: Validate source IPs for spoofing, given geoPlausible flag as False.
---
Conclusion: This IP is part of a Tor exit node network with high abuse density in its subnet. While not directly malicious, its association with Tor and neighboring risks warrants close monitoring.
Source: IPDebrief Threat Intelligence Platform
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
π’ Ownership & Registration
| Organization | Emerald Onion |
| ASN | AS396507 |
| Network Name | β |
| CIDR Block | 23.129.64.0/24 |
| RIR | ARIN |
| Country | β |
| Abuse Contact | Available via RDAP |
π DNS Intelligence
| PTR Record | No PTR |
| Forward Confirmed | No β PTR hostname does not resolve back to this IP (weak signal) |
π DNS Hygiene
| Hygiene Score | 20% (Poor) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Not configured |
βοΈ Network Classification
| Infrastructure | Unknown |
| Service Purpose | Web Server |
| Network Tier | Tier 3 β Basic operator with some routing infrastructure |
π Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| 80 | http | tcp | β |
| 443 | https | tcp | β |
| Closed Ports | 22, 25, 3389, 8080, 8443 (2 open / 7 scanned) | ||
| Server | β |
| HTTP Title | β |
π TLS Certificate
| SANs | None |
| Valid From | 2026-03-28T00:00:00+00:00 |
| Valid Until | 2027-03-23T00:00:00+00:00 |
| TLS Protocol | Tls13 |
| Cipher Suite | TLS_AES_256_GCM_SHA384 |
| Signature Algorithm | sha256RSA |
| Validity Period | 360 days |
| Serial Number | 008FE98AD4827DA60F |
| Thumbprint | 4787A1F47070C96EEF6FD0504728F0FA2BD55483 |
π― Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 58% | 2 | 15 |
| routing | 24% | 2 | 3 |
| services | 30% | 2 | 3 |
| ownership | 37% | 3 | 9 |
| reputation | 28% | 1 | 3 |
| geolocation | 34% | 2 | 3 |
| Overall | 35% | 12 | 36 |
| Data Coherence | Mostly Consistent (80%) β 1 contradiction(s) |
| Attribution | Low (35%) |
| OwnershipFCrDNSGeo ConsensusGeo PlausibleIRR MatchRPKI Valid |
π Observation Timeline π Live
| First Seen | 2026-05-22 13:35:49 UTC |
| Last Seen | 2026-06-26 21:06:52 UTC |
| Profile Built | 2026-06-27 16:04:59 UTC |
| Data Freshness | Live |
| Signal Types | 26 |
| Total Observations | 70 |
Full dossier details are available via our API.