IP Intelligence Briefing: 23.129.64.161
Date: 2026-06-10
---
**1. Risk Profile**
- Risk Score: 70/100 (High Risk)
- Threat Indicators:
  - Tor exit node activity detected.
  - Listed on 4/8 threat intelligence platforms (high severity).
  - BGP route stability flagged as "Basic" (operator score 0.26).
- Network Role: Tor exit node (provider: Emerald Onion).
---
**2. Geolocation & Ownership**
- Location: Seattle, WA, US (geo-plausibility: false).
- ASN: 396507 (Emerald Onion).
- Subnet: 23.129.64.0/24 (abuse density: 17.53%).
- Neighboring IPs: 97 total, with 17 high-risk siblings (70/100 score).
---
**3. Threat Observations**
- Historical Activity:
  - High-severity listings observed 4x in the last 24 hours.
  - DNSBL listings (4/8) and route stability anomalies.
- Services:
  - Open ports: HTTP (80), HTTPS (443).
  - TLS certificate: self-signed, issued to `www.xp7cfqqjpagczpubc.com`.
---
**4. Relationships & Network**
- Linked Entities:
  - Tor exit node network ("EMERALD-ONION-TOR1").
  - BGP peer: AS6939 (likely a major ISP).
- Control Plane:
  - RPKI invalid: No validation for prefix `23.129.64.0/24`.
  - Route changes: 0 in the last 30 days (stable).
---
**5. Recommended Actions**
- Block IP:
  - iptables: `iptables -A INPUT -s 23.129.64.161 -j DROP`
  - Cloudflare WAF: Block IP with description "IPDebrief risk 70".
- Monitoring:
  - Increase logging for anonymous traffic (Tor exit node).
  - Review neighboring IPs (e.g., 23.129.64.99, 23.129.64.130).
---
**6. Summary**
This IP is a Tor exit node associated with high-risk activity, including multiple threat intelligence listings and BGP anomalies. While geolocation suggests Seattle, the low geo-plausibility score raises concerns about spoofing. Immediate action is advised to block the IP and monitor related subnets for potential lateral movement.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
**Ownership & Registration**
| Field | Value |
|---|---|
| Organization | Emerald Onion |
| ASN | AS396507 |
| Network Name | n/a |
| CIDR Block | 23.129.64.0/24 |
| RIR | ARIN |
| Country | n/a |
| Abuse Contact | Available via RDAP |
**DNS Intelligence**
| Field | Value |
|---|---|
| PTR Record | No PTR |
| Forward Confirmed | No (PTR hostname does not resolve back to this IP; weak signal) |
**DNS Hygiene**
| Check | Result |
|---|---|
| Hygiene Score | 20% (Poor) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Not configured |
**Network Classification**
| Field | Value |
|---|---|
| Infrastructure | Unknown |
| Service Purpose | Web Server |
| Network Tier | Tier 3 (basic operator with some routing infrastructure) |
**Services & Open Ports**
| Port | Service | Protocol | Banner |
|---|---|---|---|
| 80 | http | tcp | n/a |
| 443 | https | tcp | n/a |

| Field | Value |
|---|---|
| Closed Ports | 22, 25, 3389, 8080, 8443 (2 open / 7 scanned) |
| Server | n/a |
| HTTP Title | n/a |
**TLS Certificate**
| Field | Value |
|---|---|
| SANs | None |
| Valid From | 2026-02-06T00:00:00+00:00 |
| Valid Until | 2027-01-28T23:59:59+00:00 |
| TLS Protocol | TLS 1.3 |
| Cipher Suite | TLS_AES_256_GCM_SHA384 |
| Signature Algorithm | sha256RSA |
| Validity Period | 356 days |
| Serial Number | 009981E656CA4DE288 |
| Thumbprint | 1D0F4B7C24AF5E1E52BFCC11DF0CD09CB45BF0B6 |
**Confidence Breakdown**
Per-dimension confidence scores based on source diversity and data freshness.
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 56% | 2 | 11 |
| routing | 24% | 2 | 3 |
| services | 32% | 2 | 3 |
| ownership | 42% | 3 | 10 |
| reputation | 28% | 1 | 3 |
| geolocation | 30% | 2 | 3 |
| Overall | 35% | 12 | 33 |

| Metric | Value |
|---|---|
| Data Coherence | Mostly Consistent (80%), 1 contradiction(s) |
| Attribution | Low (35%) |
| Attribution Signals Assessed | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
**Observation Timeline**
| Field | Value |
|---|---|
| First Seen | 2026-05-22 13:35:50 UTC |
| Last Seen | 2026-06-26 21:06:52 UTC |
| Profile Built | 2026-06-27 16:00:30 UTC |
| Data Freshness | Live |
| Signal Types | 26 |
| Total Observations | 67 |
Full dossier details are available via our API.