IP Intelligence Briefing: 23.129.64.164
Date: June 12, 2026
---
**1. Risk Profile**
- Risk Score: 70 (High Risk)
- Network Role: Tor Exit Node (Emerald Onion)
- Geolocation: Seattle, WA, US (geoPlausible: False)
- Subnet Abuse Density: 43.3% (23.129.64.0/24)
---
**2. Ownership & Infrastructure**
- ASN: 396507 (Emerald Onion)
- Network Classification: Mixed (abuse density: 0.433)
- Services:
- Open ports: HTTP (80), HTTPS (443)
- TLS Certificate:
- Issuer: `CN=www.fddsfs3fhs3y.com`
- Subject: `CN=www.4fq5kza7a5q.net`
- Self-signed: False (issuer CN differs from subject CN, but the issuer is not a publicly trusted CA)
- Control Plane:
- BGP AS Path: `6939 396507`
- DNSSEC Valid: True
- Route Stability: Stable (no recent changes)
---
**3. Threat Indicators**
- DNSBL Listings: 4/8 (moderate risk)
- Historical Observations (Last 30 Days):
- 45 total signals (40+ threat-related)
- High-severity listings: 12 (e.g., malicious domains, spoofed certs)
- BGP anomalies: 3 (AS path inconsistencies)
- Relationships:
- Linked to 66+ IPs in the same subnet (42 flagged as threats)
- Associated with Tor network "EMERALD-ONION-TOR1"
---
**4. Actionable Insights**
- Threat Vector: This address is a Tor exit relay, so inbound connections from it carry the traffic of anonymous Tor users, not of the relay operator. Treat it as an anonymous source: review what those connections reached (logins, brute-force attempts, scanning) instead of attributing intent to the IP itself. Outbound connections from internal hosts to this address on 443 are a separate signal and may indicate a Tor client, or Tor-based exfiltration, on the internal host.
- Subnet Risk: The /24 is allocated to the same Tor exit operator (AS396507), so the 43.3% abuse density reflects user traffic relayed through the block rather than a single compromised host. Listing counts alone do not distinguish a compromised relay from ordinary exit abuse, and any decision about the block is a decision about Tor exit traffic as a whole.
- Certificate Anomalies: The issuer and subject CNs are random hostname-like strings, there are no SANs, and the validity window is short. This matches the self-generated certificates Tor relays present on their link (OR) port, so on a known exit it is expected rather than evidence of spoofing. What it does confirm is that the service on 443 is not an ordinary web server with a publicly trusted certificate; verify by fetching the chain and comparing the leaf thumbprint with the value recorded below.
- Recommendations:
- Block IP in firewall rules (iptables/nftables). Blocking this one address blocks only one exit; exits rotate addresses, so if the policy is to block Tor exit traffic, load the Tor Project's published exit list into an nftables/iptables set with a timeout and refresh it regularly, rather than adding single addresses as they appear.
- Monitor DNS query logs for lookups of the certificate hostnames (www.fddsfs3fhs3y.com, www.4fq5kza7a5q.net); internal hosts have no legitimate reason to resolve them.
- Review TLS handshakes between internal hosts and 23.129.64.164:443. The certificate served there is not issued by a public CA, so a client that completes the handshake is not doing ordinary web browsing and is more likely a Tor client.
---
Next Steps:
- Correlate inbound activity from this address with activity from other Tor exits (same targets, same user agents, same time window); a campaign run over Tor shows up across many exit addresses, not on one.
- Fetch the certificate chain served on port 443 and confirm that the leaf SHA-1 thumbprint matches 1F7CCB7CE6553E744B0A67AAFE9A9916569876B2 (recorded below), that the issuer is the random-CN certificate listed above rather than a public CA, and that no SAN is present.
- If the decision is to block, block 23.129.64.0/24 as Tor exit space rather than escalating one address at a time, and record it as a Tor policy decision, since it affects every Tor user whose circuit exits through the block.
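A detection pass over connection logs that implements the monitoring recommended above, written as an added example and not part of the IPDebrief report. It matches source and destination addresses against a Tor exit list and against the operator's /24, then separates inbound traffic from exits (anonymous users reaching internal services) from outbound traffic to exits (a possible Tor client inside the network). The log format, the internal range 10.0.0.0/8, the relay addresses other than 23.129.64.164 and the log lines themselves are constructed for the example; the exit-list format (one IPv4 address per line) follows the Tor Project's bulk exit list.

```python
"""Flag connections involving Tor exit relays in a constructed log sample.

Added example, not code from the IPDebrief report. Assumes a firewall/proxy
log with whitespace-separated fields: timestamp, src_ip, dst_ip, dst_port,
action; and an exit list with one IPv4 address per line (the format of the
Tor Project's bulk exit list). All inputs below are constructed.
"""
import ipaddress
from collections import Counter

# Constructed exit list: the briefing's address, two made-up neighbours in the
# same /24, and one made-up exit in a documentation range (TEST-NET-2).
EXIT_LIST = """\
# exit relays (constructed sample)
23.129.64.164
23.129.64.130
23.129.64.201
198.51.100.17
"""

# Constructed log lines. 10.0.0.0/8 is the assumed internal network.
LOG_LINES = """\
2026-06-12T10:01:02Z 23.129.64.164 10.0.5.20 443 ACCEPT
2026-06-12T10:01:09Z 10.0.7.31 23.129.64.164 443 ACCEPT
2026-06-12T10:02:44Z 203.0.113.9 10.0.5.20 443 ACCEPT
2026-06-12T10:03:15Z 10.0.7.31 23.129.64.77 80 ACCEPT
2026-06-12T10:04:00Z 198.51.100.17 10.0.5.22 22 DROP
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# The briefing attributes this whole block to the Tor exit operator, so an
# unlisted address inside it is still treated as exit space (exits rotate).
EXIT_SUBNETS = [ipaddress.ip_network("23.129.64.0/24")]


def load_exit_list(text):
    """Parse one-address-per-line exit list; skip blanks, comments, junk."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # malformed entry: skip rather than abort the run
    return exits


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def exit_match(ip, exits):
    """'exit' for a listed relay, 'exit-subnet' for an unlisted address in a
    known exit-operator block, None otherwise."""
    if ip in exits:
        return "exit"
    if any(ip in net for net in EXIT_SUBNETS):
        return "exit-subnet"
    return None


def classify(line, exits):
    """Classify one log line by the direction of any Tor involvement."""
    ts, src, dst, port, action = line.split()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_m, dst_m = exit_match(src_ip, exits), exit_match(dst_ip, exits)
    if src_m and is_internal(dst_ip):
        verdict = "inbound-from-tor"   # anonymous Tor user reaching us
    elif dst_m and is_internal(src_ip):
        verdict = "outbound-to-tor"    # internal host talking to a relay
    else:
        verdict = "no-tor"
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "action": action, "verdict": verdict, "match": src_m or dst_m}


def scan(log_text, exit_text):
    exits = load_exit_list(exit_text)
    return [classify(l, exits) for l in log_text.splitlines() if l.strip()]


def summarize(results):
    """Count verdicts; outbound-to-tor hits deserve a look at the source host."""
    return Counter(r["verdict"] for r in results)


if __name__ == "__main__":
    results = scan(LOG_LINES, EXIT_LIST)
    for r in results:
        print(f"{r['ts']} {r['src']} -> {r['dst']}:{r['port']} "
              f"{r['action']} {r['verdict']} ({r['match']})")
    print(dict(summarize(results)))
```

The inbound and outbound verdicts are kept separate on purpose: an inbound hit is a policy question about accepting anonymous traffic, while an outbound hit points at a specific internal host that should be examined for a Tor client or tunnelling software.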
Source: IPDebrief Threat Intelligence Platform
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
Ownership & Registration
| Field | Value |
|---|---|
| Organization | Emerald Onion |
| ASN | AS396507 |
| Network Name | not available |
| CIDR Block | 23.129.64.0/24 |
| RIR | ARIN |
| Country | not available |
| Abuse Contact | Available via RDAP |
DNS Intelligence
| Field | Value |
|---|---|
| PTR Record | No PTR |
| Forward Confirmed | No (there is no PTR hostname to resolve, so forward confirmation cannot be performed; weak signal) |
DNS Hygiene
| Field | Value |
|---|---|
| Hygiene Score | 20% (Poor) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Not configured |
Network Classification
| Field | Value |
|---|---|
| Infrastructure | Unknown |
| Service Purpose | Web Server |
| Network Tier | Tier 3: basic operator with some routing infrastructure |
Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| 80 | http | tcp | none captured |
| 443 | https | tcp | none captured |
Closed ports: 22, 25, 3389, 8080, 8443 (2 open / 7 scanned). No Server header and no HTTP title were captured.
TLS Certificate
| Field | Value |
|---|---|
| SANs | None |
| Valid From | 2026-04-02T00:00:00+00:00 |
| Valid Until | 2026-09-23T23:59:59+00:00 |
| TLS Protocol | TLS 1.3 |
| Cipher Suite | TLS_AES_256_GCM_SHA384 |
| Signature Algorithm | sha256RSA |
| Validity Period | 174 days |
| Serial Number | 7E80CC7D08345E08 |
| Thumbprint | 1F7CCB7CE6553E744B0A67AAFE9A9916569876B2 |
Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 48% | 2 | 7 |
| routing | 24% | 2 | 3 |
| services | 34% | 2 | 3 |
| ownership | 36% | 3 | 9 |
| reputation | 20% | 1 | 2 |
| geolocation | 31% | 2 | 3 |
| Overall | 32% | 12 | 27 |
| Data Coherence | Mostly Consistent (80%), 1 contradiction |
| Attribution | Low (35%) |
| Attribution checks | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
Observation Timeline (live data)
| Field | Value |
|---|---|
| First Seen | 2026-05-22 13:35:50 UTC |
| Last Seen | 2026-06-26 21:06:52 UTC |
| Profile Built | 2026-06-27 16:05:00 UTC |
| Data Freshness | Live |
| Signal Types | 24 |
| Total Observations | 61 |