IP Intelligence Briefing: 23.129.64.168
Date: 2026-06-17
---
**1. Risk Profile**
- Overall Risk Score: 80 (High Risk)
- Threat Indicators:
- Confirmed Tor exit node: connections seen from this address are made on behalf of arbitrary Tor clients leaving the network, not by the node's operator.
- High abuse density in its /24 subnet (23.129.64.0/24).
- 54 of 96 neighboring IPs in the subnet are flagged as malicious.
- Ownership:
- Assigned to Emerald Onion (AS396507), a Tor exit relay operator, which is consistent with the exit-node classification above.
- ARIN-registered; the allocation has been held for 3,274 days.
---
**2. Geolocation & Validation**
- Claimed Location: Seattle, WA, US.
- Geo Validation:
- Flagged as inconsistent by the platform: an RTT of 83 ms was measured against a 7,626 km probe distance. The two figures do not actually contradict each other: light in fibre needs roughly 76 ms for a 7,626 km round trip, so 83 ms is consistent with the claimed location and is not, on its own, evidence of spoofing. An RTT measured to a Tor exit also describes the exit host itself, not the client behind it.
- Geolocation Plausibility: False (platform verdict). Because the RTT reasoning does not support it, treat the Seattle location as unverified rather than synthetic until an independent source confirms or refutes it.
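The distance-versus-RTT test the geo validation above is trying to apply, as an added example (this is not IPDebrief code). It computes the physical RTT floor for a great-circle distance, classifies an observed RTT against it, and re-runs the briefing's own numbers (7,626 km, 83 ms). The 200,000 km/s fibre propagation speed and the 1.5x detour tolerance are assumptions; the Seattle and London coordinates in the demo are illustrative only, since the briefing does not say where its probe is.

```python
"""RTT-vs-distance plausibility check (added example, not IPDebrief code).

Light in fibre covers at most ~200,000 km/s, so a round trip over a
great-circle distance d has a physical floor of 2*d / 200000 seconds.
An observed RTT *below* that floor is impossible and does show the claimed
location is wrong; an RTT at or above it is consistent with the claim,
because routing detours and queueing can only add delay.
"""
import math

C_FIBRE_KM_PER_S = 200_000.0   # assumed propagation speed in fibre (~2/3 c)
SLACK = 1.5                     # assumed tolerance for detours before calling a path "slow"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def min_rtt_ms(distance_km):
    """Lowest physically possible RTT (ms) for a given great-circle distance."""
    return 2.0 * distance_km / C_FIBRE_KM_PER_S * 1000.0


def classify_rtt(distance_km, rtt_ms):
    """Return 'impossible', 'consistent' or 'slow' for an observed RTT."""
    floor = min_rtt_ms(distance_km)
    if rtt_ms < floor:
        return "impossible"    # faster than light in fibre: the location claim is wrong
    if rtt_ms <= floor * SLACK:
        return "consistent"    # within normal detour and queueing overhead
    return "slow"              # still compatible with the claim; says nothing about spoofing


def check_briefing():
    """Re-run the briefing's own numbers: 7,626 km probe distance, 83 ms RTT."""
    return classify_rtt(7626.0, 83.0)


if __name__ == "__main__":
    print(f"floor for 7,626 km: {min_rtt_ms(7626.0):.1f} ms")   # 76.3 ms
    print("briefing verdict:", check_briefing())               # consistent
    # Seattle to London: an assumed probe location, for illustration only.
    d = haversine_km(47.6062, -122.3321, 51.5074, -0.1278)
    print(f"Seattle-London {d:.0f} km -> floor {min_rtt_ms(d):.1f} ms")
```

Only the "impossible" verdict is evidence against a claimed location; "consistent" and "slow" both leave the claim standing, which is why the 83 ms figure in this briefing cannot support a spoofing conclusion.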
---
**3. Network & Service Activity**
- Open Ports:
- TCP 80 and TCP 443 (labelled HTTP/HTTPS by port number; no server banner or HTTP title was captured). A Tor relay exposing its DirPort and ORPort on the standard web ports would present exactly this profile.
- TLS certificate observed with issuer `CN=www.hnf2fi4sjrsnfixam6g.com` and subject `CN=www.nq6wmbwnpjcpxn75.net`. A self-signed certificate whose issuer and subject are two different random-looking `www.<label>.com` / `.net` names, with no SANs, is the shape of a Tor relay link certificate; it identifies the relay software, not a domain of interest.
- Network Role:
- Classified as a Tor exit node (not a standard Tor relay).
- BGP route stability: Stable (no recent changes).
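A heuristic that encodes the certificate shape described above, as an added example (not IPDebrief or Tor Project code). It checks that both CNs are random `www.<label>.com/.net` names, that they differ, that there are no SANs, and that the validity window is short, then evaluates the certificate fields from this briefing next to a constructed public-CA certificate as a control. The base32-style alphabet (a-z, 2-7), the 8 to 32 character label length and the one-year validity ceiling are assumptions chosen to keep false positives low, not documented Tor constants; any single ordinary-looking label (say `www.googleapis.com`) would match the regex alone, which is why the function requires all conditions together.

```python
"""Heuristic check for Tor relay link certificates (added example, not
IPDebrief or Tor Project code).

Tor relays present a self-signed TLS certificate on the ORPort whose issuer
and subject CNs are random labels of the form www.<random>.<com|net>, with
no SANs. The certificate in this briefing matches that shape.
"""
import re
from datetime import datetime, timezone

# Assumed shape: base32-style label (a-z, 2-7), 8 to 32 characters, .com or .net.
TOR_CN_RE = re.compile(r"^www\.[a-z2-7]{8,32}\.(com|net)$")


def _cn(dn):
    """Pull the CN value out of a 'CN=...,O=...' style DN string."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value.strip()
    return None


def looks_like_tor_link_cert(issuer, subject, sans, not_before, not_after):
    """True when issuer and subject CNs are two different random www.*.com/net
    labels, there are no SANs, and the validity window is at most a year."""
    icn, scn = _cn(issuer), _cn(subject)
    if not icn or not scn or icn == scn:
        return False
    if not (TOR_CN_RE.match(icn) and TOR_CN_RE.match(scn)):
        return False
    if sans:                      # Tor link certs carry no subjectAltName
        return False
    days = (not_after - not_before).days
    return 0 < days <= 366        # assumed ceiling; the briefing's cert is 94 days


def check_briefing_cert():
    """Evaluate the certificate fields reported in this briefing."""
    return looks_like_tor_link_cert(
        issuer="CN=www.hnf2fi4sjrsnfixam6g.com",
        subject="CN=www.nq6wmbwnpjcpxn75.net",
        sans=[],
        not_before=datetime(2026, 4, 6, tzinfo=timezone.utc),
        not_after=datetime(2026, 7, 9, tzinfo=timezone.utc),
    )


def check_public_ca_cert():
    """Control case: a constructed, typical publicly trusted web certificate."""
    return looks_like_tor_link_cert(
        issuer="CN=R3,O=Let's Encrypt,C=US",
        subject="CN=example.com",
        sans=["example.com", "www.example.com"],
        not_before=datetime(2026, 4, 6, tzinfo=timezone.utc),
        not_after=datetime(2026, 7, 5, tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    print("briefing cert looks like Tor link cert:", check_briefing_cert())   # True
    print("public CA cert looks like Tor link cert:", check_public_ca_cert())  # False
```

A positive result here is a reason to treat the certificate as a relay fingerprint and to look the address up in the Tor exit list, not a reason to hunt for the CN strings as C2 indicators.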
---
**4. Threat Observations**
- Historical Signals:
- 57 observations over 30 days. The 85% confidence figure this summary gives for ownership and routing data is not reproduced by the per-dimension scores in the dossier below (ownership 42%, routing 24%, overall 33%), so treat the higher figure as unverified.
- No persistent malicious activity detected (threat persistence days: 0).
- Malicious Associations:
- Listed on DNS blocklists. The summary gives both "5 DNSBL listings" and "8/10 DNSBLs"; the two counts do not reconcile, so confirm the listing count directly against the blocklists before acting on it.
- No known campaigns or malware families linked.
---
**5. Subnet & Neighborhood Context**
- Subnet: 23.129.64.0/24 (97 addresses profiled; a /24 holds 256).
- Neighbor Risk (96 neighbors, excluding this IP):
- 23 IPs in the subnet have high risk (score ≥70).
- 73 IPs have medium risk (score 50 to 69).
- 0 IPs have low risk (score <50).
- Abuse Density: 55.7% of subnet IPs are flagged as abusive.
---
**6. Recommendations**
- Block or Challenge Traffic: if policy requires it, block this IP in firewalls (e.g., iptables, AWS WAF) on the basis of its Tor exit node status. Blocking an exit also blocks every legitimate Tor user routed through it, so a challenge or rate limit on sensitive endpoints is often the better control, and the rule set should be driven by the published Tor exit list rather than by one address at a time.
- Treat the Subnet as One Exit Block: neighboring addresses (e.g., 23.129.64.99, 23.129.64.130) belong to the same operator and are likely further exits, so apply the same policy to them. "Lateral movement" does not apply here; these are not hosts on your network.
- Verify Geolocation: validate the claimed Seattle location with an independent source (the RIR and RPKI records for the operator, other geolocation databases, or a traceroute). The reported 83 ms RTT is compatible with the 7,626 km distance and is not evidence of spoofing.
- TLS Certificate: the observed certificate carries the random issuer/subject names typical of Tor relay link certificates. Do not use those names as C2 or exfiltration indicators; key detection on exit-list membership instead.
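The exit-list-driven tagging the recommendations call for, as an added example (not IPDebrief code and not an official Tor Project tool). It parses a bulk exit list in the one-address-per-line shape published at https://check.torproject.org/torbulkexitlist, tags each web-log source as a listed exit, an unlisted address in the operator's /24, or other, and applies an example policy (block, challenge, allow) per request. The exit list and the access-log lines are constructed samples built from the addresses in this briefing plus RFC 5737 documentation addresses; the policy rules are illustrative and would be tuned per site.

```python
"""Enrich web-log source IPs against a Tor exit list (added example; not
IPDebrief code and not an official Tor Project tool).

Traffic from a Tor exit originates from an unknown Tor client, so the useful
control is a tag plus a policy decision keyed on the published exit list,
rather than chasing individual /24 neighbours or attributing to the operator.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in the bulk-exit-list format (one IPv4 address per line).
SAMPLE_EXIT_LIST = """\
23.129.64.168
23.129.64.99
23.129.64.130
203.0.113.9
"""

# Constructed access-log lines in common log format.
SAMPLE_ACCESS_LOG = """\
23.129.64.168 - - [17/Jun/2026:10:01:02 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [17/Jun/2026:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 2048
23.129.64.200 - - [17/Jun/2026:10:01:04 +0000] "GET /admin HTTP/1.1" 403 128
23.129.64.99 - - [17/Jun/2026:10:01:05 +0000] "GET /robots.txt HTTP/1.1" 200 64
"""

TOR_OPERATOR_BLOCK = ipaddress.ip_network("23.129.64.0/24")   # from the briefing
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def load_exit_list(text):
    """Parse a bulk-exit-list body into a set of ip_address objects."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            exits.add(ipaddress.ip_address(line))
    return exits


def classify_source(ip, exits):
    """Tag a source: 'tor-exit', 'tor-operator-block' (same /24, not listed), or 'other'."""
    addr = ipaddress.ip_address(ip)
    if addr in exits:
        return "tor-exit"
    if addr in TOR_OPERATOR_BLOCK:
        return "tor-operator-block"
    return "other"


def policy_for(tag, method):
    """Example policy: block Tor-exit POSTs (credential endpoints), challenge
    other traffic from the exit block, allow everything else."""
    if tag == "tor-exit" and method == "POST":
        return "block"
    if tag in ("tor-exit", "tor-operator-block"):
        return "challenge"      # e.g. CAPTCHA or rate limit; not an attribution
    return "allow"


def triage(log_text, exit_list_text):
    """Return [(ip, tag, decision), ...] for each parsable log line."""
    exits = load_exit_list(exit_list_text)
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, _path, _status = m.groups()
        tag = classify_source(ip, exits)
        rows.append((ip, tag, policy_for(tag, method)))
    return rows


def summarize(rows):
    """Count of sources per tag, for a quick view of how much traffic is Tor."""
    return Counter(tag for _, tag, _ in rows)


if __name__ == "__main__":
    rows = triage(SAMPLE_ACCESS_LOG, SAMPLE_EXIT_LIST)
    for row in rows:
        print(row)
    print(summarize(rows))
```

In production the exit list is refreshed on a schedule and the "challenge" decision maps to whatever the edge supports (a WAF rule action, an ipset feeding an iptables rate limit); the point of the tag is that a later analyst sees "Tor exit" on the session rather than a Seattle operator's name.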
---
Source: IPDebrief Threat Intelligence Platform
Note: This IP is a Tor exit node. Traffic leaving it originates from arbitrary Tor clients, so the exit operator is not the actor behind any given session; handle abuse from this address as Tor traffic in general, by policy, and investigate individual sessions before attributing intent.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
Ownership & Registration
| Organization | Emerald Onion |
| ASN | AS396507 |
| Network Name | not recorded |
| CIDR Block | 23.129.64.0/24 |
| RIR | ARIN |
| Country | not recorded |
| Abuse Contact | Available via RDAP |
DNS Intelligence
| PTR Record | No PTR |
| Forward Confirmed | No (no PTR record exists, so forward confirmation cannot be attempted; weak signal) |
DNS Hygiene
| Hygiene Score | 20% (Poor) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Not configured |
Network Classification
| Infrastructure | Unknown |
| Service Purpose | Web Server |
| Network Tier | Tier 3: Basic operator with some routing infrastructure |
Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| 80 | http | tcp | none |
| 443 | https | tcp | none |

| Closed Ports | 22, 25, 3389, 8080, 8443 (2 open / 7 scanned) |
| Server | none |
| HTTP Title | none |
TLS Certificate
| SANs | None |
| Valid From | 2026-04-06T00:00:00+00:00 |
| Valid Until | 2026-07-09T00:00:00+00:00 |
| TLS Protocol | Tls13 |
| Cipher Suite | TLS_AES_256_GCM_SHA384 |
| Signature Algorithm | sha256RSA |
| Validity Period | 94 days |
| Serial Number | 236A91FF9A00D96A |
| Thumbprint | 91FE746A76FD101C9E3C44DB89254456F89FF356 |
Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 46% | 2 | 8 |
| routing | 24% | 2 | 3 |
| services | 30% | 2 | 3 |
| ownership | 42% | 3 | 10 |
| reputation | 28% | 1 | 3 |
| geolocation | 30% | 2 | 3 |
| Overall | 33% | 12 | 30 |
| Data Coherence | Mostly Consistent (80%), 1 contradiction |
| Attribution | Low (35%) |
| Validation Flags | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid (pass/fail values were not captured in this export) |
Observation Timeline (Live)
| First Seen | 2026-05-22 13:35:50 UTC |
| Last Seen | 2026-06-26 21:06:52 UTC |
| Profile Built | 2026-06-27 16:00:30 UTC |
| Data Freshness | Live |
| Signal Types | 26 |
| Total Observations | 64 |
Full dossier details are available via our API.