MORE Honeypot Fingerprinting Scans discusses how attackers can discern they are connected to a honeypot by the way installations appear to succeed, with Cowrie acting as the SSH and Telnet emulation. According to Johannes Ullrich, one attacker connected from 45.135.194[.]48 and exploited a pattern where random username and password combinations seem to work, signalling a honeypot connection.
The article lists example credentials the attacker tried, including admin with definitely_not_valid_creds, honeypot with indexer, honeypotter with imaginegettingindexed, and xXhoneypotXx with P@ssw0rd1337!, among others like youjustgotindexed and getindexedretard. It notes that many honeypots are on home networks with dynamic IPs, making attacker-generated IP lists somewhat ephemeral, and that the emphasis is on internet-wide scans rather than targeted or zero-day attacks.
Published on 8 April 2026, the piece explains that if installations appear to succeed, the attacker realises they are connected to a honeypot, reinforcing the value of medium-interaction simulations.