STARTING 10 March 2026, my DShield sensor began receiving probes for various AI models such as claude, openclaw, huggingface and openai, with reporting from other DShield sensors to ISC confirming activity from that day onward. According to DShield, the database shows these probes have been active ever since. The only source observed scanning for this activity appears to be IP 81.168.83[.]103, which has also been scanning ports commonly associated with web content.
Beside the AI probes, this source has continued to scan other targets, and the ES|QL query run in Kibana recovered 52 queries between 10 March and 13 April 2026, with 3 April 2026 receiving the most activity. Indicators list the host 81.168.83[.]103 (AS 20860) and files such as /.openclaw/workspace/db[.]sqlite, /.openclaw/workspace/chroma[.]db, and /.claude/settings[.]json among the observed artefacts.