Hacker using Digital Ocean IPs

I report a particular hacker using Digital Ocean on nearly a daily basis. I supply logs to show the hacker access to my droplet. I provide links to to show the IP is being used for hacking.

What does it take for Digital Ocean to simply refuse to provide a user service when they are demonstratively show to be a bad actor?


Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

You find details and you can drill down by every IP in the problems and registered attacks from AS14061 (Digital Ocean). This here are only 660 IPs, they have attacked our servers in between of 7 days - example via:

<mod snip>

I reported a phisher and a spammer and got a response via email saying they will not do anything.

I’ve basically given up on the sys admins to block the DO hackers. I assume this is a problem on all VPSs, given the cost we pay these days. That is, I used to get hacked without mercy from Linode until I blocked most of Linode. I have slowly put together the IP space of DO as I’ve been hacked. Don’t expect perfection, but it will block many DO droplets. DO IP space It expires in a week, but just ask again if you need it.

I’m probably stating the obvious here, and this is hardly the only solution, but my workflow is look up the IP on Once I determine it is a datacenter, VSP, VPN or what I determine to be a trouble maker, I put the IP address into and get the AS. You can either block the one CIDR from, or you can look at the IPV4 space list and select the matching names.

For example, from my nginx log:

400 - - [17/Jan/2018:03:42:43 +0000] "SSH-2.0-Go" 173 "-" "-" "-"

Clearly an IP that isn’t going to do any browsing. Ip2location show that IP is at DO SFO. The associated CIDR is, which you can block in the firewall of your choice from everything but maybe port 25 should you want email from the hacker. identifies the IP as the infamous stretchoid hacker, or researcher if you believe them. ( 

abusedb Shocker, it is in the abuse database. ;-) The IP CIDR is in AS14061. The associated IPV4 space is at as14061 which is not exclusively DO. You can cut, paste, sed the results to get it in the form you want.

There are other ways to get the contents of an AS, but they don’t seem to be up to date. That is has more IP CIDRs. Here is one example of how to enumerate an AS. [list AS]

I just got hit by a script kiddie, using DigitalOcean to brute force ssh.

current IP of the attacker (as of 9th january, 2018):

I guess this is the dude you’re talking about. If I/you/we are lucky, DI sysops might see this post - and will do SOMETHING.

Are you using tickets? I doubt you’ll get much done by creating a ticket. I suggest you send them an email to with all the information regarding users malicious actions. All hosting companies will have people who abuse their services and to be honest with you not many of them do much about it anyway.