Characterizing Large-Scale Adversarial Activities Through Large-Scale Honey-Nets

📅 2025-12-06
📈 Citations: 0
✨ Influential: 0
🤖 AI Summary
This study addresses the growing threat of large-scale cyberattacks targeting critical infrastructure and IoT systems. To enhance threat intelligence collection, we propose HoneyTrap, a globally distributed, adaptive dynamic honeynet architecture. Our approach integrates ASN-enhanced geolocation, salted SHA-256 pseudonymization, and IP identifier encryption to ensure privacy-preserving, high-throughput attack traffic capture. Raw logs undergo structured cleaning and are serialized into Apache Parquet format, substantially improving storage efficiency and analytical performance. Over a 24-day empirical deployment, HoneyTrap captured over 60.3 million attack events, revealing prevalent threat patterns: frequent port 80/443 scanning (daily peak >1.7 million), SSH brute-force attacks (4.6 million total), and Minecraft server scanning (average 118,000 daily). The architecture demonstrates scalability, privacy compliance, and operational effectiveness in real-world adversarial environments.

πŸ“ Abstract
The increasing sophistication of cyber threats demands novel approaches to characterize adversarial strategies, particularly those targeting critical infrastructure and IoT ecosystems. This paper presents a longitudinal analysis of attacker behavior using HoneyTrap, an adaptive honeypot framework deployed across geographically distributed nodes to emulate vulnerable services and safely capture malicious traffic. Over a 24-day observation window, more than 60.3 million events were collected. To enable scalable analytics, raw JSON logs were transformed into Apache Parquet, achieving 5.8x to 9.3x compression and 7.2x faster queries, while ASN enrichment and salted SHA-256 pseudonymization added network intelligence and privacy preservation. Our analysis reveals three key findings: (1) The majority of traffic targeted HTTP and HTTPS services (ports 80 and 443), with more than 8 million connection attempts and daily peaks exceeding 1.7 million events. (2) SSH (port 22) was frequently subject to brute-force attacks, with over 4.6 million attempts. (3) Less common services like Minecraft (25565) and SMB (445) were also targeted, with Minecraft receiving about 118,000 daily attempts that often coincided with spikes on other ports.
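The log-cleaning step the abstract describes (ASN enrichment plus salted SHA-256 pseudonymization of source addresses, producing flat rows ready for Parquet) can be sketched as follows. This is an added illustration, not HoneyTrap's own code; the ASN prefix table, the JSON field names and the sample log lines are constructed, and the per-deployment salt is a placeholder.

```python
import hashlib
import ipaddress
import json

# Constructed stand-in for a real routing/ASN database (two prefixes only).
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500, "EXAMPLE-NET-A"),
    (ipaddress.ip_network("198.51.100.0/24"), 64501, "EXAMPLE-NET-B"),
]

def asn_lookup(ip: str) -> dict:
    """Longest-prefix match of an address against the constructed ASN table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, name in ASN_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, name)
    if best is None:
        return {"asn": None, "as_name": None}
    return {"asn": best[1], "as_name": best[2]}

def pseudonymize_ip(ip: str, salt: bytes) -> str:
    """Salted SHA-256 token for an IP. Deterministic within one deployment, so a
    source keeps a single identity across records and joins still work; the salt
    must stay secret, because an unsalted hash of the ~4.3 billion IPv4 addresses
    is trivially invertible by exhaustive hashing."""
    return hashlib.sha256(salt + ip.encode()).hexdigest()

def clean_record(raw_line: str, salt: bytes) -> dict:
    """One JSON log line -> one flat, Parquet-ready row with the raw IP removed."""
    rec = json.loads(raw_line)
    row = {
        "ts": rec["ts"],
        "dst_port": int(rec["dst_port"]),
        "proto": rec["proto"],
        "src_token": pseudonymize_ip(rec["src_ip"], salt),
    }
    row.update(asn_lookup(rec["src_ip"]))  # ASN fields added, "src_ip" never copied
    return row

def process(lines, salt: bytes) -> list:
    return [clean_record(line, salt) for line in lines]

# Constructed sample lines in the shape of a honeypot JSON log (field names assumed).
SAMPLE_LOG = [
    '{"ts": "2025-11-01T00:00:01Z", "src_ip": "203.0.113.7", "dst_port": 22, "proto": "tcp"}',
    '{"ts": "2025-11-01T00:00:02Z", "src_ip": "203.0.113.7", "dst_port": 443, "proto": "tcp"}',
    '{"ts": "2025-11-01T00:00:03Z", "src_ip": "192.0.2.9", "dst_port": 25565, "proto": "tcp"}',
]

if __name__ == "__main__":
    for row in process(SAMPLE_LOG, b"PLACEHOLDER-per-deployment-secret"):
        print(row)
```

The resulting rows contain only the pseudonym and ASN fields, so the same source shows up as one token across the SSH and HTTPS hits while the address itself never reaches the Parquet store.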
Problem

Research questions and friction points this paper is trying to address.

Characterize large-scale cyber threats using adaptive honeypot networks
Analyze attacker behavior on critical infrastructure and IoT services
Enable scalable analytics for millions of malicious traffic events
Innovation

Methods, ideas, or system contributions that make the work stand out.

Adaptive honeypot framework for distributed threat capture
Parquet compression and enrichment for scalable analytics
ASN and salted SHA-256 for intelligence and privacy