IPs used to attacks or gain access to a system : bruteforce ssh/ftp/system account, IPs that have been detected by fail2ban, ports scan, vulnerabilities scan, DDoS.
IPs used to spam forum, boards, blogs or smtp servers, automated web scripts or scrappers (bad bots)
IPs that have been identified distributing malware, form-grabber and stealer, Viruses, Worms, Trojans, Ransomware, Adware, Spyware
Onion Router IP addresses. TOR network IPs, TOR exit points, socks or ssl proxy.