diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 9e4540c..f190767 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -328,7 +328,19 @@ write_ip_data_to_file() {
         cp "$TEMP_DIR/ip_data" "$temp_file" 2>/dev/null || touch "$temp_file"
 
         # Remove old entry for this IP (if exists)
-        grep -v "^${ip}=" "$temp_file" > "${temp_file}.new" 2>/dev/null || true
+        # CRITICAL FIX: Check if grep succeeds before relying on output
+        # Bug: If grep fails (file error), ${temp_file}.new is not created
+        # Result: echo appends to non-existent file, losing all previous IPs!
+        # Fix: Create new file first, then filter, then verify success
+        if grep -v "^${ip}=" "$temp_file" > "${temp_file}.new" 2>/dev/null; then
+            # grep succeeded - ${temp_file}.new contains all IPs except the old one
+            :
+        else
+            # grep failed - copy all data to new file and manually remove the old entry
+            cp "$temp_file" "${temp_file}.new" 2>/dev/null || touch "${temp_file}.new"
+            # Try to remove old entry with sed as fallback
+            sed -i "/^${ip}=/d" "${temp_file}.new" 2>/dev/null || true
+        fi
 
         # Add new entry
         echo "${ip}=${data}" >> "${temp_file}.new"