Hackers News
Hackers Expose Credential Stuffing Botnet with Root

Emy Elsamnoudy
April 14, 2026

A live credential stuffing botnet, specifically designed to target Twitter/X accounts, was recently found completely exposed to the internet. No password was required to reach its control panel, its worker server credentials, or its real-time attack data, as detailed in a recent report from Breakglass Intelligence.

The exposed system, running under the name “Twitter Checker Master Panel – FULL FIX v2.3,” left root SSH passwords for all 18 worker servers readable by anyone who connected to the right IP address and knew which port to hit.

The botnet’s command-and-control panel was running at 144[.]76[.]57[.]92 on port 5000, hosted on a Windows Server 2019 machine through Hetzner Online GmbH in Falkenstein, Germany.

The panel was built on Python Flask with Socket.IO for live log streaming, but had no authentication layer of any kind — no login page, no API keys, and no session checks.

Anyone who reached the server could see everything: live attack statistics, worker server details, active credential lists, and a running log of compromised accounts. Additional services including RDP, SMB, and WinRM were also exposed on the same machine.

Breakglass Intelligence analysts uncovered the exposed panel during routine infrastructure scanning on April 10, 2026. Over a 12-minute observation window, analysts watched the botnet test 722,763 credentials in real time and confirm 18 new compromises.

Lifetime statistics captured during the session showed the operation had already tested more than 4.8 million accounts, resulting in 138 confirmed compromises — all belonging to users who had no two-factor authentication on their accounts.

At publication time, neither the C2 server nor any worker server IPs had any detections on VirusTotal (0/94), ThreatFox, URLhaus, or AbuseIPDB, so reputation-based blocklists alone would not have caught this infrastructure.

All 18 worker servers sat within a single IP block (31[.]58[.]245[.]0/24) owned by Komuta Savunma Yuksek Teknoloji Limited Sirketi, a hosting provider in Ankara, Turkey.

Multiple indicators — server names using the Turkish word “Sunucu,” a panel built entirely in Turkish, and root passwords ending with “kmt” (short for Komuta) — point clearly to a Turkish-speaking operator.

The initial deployment began on Christmas Day, December 25, 2025, when five servers came online, a timing consistent with threat actors standing up infrastructure when security teams are least active and response times are slowest.

One of the more revealing details buried in the operation’s own data is what the numbers say about two-factor authentication. Out of 4,862,580 accounts tested, 85.6% returned a 2FA challenge, stopping the botnet cold.

The operation had no way to bypass 2FA. It simply flagged those accounts and moved on, hunting exclusively within the 14.1% that relied on passwords alone. That figure directly confirms that enabling 2FA removes most users from this type of attack entirely. One caveat for the 2FA-protected accounts: a 2FA challenge is normally only issued once the submitted password has been accepted, so credentials that stopped at a 2FA prompt should be treated as valid and rotated, even though the login itself was blocked.
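Seen from the defending side, the behaviour described in this section is what a login-telemetry detection should key on: one source address, a long run of distinct usernames, almost no successes, and a share of attempts that stop at a 2FA prompt. The following is an added example, not code from the article or from Breakglass Intelligence. It builds a constructed audit log in an assumed format (timestamp, source IP, username, outcome), flags credential-stuffing sources with a per-IP tumbling window, and lists the accounts that logged in without a second factor, which are the ones to force-reset. All addresses, usernames and thresholds are assumptions.

```python
"""Credential-stuffing detection over login-audit records, keyed by source IP.
Added example; the log format and all addresses/usernames are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Outcome vocabulary assumed for the constructed log:
#   fail          - password rejected
#   2fa_challenge - password accepted, second factor required (login not completed)
#   success       - password accepted, no second factor on the account
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse '<ISO-8601 UTC timestamp> <src_ip> <username> <outcome>'."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, outcome


def detect(lines, window=WINDOW, min_attempts=20, min_distinct_users=15,
           max_success_ratio=0.10):
    """Return one alert per (source IP, window) that looks like credential stuffing:
    many attempts, almost all against different accounts, with a low success rate.
    A single account hammered from one IP is brute force, not stuffing, and is
    deliberately not matched here."""
    buckets = defaultdict(lambda: {"users": set(), "outcomes": Counter(), "compromised": set()})
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, outcome = parse_line(line)
        key = (ip, int(ts.timestamp() // window.total_seconds()))  # tumbling window
        bucket = buckets[key]
        bucket["users"].add(user)
        bucket["outcomes"][outcome] += 1
        if outcome == "success":
            bucket["compromised"].add(user)

    alerts = []
    for (ip, bucket_no), b in sorted(buckets.items()):
        total = sum(b["outcomes"].values())
        successes = b["outcomes"]["success"]
        if (total >= min_attempts and len(b["users"]) >= min_distinct_users
                and successes / total <= max_success_ratio):
            alerts.append({
                "ip": ip,
                "window_start": datetime.fromtimestamp(bucket_no * window.total_seconds(), timezone.utc),
                "attempts": total,
                "distinct_users": len(b["users"]),
                "fail": b["outcomes"]["fail"],
                "2fa_challenge": b["outcomes"]["2fa_challenge"],
                "success": successes,
                "compromised": sorted(b["compromised"]),  # accounts to force-reset
            })
    return alerts


def constructed_log():
    """Build a constructed sample (not real data): one stuffing source, one
    legitimate user who mistypes once, and one single-account brute force."""
    base = datetime(2026, 4, 10, 14, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # Stuffing source: 40 distinct usernames in two minutes; most fail, some stop at 2FA, two get in.
    outcomes = ["fail"] * 30 + ["2fa_challenge"] * 8 + ["success"] * 2
    for i, outcome in enumerate(outcomes):
        lines.append(f"{(base + timedelta(seconds=3 * i)):{fmt}} 198.51.100.7 user{i:03d} {outcome}")
    # Legitimate user: one typo, then success, same account, same IP.
    for i, outcome in enumerate(["fail", "success"]):
        lines.append(f"{(base + timedelta(seconds=10 + 20 * i)):{fmt}} 203.0.113.5 alice {outcome}")
    # Brute force against one account: high volume, but distinct_users == 1, so not stuffing.
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=5 * i)):{fmt}} 203.0.113.9 admin fail")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

The tumbling window keeps state bounded (one counter set per source per five minutes) at the cost of an attack straddling a boundary being split in two; the thresholds are starting points and should be tuned against a baseline of normal login traffic before alerting on them.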

The Exposed API: A Botnet Anyone Could Control

The most serious element of this case was not just that the botnet existed, but that anyone who found it could fully control it. The Flask panel exposed a complete set of REST API endpoints with no authentication on any of them.

A single GET request to /api/servers returned every worker’s IP address, root SSH password, installation state, and health metrics in plain text.

The operator built the panel without any access controls, relying entirely on the assumption that nobody would discover port 5000 on that IP address.

The accessible endpoints went well beyond reading credentials. Anyone with network access could start or stop the entire botnet, upload their own credential lists, download the results, push new settings to all 18 machines, and reinstall the checking software.

The /api/bulk/download endpoint meant that a third party could silently pull every compromised Twitter/X account from the operation without the original operator ever knowing.
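The anti-pattern in this section, and the shape of the fix, as an added example that is not the panel's code or anything from the article: two minimal WSGI applications (the interface Flask itself runs on; plain WSGI is used here so the example runs with the standard library alone). The first answers GET /api/servers exactly as described, returning a constructed worker inventory, root passwords included, to anyone who connects. The second gates every request behind a bearer token compared in constant time, which in Flask would live in a before_request hook, and strips credentials from the response because a control panel has no reason to echo them. The token source (a PANEL_API_TOKEN environment variable), the inventory, the names and the addresses are assumptions for the example.

```python
"""The exposed-panel anti-pattern next to a hardened version, as plain WSGI
(the interface Flask itself runs on). Added example; hosts, names and passwords
below are constructed and not real."""
import hmac
import json
import os
import secrets
from wsgiref.util import setup_testing_defaults

# Constructed stand-in for the panel's worker inventory (RFC 5737 test addresses).
WORKERS = [
    {"name": "Sunucu-01", "ip": "192.0.2.10", "root_password": "example-pw-1", "state": "installed"},
    {"name": "Sunucu-02", "ip": "192.0.2.11", "root_password": "example-pw-2", "state": "installed"},
]


def _json(start_response, status, payload):
    start_response(status, [("Content-Type", "application/json")])
    return [json.dumps(payload).encode()]


def exposed_app(environ, start_response):
    """What the article describes: any GET /api/servers returns the full inventory,
    root passwords included, with no authentication of any kind."""
    if environ["PATH_INFO"] == "/api/servers":
        return _json(start_response, "200 OK", WORKERS)
    return _json(start_response, "404 Not Found", {"error": "not found"})


# Hardened version. Assumption: the operator supplies the API token via the
# PANEL_API_TOKEN environment variable; with no token configured, a random one is
# generated so the service never starts with a known default or with no gate at all.
API_TOKEN = os.environ.get("PANEL_API_TOKEN") or secrets.token_urlsafe(32)


def _authorized(environ):
    """Bearer-token check applied to every request (Flask equivalent: a
    before_request hook). compare_digest avoids leaking the token via timing."""
    scheme, _, presented = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(presented.encode(), API_TOKEN.encode())


def _redact(worker):
    """Credentials never leave the server over the API; the UI does not need them."""
    return {k: v for k, v in worker.items() if k != "root_password"}


def hardened_app(environ, start_response):
    if not _authorized(environ):
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", "Bearer"), ("Content-Type", "application/json")])
        return [b'{"error": "unauthorized"}']
    if environ["PATH_INFO"] == "/api/servers":
        return _json(start_response, "200 OK", [_redact(w) for w in WORKERS])
    return _json(start_response, "404 Not Found", {"error": "not found"})


def call(app, path, token=None):
    """Drive a WSGI app in-process; returns (status line, decoded JSON body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if token is not None:
        environ["HTTP_AUTHORIZATION"] = f"Bearer {token}"
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body)


if __name__ == "__main__":
    print("exposed :", call(exposed_app, "/api/servers"))
    print("no token:", call(hardened_app, "/api/servers"))
    print("token   :", call(hardened_app, "/api/servers", token=API_TOKEN))
```

Two design points carry over to any real panel: the gate runs before routing, so a new endpoint such as /api/bulk/download cannot be added without inheriting it, and secrets are redacted at the data layer rather than per handler, so no single forgotten endpoint leaks them. A production deployment would additionally bind the listener to a private interface or VPN rather than 0.0.0.0.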

Breakglass Intelligence analysts recommend that Twitter/X immediately block all 19 identified IP addresses and force-reset the 138 compromised accounts.

Both Hetzner and Komuta Savunma should urgently process abuse reports for their respective infrastructure.

For individual users, the findings are direct: enabling two-factor authentication protected 85.6% of all tested accounts in this operation, and not reusing passwords across services removes the remaining risk, since credential stuffing only works with a password that has already leaked from another service.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags: Attack, Hacker, Security, Threat

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emy covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emy's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

All Rights Reserved by HackersRadar ©2026