Hetzner and Twitter/X: Botnet Exposed: Hackers Leave Worker Access and Root Passwords Wide Open

Exposed Twitter/X Credential-Stuffing Botnet Reveals Full Infrastructure and Operations

Security researchers at GHOST uncovered an unsecured credential-stuffing botnet targeting Twitter/X, exposing its entire command-and-control (C2) infrastructure, worker fleet, and operational details. The botnet’s control panel, a Python Flask-based dashboard branded "Twitter Checker Master Panel – FULL FIX v2.3", was left completely unauthenticated, allowing unrestricted access to its management functions.

The C2 server, hosted on a Windows Server 2019 instance by Hetzner in Falkenstein, Germany, had multiple services (RDP, SMB, WinRM) exposed alongside the Flask panel. No authentication mechanisms were in place, enabling direct access to all endpoints via HTTP on port 5000. Researchers obtained the full 98 KB source code, confirming the absence of security controls and revealing hardcoded API routes for server management, campaign execution, and data exfiltration.

The botnet’s worker fleet consisted of 18 Linux servers in the 31.58.245.0/24 range, owned by the Turkish provider Komuta Savunma Yuksek Teknoloji in Ankara. All workers were accessible via root SSH on port 22, with credentials following a predictable pattern: a 12-character lowercase hexadecimal string followed by "kmt.!", likely a reference to the hosting provider. The servers carried Turkish labels (e.g., "Sunucu 8"), a numbering that suggests a previous generation of at least seven decommissioned nodes.

During a 12-minute observation on April 10, 2026, the botnet tested 722,763 Twitter/X credential pairs, adding 18 newly compromised accounts to its hit list. Lifetime statistics revealed 4.86 million accounts checked, with 138 successful takeovers, a 0.0028% success rate. Notably, 85.6% of tested accounts triggered two-factor authentication (2FA) and were discarded, demonstrating 2FA’s effectiveness in blocking such attacks. Only 211,662 accounts had valid passwords without 2FA, and just 138 of those were fully compromised.

Attribution indicators point to a Turkish-speaking operator, given the UI’s Turkish language labels (e.g., "Sunucu Ekle" for "Add Server") and the use of Komuta Savunma’s infrastructure. The botnet’s deployment occurred in waves between December 25, 2025, and January 31, 2026, with a tool rollout in late February. Despite its scale, the operation remained undetected on major threat feeds, including VirusTotal, ThreatFox, and AbuseIPDB, highlighting how credential-stuffing campaigns can persist on general-purpose cloud hosts.

The exposed infrastructure, including plaintext root passwords, bulk control endpoints, and real-time telemetry, provided a rare, unfiltered view into the mechanics of a large-scale automated attack.

Source: https://gbhackers.com/botnet-exposed/

Hetzner cybersecurity rating report: https://www.rankiteo.com/company/hetzner-online

Twitter cybersecurity rating report: https://www.rankiteo.com/company/twitter

{
  "id": "HETTWI1776176874",
  "linkid": "hetzner-online, twitter",
  "type": "Cyber Attack",
  "date": "4/2026",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}

{
  "affected_entities": [
    {
      "customers_affected": "722,763 accounts tested, 138 compromised",
      "industry": "Technology/Internet",
      "location": "Global",
      "name": "Twitter/X",
      "size": "Large",
      "type": "Social Media Platform"
    },
    {
      "industry": "Technology/Cloud Services",
      "location": "Ankara, Turkey",
      "name": "Komuta Savunma Yuksek Teknoloji",
      "type": "Hosting Provider"
    },
    {
      "industry": "Technology/Cloud Services",
      "location": "Falkenstein, Germany",
      "name": "Hetzner",
      "type": "Hosting Provider"
    }
  ],
  "attack_vector": "Exposed unauthenticated control panel, predictable SSH credentials",
  "data_breach": {
    "number_of_records_exposed": "722,763 (tested), 138 (compromised)",
    "personally_identifiable_information": "Potential (depends on account contents)",
    "sensitivity_of_data": "High (account credentials, potential PII in accounts)",
    "type_of_data_compromised": "Twitter/X account credentials, account metadata"
  },
  "date_detected": "2026-04-10",
  "description": "Security researchers at GHOST uncovered an unsecured credential-stuffing botnet targeting Twitter/X, exposing its entire command-and-control (C2) infrastructure, worker fleet, and operational details. The botnet’s control panel, a Python Flask-based dashboard, was left completely unauthenticated, allowing unrestricted access to its management functions. The C2 server had multiple services exposed without authentication, and the full source code was obtained. The botnet tested 722,763 Twitter/X credential pairs during a 12-minute observation, with 18 newly compromised accounts added to its hit list. Lifetime statistics revealed 4.86 million accounts checked and 138 successful takeovers.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage to Twitter/X due to credential-stuffing attacks",
    "data_compromised": "Twitter/X account credentials (722,763 tested, 138 compromised)",
    "identity_theft_risk": "High (compromised accounts may contain PII or linked services)",
    "operational_impact": "Potential unauthorized access to compromised Twitter/X accounts",
    "systems_affected": "Twitter/X accounts, botnet infrastructure (C2 server, 18 worker nodes)"
  },
  "initial_access_broker": {
    "entry_point": "Unauthenticated C2 panel, exposed services (RDP, SMB, WinRM)"
  },
  "investigation_status": "Ongoing (as of disclosure)",
  "lessons_learned": "2FA is highly effective in blocking credential-stuffing attacks (85.6% of tested accounts triggered 2FA). Unauthenticated control panels and weak credentials can lead to full infrastructure exposure. Credential-stuffing campaigns can persist undetected on general-purpose cloud hosts.",
  "motivation": "Account takeover for unknown purposes (likely financial or data exploitation)",
  "post_incident_analysis": {
    "corrective_actions": [
      "Secure all management panels and services with authentication",
      "Rotate and strengthen SSH credentials",
      "Disable root login and enforce key-based authentication",
      "Implement network segmentation",
      "Deploy enhanced monitoring for credential-stuffing activity"
    ],
    "root_causes": [
      "Unauthenticated Flask-based control panel",
      "Exposed services (RDP, SMB, WinRM) without authentication",
      "Predictable SSH credentials on worker nodes",
      "Lack of monitoring for credential-stuffing activity"
    ]
  },
  "recommendations": [
    "Enforce authentication on all management panels and services (RDP, SMB, WinRM, Flask dashboards).",
    "Implement strong, unpredictable SSH credentials and disable root login.",
    "Monitor for credential-stuffing activity and enforce 2FA on all accounts.",
    "Segment network access to critical infrastructure.",
    "Conduct regular audits of cloud-hosted services for misconfigurations.",
    "Threat intelligence feeds should include monitoring of general-purpose cloud hosts for malicious activity."
  ],
  "references": [
    {
      "source": "GHOST Security Research"
    }
  ],
  "response": {
    "third_party_assistance": "GHOST security researchers"
  },
  "threat_actor": "Turkish-speaking operator (attribution based on UI language and infrastructure)",
  "title": "Exposed Twitter/X Credential-Stuffing Botnet Reveals Full Infrastructure and Operations",
  "type": "Credential Stuffing",
  "vulnerability_exploited": "Lack of authentication on C2 panel, weak SSH credentials, exposed services (RDP, SMB, WinRM)"
}