top of page

GoBruteforcer Botnet: How Weak Credentials Are Compromising Crypto Project Databases

The security of crypto projects depends heavily on protecting sensitive data stored in their databases. Yet, many projects overlook a simple but critical vulnerability: weak credentials. The GoBruteforcer botnet exploits this gap, targeting crypto project databases and causing significant damage. This post explores how this botnet operates, why weak credentials remain a problem, and what steps crypto projects can take to defend themselves.


Close-up view of a computer screen displaying code with a focus on login attempts
GoBruteforcer botnet targeting login credentials

What Is the GoBruteforcer Botnet?


GoBruteforcer is a botnet designed to automate brute force attacks on servers and databases. It scans for exposed services, then tries thousands of username and password combinations to gain unauthorized access. Unlike traditional brute force tools, GoBruteforcer is built with efficiency and stealth in mind, allowing it to operate at scale without triggering many security alarms.


The botnet primarily targets services commonly used by crypto projects, such as database management systems and web admin panels. Once it breaches a database, it can steal sensitive information, manipulate data, or deploy ransomware.


Why Crypto Projects Are Vulnerable


Crypto projects often rely on open-source tools and cloud-based infrastructure, which can introduce security risks if not properly configured. The main vulnerability exploited by GoBruteforcer is weak or reused credentials. Here are some reasons why this remains a widespread issue:


  • Default passwords are not changed: Many projects leave default admin passwords unchanged, making them easy targets.

  • Weak password policies: Simple or common passwords like "password123" or "admin" are still in use.

  • Credential reuse across services: Using the same password for multiple accounts increases risk.

  • Lack of multi-factor authentication (MFA): Without MFA, a compromised password grants full access.

  • Exposed services without proper firewall rules: Open ports allow the botnet to find and attack services directly.


How GoBruteforcer Attacks Work


The attack process typically follows these steps:


  1. Scanning: The botnet scans IP ranges looking for open ports associated with database services like MongoDB, MySQL, or Redis.

  2. Brute forcing: It attempts to log in using a list of common usernames and passwords.

  3. Access and exploitation: Once access is gained, the botnet can extract data, inject malicious code, or disrupt operations.

  4. Persistence: Some variants install backdoors to maintain control even if credentials are changed later.


For example, in early 2023, a popular DeFi project suffered a breach when GoBruteforcer accessed its MongoDB database using default credentials. The attackers extracted user wallet information and drained funds from connected wallets.


Real-World Impact on Crypto Projects


The consequences of such breaches are severe:


  • Financial losses: Stolen funds or manipulated transactions can lead to direct monetary damage.

  • Loss of user trust: Users may abandon a project after a security incident.

  • Regulatory scrutiny: Data breaches can attract legal penalties and compliance investigations.

  • Operational disruption: Restoring compromised databases takes time and resources.


One notable case involved a crypto exchange that lost over $2 million after attackers used brute force to access their admin panel. The breach exposed customer data and halted trading for several days.


Best Practices to Protect Crypto Project Databases


Preventing GoBruteforcer attacks requires a combination of technical controls and good security habits:


  • Use strong, unique passwords for all accounts and services.

  • Implement multi-factor authentication wherever possible.

  • Change default credentials immediately after installation.

  • Limit access with firewall rules to block unauthorized IP addresses.

  • Monitor login attempts and set up alerts for suspicious activity.

  • Regularly update and patch software to fix known vulnerabilities.

  • Encrypt sensitive data both at rest and in transit.

  • Conduct security audits and penetration tests to identify weak points.


Tools and Techniques to Detect and Respond


Crypto projects can use several tools to detect brute force attempts and respond quickly:


  • Intrusion detection systems (IDS) monitor network traffic for unusual patterns.

  • Log analysis tools help identify repeated failed login attempts.

  • Rate limiting on login endpoints slows down brute force attacks.

  • Honeypots can trap and analyze botnet activity.

  • Incident response plans ensure teams act fast to contain breaches.


Building a Security Culture in Crypto Teams


Technology alone is not enough. Teams must prioritize security awareness:


  • Train developers and admins on password hygiene.

  • Encourage regular credential updates.

  • Promote the use of password managers.

  • Share lessons learned from past incidents.

  • Foster a mindset that security is everyone's responsibility.


Looking Ahead: The Future of Botnet Threats in Crypto


As crypto projects grow, attackers will continue evolving their methods. Botnets like GoBruteforcer may incorporate AI to guess passwords more efficiently or exploit new vulnerabilities. Projects must stay vigilant and adapt their defenses accordingly.


Emerging solutions such as decentralized identity verification and zero-trust architectures offer promising ways to reduce reliance on passwords alone.



A new wave of GoBruteforcer attacks has targeted databases of cryptocurrency and blockchain projects to co-opt them into a botnet that's capable of brute-forcing user passwords for services such as FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux servers.

"The current wave of campaigns is driven by two factors: the mass reuse of AI-generated server deployment examples that propagate common usernames and weak defaults, and the persistence of legacy web stacks such as XAMPP that expose FTP and admin interfaces with minimal hardening," Check Point Research said in an analysis published last week.

GoBruteforcer, also called GoBrut, was first documented by Palo Alto Networks Unit 42 in March 2023, documenting its ability to target Unix-like platforms running x86, x64, and ARM architectures to deploy an Internet Relay Chat (IRC) bot and a web shell for remote access, along with fetching a brute-force module to scan for vulnerable systems and expand the botnet's reach.

A subsequent report from the Black Lotus Labs team at Lumen Technologies in September 2025 found that a chunk of the infected bots under the control of another malware family known as SystemBC were also part of the GoBruteforcer botnet.

Check Point said it identified a more sophisticated version of the Golang malware in mid-2025, packing in a heavily obfuscated IRC bot that's rewritten in the cross-platform programming language, improved persistence mechanisms, process-masking techniques, and dynamic credential lists.

The list of credentials includes a combination of common usernames and passwords (e.g., myuser:Abcd@123 or appeaser:admin123456) that can accept remote logins. The choice of these names is not happenstance, as they have been used in database tutorials and vendor documentation, all of which have been used to train Large language models (LLMs), causing them to produce code snippets with the same default usernames.

Some of the other usernames in the list are cryptocurrency-focused (e.g., cryptouser, appcrypto, crypto_app, and crypto) or target phpMyAdmin panels (e.g., root, wordpress, and wpuser).

"The attackers reuse a small, stable password pool for each campaign, refresh per-task lists from that pool, and rotate usernames and niche additions several times a week to pursue different targets," Check Point said. "Unlike the other services, FTP brute-force uses a small, hardcoded set of credentials embedded in the bruteforcer binary. That built-in set points to web-hosting stacks and default service accounts."

In the activity observed by Check Point, an internet-exposed FTP service on servers running XAMPP is used as an initial access vector to upload a PHP web shell, which is then used to download and execute an updated version of the IRC bot using a shell script based on the system architecture. Once a host is successfully infected, it can serve three different uses -

  • Run the brute-force component to attempt password logins for FTP, MySQL, Postgres, and phpMyAdmin across the internet

  • Host and serve payloads to other compromised systems, or

  • Host IRC-style control endpoints or act as a backup command-and-control (C2) for resilience

Further analysis of the campaign has determined that one of the compromised hosts has been used to stage a module that iterates through a list of TRON blockchain addresses and queries balances using the tronscanapi[.]com service to identify accounts with non-zero funds. This indicates a concerted effort to target blockchain projects.

"GoBruteforcer exemplifies a broader and persistent problem: The combination of exposed infrastructure, weak credentials, and increasingly automated tools," Check Point said. "While the botnet itself is technically straightforward, its operators benefit from the vast number of misconfigured services that remain online."

The disclosure comes as GreyNoise revealed that threat actors are systematically scanning the internet for misconfigured proxy servers that could provide access to commercial LLM services.

Of the two campaigns, one has leveraged server-side request forgery (SSRF) vulnerabilities to target Ollama's model pull functionality and Twilio SMS webhook integrations between October 2025 and January 2026. Based on the use of ProjectDiscovery's OAST infrastructure, it's posited that the activity likely originates from security researchers or bug bounty hunters.

The second set of activity, starting December 28, 2025, is assessed to be a high-volume enumeration effort to identify exposed or misconfigured LLM endpoints associated with Alibaba, Anthropic, DeepSeek, Google, Meta, Mistral, OpenAI, and xAI. The scanning originated from IP addresses 45.88.186[.]70 and 204.76.203[.]125.

"Starting December 28, 2025, two IPs launched a methodical probe of 73+ LLM model endpoints," the threat intelligence firm said. "In eleven days, they generated 80,469 sessions – systematic reconnaissance hunting for misconfigured proxy servers that might leak access to commercial APIs."


 
 
 

Comments

bottom of page