Exposed Botnet Panel Reveals Live Twitter/X Credential-Stuffing Operation With No Authentication
A fully operational credential-stuffing botnet targeting Twitter/X accounts has been discovered running entirely without authentication, leaving its command-and-control infrastructure, worker fleet, and root server passwords openly accessible to anyone who stumbled upon it.
Researchers at GHOST uncovered an exposed Flask-based control panel — branded “Twitter Checker Master Panel – FULL FIX v2.3” — hosted at a publicly routable IP address on port 5000. The panel contained no login page, no API key validation, and no session handling whatsoever, meaning every function was reachable over plain HTTP by anyone with the address.
The command-and-control (C2) server runs on a Hetzner-hosted Windows Server 2019 instance in Falkenstein, Germany, with RDP, SMB, WinRM, and the Flask panel all simultaneously exposed — a configuration consistent with a largely unhardened deployment. GHOST captured the full 98 KB panel source code, confirming both the lack of access controls and the hardcoded API structure powering the operation.
Complete Infrastructure Left Wide Open
Every operational function within the botnet was mapped to unauthenticated REST endpoints. A call to /api/servers returned the IP address, root SSH password, health status, and installation state for each worker node in plain text — effectively publishing the attacker’s own server credentials to the open internet.
Any visitor could use bulk endpoints to start, stop, or restart credential checks across all workers, upload new combo lists, download freshly compromised account data, push new proxy configurations, or wipe result files entirely. The exposure gave outsiders the same level of control as the botnet’s operators.
Behind the C2, 18 Linux worker servers were identified in the 31[.]58[.]245[.]0/24 network range, all registered to Komuta Savunma Yuksek Teknoloji Limited Şirketi, a company based in Ankara, Turkey. All nodes were accessible via root SSH on port 22. Server labels used the Turkish word “Sunucu” (meaning “Server”), numbered from Sunucu 8 through Sunucu 25 — implying at least seven earlier nodes had already been decommissioned.
Over 700,000 Accounts Tested in 12 Minutes
During a 12-minute observation window on April 10, 2026, GHOST watched the panel process 722,763 Twitter/X credential pairs in real time, adding 18 newly compromised accounts to its results during that period alone.
Lifetime counters embedded in the panel recorded 4,862,580 total accounts tested, yielding 138 successful account takeovers — an overall hit rate of approximately 0.0028%. While modest as a percentage, the figure becomes significant when the pipeline operates continuously at millions of attempts per day.
The data also revealed a striking insight into the role of two-factor authentication (2FA): roughly 4,163,790 accounts — about 85.6% of those tested — returned a two-factor challenge and were immediately abandoned by the tool. Only 211,662 accounts had valid passwords without 2FA enabled, and just 138 of those were fully taken over. The botnet shows no capability for bypassing 2FA, making it exclusively reliant on unprotected accounts.
Attribution Points to a Turkish-Speaking Operator
Multiple indicators point to a Turkish-speaking actor. The entire web interface is rendered in Turkish, using labels such as “Sunucu Ekle” (Add Server), “Toplu Başlat” (Bulk Start), and “Canlı İstatistikler” (Live Statistics). All 18 worker servers reside on a RIPE-registered IP block tied to Komuta Savunma, an entry dating to December 2024 that also hosts a mix of ordinary Turkish businesses — suggesting a small regional provider rather than a dedicated bulletproof hosting service.
Root passwords across all worker servers followed a consistent pattern: a 12-character lowercase hexadecimal string followed by the suffix kmt.! — likely a shorthand for “Komuta” combined with a static complexity character. This uniformity points to an automated provisioning pipeline controlled by a single actor or small team. Three deployment bursts were observed between December 25, 2025 and January 31, 2026, followed by a coordinated tool rollout in late February.
Still Flying Under the Radar of Major Threat Feeds
Despite operating openly at scale, the botnet had gone undetected across major public threat intelligence platforms. At the time of reporting, VirusTotal showed zero detections for both the C2 and worker IPs, and no coverage existed on ThreatFox, URLhaus, or AbuseIPDB.
The C2 server also carried an expired Let’s Encrypt certificate previously issued for an unrelated domain, reinforcing how commodity credential-stuffing operations can quietly persist on general-purpose cloud infrastructure without attracting attention.
This operation underscores several practical recommendations for defenders and everyday users alike:
- Enable 2FA on Twitter/X immediately. This campaign treats two-factor authentication as a hard stop — over 85% of checked accounts were skipped solely because 2FA was active.
- Enforce rate limiting and anomaly detection on authentication endpoints to throttle high-volume checking from shared or sequentially numbered IP blocks.
- Monitor for credential exposure using services like Have I Been Pwned to identify whether your credentials appear in combo lists used by operations like this one.