53
Attacker IPs
26.345
Credentials tested
26.584
SSH sessions
3 days
Observed duration
99,5%
SSH-2.0-Go

Context: what the honeypot captured

Between 11 and 13 June 2026, our SSH honeypot recorded an unusually coordinated credential stuffing campaign. Instead of the usual scattered noise —thousands of different IPs trying generic combinations—, we observed a different pattern: 53 unique IPs with homogeneous behavior, dictionaries focused on blockchain infrastructure terminology, and a second phase of GPU hardware reconnaissance in every session that passed authentication.

Automated campaign indicator

99.5% of the connections used the client identifier SSH-2.0-Go. This indicates that the campaign operates with a custom scanner or bot written in Go, not with standard SSH clients. Only 359 connections used legitimate clients (paramiko, PuTTY, libssh2).

The dictionary: credentials targeting Solana

The most striking finding is the distribution of credentials. The most frequent usernames are not the usual admin or pi: they are terms specific to the Solana ecosystem.

PositionUsernameAttemptsContext
1root4.447Generic
2sol3.530Solana abbreviation / common user on nodes
3solana2.995Direct name of the protocol
4ubuntu1.654Common base operating system
5solv1.538Solv Protocol — Solana staking node
6trader633Typical role in DeFi infrastructure
7firedancer287Solana validator client by Jump Crypto
8validator275Standard Solana node role

The most-tried passwords reflect the same logic: basic numeric combinations mixed with terms from the ecosystem.

PositionPasswordAttempts
11234561.711
21231.036
312345678977
4solana927
5sol844
61234756
7node557
8firedancer502
9solv433
10ethereum275

Second phase: GPU reconnaissance

In every session that passed authentication, the attacker ran an identical hardware reconnaissance sequence before any other action. The goal: detect whether the machine has a GPU, which would indicate a staking node or a high-value crypto-mining server.

root@host:~#lspci | grep VGA | cut -f5- -d ' '
root@host:~#lspci | grep VGA -c
root@host:~#nvidia-smi -q | grep "Product Name" | head -n 1 | awk '{print $4, $5, $6, $7}'
root@host:~#lspci | grep "3D controller" | cut -f5- -d ' '
root@host:~#/bin/./uname -s -v -n -r -m
root@host:~#uptime -p

This sequence ran in 10,701 sessions — practically all of those that passed the authentication phase. The uniformity of the sequence confirms that this is an automated script, not a human operator.

Evasion technique: /bin/./uname

A relevant technical detail: instead of running uname directly, the script uses the variant /bin/./uname. This trivial path traversal (./ in the middle of an absolute path is ignored by the kernel) can evade simple detection rules based on exact string matching, which look for uname but not the variant with the dot.

Observed evasion

2,180 executions of /bin/./uname instead of uname. It is the same binary — the result is identical — but the string representation differs, which can bypass simple IDS signatures.

Campaign structure: 53 coordinated IPs

The distribution of attempts per IP reveals a botnet structure or distributed infrastructure with load sharing:

Attacker IPAttemptsUnique credentials
45.148.[REDACTED].1835.17351
2.57.[REDACTED].1774.40337
45.148.[REDACTED].2403.402101
83.168.[REDACTED].991.524379
91.92.[REDACTED].611.522761
192.109.[REDACTED].781.520
92.118.[REDACTED].621.407
195.178.[REDACTED].301.365

The three IPs with the highest volume of attempts use small, repetitive dictionaries (51–101 unique credentials), while the IPs with fewer attempts use broader dictionaries. This suggests a division of tasks within the campaign: some nodes test the most common credentials at high speed, others perform a broader sweep.

Payload download attempts

During the observation period, four payload download attempts were recorded. Two distinct URLs appear:

Observed dropper URLs

https://14.46.[REDACTED].77/sh — Direct IP, no domain. Typical ephemeral C2 format.

http://[REDACTED].sh/x — 3 attempts. The domain is deliberately obvious, possibly a researcher honeypot or an attacker connectivity test.

No download resulted in actual execution. Execution was blocked in every case — 0 bytes executed on the real host.

Conclusions

The observed campaign has specific characteristics that set it apart from generic mass scanning:

Methodological note: This analysis is based exclusively on the data recorded by our honeypot in production over 3 days. Attribution to a specific actor or particular group would require correlation with additional intelligence beyond the scope of this analysis.

Data collected for cybersecurity research purposes. All information comes from unsolicited activity recorded on our own infrastructure.

Data source
honeypot CipherSentry · 119,205 lines · 2026-06-11 to 2026-06-13
← All articles