Botnet exploits weak passwords to breach crypto and blockchain servers

Cryptocurrency and blockchain project databases with weak credentials and AI-generated are being hacked through deployment patterns picked up by botnets, according to new research from Check Point.

A malware botnet named GoBruteforcer is capable of compromising Linux servers and turning them into automated password-cracking nodes, said the cybersecurity company. The hacking program has affected infrastructure used by crypto projects, including database servers, file transfer services, and web administration panels. 

GoBrut can scan the internet for poorly secured services and attempt to log into services using popular usernames and weak passwords. Once a system is compromised, it is then added to a distributed network that can be remotely accessed by a network of hackers.

GoBruteforcer botnet can hack vaguely thought-out passwords

According to Check Point’s report published last Wednesday, the botnet can walk past protections in services like FTP, MySQL, PostgreSQL, and phpMyAdmin. These programs are used by blockchain startups and decentralized app developers to manage user data, application logic, and internal dashboards.

Systems GoBrute has hacked can accept commands from a command-and-control server, dictating which service to attack while supplying credentials for brute-force attempts. The revealed login details are reused to access other systems, steal private data, create hidden accounts, and add to the botnet’s reach.

Check Point also mentioned that infected hosts can also be repurposed to host malicious payloads, distribute malware to new victims, or become backup control servers if the core system is experiencing downtimes.

Many development teams now, including those from big tech firms like Microsoft and Amazon, use code snippets and setup guides generated by large language models (LLMs) or copied from online forums. 

Check Point explained that since AI models cannot create new passwords and usually mimic what they have been taught, they make usernames and default passwords very predictable, not changing them fast enough before systems are exposed to the internet. 

The problem becomes even more dire when legacy web stacks like XAMPP are used, which can expose administrative services by default and provide an easy entry point for hackers.

GoBruteforcer campaigns began in 2023, Unit 42 research found

GoBruteforcer was first documented in March 2023 by Palo Alto Networks’ Unit 42, which detailed its ability to compromise Unix-like systems x86, x64, and ARM architectures. The malware deploys an Internet Relay Chat bot and web shell, which attackers use to keep their remote access.

In September 2025, researchers at Lumen Technologies’ Black Lotus Labs found that a portion of infected machines linked to another malware family, SystemBC, were also GoBruteforcer nodes. Check Point analysts compared the password lists used in attacks against a database of roughly 10 million leaked credentials and found an overlap of about 2.44%.

Based on that overlap, they estimated that tens of thousands of database servers could accept one of the passwords used by the botnet. Google’s 2024 Cloud Threat Horizons report found that weak or missing credentials were responsible for 47.2% of initial access vectors in breached cloud environments.

Blockchain and AI reconnaissance expose private data, research finds

In instances where GoBrute was traced in cryptocurrency environments, network hackers used crypto-themed usernames and password variants that matched naming conventions from blockchain projects. Other campaigns targeted phpMyAdmin panels linked to WordPress sites, a service for project websites and dashboards. 

“Some tasks are clearly sector-focused. For example, we observed an attack that used crypto-themed usernames such as cryptouser, appcrypto, crypto_app, and crypto. In these runs, the passwords used combined the standard weak list with crypto-specific guesses such as cryptouser1 or crypto_user1234,” Check Point said, mentioning examples of passwords.

Check Point identified a compromised server being used to host a module that scanned TRON blockchain addresses and queried balances through a public blockchain API to identify wallets holding funds.

“The combination of exposed infrastructure, weak credentials, and increasingly automated tools. While the botnet itself is technically straightforward, its operators benefit from the number of misconfigured services online,” the security company wrote.

Get seen where it counts. Advertise in Cryptopolitan Research and reach crypto’s sharpest investors and builders.