4.8 Million Accounts, 18 Workers, Every Root Password Exposed: Inside a Live Twitter/X Credential Stuffing Botnet
Published: April 10, 2026 | Classification: TLP:CLEAR | GHOST Investigation ID: GHOST-2026-0410-TWITTERSTUFFER
Executive Summary
An unauthenticated command-and-control panel at 144[.]76[.]57[.]92:5000 operates a credential stuffing botnet targeting Twitter/X accounts at scale. The panel — titled "Twitter Checker Master Panel - FULL FIX v2.3" — requires zero authentication to access, exposing the full operational infrastructure: 18 worker servers with root SSH credentials in plaintext, real-time attack statistics, combo list management, and result exfiltration.
During a 12-minute observation window on April 10, 2026, GHOST captured the operation testing 722,763 credentials and compromising 18 additional Twitter/X accounts in real time. Total lifetime statistics show 4.8 million+ accounts tested with 138 confirmed compromises — accounts that lacked two-factor authentication.
The operator is Turkish-speaking. All 18 worker servers sit within a single /24 block owned by Komuta Savunma Yuksek Teknoloji Limited Sirketi ("Command Defense High Technology LLC") in Ankara, Turkey. Every worker credential follows the same pattern: a 12-character hex prefix followed by kmt.!, — a likely abbreviation of the hosting provider's name.
At time of publication, this infrastructure has zero detections on VirusTotal (0/94), no coverage on ThreatFox, URLhaus, or AbuseIPDB.
Table of Contents
- Discovery and Access
- C2 Infrastructure
- Unauthenticated API Surface
- Live Statistics: Watching the Operation Run
- Worker Infrastructure
- Password Pattern Analysis
- Deployment Timeline
- Turkish Language Attribution
- Komuta Savunma Hosting Provider
- Historical Infrastructure
- The 2FA Signal
- MITRE ATT&CK Mapping
- Indicators of Compromise
- Detection Status
- What This Report Adds to the Public Record
- Recommendations
- Evidence Manifest
Discovery and Access
GHOST identified an exposed Flask application on 144[.]76[.]57[.]92:5000 during routine infrastructure scanning. The application presented a full-featured credential stuffing management panel with no authentication gate — no login form, no API keys, no session tokens. Every endpoint, every function, every credential stored in the panel is accessible to anyone who connects.
This is not a misconfiguration of an otherwise-secured panel. The application was built without authentication. There is no login route in the source. There is no middleware checking credentials. The entire operational security model assumes obscurity — that nobody will find port 5000 on this IP.
That assumption failed.
C2 Infrastructure
| Attribute | Value |
|---|---|
| IP Address | 144[.]76[.]57[.]92 |
| Port | 5000 (HTTP) |
| Hosting | Hetzner Online GmbH, Falkenstein, Saxony, Germany |
| ASN | AS24940 |
| OS | Windows Server 2019 |
| Hostname | WIN-FPU47O3PTJV |
| Stack | Python Flask + Socket.IO + Chart.js |
| Panel Title | Twitter Checker Master Panel - FULL FIX v2.3 |
| Additional Services | RDP (3389), SMB (445), WinRM (5985) |
| TLS Certificate | Let's Encrypt for impact[.]gradientconnectedai[.]com (expired 2025-06-09) |
The C2 runs on a Windows Server 2019 instance at Hetzner's Falkenstein data center. Beyond the Flask panel on port 5000, the server exposes RDP, SMB, and WinRM — a Windows administration surface wide open to the internet. The auto-generated hostname WIN-FPU47O3PTJV suggests a default installation with no hardening.
The panel itself is a single-page application built on Flask with Socket.IO for real-time log streaming and Chart.js for graphing check rates over time. The full panel source (98KB) was captured.
Unauthenticated API Surface
Every operational function is exposed via REST endpoints with no authentication:
| Endpoint | Method | Function |
|---|---|---|
| /api/servers | GET | Lists ALL servers with SSH credentials in plaintext |
| /api/stats/total | GET | Returns live aggregate statistics |
| /api/bulk/start | POST | Start credential checking on selected servers |
| /api/bulk/stop | POST | Stop credential checking on selected servers |
| /api/bulk/restart | POST | Restart the checker process |
| /api/bulk/upload | POST | Upload combo files (credential lists) to servers |
| /api/bulk/download | POST | Download results (compromised accounts) from servers |
| /api/bulk/settings | POST | Push configuration (worker count, sleep intervals, proxy lists) |
| /api/bulk/reset-txt | POST | Reset result files on workers |
The panel also uses WebSocket events for real-time monitoring:
- subscribe_logs — Subscribe to the live log feed from a specific worker
- log_update — Real-time statistics pushed to connected clients
- ping — 30-second heartbeat to maintain the connection
The /api/servers endpoint is the most damaging exposure. A single GET request returns every worker server's IP address, root SSH password, installation status, health metrics, and operational state. This is the equivalent of leaving a spreadsheet of all your infrastructure credentials on a public web server — because that is literally what this is.
The /api/bulk/upload and /api/bulk/download endpoints mean anyone with network access can inject their own credential lists into the operation or exfiltrate the compromised account results. The /api/bulk/start and /api/bulk/stop endpoints mean anyone can control the botnet.
Live Statistics: Watching the Operation Run
GHOST captured statistics at four points over a 12-minute window on April 10, 2026:
| Time (UTC) | Checked | Hits (Compromised) | 2FA Protected | Errors | CPM |
|---|---|---|---|---|---|
| 20:30 | 4,139,817 | 120 | 3,564,638 | 394,893 | 4,482 |
| 20:35 | 4,418,876 | 126 | 3,795,052 | 431,503 | 4,500 |
| 20:38 | 4,699,510 | 133 | 4,027,723 | 467,322 | 4,516 |
| 20:42 | 4,862,580 | 138 | 4,163,790 | 487,128 | 4,523 |
Key Observations
Throughput: 722,763 accounts checked in 12 minutes — approximately 60,230 checks per minute across all workers, though the panel's own CPM counter averaged ~4,500 (the two figures evidently measure different quantities; the panel's counter is not fleet-wide throughput). Extrapolating the panel's ~4,500 CPM yields an estimated 6.5 million checks per day.
Compromise rate: 18 new hits in 12 minutes. The overall hit rate is 0.0028% (138 out of 4,862,580) — low, but credential stuffing is a volume game. At this scale, even fractions of a percent produce actionable results.
2FA wall: 85.6% of all checked accounts (4,163,790 of 4,862,580) returned a 2FA challenge. The operation is designed to filter these out — it cannot bypass 2FA. It hunts exclusively for the 14.1% of accounts that rely on password-only authentication.
Error rate: 10.0% of checks result in errors (rate limiting, network failures, invalid credential format). This is a mature operation — the error rate is stable across all four snapshots, suggesting the operator has tuned proxy rotation and request timing.
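A defender-side illustration of the outcome mix described above, added here and not part of the GHOST report: a small Python detector that profiles login attempts per source IP (attempt velocity, number of distinct usernames sprayed, share of 2FA challenges and successes) over a constructed log sample. The "timestamp source_ip username outcome" log format, the outcome labels and the thresholds are this example's assumptions, not Twitter/X telemetry.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in an assumed "timestamp source_ip username outcome" format,
# not real Twitter/X telemetry. The first source behaves like a worker from the
# report (many usernames, mostly 2FA walls and failures, a rare hit); the second is an ordinary user.
SAMPLE_LOG = """\
2026-04-10T20:30:00Z 31.58.245.86 alice PASSWORD_FAIL
2026-04-10T20:30:01Z 31.58.245.86 bob 2FA_CHALLENGE
2026-04-10T20:30:01Z 31.58.245.86 carol 2FA_CHALLENGE
2026-04-10T20:30:02Z 31.58.245.86 dave ERROR
2026-04-10T20:30:02Z 31.58.245.86 erin 2FA_CHALLENGE
2026-04-10T20:30:03Z 31.58.245.86 frank SUCCESS
2026-04-10T20:30:03Z 31.58.245.86 grace 2FA_CHALLENGE
2026-04-10T20:30:04Z 31.58.245.86 heidi PASSWORD_FAIL
2026-04-10T20:30:00Z 203.0.113.7 alice PASSWORD_FAIL
2026-04-10T20:30:20Z 203.0.113.7 alice SUCCESS
"""

def parse(log_text):
    """Yield (datetime, source_ip, username, outcome) for each log line."""
    for line in log_text.splitlines():
        ts, src, user, outcome = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, user, outcome

def profile_sources(log_text):
    """Per source IP: attempts, distinct usernames, attempts per minute over the
    span seen, and the share of attempts that hit a 2FA wall or succeeded."""
    rows = defaultdict(list)
    for ts, src, user, outcome in parse(log_text):
        rows[src].append((ts, user, outcome))
    out = {}
    for src, r in rows.items():
        times = [t for t, _, _ in r]
        span = max((max(times) - min(times)).total_seconds(), 1.0)  # avoid /0 for one attempt
        out[src] = {
            "attempts": len(r),
            "distinct_users": len({u for _, u, _ in r}),
            "per_minute": len(r) * 60.0 / span,
            "challenge_ratio": sum(o == "2FA_CHALLENGE" for _, _, o in r) / len(r),
            "success_ratio": sum(o == "SUCCESS" for _, _, o in r) / len(r),
        }
    return out

def flag_stuffing(log_text, min_users=5, min_per_minute=30.0, max_success=0.2):
    """Sources spraying many usernames quickly with almost no successes.
    Thresholds are illustrative; tune them to the service's own baseline."""
    return sorted(src for src, p in profile_sources(log_text).items()
                  if p["distinct_users"] >= min_users
                  and p["per_minute"] >= min_per_minute
                  and p["success_ratio"] <= max_success)

if __name__ == "__main__":
    for src, p in profile_sources(SAMPLE_LOG).items():
        print(src, p)
    print("flagged:", flag_stuffing(SAMPLE_LOG))
```

The worker-like source is flagged on all three signals at once; a user retrying one account is not, even though it also fails first.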
Worker Infrastructure
All 18 active workers are in the 31[.]58[.]245[.]0/24 range, owned by Komuta Savunma Yuksek Teknoloji Limited Sirketi in Ankara, Turkey. All use root SSH access on port 22.
| Server Name | IP Address | Root Password | Date Added |
|---|---|---|---|
| Sunucu 8 | 31[.]58[.]245[.]86 | ec4f10cee3cckmt.!, | 2025-12-25 |
| Sunucu 9 | 31[.]58[.]245[.]105 | c10b0ae83de8kmt.!, | 2025-12-25 |
| Sunucu 10 | 31[.]58[.]245[.]123 | db6bedcc4e67kmt.!, | 2025-12-25 |
| Sunucu 11 | 31[.]58[.]245[.]134 | 812adbff6415kmt.!, | 2025-12-25 |
| Sunucu 12 | 31[.]58[.]245[.]135 | 86bbddec65a7kmt.!, | 2025-12-25 |
| Sunucu 13 | 31[.]58[.]245[.]103 | 2f6a7d8b4759kmt.!, | 2026-01-20 |
| Sunucu 14 | 31[.]58[.]245[.]96 | 49844a1b097akmt.!, | 2026-01-20 |
| Sunucu 15 | 31[.]58[.]245[.]89 | 9a35e3d82625kmt.!, | 2026-01-20 |
| Sunucu 16 | 31[.]58[.]245[.]74 | a6385bea14b1kmt.!, | 2026-01-20 |
| Sunucu 17 | 31[.]58[.]245[.]72 | f4d3f543a9eakmt.!, | 2026-01-20 |
| Sunucu 18 | 31[.]58[.]245[.]193 | 4072f35cc53akmt.!, | 2026-01-31 |
| Sunucu 19 | 31[.]58[.]245[.]177 | 1804397bf62ckmt.!, | 2026-01-31 |
| Sunucu 20 | 31[.]58[.]245[.]176 | 09fc08578b83kmt.!, | 2026-01-31 |
| Sunucu 21 | 31[.]58[.]245[.]165 | ed38c48d251akmt.!, | 2026-01-31 |
| Sunucu 22 | 31[.]58[.]245[.]160 | 91263615d387kmt.!, | 2026-01-31 |
| Sunucu 23 | 31[.]58[.]245[.]156 | 2c44a8a4bcfdkmt.!, | 2026-01-31 |
| Sunucu 24 | 31[.]58[.]245[.]148 | bec4dd66904fkmt.!, | 2026-01-31 |
| Sunucu 25 | 31[.]58[.]245[.]147 | 6128f8bf2202kmt.!, | 2026-01-31 |
Server names use the Turkish word "Sunucu" (server). Numbering begins at 8 — servers 1 through 7 previously existed and have been removed from the panel, indicating either decommissioned infrastructure or an earlier generation of workers that were rotated out.
Password Pattern Analysis
Every root password follows an identical structure:
[12-character lowercase hex string]kmt.!,
Examples:
- ec4f10cee3cc + kmt.!,
- c10b0ae83de8 + kmt.!,
- db6bedcc4e67 + kmt.!,
The 12-character hex prefix appears randomly generated (likely derived from a hash or UUID truncation). The kmt suffix almost certainly references Komuta — the hosting provider where all workers reside. The .!, suffix is a static complexity suffix to satisfy password policy requirements.
This pattern tells us several things:
- Single operator or small team — all passwords use the same generation scheme, suggesting one person provisioning all servers.
- Provider relationship — the kmt tag indicates familiarity with Komuta Savunma, possibly a reseller relationship or bulk provisioning arrangement.
- Programmatic generation — the hex prefixes are consistent with automated provisioning, not manual password selection.
Deployment Timeline
The worker deployment occurred in three distinct waves, followed by software installation:
Wave 1 — December 25, 2025 (Christmas Day)
Servers: Sunucu 8-12 (5 servers)
IPs: 31[.]58[.]245[.]86, .105, .123, .134, .135
The initial deployment happened on Christmas Day. Someone was standing up credential stuffing infrastructure while most of the security industry was offline. This is a common pattern — threat actors frequently time infrastructure deployment to holidays and weekends when monitoring and response capabilities are reduced.
Wave 2 — January 20, 2026
Servers: Sunucu 13-17 (5 servers)
IPs: 31[.]58[.]245[.]103, .96, .89, .74, .72
A second batch of equal size, added 26 days after the initial deployment. This suggests the operation validated its approach with the first wave and scaled horizontally.
Wave 3 — January 31, 2026
Servers: Sunucu 18-25 (8 servers)
IPs: 31[.]58[.]245[.]193, .177, .176, .165, .160, .156, .148, .147
The largest deployment — 8 servers in a single day, 11 days after Wave 2. The operation was scaling aggressively.
Mass Installation — February 24, 2026
All 18 servers had the checker software installed on the same day, indicating a coordinated deployment of the checking tooling across the full fleet.
Latest Activity — March 18, 2026
Sunucu 25 (31[.]58[.]245[.]147) had its checker reinstalled, suggesting troubleshooting or an update to the checking software.
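The password scheme (Password Pattern Analysis) and the deployment waves (Deployment Timeline) reproduced in code, as an added example that is not tooling from the report or the operator: it validates every published root password against the described pattern, extracts the hex prefixes, checks for reuse, and groups the workers by their "Date Added" value. The regex and function names are this example's own.

```python
import re
from collections import defaultdict

# Root passwords and "Date Added" values as published in the report's
# Worker Infrastructure table: (server name, root password, date added).
WORKERS = [
    ("Sunucu 8", "ec4f10cee3cckmt.!,", "2025-12-25"),
    ("Sunucu 9", "c10b0ae83de8kmt.!,", "2025-12-25"),
    ("Sunucu 10", "db6bedcc4e67kmt.!,", "2025-12-25"),
    ("Sunucu 11", "812adbff6415kmt.!,", "2025-12-25"),
    ("Sunucu 12", "86bbddec65a7kmt.!,", "2025-12-25"),
    ("Sunucu 13", "2f6a7d8b4759kmt.!,", "2026-01-20"),
    ("Sunucu 14", "49844a1b097akmt.!,", "2026-01-20"),
    ("Sunucu 15", "9a35e3d82625kmt.!,", "2026-01-20"),
    ("Sunucu 16", "a6385bea14b1kmt.!,", "2026-01-20"),
    ("Sunucu 17", "f4d3f543a9eakmt.!,", "2026-01-20"),
    ("Sunucu 18", "4072f35cc53akmt.!,", "2026-01-31"),
    ("Sunucu 19", "1804397bf62ckmt.!,", "2026-01-31"),
    ("Sunucu 20", "09fc08578b83kmt.!,", "2026-01-31"),
    ("Sunucu 21", "ed38c48d251akmt.!,", "2026-01-31"),
    ("Sunucu 22", "91263615d387kmt.!,", "2026-01-31"),
    ("Sunucu 23", "2c44a8a4bcfdkmt.!,", "2026-01-31"),
    ("Sunucu 24", "bec4dd66904fkmt.!,", "2026-01-31"),
    ("Sunucu 25", "6128f8bf2202kmt.!,", "2026-01-31"),
]

# The scheme the report describes: 12 lowercase hex characters, then the static
# suffix "kmt.!,". Anchored so mixed case or extra characters do not match.
PASSWORD_SCHEME = re.compile(r"^([0-9a-f]{12})kmt\.!,$")

def classify_passwords(workers):
    """Return (prefix_by_server, outliers): hex prefix per matching server, names of the rest."""
    prefixes, outliers = {}, []
    for name, password, _ in workers:
        m = PASSWORD_SCHEME.match(password)
        if m:
            prefixes[name] = m.group(1)
        else:
            outliers.append(name)
    return prefixes, outliers

def deployment_waves(workers):
    """Group server names by 'Date Added', oldest first, to expose batch provisioning."""
    waves = defaultdict(list)
    for name, _, added in workers:
        waves[added].append(name)
    return [(day, waves[day]) for day in sorted(waves)]

if __name__ == "__main__":
    prefixes, outliers = classify_passwords(WORKERS)
    reused = len(prefixes) - len(set(prefixes.values()))
    print(f"{len(prefixes)}/{len(WORKERS)} match the scheme, {reused} reused prefixes, outliers: {outliers}")
    for day, names in deployment_waves(WORKERS):
        print(day, len(names), "servers:", ", ".join(names))
```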
Turkish Language Attribution
The panel UI is entirely in Turkish with no localization options. Key strings observed:
| Turkish | English | Context |
|---|---|---|
| Sunucu Ekle | Add Server | Worker management |
| Toplu Baslat | Bulk Start | Mass operation control |
| Toplu Durdur | Bulk Stop | Mass operation control |
| Caliskan | Running | Server status |
| Durdurulmus | Stopped | Server status |
| Dosyalar | Files | Combo/result management |
| Ayarlar | Settings | Configuration |
| Kur | Install | Software deployment |
| Saglik | Health | Server monitoring |
| Canli Istatistikler | Live Statistics | Real-time dashboard |
The server names ("Sunucu 8" through "Sunucu 25"), the hosting provider relationship (Komuta Savunma, Ankara), the kmt password pattern, and the entirely Turkish UI collectively point to a Turkish-speaking operator based in or closely connected to Turkey.
Komuta Savunma Hosting Provider
| Attribute | Value |
|---|---|
| Full Name | Komuta Savunma Yuksek Teknoloji Limited Sirketi |
| English Translation | Command Defense High Technology Limited Company |
| RIPE Organization | ORG-KSYT1-RIPE |
| IP Range | 31[.]58[.]245[.]0/24 |
| Address | Yesilova Mh. 4023 Cd. Ser Tower No:1 Ic Kapi No:147, 06796 Etimesgut, Ankara, Turkey |
| Upstream Provider | DataPenta (abuse@datapenta[.]com) |
| Domain | komutacloud[.]com (resolves to 31[.]58[.]245[.]10) |
| RIPE Registration | 2024-12-03 |
Komuta Savunma is a relatively new entity — its RIPE registration dates to December 2024, barely a year before this botnet was deployed on their infrastructure. Shodan indexes 1,148 services across the /24 block.
The provider is not exclusively malicious. The same /24 hosts what appear to be legitimate Turkish businesses — bakeries, software companies, booking platforms. This is consistent with a small hosting provider serving a mix of legitimate and abusive customers, rather than a bulletproof hosting operation.
The abuse path runs through DataPenta, the upstream provider.
Historical Infrastructure
The C2 server carries a Let's Encrypt TLS certificate issued for impact[.]gradientconnectedai[.]com, expired since June 9, 2025. This domain was registered through Namecheap.
The expired certificate suggests the C2 server was repurposed — it previously hosted something under the GradientConnectedAI domain, and the operator either acquired the server secondhand or pivoted from a different project. The certificate was never renewed, indicating the operator either doesn't need TLS for the credential stuffing panel (it runs over plain HTTP on port 5000) or lacks the domain control to renew it.
The 2FA Signal
The most striking number in this dataset is 85.9% — the proportion of tested Twitter/X accounts that returned a two-factor authentication challenge.
Out of 4,862,580 accounts tested:
- 4,163,790 (85.6%) were protected by 2FA
- 487,128 (10.0%) returned errors
- 211,662 (4.4%) had valid credentials but no 2FA
- 138 (0.003% of non-2FA accounts) were successfully compromised
This operation is, inadvertently, the largest independent validation of Twitter/X's 2FA adoption rate we have seen. The credential stuffing pipeline treats 2FA as a hard stop — there is no bypass attempt, no session hijacking, no SIM swap integration. When an account has 2FA enabled, the checker moves on.
The 138 compromised accounts represent users who:
- Reused credentials from a breached database
- Did not enable any form of two-factor authentication
Both are preventable. This is credential stuffing at its most basic — no zero-days, no exploits, no sophistication. Just volume and the statistical certainty that some fraction of users will have weak hygiene.
MITRE ATT&CK Mapping
| ID | Technique | Application |
|---|---|---|
| T1078 | Valid Accounts | Credential stuffing to obtain valid Twitter/X credentials |
| T1110.004 | Credential Stuffing | Core operation — 4.8M+ credentials tested against Twitter/X |
| T1583.003 | Acquire Infrastructure: VPS | Hetzner C2 server + 18 Komuta Savunma worker servers |
| T1571 | Non-Standard Port | C2 panel served on port 5000 |
| T1102 | Web Service | Twitter/X API abuse for credential validation |
| T1059 | Command and Scripting Interpreter | SSH-based remote command execution on workers |
| T1021.004 | Remote Services: SSH | All worker management via root SSH |
Indicators of Compromise
C2 Server
144[.]76[.]57[.]92 (Hetzner Online GmbH, AS24940, Falkenstein, Germany)
Worker Servers (Komuta Savunma, AS?, Ankara, Turkey): the 18 addresses in 31[.]58[.]245[.]0/24 listed in the Worker Infrastructure table above
Domains
impact[.]gradientconnectedai[.]com (historical, cert expired 2025-06-09)
komutacloud[.]com (hosting provider, resolves to 31[.]58[.]245[.]10)
Network Signatures
- C2 panel: HTTP on port 5000, Flask/Socket.IO
- Workers: SSH on port 22 (root access)
- C2 additional services: RDP (3389), SMB (445), WinRM (5985)
Detection Status
| Platform | C2 IP (144[.]76[.]57[.]92) | Worker IPs (31[.]58[.]245[.]0/24) |
|---|---|---|
| VirusTotal | 0/94 | 0/94 |
| ThreatFox | No coverage | No coverage |
| URLhaus | No coverage | No coverage |
| AbuseIPDB | No reports | No reports |
At time of publication, this infrastructure is completely undetected across all major threat intelligence platforms.
What This Report Adds to the Public Record
- Full documentation of a live, active credential stuffing operation targeting Twitter/X at scale
- Complete worker infrastructure map with 18 server IPs, root credentials, and deployment timeline
- Real-time statistical capture demonstrating the operation's throughput and compromise rate
- Attribution indicators pointing to a Turkish-speaking operator using Turkish hosting infrastructure
- Empirical data on Twitter/X 2FA adoption rates derived from 4.8M+ credential tests
- Unauthenticated API surface documentation showing the full operational capability of the panel
- Password pattern analysis linking the operator to the Komuta Savunma hosting provider
Recommendations
For Twitter/X:
- The 19 IP addresses listed above should be blocked at the platform level immediately
- Rate limiting on authentication endpoints should be reviewed — 4,500+ checks per minute sustained over months suggests gaps
- The 138 compromised accounts should be force-reset
For Hetzner Online GmbH:
- 144[.]76[.]57[.]92 is operating a credential stuffing C2 with exposed RDP, SMB, and WinRM
- Abuse report warranted
For DataPenta / Komuta Savunma:
- 18 servers in 31[.]58[.]245[.]0/24 are being used as credential stuffing workers
- Root SSH credentials for all 18 are publicly exposed via the unauthenticated C2 panel
For all Twitter/X users:
- Enable two-factor authentication. This operation proves it works — 85.9% of accounts were protected by 2FA, and the botnet cannot bypass it
- Do not reuse passwords across services. The 138 compromised accounts were found through credential lists sourced from previous breaches
Evidence Manifest
| File | Description | Size |
|---|---|---|
| panel-full.html | Complete panel source code | 98 KB |
| api-servers.json | Worker list with credentials (first capture) | — |
| api-servers-final.json | Worker list with credentials (second capture) | — |
| api-stats.json | Live statistics (first capture, 20:30 UTC) | — |
| api-stats-final.json | Live statistics (final capture, 20:42 UTC) | — |
All evidence preserved in GHOST investigation archives.
This report documents a live operation. Infrastructure may change or go offline following publication.
GHOST — Breakglass Intelligence
https://intel.breakglass.tech