
GoBruteforcer Botnet Targets Crypto and Blockchain Projects in New Attack Wave

Security researchers have uncovered an evolved version of the GoBruteforcer botnet actively targeting cryptocurrency and blockchain databases. The campaign exploits weak passwords - many propagated by AI-generated server deployment examples - to steal funds from compromised wallets.

Evan Mael
Vulnerable servers: 50,000+
TRON wallets found: 23,000
Exposed FTP servers: 5.7M
Cloud breaches via weak credentials: 47.2%

Check Point Research has uncovered an evolved version of the GoBruteforcer botnet actively targeting databases belonging to cryptocurrency and blockchain projects. This sophisticated campaign leverages weak passwords - many inadvertently propagated through AI-generated server deployment examples - to compromise Linux servers and ultimately steal funds from blockchain wallets.

The scale of this threat is significant. According to the researchers' analysis, more than 50,000 internet-facing servers may be vulnerable to GoBruteforcer attacks. The botnet specifically targets [FTP](/glossary/ftp) servers, MySQL and PostgreSQL databases, and phpMyAdmin panels. Once a server is compromised, it becomes a scanning node that perpetuates the attack by searching for additional vulnerable targets.

A Crypto-Focused Campaign

This variant of GoBruteforcer stands out because of its clear financial motivation. On one compromised host, researchers recovered Go-based tools specifically designed for cryptocurrency theft. These tools included a TRON balance scanner and "token-sweep" utilities for both TRON and Binance Smart Chain (BSC). Alongside these tools, they found a file containing approximately 23,000 TRON wallet addresses - likely harvested from compromised databases.

On-chain transaction analysis of the attackers' recipient wallets confirmed that at least some of the financially motivated attacks were successful. The researchers determined with moderate confidence that the compromised database likely belonged to an older or legacy blockchain product - possibly a custodial wallet service that stored user private keys.

The AI Connection

What makes this campaign particularly concerning is how modern development practices may be inadvertently fueling it. Check Point researchers observed that credential lists used by GoBruteforcer include common operational usernames like appuser, myuser, cryptouser, and crypto_app. These are exactly the kind of generic names that frequently appear in AI-generated server deployment examples and tutorials.

When researchers asked two mainstream large language models to help create a MySQL instance in Docker, both produced near-identical snippets featuring stock username patterns with weak default passwords. While AI assistants boost productivity and lower barriers to entry, blindly following their configuration examples without modification introduces serious security risks. Developers who copy and paste AI-generated code directly into production are, in effect, deploying credentials that are already known to attackers.

Beyond AI-generated defaults, the second driver behind successful attacks is the persistence of legacy web server stacks like XAMPP. These all-in-one packages often ship with FTP servers enabled by default and use weak or predictable credentials unless administrators explicitly run security hardening procedures.
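The kind of pre-deployment audit a team could run over a compose file, added here as an example and not code from Check Point or this article: it flags the stock usernames the article lists, stock or short passwords, and database ports published on every interface, then shows a hardened rewrite. The stock-password list and the compose snippet are constructed for the example.

```python
import re
import secrets

# Usernames the article reports in GoBruteforcer's credential lists (taken from the page).
STOCK_USERNAMES = {"appuser", "myuser", "cryptouser", "crypto_app"}
STOCK_PASSWORDS = {"password", "secret", "changeme", "mysql", "root", "123456", "example"}  # constructed; use a leaked-password corpus in practice
USER_KEYS = ("MYSQL_USER", "POSTGRES_USER")
PASS_KEYS = ("MYSQL_ROOT_PASSWORD", "MYSQL_PASSWORD", "POSTGRES_PASSWORD")
# KEY: value (compose) or KEY=value (.env) lines; lowercase keys such as image: are ignored.
ASSIGN = re.compile(r"^\s*-?\s*([A-Z_]+)\s*[:=]\s*[\"']?([^\"'\s#]+)", re.M)
# Compose port mappings: prefix, optional host IP, host port, container port.
PORT = re.compile(r"^(\s*-\s*[\"']?)(?:(\d{1,3}(?:\.\d{1,3}){3}):)?(\d+):(\d+)", re.M)

# Constructed snippet in the shape of a typical AI-suggested "MySQL in Docker" example.
WEAK_COMPOSE = """\
services:
  db:
    image: mysql:8
    environment:
      MYSQL_ROOT_PASSWORD: root
      MYSQL_USER: appuser
      MYSQL_PASSWORD: password
    ports:
      - "3306:3306"
"""

def audit_compose(text):
    """Return findings for a compose/.env snippet; an empty list means nothing was flagged."""
    env = dict(ASSIGN.findall(text))
    users = {env[k].lower() for k in USER_KEYS if k in env}
    findings = []
    for k in USER_KEYS:
        if env.get(k, "").lower() in STOCK_USERNAMES:
            findings.append(f"{k}: stock username '{env[k]}' appears in attacker wordlists")
    for k in (k for k in PASS_KEYS if k in env):
        pw = env[k]
        if pw.lower() in STOCK_PASSWORDS or pw.lower() in users:
            findings.append(f"{k}: stock or username-derived password")
        elif len(pw) < 16:
            findings.append(f"{k}: password shorter than 16 characters")
    for _, host_ip, host_port, _ in PORT.findall(text):
        if not host_ip:
            findings.append(f"port {host_port}: published on all interfaces (internet-reachable)")
    return findings

def harden_compose(text):
    """Give each password a fresh 32-character random secret and bind published ports to localhost."""
    for k in PASS_KEYS:
        text = re.sub(rf"^(\s*{k}\s*[:=]\s*)\S+", lambda m: m.group(1) + secrets.token_urlsafe(24), text, flags=re.M)
    return PORT.sub(lambda m: m.group(0) if m.group(2) else f"{m.group(1)}127.0.0.1:{m.group(3)}:{m.group(4)}", text)
```

The hardened output still reports the stock username, because choosing a non-generic account name is a decision the tool cannot make for you.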

Massive Attack Surface

The scale of exposed infrastructure is staggering. According to recent Shodan data, millions of database and file transfer services are directly exposed to the internet. FTP servers alone account for 5.7 million exposed instances, MySQL databases contribute another 2.23 million, and PostgreSQL adds 560,000 more. Each of these represents a potential entry point for attackers.

When researchers compared GoBruteforcer's credential list against a database of approximately 10 million leaked passwords, they found an overlap of roughly 2.44%. While this might seem like a small percentage, the sheer number of exposed services makes brute-force attacks economically attractive. Even a 1% success rate against millions of targets yields thousands of compromised servers.

This finding aligns with Google's 2024 Cloud Threat Horizons report, which found that weak or missing credentials accounted for 47.2% of initial access vectors in compromised cloud environments - making credential attacks the single most common entry point for attackers.

An Evolved Threat

The 2025 variant of GoBruteforcer introduces several significant improvements over the version first documented in 2023. The malware has been completely rewritten in Go and obfuscated using the Garbler tool, which makes reverse engineering and analysis considerably more difficult for security researchers.

The botnet includes an IRC bot component with sophisticated process masking capabilities. It changes its process name and command line to appear as init in system monitors, allowing it to blend in with legitimate system processes. For persistence, the malware installs cron jobs that restart the binary every five minutes, ensuring it survives reboots and manual termination attempts.
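Detection logic for the two host-level behaviours just described, added as an example and not taken from the researchers' report: a process presenting itself as init without being PID 1, and a cron entry firing every five minutes or faster that points at a binary outside the system directories or inside a hidden directory. The ps and crontab samples are constructed.

```python
import re

# Constructed sample in the shape of `ps -eo pid,ppid,comm,args` output; PIDs 4711 and 4720
# mimic the masquerade the article describes (process name and command line set to "init").
PS_SAMPLE = """\
  PID  PPID COMMAND ARGS
    1     0 systemd /sbin/init splash
  812     1 sshd    /usr/sbin/sshd -D
 4711     1 init    init
 4720  4711 init    init
"""
# Constructed sample in the shape of `crontab -l`; the last entry mimics a five-minute restart loop.
CRON_SAMPLE = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /var/www/html/.cache/sys >/dev/null 2>&1
"""
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/")

def suspicious_init_processes(ps_text):
    """PIDs of processes that call themselves init without being PID 1 (only PID 1 is init on Linux)."""
    hits = []
    for line in ps_text.splitlines()[1:]:
        pid, _ppid, comm, args = line.split(maxsplit=3)
        if int(pid) != 1 and (comm == "init" or args.split()[0] in ("init", "/sbin/init")):
            hits.append(int(pid))
    return hits

def suspicious_cron_entries(cron_text):
    """Binaries scheduled every <=5 minutes that live outside system bin dirs or in a hidden directory."""
    hits = []
    for line in cron_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        minute, _h, _dom, _mon, _dow, command = line.split(maxsplit=5)
        step = re.fullmatch(r"\*/(\d+)", minute)
        frequent = minute == "*" or (step is not None and int(step.group(1)) <= 5)
        binary = command.split()[0]
        odd_path = not binary.startswith(SYSTEM_DIRS) or any(p.startswith(".") for p in binary.split("/"))
        if frequent and odd_path:
            hits.append(binary)
    return hits
```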

From a performance standpoint, a single infected host can sustain approximately 20 IP scans per second with minimal bandwidth usage - less than 64 kb/s outbound. This efficient design allows the botnet to scan vast swaths of the internet without triggering bandwidth-based detection mechanisms.

The attackers also implement operational security measures. The malware explicitly avoids scanning IP ranges belonging to AWS, major cloud providers with aggressive abuse response teams, and U.S. Department of Defense networks. This selective targeting is likely designed to avoid honeypots and reduce the chances of drawing unwanted attention from sophisticated defenders.

How the Attack Chain Works

Understanding the attack chain helps organizations defend against GoBruteforcer infections. The attack typically begins through compromised FTP servers, particularly on XAMPP installations where default credentials remain unchanged.

In the initial access phase, attackers gain FTP access using weak or default credentials from their wordlists. Once inside, they upload a PHP web shell to the webroot, giving them command execution capabilities on the server. The web shell then downloads and executes the IRC bot, establishing command-and-control communications. The compromised machine joins the botnet and receives instructions from the attacker infrastructure. The bruteforcer module then begins scanning random public IP ranges for additional vulnerable targets.

When blockchain databases are compromised, the attack takes a financial turn. The attackers deploy token-sweep utilities that scan for and transfer cryptocurrency funds. For these crypto-focused campaigns, the credential lists are specifically tailored with blockchain-themed usernames combined with common weak passwords.

Protection Recommendations

Organizations can defend against GoBruteforcer and similar botnet campaigns through several layers of protection. The key is addressing the root cause - weak credentials on exposed services.

The GoBruteforcer campaign demonstrates that despite years of security awareness, weak credentials remain one of the most exploited vulnerabilities. As AI tools make server deployment more accessible to less experienced developers, the importance of secure-by-default configurations only grows. Organizations must assume that any default or AI-suggested credential combination is already in attacker wordlists.

Incident Summary

Type: Data Breach
Severity: Critical
Industry: Enterprise
Threat Actor: Unknown
Target: Cryptocurrency
Published: Jan 8, 2026
