A live credential stuffing botnet targeting Twitter/X accounts has been discovered completely exposed to the internet, allowing unauthorized access to its control panel, worker server credentials, and real-time attack data. The exposure meant that anyone who knew the IP address and port could gain full administrative control over the malicious operation, a significant security lapse in the attackers’ own setup.
The exposed system, identified as “Twitter Checker Master Panel – FULL FIX v2.3,” provided unrestricted access to root SSH passwords for all 18 worker servers. The botnet’s command-and-control (C2) panel was hosted on a Windows Server 2019 machine in Germany, at IP address 144[.]76[.]57[.]92 on port 5000. Initial analysis by Breakglass Intelligence on April 10, 2026, found no authentication at all: no login page, API keys, or session checks.
The Exposed API: A Botnet Anyone Could Control
The most critical aspect of this discovery is the complete lack of security on the botnet’s administrative interface. The Python Flask application, enhanced with Socket.IO for live log streaming, featured a full set of REST API endpoints, all of which were completely unauthenticated. This means that any individual who could find the C2 server was effectively handed the keys to the kingdom, able to manage and manipulate the botnet at will.
A simple GET request to the `/api/servers` endpoint would reveal each worker server’s IP address, its root SSH password, its current operational state, and its health metrics. This level of access allowed complete oversight and potential takeover of the entire botnet infrastructure. The operators appear to have relied solely on the obscurity of port 5000 on that IP address to keep the panel private, and obscurity of a port on an internet-facing host is no security at all.
Furthermore, the accessible API endpoints extended far beyond simple monitoring. Unauthorized users could initiate or halt the botnet’s operations, upload new lists of credentials for testing, download the results of ongoing attacks, and even push new configuration settings or reinstall the botnet’s checking software across all 18 machines. The `/api/bulk/download` endpoint presented a particular risk, enabling third parties to silently extract lists of compromised Twitter/X accounts without the original botnet operator’s knowledge.
During a brief 12-minute observation period, Breakglass Intelligence analysts witnessed the botnet test 722,763 credentials in real time and successfully confirm 18 new account compromises. Lifetime statistics captured during this session indicated that the operation had already tested over 4.8 million accounts, leading to 138 confirmed successful compromises. Notably, all these successful compromises were attributed to accounts that lacked two-factor authentication (2FA).
At the time of publication, none of the identified C2 or worker server IP addresses had any detections on common threat intelligence platforms such as VirusTotal, ThreatFox, URLhaus, or AbuseIPDB. This suggests the botnet, despite its exposed control panel, has so far evaded standard detection mechanisms.
The 18 worker servers were found to be operating within a single IP block, specifically 31[.]58[.]245[.]0/24, which is registered to Komuta Savunma Yuksek Teknoloji Limited Sirketi, a hosting provider based in Ankara, Turkey. Several indicators, including server names utilizing the Turkish word “Sunucu” (server), a control panel interface entirely in Turkish, and root passwords appended with “kmt” (a likely abbreviation for Komuta), strongly suggest that the operation is managed by Turkish-speaking individuals.
The initial deployment of this botnet infrastructure commenced on Christmas Day, December 25, 2025, with five servers brought online. This timing is often favored by threat actors looking to establish infrastructure when security teams may be less vigilant and response times could be slower.
A significant takeaway from the botnet’s own data concerns the effectiveness of two-factor authentication. Out of the 4,862,580 accounts that were tested, an overwhelming 85.6% presented a 2FA challenge. This effectively halted the botnet’s progress on those accounts, as it lacked any capability to bypass this security layer. This statistic vividly demonstrates that enabling 2FA renders the vast majority of users immune to this specific type of credential stuffing attack. The botnet could only proceed against the remaining 14.1% of accounts that relied solely on passwords.
Breakglass Intelligence has recommended that Twitter/X immediately block all 19 identified IP addresses associated with the botnet and, where possible, initiate forced password resets for the 138 accounts confirmed as compromised. Both Hetzner and Komuta Savunma have been urged to investigate and act upon abuse reports concerning their respective infrastructure. For individual users, the findings reinforce critical security advice: enabling two-factor authentication is paramount, as it effectively nullifies the threat posed by this type of attack for most users, and avoiding password reuse across different online services further mitigates the remaining risks.
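As an added example, not code from the report or from Breakglass Intelligence, the following Python shows how a login platform’s defenders could spot a run like this in their own authentication audit log and check whether a source address falls in the reported infrastructure. The log lines and their format are constructed for the example; the two network indicators are the ones named in the report, and the thresholds are illustrative assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators from the report above (the worker /24 and the C2 host); a real
# deployment would keep these in a blocklist feed rather than in source.
BLOCKED_NETWORKS = [ipaddress.ip_network("31.58.245.0/24"),
                    ipaddress.ip_network("144.76.57.92/32")]

# Constructed sample of a platform's login-audit log (not real data).
# Fields: timestamp, source IP, account, outcome. Outcome is one of:
# fail (bad password), 2fa (password correct, challenge issued), ok (logged in).
SAMPLE_LOG = """\
2026-04-10T12:00:01Z 31.58.245.10 alice fail
2026-04-10T12:00:01Z 31.58.245.10 bob 2fa
2026-04-10T12:00:02Z 31.58.245.11 carol fail
2026-04-10T12:00:02Z 31.58.245.11 dave 2fa
2026-04-10T12:00:02Z 31.58.245.12 erin ok
2026-04-10T12:00:03Z 31.58.245.12 frank fail
2026-04-10T12:00:03Z 31.58.245.13 grace 2fa
2026-04-10T12:00:04Z 203.0.113.7 heidi fail
2026-04-10T12:00:09Z 203.0.113.7 heidi ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (fail|2fa|ok)$")

def is_blocked(ip):
    """True if the address is inside any listed indicator network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)

def summarize_by_subnet(log_text):
    """Group attempts by source /24 and count distinct accounts and outcomes."""
    stats = defaultdict(lambda: {"accounts": set(), "fail": 0, "2fa": 0, "ok": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _, ip, account, outcome = m.groups()
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        stats[net]["accounts"].add(account)
        stats[net][outcome] += 1
    return stats

def flag_stuffing(log_text, min_accounts=5, min_spread=0.8):
    """Flag subnets that try many distinct accounts with few repeats: a stuffing
    run spreads one attempt over many accounts instead of retrying one account."""
    flagged = {}
    for net, s in summarize_by_subnet(log_text).items():
        total = s["fail"] + s["2fa"] + s["ok"]
        if len(s["accounts"]) >= min_accounts and len(s["accounts"]) / total >= min_spread:
            flagged[net] = {"attempts": total, "accounts": len(s["accounts"]),
                            "stopped_by_2fa": s["2fa"], "compromised": s["ok"]}
    return flagged
```

The `stopped_by_2fa` and `compromised` counters per subnet mirror the report’s own finding that challenge-protected accounts halted the run while password-only accounts did not.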
The immediate next step is for the identified hosting providers and the targeted platform to take action to secure the compromised infrastructure and protect user accounts. The continued operation of such an easily exploitable botnet highlights ongoing challenges in cybersecurity, and users are advised to remain vigilant and implement strong security practices.