A major security lapse has exposed a credential-stuffing botnet operation after the attackers left their command-and-control (C2) panel completely unsecured. Researchers found that the infrastructure, which targeted Twitter/X accounts, was reachable without any authentication, effectively turning the attackers’ own system into an exposed target.

The exposed interface, labeled “Twitter Checker Master Panel – FULL FIX v2.3,” ran on an unauthenticated Flask application hosted at 144.76.57.92:5000. Because of this misconfiguration, anyone who reached the panel could interact directly with its functions. Its public API allowed callers to list servers, start or stop credential checks, upload combo lists, download attack results, and even change operational settings. The botnet’s entire control mechanism was therefore left wide open.

During a brief 12-minute observation window on April 10, 2026, the system reportedly processed 722,763 credentials and successfully compromised 18 Twitter/X accounts in real time. In addition, lifetime metrics revealed that the botnet had tested over 4.8 million credentials and confirmed 138 account breaches. However, the operation frequently failed when two-factor authentication (2FA) was enabled, highlighting a critical limitation.

The botnet relied on a fleet of 18 worker servers, all operating within a single /24 IP range. Each server was managed using root SSH credentials, which were also exposed in plaintext via the panel. The naming conventions and Turkish-language interface strongly suggest that a Turkish-speaking operator or team, likely based in Ankara, Turkey, managed the infrastructure.

The system also showed multiple operational security weaknesses. The command server reportedly exposed additional administrative services such as RDP, SMB, and WinRM. Threat intelligence platforms had not flagged these IP addresses during the investigation period. Researchers also observed that the same password pattern was reused across multiple systems, indicating automated credential generation rather than manual configuration.

More broadly, credential stuffing continues to thrive because many users reuse passwords across platforms, so attackers need only a small success rate to justify large-scale campaigns. Industry experts emphasize that defenses such as strong password hygiene, rate limiting, and multi-factor authentication remain essential.

According to Breakglass research, the most important detail is the 2FA signal. The report says the botnet could not bypass accounts protected by two-factor authentication, meaning the exposed campaign succeeded only against users with password-only protection.
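The two defensive points above, spotting a credential-stuffing source in authentication logs and measuring how much of its "success" 2FA actually stops, can be checked with a small detector. The code below is an added example written for this article; it is not Breakglass research code or part of any vendor product. The log line format, the sample log lines, and the detection thresholds (`window`, `min_users`, `min_fail_ratio`) are all assumptions chosen for illustration; the source addresses are documentation ranges, not the addresses from the report.

```python
"""Detect credential-stuffing sources in authentication logs.

Added example, not from the article or from Breakglass. The log format and
thresholds are assumptions; tune them to your own identity provider's logs.
Assumed format per line:
  <ISO-8601 UTC timestamp> src=<ip> user=<username> result=<fail|ok|mfa_required>
where "ok" means the login fully succeeded (no second factor enrolled) and
"mfa_required" means the password was correct but a second factor stopped it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source sprays many distinct usernames in seconds
# (credential stuffing), another is a single user mistyping their password.
SAMPLE_LOG = """\
2026-04-10T12:00:01Z src=203.0.113.5 user=alice result=fail
2026-04-10T12:00:02Z src=203.0.113.5 user=bob result=fail
2026-04-10T12:00:02Z src=203.0.113.5 user=carol result=fail
2026-04-10T12:00:03Z src=203.0.113.5 user=dave result=ok
2026-04-10T12:00:03Z src=203.0.113.5 user=erin result=fail
2026-04-10T12:00:04Z src=203.0.113.5 user=frank result=mfa_required
2026-04-10T12:00:04Z src=203.0.113.5 user=grace result=fail
2026-04-10T12:00:05Z src=203.0.113.5 user=heidi result=fail
2026-04-10T12:00:05Z src=203.0.113.5 user=ivan result=fail
2026-04-10T12:00:06Z src=203.0.113.5 user=judy result=fail
2026-04-10T12:01:00Z src=198.51.100.7 user=alice result=fail
2026-04-10T12:01:05Z src=198.51.100.7 user=alice result=fail
2026-04-10T12:01:09Z src=198.51.100.7 user=alice result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def summarize(events):
    """Count what a source achieved: raw attempts, password hits, and how many
    of those hits a second factor turned away (the 2FA signal)."""
    return {
        "attempts": len(events),
        "distinct_users": len({e["user"] for e in events}),
        "failures": sum(e["result"] == "fail" for e in events),
        "compromised": sum(e["result"] == "ok" for e in events),
        "blocked_by_mfa": sum(e["result"] == "mfa_required" for e in events),
    }


def detect_stuffing(events, window=timedelta(minutes=5), min_users=8, min_fail_ratio=0.7):
    """Flag a source IP when, inside any sliding time window, it tries at least
    `min_users` distinct usernames and most of those attempts fail. A single
    user retrying their own password never meets the distinct-user bar."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "fail" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Once flagged, report the source's whole activity, not just the window.
                alerts[src] = summarize(evs)
                break
    return alerts


if __name__ == "__main__":
    for src, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"credential stuffing from {src}: {stats}")
```

On the constructed sample the spraying source is flagged while the single retrying user is not; the summary separates the one account that was actually taken over (password-only) from the one whose correct password was stopped by a second factor, which is the measurement the report singles out. In a real deployment the flagged source would feed a rate limiter or block list, and the `blocked_by_mfa` counter is a useful metric for justifying MFA enrollment campaigns.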

This incident highlights two insights. First, credential-stuffing infrastructures are often simple and fragile despite their scale. Second, attacker missteps can expose entire operational ecosystems, giving defenders valuable intelligence to detect, block, and dismantle such threats more effectively.
