New GoBruteforcer Attack Wave Targets Crypto, Blockchain Projects
BleepingComputer•Jan 7, 2026

Companies Mentioned

  • Check Point Software (CHKP)
  • Amazon (AMZN)
  • Binance
  • Docker
  • TRON

Why It Matters

The campaign highlights how insecure default credentials and AI‑generated deployment scripts can jeopardize high‑value crypto assets, forcing the industry to tighten DevOps security practices.

Key Takeaways

  • Over 50,000 servers vulnerable to GoBruteforcer attacks
  • Botnet exploits default XAMPP FTP credentials
  • AI‑generated configs spread predictable usernames
  • Attack chain drops web shell, IRC bot, wallet scanner
  • Replace outdated stacks; enforce strong, unique passwords

Pulse Analysis

The GoBruteforcer botnet has resurfaced with a focused campaign against cryptocurrency and blockchain infrastructures. Leveraging compromised Linux hosts, the malware scans public IPv4 space and launches high‑speed brute‑force attacks against FTP, MySQL, PostgreSQL and phpMyAdmin endpoints. Once a credential is guessed, the attacker uploads a web shell, pulls an IRC bot and activates a module that can harvest wallet addresses, notably on the TRON and Binance Smart Chain networks. Check Point estimates more than 50,000 internet‑facing servers are presently exposed to this threat.

A distinctive driver of the current wave is the proliferation of AI‑generated deployment scripts. Large language models often suggest default usernames such as appuser, myuser or operator, which developers copy into Dockerfiles or XAMPP configurations without alteration. These predictable accounts match a hard‑coded list of 22 credential pairs embedded in the GoBrut binary, dramatically lowering the effort required for password‑spraying. Outdated stacks like XAMPP continue to ship with open FTP services and weak defaults, providing low‑hanging fruit for the botnet’s automated scanner.

Defending against GoBruteforcer demands a shift in both tooling and practice. Organizations should audit exposed services, disable unnecessary FTP and phpMyAdmin ports, and replace legacy stacks with hardened alternatives. Credential hygiene—unique, strong passwords and the elimination of default accounts—remains the most effective barrier. Moreover, teams must scrutinize AI‑generated code snippets, treating them as templates rather than production‑ready configurations. As blockchain projects increasingly rely on cloud‑native deployments, the incident underscores the broader risk that insecure DevOps pipelines pose to digital‑asset security.
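
The audit step recommended above, sketched as an added example (not code from the article, BleepingComputer or Check Point): a small linter that flags the predictable usernames named in this analysis, plus weak passwords, in compose-style or Dockerfile credential assignments. The 12-character minimum, the username-in-password check and the sample fragment are assumptions made for illustration, not the botnet's credential list.

```python
import re

# Usernames the article names as common in AI-generated deployment snippets.
PREDICTABLE_USERS = {"appuser", "myuser", "operator"}
MIN_LEN = 12  # assumed minimum length; not a figure from the article

# KEY=value or KEY: value, optionally prefixed by "- ", "ENV " or "export ".
ASSIGN = re.compile(
    r"""^\s*(?:-\s*|ENV\s+|export\s+)?([A-Za-z_]\w*)\s*[=:]\s*["']?([^"'\s]+)""")

def weak_password(pw, user):
    if user and user.lower() in pw.lower():
        return "password contains the username"
    if len(pw) < MIN_LEN:
        return f"password shorter than {MIN_LEN} characters"
    return None

def audit(text):
    """Return (line_no, key, reason) for each risky credential assignment."""
    findings, last_user = [], None
    for no, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        key, value = m.group(1).upper(), m.group(2)
        if key.endswith(("USER", "USERNAME")):
            last_user = value
            if value.lower() in PREDICTABLE_USERS:
                findings.append((no, key, "predictable username"))
        elif "PASSWORD" in key and not value.startswith("$"):
            # Values starting with "$" are injected at deploy time; skip them.
            reason = weak_password(value, last_user)
            if reason:
                findings.append((no, key, reason))
    return findings

# Constructed compose-style fragment for illustration.
SAMPLE = """\
db:
  environment:
    POSTGRES_USER: appuser
    POSTGRES_PASSWORD: appuser123
mysql:
  environment:
    - MYSQL_USER=myuser
    - MYSQL_PASSWORD=${MYSQL_PASSWORD}
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it over Dockerfiles, compose files and `.env` files in a repository before deployment; a finding means the account name or password should be replaced, not merely obscured.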
