GoBruteforcer Botnet Targets Crypto and Blockchain Infrastructure

A new botnet campaign powered by GoBruteforcer (also known as GoBrut) is actively scanning the internet and breaking into systems linked to cryptocurrency and blockchain projects. Security researchers report a noticeable increase in attacks against exposed servers that host crypto databases and backend infrastructure.

What GoBruteforcer actually is

GoBruteforcer is a modular piece of malware written in the Go programming language. It works as both a botnet and a brute-force attack tool, going after poorly secured services such as FTP, MySQL, PostgreSQL, and phpMyAdmin that are left open to the internet.

Once installed, it usually runs on compromised Linux servers, turning them into scanning machines that try to guess login credentials and spread the infection further.

Why this campaign matters

This isn’t a random spray-and-pray attack. The operators are clearly targeting crypto and blockchain projects rather than generic servers. Investigators found that the attackers are focusing on databases and services tied to blockchain applications, which strongly points to financial motives.

On some infected systems, researchers discovered tools designed to scan wallet balances on the TRON network and automatically sweep tokens. Transaction analysis suggests that at least some of these theft attempts were successful.

How the attacks unfold

The initial break-in usually happens through weakly configured services. Common entry points include XAMPP FTP setups, exposed phpMyAdmin panels, or MySQL and PostgreSQL servers still using default or weak passwords.

After gaining access, attackers upload web shells or small downloader tools. These are then used to install an IRC bot along with the GoBruteforcer module. From there, the malware begins large-scale brute-force scans across public IP ranges, systematically testing credential lists against exposed services.

Scale of the problem

Researchers estimate that more than 50,000 servers could still be vulnerable to these attacks due to poor security practices, reused passwords, and default configurations left unchanged.

Why these attacks keep working

Several factors are making this campaign effective:

  • Default or easily guessable credentials on critical services
  • AI-generated example configurations that unintentionally promote insecure setups
  • Fully automated brute-force tools that can test huge numbers of credentials without human involvement

What this means for crypto and blockchain teams

While blockchain networks themselves rely on strong cryptography and decentralized design, the surrounding infrastructure is often far less secure. Databases, admin panels, and backend services remain a major weak point — and attackers know it.

How to reduce your risk

To protect against similar botnet campaigns:

  • Lock down exposed services: Disable or strictly restrict FTP, phpMyAdmin, and database access from the public internet
  • Fix credentials: Eliminate default logins and enforce strong, unique passwords
  • Control network access: Use firewalls or VPNs for admin interfaces and block suspicious scanning traffic
  • Strengthen authentication: Enable multi-factor authentication wherever possible
  • Monitor continuously: Watch for abnormal login attempts and brute-force behavior
  • Audit regularly: Review server configurations and public-facing systems on a routine basis
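
To make the "Monitor continuously" item concrete, here is an added example (not taken from the researchers' report or from any vendor tool) that flags a source IP producing a burst of failed logins across the services this campaign targets, and marks any login that succeeds right after the burst. The normalized log format, the 60-second window, the threshold of 5 and every sample line are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed look-back window
THRESHOLD = 5                   # assumed failed logins per source inside WINDOW

# Constructed sample events in an assumed, already-normalized format:
# <ISO-8601 time> <service> <source IP> <username> <FAIL|OK>
SAMPLE_LOG = """\
2025-01-10T03:00:01 mysql 203.0.113.9 root FAIL
2025-01-10T03:00:03 mysql 203.0.113.9 admin FAIL
2025-01-10T03:00:05 ftp 203.0.113.9 ftpuser FAIL
2025-01-10T03:00:06 phpmyadmin 203.0.113.9 root FAIL
2025-01-10T03:00:08 postgresql 203.0.113.9 postgres FAIL
2025-01-10T03:00:10 mysql 203.0.113.9 root OK
2025-01-10T03:05:00 mysql 198.51.100.20 appuser FAIL
2025-01-10T03:05:09 mysql 198.51.100.20 appuser OK
"""

def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: alert} for sources that hit the failure threshold."""
    recent = defaultdict(deque)  # source IP -> (time, service, user) of recent failures
    alerts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        _, service, src, user, outcome = parts
        failures = recent[src]
        while failures and ts - failures[0][0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if outcome == "FAIL":
            failures.append((ts, service, user))
            if len(failures) >= threshold:
                alert = alerts.setdefault(
                    src, {"services": set(), "users": set(), "success_after_burst": []})
                alert["services"].update(s for _, s, _ in failures)
                alert["users"].update(u for _, _, u in failures)
        elif outcome == "OK" and src in alerts and failures:
            # A login that succeeds right after a burst suggests a guessed password.
            alerts[src]["success_after_burst"].append((service, user))
    return alerts

if __name__ == "__main__":
    for src, alert in detect(SAMPLE_LOG).items():
        print(src, sorted(alert["services"]), alert["success_after_burst"])
```

A source that appears under `success_after_burst` warrants immediate credential rotation and a review of the host for web shells or downloaders, since that is the stage the article describes following initial access.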