Detection Brief #4 2026-03-30

Blockchain Validator Hunter

A Go-based SSH scanner is systematically brute-forcing credentials targeting blockchain validator infrastructure - including usernames for Firedancer, Jito MEV, and Raydium. The wordlist reveals targeted familiarity with the Solana validator ecosystem, not opportunistic guessing.

300+ Login attempts · 14h window

26 Targeted usernames

4 Sigma rules

Update 2026-04-02 - The campaign is still active. Over the 72 hours following initial observation, the same infrastructure (HASSH: 16443846184eafde36765c9bab2f4397, SSH-2.0-Go) continued scanning all three observable nodes. On 2026-04-02 alone, 92.118.39.x triggered 15 post-auth executions across Node 1 (DE, accepts all credentials) and Node 3 (FR, selective auth), every one followed by /bin/./uname -s -v -n -r -m and immediate disconnect - no Phase 2 activity observed. Additional credential pairs submitted: sol/sol, sol/1q2w3e, ubuntu/ubuntu. The campaign is consistent with sustained credential testing, not a targeted one-off.

What We Observed

On 2026-03-30 starting at ~01:39 UTC, five IP addresses from a single ASN began a sustained credential stuffing campaign against two of our honeypot nodes - one in Germany, one in France. Both nodes received the same wordlist. The campaign was still active at 15:40 UTC when this brief was written.

What sets this apart from standard SSH brute-forcing is the credential wordlist itself. The targeted usernames read like a directory of Solana validator services: jito, firedancer, raydium, validator, solana. The corresponding passwords - proxy, jitoproxy, firedancer - match the actual default configurations of those services.

Infrastructure

IP	N1 (DE) attempts	N3 (FR) attempts	First seen (UTC)
`92.118.39.x`	160	84	2026-03-30 01:39
`92.118.39.x`	29	29	2026-03-30 04:04
`2.57.122.x`	26	13	2026-03-30 01:19
`80.94.92.x`	0	40	2026-03-30 06:18
`80.94.92.x`	1	2	2026-03-30 04:24

All five IPs resolve to AS47890 UNMANAGED LTD (Romania) - an abuse-friendly hosting provider whose name is almost certainly a deliberate operational choice. The two 92.118.39.x addresses share a /24, as do the two 80.94.92.x addresses. Pattern is consistent with coordinated use of shared infrastructure, though common control across all five IPs is plausible but not proven.

Post-Authentication Behavior

On our Node 1 honeypot (which accepts all credentials), two sessions succeeded. Both followed an identical pattern:

SSH-2.0-Go
HASSH: 16443846184eafde36765c9bab2f4397

cowrie.login.success  [solana/solana]
cowrie.command.input  /bin/./uname -s -v -n -r -m
cowrie.session.closed  Connection lost after 0.2 seconds

The session duration of 0.2–0.3 seconds and immediate disconnect confirm that observed behavior was limited to post-auth host fingerprinting - no exploitation activity was observed. The tool logs in, runs the obfuscated /bin/./uname path (a known evasion pattern), and disconnects. What happens to submitted credentials after this phase is outside our observation window.

The TTY log hash was identical across both sessions on Node 1 (876deb10d4cf5b5c09201...b60d9cab81), confirming the same command sequence and exit behavior - consistent with automated tooling executing a fixed script.

The Wordlist: A Taxonomy of Blockchain Infrastructure

The full credential wordlist covers 26 unique usernames and 54 unique passwords across both nodes. Categorized by what they target:

Username	Passwords tried	Target	Notes
`firedancer`	`firedancer`, `ubuntu/firedancer`	Solana validator	Jump Trading's Solana validator client (C/Zig), limited mainnet-beta deployments
`jito`	`jito`, `proxy`	Solana MEV	Jito-Solana validator; proxy = default jito-proxy service name
`root`	`jitoproxy`	Solana MEV	Root access to Jito proxy process
`raydium`	`raydium`	Solana DeFi	Raydium AMM; likely targeting hot wallet / liquidity bot
`validator`	`validator`	Solana validator	Generic validator user - common naming convention
`solana`	`solana`, `solana123`, `sol@123`, `validator`, `p@ssw0rd`, +7	Solana node	Default Solana installer creates this user
`sol`	`sol`, `sol123`, `sol@123`, +5	Solana node	Common short alias
`solv`	`solv`, `123456`, `12345678`	Solana staking	Solv Protocol - Bitcoin liquid staking infrastructure
`ethereum`	`ethereum`	Ethereum node
`eth`	`eth`	Ethereum node	Short alias
`mina`	`mina`	Mina Protocol	ZK-based L1 blockchain
`minima`	`minima`	Minima	Mobile-first blockchain
`cmu`, `svn-cmu`	`cmu`, `svn-cmu`	HPC/university	Carnegie Mellon University naming convention
`mapr`	`mapr`	HPC cluster	MapR/HPE Ezmeral - Hadoop ecosystem default user
`grid`	`grid`	Grid computing	Generic compute cluster naming
`node`	`node`	Generic node op
`ubuntu`	`ubuntu`, `solana`, `validator`, `firedancer`, `qwer1234`, +5	Default user	Cloud VPS default account

On Firedancer: Firedancer is Jump Trading's from-scratch reimplementation of the Solana validator client in C and Zig, with limited mainnet-beta deployments as of early 2026. Including firedancer/firedancer in a credential wordlist suggests familiarity with the Solana validator ecosystem - this is not a username that appears in generic brute-force lists.

On Jito: Jito Labs' MEV infrastructure runs a jito-proxy service on validators that participate in the Jito block engine. The default configuration runs this proxy as the jito system user with service name proxy. The presence of jito/proxy and root/jitoproxy in the wordlist suggests awareness of Jito's specific service architecture, not just the existence of Jito as a concept.

The HPC Credentials

The inclusion of cmu, mapr, and grid credentials is unexpected alongside blockchain-specific targets. One interpretation: high-performance Solana validators require serious compute resources, and some operators run validators on university HPC infrastructure or repurpose cluster management tooling. The scanner may be targeting compute infrastructure broadly, not only Solana-branded deployments.

Attack Chain

Phase 1 - Credential validation (observed) ───────────────────────────────────────────────────────────────────── Coordinator (AS47890 RO) │ ├─ 92.118.39.x ──→ Systematic sweep, 160 attempts (Node 1) + 84 (Node 3) ├─ 92.118.39.x ──→ Parallel sweep, 29 attempts per node ├─ 2.57.122.x ──→ Supplementary sweep, partial wordlist ├─ 80.94.92.x ──→ Extended wordlist (incl. firedancer, raydium) └─ 80.94.92.x ──→ Minimal activity (probe / fallback) On success: → SSH-2.0-Go client connects → /bin/./uname -s -v -n -r -m (OS fingerprint) → Disconnect (0.2–0.3s) → Credentials logged for Phase 2 Phase 2 - Not observed (outside observation window) ───────────────────────────────────────────────────────────────────── Possible follow-on objectives (unproven): → Host triage / credential resale → Follow-up access with different tooling → If targeting validators: key extraction, wallet access, MEV interference

No Phase 2 activity was observed over 72 hours. Submitted credentials (solana/solana, sol/sol, others) did not trigger follow-up sessions during the observation window. This is consistent with asynchronous credential processing - where harvested credentials are assessed or resold separately from the scanning operation.

Why Solana Validators Are High-Value Targets

If this campaign is specifically targeting Solana validators, compromised infrastructure could provide access to several high-value assets:

Validator identity keys - in many deployments, the vote key and identity key are stored on disk. Shell access may allow extraction of these keys, potentially enabling impersonation or vote history manipulation depending on stake weight.

Hot wallets - validators typically maintain funded wallets for vote transaction fees. Operators running AMM bots (e.g. Raydium) may hold larger balances on the same host.

MEV infrastructure - validators participating in the Jito block engine have access to MEV tip flows. A compromised jito-proxy could potentially redirect tips or interfere with bundle submission.

Compute as a pivot - validators run on powerful hardware with trusted network positions. The HPC credentials in the wordlist suggest the campaign may also target compute infrastructure broadly, beyond blockchain-specific assets.

Prior Art

The closest documented prior art is GoBruteforcer, a Go-based credential stuffing tool analyzed by Unit42 (2023) and revisited by Check Point Research and Flare.io in January 2026. GoBruteforcer targets FTP, MySQL, PostgreSQL, and phpMyAdmin services using credential pairs derived from AI-generated tutorial code - accounts like cryptouser, myuser, appuser. After successful FTP access it deploys a PHP web shell, establishes an IRC C2 channel, and runs a TRON wallet sweep targeting BSC and TRON assets.

The campaign documented here is distinct from GoBruteforcer across every measurable dimension: it targets SSH exclusively (not FTP/web), uses a Solana-ecosystem credential wordlist with no overlap against GoBruteforcer's confirmed list, targets Solana rather than TRON/BSC, and shows no web shell, IRC bot, or C2 infrastructure. The only shared characteristics are Go-based tooling and a broad crypto focus - insufficient for attribution. These are different actors or campaigns.

In our review of public threat intelligence - Mandiant, CrowdStrike, Recorded Future, Talos, and available honeypot studies - we did not identify prior reporting that clearly documents an SSH credential campaign centered on Solana validator usernames. The firedancer, jito, and raydium usernames were not found in the public wordlists we checked, including SecLists; this should be treated as a bounded search result, not proof of absence. A 2025 honeypot study captured sol:sol as a credential pair but did not associate it with a coordinated campaign or validator-specific wordlist. The specific combination of HASSH, Go client, Solana-ecosystem wordlist, and /bin/./uname probe appears novel in public reporting.

The obfuscated /bin/./uname post-auth fingerprint is structurally identical to techniques associated with the Panchan P2P botnet family, though the HASSH fingerprint (16443846184eafde36765c9bab2f4397 vs. ec3a3c9aacd71c4e...) indicates different tooling. Shared technique, not necessarily shared actor.

Sigma Detection Rules

SSH Blockchain Validator Credential Stuffing - Username Match nullroute-2026-0401

title: SSH Blockchain Validator Credential Stuffing
id: nullroute-2026-0401
status: stable
description: >
  Detects SSH authentication attempts targeting usernames associated with
  Solana validator infrastructure (Firedancer, Jito, Raydium, validator).
author: nullroute.live
date: 2026-03-30
tags:
  - attack.credential_access
  - attack.t1110.001
logsource:
  product: cowrie
  category: honeypot
detection:
  selection:
    eventid: 'cowrie.login.failed'
    username|contains:
      - 'firedancer'
      - 'jito'
      - 'raydium'
      - 'solana'
      - 'validator'
      - 'solv'
  condition: selection
falsepositives:
  - Legitimate honeypot users (remove if your environment has solana users)
level: high

SSH Blockchain MEV Infrastructure - Jito-Specific Credential Pair nullroute-2026-0402

title: SSH Blockchain MEV Infrastructure - Jito Credential Targeting
id: nullroute-2026-0402
status: stable
description: >
  Detects SSH attempts using Jito MEV infrastructure credential pairs.
  High-confidence indicator - these are highly specific and not in
  general password lists.
author: nullroute.live
date: 2026-03-30
tags:
  - attack.credential_access
  - attack.t1110.001
logsource:
  product: ssh
  category: authentication
detection:
  selection_jito_user:
    username: 'jito'
    password|contains:
      - 'jito'
      - 'proxy'
  selection_root_jito:
    username: 'root'
    password|contains:
      - 'jitoproxy'
      - 'jito'
  condition: selection_jito_user or selection_root_jito
falsepositives:
  - None expected in standard environments
level: critical

SSH Blockchain Scanner - Go Client + Post-Auth OS Fingerprint nullroute-2026-0403

title: SSH Blockchain Scanner - Go Client with Obfuscated Uname
id: nullroute-2026-0403
status: stable
description: >
  Detects a Go-based SSH client that immediately runs an obfuscated uname
  command (/bin/./uname) after authentication and disconnects within 1s.
  Observed in blockchain validator credential validation campaigns.
author: nullroute.live
date: 2026-03-30
tags:
  - attack.discovery
  - attack.t1082
  - attack.t1033
logsource:
  product: cowrie
  category: honeypot
detection:
  selection_cmd:
    eventid: 'cowrie.command.input'
    input|contains: '/bin/./uname'
  selection_client:
    eventid: 'cowrie.client.version'
    version|startswith: 'SSH-2.0-Go'
  timeframe: 30s
  condition: selection_cmd and selection_client
falsepositives:
  - Go-based automation tools (rare, verify context)
level: medium

SSH Blockchain Scanner - HASSH Fingerprint nullroute-2026-0404

title: SSH Blockchain Scanner - HASSH Fingerprint Match
id: nullroute-2026-0404
status: experimental
description: >
  HASSH fingerprint 16443846184eafde36765c9bab2f4397 observed in blockchain
  validator credential stuffing campaign. Go-based SSH client targeting
  Solana/Ethereum infrastructure from AS47890 (UNMANAGED LTD, RO).
author: nullroute.live
date: 2026-03-30
tags:
  - attack.credential_access
  - attack.t1110.001
logsource:
  product: cowrie
  category: honeypot
detection:
  selection:
    eventid: 'cowrie.client.kex'
    hassh: '16443846184eafde36765c9bab2f4397'
  condition: selection
falsepositives:
  - HASSH collisions are possible; verify with IP and username context
level: medium

Indicators of Compromise

Type	Value	Context	Confidence
/24	`92.118.39.x`	Primary scan range - 2 hosts, 273 total attempts across 2 nodes	HIGH
/24	`80.94.92.x`	Extended wordlist range - 2 hosts (incl. firedancer, raydium creds)	HIGH
/24	`2.57.122.x`	Supplementary scanner	MEDIUM
ASN	`AS47890` (UNMANAGED LTD, RO)	All observed IPs; abuse-friendly hosting	HIGH
SSH Client	`SSH-2.0-Go`	Go-based SSH client used for scanning	MEDIUM
HASSH	`16443846184eafde36765c9bab2f4397`	SSH client fingerprint; verify with IP + username context	MEDIUM
Command	`/bin/./uname -s -v -n -r -m`	Post-auth OS fingerprint, obfuscated path	HIGH

IPs are anonymized above (last octet replaced with .x) per responsible disclosure practice. These should be treated as infrastructure that may rotate. The ASN and HASSH fingerprint are more durable indicators than individual IPs.

Recommendations

If you operate Solana validator infrastructure:

Rename system users. The default solana, validator, and jito user accounts are on every wordlist. Use non-default names for system accounts running validator processes.

Disable password authentication. Key-only SSH authentication renders this entire campaign ineffective. If you have not already done this, do it now. PasswordAuthentication no in /etc/ssh/sshd_config.

Restrict SSH access. Validator servers do not need to accept SSH connections from the public internet. Use a bastion host or VPN for management access.

Audit who can access validator keys on disk. The vote key and identity key files are the primary targets. Ensure they are only readable by the validator process user, not by shell users.

Data collected via multi-node SSH honeypot infrastructure (2 geographic locations). All IPs have been defanged. Raw session data available to verified researchers upon request. Originally observed 2026-03-30. Updated 2026-04-02 with 72h follow-up data - campaign confirmed ongoing.

Methodology note: Two nodes are operated in different geographic regions with different personas. This campaign targeted both nodes with an identical credential wordlist, suggesting geographic breadth scanning rather than targeted persona detection.

Related research: The Solana Scanner - same HASSH fingerprint, same ASN 47890, 31-IP Go botnet targeting crypto infrastructure