Crypto Infrastructure Under Fire: SSH Credential Campaigns Targeting Blockchain Validators
Over the past 11 days, MIRAGE — a production SSH honeypot running on a publicly routable Frankfurt address — has captured 44,118 intrusion sessions from real attacker infrastructure. The sensor accepts every connection, logs every credential pair, and produces structured threat intelligence without ever executing a single attacker command on real hardware.
Within that dataset, a persistent pattern emerged that warrants specific documentation: automated credential campaigns explicitly targeting blockchain validator and cryptocurrency node infrastructure.
WHAT WE OBSERVED
Across the 11-day capture window, 217 authentication attempts used usernames associated with cryptocurrency and blockchain infrastructure. Every single one arrived via an automated Go-based SSH client (SSH-2.0-Go), consistent with the 99.97% scanner composition of the broader dataset.
Targeted usernames by frequency:
- node — 89 attempts
- solana — 52 attempts
- sol — 39 attempts
- btc — 27 attempts
- validator — 4 attempts
- ethereum — 4 attempts
- eth-docker — 1 attempt
- eth — 1 attempt
This is not noise. node, solana, and sol are the default or commonly documented usernames for Solana validator node deployments. eth-docker is the literal username convention used by the eth-docker project, a popular Ethereum node management toolkit. These are not generic terms — an attacker has to know what they're targeting to use them.
THE CREDENTIAL WORDLIST
The passwords attempted against these accounts:
- 1234 — 36 attempts
- node — 32 attempts
- 123456 — 30 attempts
- 1qaz2wsx — 27 attempts
- btc — 27 attempts
- solana — 14 attempts
- sol — 12 attempts
- sol123 — 2 attempts
- zxcvasdfqwer@1234 — 1 attempt
Two things stand out. First, the bulk of attempts use trivially weak passwords. This is a volume play. Second, the wordlist includes blockchain-specific credentials: solana, sol, btc, sol123. Someone built or curated a wordlist specifically for this target class.
PERSISTENCE ACROSS THE OBSERVATION WINDOW
Crypto-targeted attempts arrived on every day of the capture window:
- Jun 16: 32 attempts
- Jun 17: 10 attempts
- Jun 18: 3 attempts
- Jun 19: 30 attempts
- Jun 20: 35 attempts
- Jun 21: 17 attempts
- Jun 22: 23 attempts
- Jun 23: 15 attempts
- Jun 24: 21 attempts
- Jun 25: 25 attempts
- Jun 26: 6 attempts (partial day)
The dip on June 17-18 followed by recovery on June 19-20 is consistent with rotational botnet behaviour — cycling through targets and returning.
WHAT THIS MEANS
Cryptocurrency node operators running Solana validators or Ethereum nodes on publicly accessible infrastructure are being actively targeted by automated credential stuffing campaigns. The attack profile is low-sophistication but persistent: no exploitation, no shell interaction, pure credential guessing at scale.
DEFENSIVE RECOMMENDATIONS
- Disable password authentication entirely on any node with a public IP. SSH key authentication only.
- Move SSH management to a non-standard port or restrict via firewall to known IP ranges.
- node, solana, sol, and eth-docker should never exist as SSH usernames on production validator infrastructure. Use non-obvious system usernames.
- Monitor for SSH-2.0-Go client banners in auth logs — this banner fingerprints the scanner family responsible for the majority of automated SSH scanning observed in this dataset.
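One way to act on the last two recommendations, as an added example that is not part of the MIRAGE code base: it scans sshd log lines for failed password attempts against the usernames listed above and, by sshd PID, ties each one to the client banner seen in the same session. It assumes OpenSSH sshd logging at LogLevel DEBUG1 (so the remote software version is recorded); the sample lines, hostnames and addresses are constructed.

```python
import re
from collections import Counter

# Usernames from the frequency list on this page.
CRYPTO_USERS = {"node", "solana", "sol", "btc", "validator", "ethereum", "eth-docker", "eth"}

LINE = re.compile(r"sshd(?:-session)?\[(\d+)\]: (.*)$")
BANNER = re.compile(r"remote software version (\S+)")
FAIL = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

# Constructed sample log (documentation IP ranges); not data from the MIRAGE set.
SAMPLE_LOG = """\
Jun 19 03:12:01 val1 sshd[4101]: debug1: Remote protocol version 2.0, remote software version Go
Jun 19 03:12:03 val1 sshd[4101]: Failed password for invalid user solana from 203.0.113.7 port 40112 ssh2
Jun 19 03:12:05 val1 sshd[4102]: debug1: Remote protocol version 2.0, remote software version Go
Jun 19 03:12:06 val1 sshd[4102]: Failed password for sol from 203.0.113.7 port 40120 ssh2
Jun 19 03:20:10 val1 sshd[4200]: debug1: Remote protocol version 2.0, remote software version OpenSSH_9.6
Jun 19 03:20:12 val1 sshd[4200]: Failed password for invalid user node from 198.51.100.4 port 51000 ssh2
Jun 19 03:25:40 val1 sshd[4300]: debug1: Remote protocol version 2.0, remote software version Go
Jun 19 03:25:41 val1 sshd[4300]: Failed password for root from 203.0.113.9 port 33010 ssh2
"""

def scan(log_text):
    """Return (Counter of (ip, user) failures on the listed usernames,
    set of those IPs whose session also presented the Go banner)."""
    banner_by_pid = {}   # sshd PID -> client software string for that session
    hits = Counter()
    go_clients = set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        banner = BANNER.search(msg)
        fail = FAIL.search(msg)
        if banner:
            banner_by_pid[pid] = banner.group(1)
        elif fail and fail.group(1) in CRYPTO_USERS:
            user, ip = fail.groups()
            hits[(ip, user)] += 1
            if banner_by_pid.get(pid) == "Go":   # "SSH-2.0-Go" is logged as "Go"
                go_clients.add(ip)
    return hits, go_clients

if __name__ == "__main__":
    hits, go_clients = scan(SAMPLE_LOG)
    for (ip, user), n in sorted(hits.items()):
        print(f"{ip:15} user={user:10} failures={n} go_banner={ip in go_clients}")
```

PIDs are recycled, so on long-running logs drop a PID's entry once its session ends.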
DATASET
All findings are derived from the MIRAGE honeypot dataset: 44,118 sessions, June 16–26 2026, Frankfurt sensor. Source code and live threat intelligence: https://github.com/Mirage-Source/mirage-core