Honeypots

MDRFCKR - an (almost) decade-old botnet

Between May 3 and June 3, 2026, a threat actor operating under the handle "mdrfckr" conducted a sustained SSH credential-stuffing campaign against my internet-facing SSH honeypots. The campaign produced 3,929 successful authentication events from 1,702 unique source IPs across 32+ countries. Upon gaining access, the attacker deployed a persistent SSH public key bearing the "mdrfckr" comment - a classic botnet recruitment / persistence mechanism.
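
One way to audit a host for the persistence mechanism described above, as an added example that is not part of the original post: it parses `authorized_keys` content, skips any leading options field, and reports entries whose comment contains the marker. The function names, the sample file and the key blobs are constructed for illustration; no real key material from the campaign is used.

```python
import base64, hashlib, re, struct

KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+@openssh\.com)$")
# A leading options field: unquoted characters or double-quoted values, then whitespace.
OPTIONS = re.compile(r'^(?:[^\s"]|"(?:\\.|[^"\\])*")+\s+')

def parse_entry(line):
    """Return (keytype, fingerprint, comment), or None for blanks, comments, junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if not KEY_TYPE.match(line.split(None, 1)[0]):
        line = OPTIONS.sub("", line, count=1)   # drop from=/command= style options
    fields = line.split(None, 2)
    if len(fields) < 2 or not KEY_TYPE.match(fields[0]):
        return None
    try:
        digest = hashlib.sha256(base64.b64decode(fields[1], validate=True)).digest()
        fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    except ValueError:
        fp = None                               # key blob is not valid base64
    return fields[0], fp, fields[2] if len(fields) > 2 else ""

def find_marked_keys(text, marker="mdrfckr"):
    """List (line_no, keytype, fingerprint, comment) whose comment holds the marker."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry and marker in entry[2].lower():
            hits.append((no, *entry))
    return hits

def constructed_blob(seed):
    """Build an ed25519-shaped blob from a seed (constructed, not a real key)."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    return base64.b64encode(struct.pack(">I", 11) + name + struct.pack(">I", 32) + key).decode()

SAMPLE = "\n".join([  # constructed authorized_keys content
    "# managed by ops",
    'from="192.0.2.10",command="/usr/local/bin/backup run" ssh-ed25519 %s backup@example.test' % constructed_blob(b"a"),
    "ssh-ed25519 %s mdrfckr" % constructed_blob(b"b"),
])

if __name__ == "__main__":
    for hit in find_marked_keys(SAMPLE):
        print(hit)
```

The comment field is free text, so a match is a lead for investigation and the fingerprint is the value to pivot on across other hosts.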