Scientists discover 16,000 hacked servers using clever cybersecurity trick


A team of researchers has found a clever way to uncover thousands of hacked computers across the internet by using the attackers’ own methods against them.

More than 16,000 compromised servers were identified through a new scanning technique that relies on Secure Shell (SSH), one of the most widely used tools for managing computers remotely.

SSH is the standard way system administrators and developers log into servers, send commands, and transfer files securely.

It uses encryption to protect connections, but once attackers break into a machine they often quietly add their own public key to the account's authorized_keys file (on Linux, ~/.ssh/authorized_keys, or /root/.ssh/authorized_keys for root).

Such a key gives the attacker ongoing access without a password, so they can log back in unnoticed again and again. Because the legitimate user's password is untouched and the session looks like any other key-based SSH login, many security systems never notice anything is wrong; an unexpected entry in authorized_keys is therefore one of the most direct indicators of compromise an administrator can check for.

The challenge has been detecting such intrusions across the vast number of machines connected to the internet.

That’s where the new research, presented at the 2025 USENIX Security Symposium, comes in.

The project, named “Catch-22: Uncovering Compromised Hosts using SSH Public Keys,” was developed by scientists from the Max Planck Institute for Informatics in Germany and Delft University of Technology in the Netherlands. Their work won both a Distinguished Paper Award and the Internet Defense Prize.

The method works by presenting servers with public keys that have previously been seen in criminal hacking operations.

SSH's public-key authentication (RFC 4252) has a useful property: before proving possession of the private key, a client may first ask whether a given public key would be accepted. If that key is listed in the account's authorized_keys file, the server answers with a dedicated message (SSH_MSG_USERAUTH_PK_OK) inviting the client to continue; if not, it reports an authentication failure.

That one response, obtained without completing a login and without holding the attacker's private key, reveals that the key is authorized on that server, which means the server has very likely been compromised.

To test the approach, the team scanned the internet’s IPv4 and IPv6 address spaces using 52 attacker-linked keys tied to groups such as “teamtnt,” “mozi,” and “fritzfrog.”

To ensure accuracy, they also probed with "canary" keys: freshly generated keys that should never appear on any server.

If a server answered positively to a canary key, it evidently accepts keys indiscriminately, so its responses to the attacker keys prove nothing and it was excluded from the results. Cross-checking the remaining hits against botnet intelligence confirmed that the method was both reliable and precise.
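To make the exchange concrete, here is an added example that is not from the paper or from this article: a pure-Python mock of the RFC 4252 publickey query, a minimal server that answers it from an authorized_keys table (or accepts anything, mimicking a host that would trip a canary), and the canary-then-attacker-key classification described above. The key blobs, user names and hosts are constructed placeholders, not real attacker or canary keys, and the real scan sent these messages over an encrypted SSH transport after key exchange, which this mock skips.

```python
import struct

# Message numbers from RFC 4252 (SSH authentication protocol)
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_PK_OK = 60


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 length prefix + payload."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (payload, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_pk_query(user: str, key_type: str, key_blob: bytes) -> bytes:
    """SSH_MSG_USERAUTH_REQUEST, method 'publickey', 'has signature' = FALSE:
    the client only asks whether this key would be acceptable (RFC 4252 s.7)."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey")
            + b"\x00"                      # boolean FALSE: no signature attached
            + ssh_string(key_type.encode())
            + ssh_string(key_blob))


def parse_pk_query(msg: bytes):
    """Server-side decoding of the request built above."""
    if msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    user, off = read_string(msg, 1)
    service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    has_sig, off = msg[off] != 0, off + 1
    key_type, off = read_string(msg, off)
    key_blob, off = read_string(msg, off)
    return user.decode(), service.decode(), method.decode(), has_sig, key_type.decode(), key_blob


class MockSSHServer:
    """Answers publickey queries like an RFC 4252 server. authorized_keys maps
    user -> set of key blobs; accept_any=True models a host saying PK_OK to all."""

    def __init__(self, authorized_keys, accept_any=False):
        self.authorized_keys = authorized_keys
        self.accept_any = accept_any

    def handle_userauth(self, msg: bytes) -> bytes:
        user, service, method, has_sig, key_type, key_blob = parse_pk_query(msg)
        if service != "ssh-connection" or method != "publickey" or has_sig:
            return self._failure()   # signed requests (real logins) not modelled here
        if self.accept_any or key_blob in self.authorized_keys.get(user, set()):
            # PK_OK echoes the algorithm name and blob that would be accepted.
            return (bytes([SSH_MSG_USERAUTH_PK_OK])
                    + ssh_string(key_type.encode()) + ssh_string(key_blob))
        return self._failure()

    @staticmethod
    def _failure() -> bytes:
        # USERAUTH_FAILURE: name-list of methods that can continue, partial success = FALSE
        return bytes([SSH_MSG_USERAUTH_FAILURE]) + ssh_string(b"publickey,password") + b"\x00"


def key_is_authorized(server, user: str, key_type: str, key_blob: bytes) -> bool:
    """One probe: True iff the server answers PK_OK for this key."""
    reply = server.handle_userauth(build_pk_query(user, key_type, key_blob))
    return reply[0] == SSH_MSG_USERAUTH_PK_OK


def classify_host(server, user, attacker_keys, canary_keys):
    """Canaries first: a host that accepts a never-distributed key accepts
    anything, so its answers carry no signal. Otherwise any attacker-key
    hit marks the host as compromised. Returns (verdict, matching key names)."""
    if any(key_is_authorized(server, user, t, b) for t, b in canary_keys):
        return "excluded", []
    hits = [name for name, (t, b) in attacker_keys.items()
            if key_is_authorized(server, user, t, b)]
    return ("compromised" if hits else "clean"), hits


def ed25519_blob(raw32: bytes) -> bytes:
    """Wire format of an ssh-ed25519 public key: string "ssh-ed25519" + string key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


# Constructed placeholder key material for the demo; NOT real attacker or canary keys.
ATTACKER_KEYS = {
    "demo-botnet-A": ("ssh-ed25519", ed25519_blob(b"\x01" * 32)),
    "demo-botnet-B": ("ssh-ed25519", ed25519_blob(b"\x02" * 32)),
}
CANARY_KEYS = [("ssh-ed25519", ed25519_blob(b"\xca" * 32))]
ADMIN_KEY = ed25519_blob(b"\x0a" * 32)

# Three constructed hosts: clean, compromised with a demo key, and accept-all.
CLEAN_HOST = MockSSHServer({"root": {ADMIN_KEY}})
COMPROMISED_HOST = MockSSHServer({"root": {ADMIN_KEY, ATTACKER_KEYS["demo-botnet-A"][1]}})
ACCEPT_ALL_HOST = MockSSHServer({}, accept_any=True)

if __name__ == "__main__":
    for name, host in [("clean", CLEAN_HOST), ("compromised", COMPROMISED_HOST),
                       ("accept-all", ACCEPT_ALL_HOST)]:
        print(name, classify_host(host, "root", ATTACKER_KEYS, CANARY_KEYS))
```

The classification deliberately sends the canary before any attacker key: a PK_OK for the canary invalidates the host regardless of what the attacker keys would return, which is exactly the false-positive filter the study needed. Against a real server the same two messages travel inside the encrypted transport after key exchange and the SSH_MSG_SERVICE_REQUEST for ssh-userauth, and the server will log each failed publickey attempt, so such probes are visible to the host being probed.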

The findings were sobering: over 16,000 servers belonging to hosting providers, universities, and companies were compromised. Many were tied to known malware infrastructures. But the study didn’t stop at detection.

The researchers partnered with the nonprofit Shadowserver Foundation, along with Germany’s Federal Office for Information Security (BSI) and CERT-Bund, to notify affected organizations. Follow-up scans showed a noticeable drop in compromised systems after the warnings.

According to Prof. Anja Feldmann of the Max Planck Institute, the strength of this approach lies in its simplicity.

Hackers cannot easily evade it by using random keys for each machine, since managing thousands of unique keys would be too difficult.

By using a standard feature of SSH itself, the researchers have turned the attackers' own persistence mechanism into a tool for defenders, shining light on hidden compromises and helping strengthen the security of the internet as a whole.