Over 4,000 ISP Networks Hacked Because People Still Use ‘admin123’ as a Password — WTF?
Imagine you run an ISP, the backbone of people’s internet, and your idea of security is a fucking Post-it note with the login written on it. That’s basically what just happened to over 4,000 ISP networks across China and the US West Coast. A bunch of bored cyber goons scanned the internet, found thousands of routers, servers, and switches with shite passwords, and decided to have a party inside them.
What Went Down (Besides Security Standards)
This wasn’t some advanced zero-day campaign by a nation-state using quantum AI hacking sorcery. No. This was “admin:password” bullshit — the sort of thing a GCSE computing student could crack in under five minutes with a Raspberry Pi and a bad attitude.
The attackers brute-forced their way into over 4,000 ISP networks, dumped infostealers to hoover up everything from login creds to customer data, then dropped cryptominers to make money off the stolen processing power. That’s right — your shitty ISP service might have been slow last month because some twat was mining Monero on their core infrastructure.
Who’s Behind This Festival of Fuckery?
The Splunk Threat Research Team uncovered the campaign and politely wrote a report. Personally, I’d have sent every compromised ISP a letter reading “sort your fucking life out” in size 72 font. But no, Splunk traced it back to Eastern European threat actors, who, for reasons only they know, targeted ISPs specifically — not banks, not governments — just ISPs. Maybe they figured if anyone deserves to be punished, it’s broadband companies.
How Did It Work? Oh, It’s Beautifully Dumb
Step 1: Fire up Masscan, the cyber equivalent of pissing through every letterbox in town to see who forgot to lock their door.
Step 2: Find systems with management ports wide open to the internet (because why wouldn’t you expose SSH and WinRM directly to the world, right?).
Step 3: Use a shitty list of default passwords like it’s 2003 and brute force your way in. Spoiler: it worked over 4,000 times.
Step 4: Drop malware — mainly infostealers to hoover up data and XMRig to mine Monero like it’s going out of fashion.
Step 5: Profit.
And the best bit? They barely even hid themselves. They used off-the-shelf Python scripts and shoved their stolen data through fucking Telegram bots like they were running a discount spyware drop-shipping service.
The Impact — How Fucked Are These ISPs?
First, let’s pour one out for all the poor bastards who got their home internet slowed to a crawl because their ISP’s servers were too busy mining crypto for some Eastern European scumbag’s wallet.
Then there’s the data theft. Every compromised ISP had infostealers rummaging through internal files — meaning network configs, customer details, and admin credentials probably all got hoovered up and packed off to Telegram. That’s basically handing your customer data to the Russian dark web on a fucking silver platter.
And if you think they stopped at one box per ISP? Think again. Once they got in, they pivoted sideways like a crab on coke, hopping from router to switch to server, infecting everything they could find. The whole infrastructure became a malware-hosting, crypto-mining, data-leaking mess.
What Kind of Security Dipshit Allows This?
Here’s the real kicker — these were all brute-force attacks. That’s not advanced. That’s entry-level cybercrime for idiots with free time. It’s 2025 and we’re still seeing ISPs running kit with passwords like:
admin/admin
password123
changeme
isp2024
If you work for an ISP and recognise one of those passwords? Congratulations, you should be fired yesterday.
A Quick Word on Cryptominers
For anyone thinking “oh well, at least it’s just miners and not ransomware” — no. Fuck off with that optimism. Cryptominers steal your hardware and electricity to generate about £3 worth of Monero a month, while simultaneously creating enough heat to melt a fucking server rack. This isn’t some passive nuisance — this is actively burning your infrastructure down for pocket change.
And the fact they managed to mine on ISP kit, which should be handling mission-critical traffic, is fucking criminal negligence. Your internet connection was buffering because your ISP’s edge routers were solving blockchain maths puzzles for the mob.
How to Stop Being This Fucking Stupid
The fixes here aren’t rocket science. If you’re an ISP, do these things immediately or hand in your fucking badge:
1. Stop Exposing Admin Ports to the Internet
SSH, RDP, WinRM — none of these should be open to the whole planet. You want remote access? Put it behind a VPN. And not some VPN where the password is vpnpassword. I mean actual 2FA-secured VPN. If you leave management ports open to the world, you deserve every single hack you get.
2. Change Default Passwords, You Absolute Melons
If your gear still uses admin/admin, you shouldn’t be running an ISP — you should be running a lemonade stand. Rotate passwords, enforce complex ones, and add bloody MFA while you’re at it.
3. Monitor for Masscan and Brute Force Attempts
If someone hammers your login page 1,000 times in 10 minutes, maybe notice? Basic logging and monitoring would have caught this shit before it became a full-scale incident.
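What that monitoring can look like for SSH, as an added example (not code from this article or from the Splunk report): a sliding-window counter over sshd failed-login lines, using the 1,000-attempts-in-10-minutes figure above as the default threshold. The ISO-timestamped log format, the hostname and the documentation-range IPs are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH failed-login line with an ISO 8601 timestamp prefix (assumed syslog format).
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(lines, threshold=1000, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed logins inside any sliding window.
    Assumes each source's lines arrive in time order, as they do in a log file."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> usernames it has tried
    alerts = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        q = recent[ip]
        q.append(ts)
        users[ip].add(m["user"])
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            hit = alerts.setdefault(ip, {"first_alert": ts, "peak": 0, "users": users[ip]})
            hit["peak"] = max(hit["peak"], len(q))
    return alerts

def sample_log():
    """Constructed lines using documentation IP ranges, not data from the incident."""
    start = datetime.fromisoformat("2025-03-03T10:00:00+00:00")
    fmt = "{} edge01 sshd[4242]: Failed password for {}{} from {} port 50022 ssh2"
    names = ["admin", "root", "support", "isp"]
    lines = ["2025-03-03T09:59:58+00:00 edge01 sshd[4242]: Accepted publickey for ops "
             "from 192.0.2.15 port 50022 ssh2"]
    for i in range(1200):  # sprayer: 1,200 failures in 6 minutes
        ts = (start + timedelta(milliseconds=300 * i)).isoformat()
        lines.append(fmt.format(ts, "invalid user ", names[i % 4], "203.0.113.7"))
    for i in range(1000):  # slow source: same volume spread over ~16 hours
        ts = (start + timedelta(minutes=i)).isoformat()
        lines.append(fmt.format(ts, "", "root", "198.51.100.20"))
    for i in range(3):     # an admin mistyping a password
        ts = (start + timedelta(seconds=20 * i)).isoformat()
        lines.append(fmt.format(ts, "", "ops", "192.0.2.15"))
    return lines
```

The slow source sends 1,000 failures too but never trips the default threshold, so a per-window rate rule needs a second, lower threshold over a longer window to catch low-and-slow guessing.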
4. Network Segmentation — Heard of It?
If a compromised router can lead to the whole ISP infrastructure getting owned, you have designed your network like a fucking clown. Segregate management, customer data, core infra — all of it. One box falling shouldn’t mean the whole network collapses.
5. Assume You’ve Already Been Owned
Because you probably have. Do a full compromise assessment. Assume they’re still inside, hiding malware in some dark corner of your firmware, waiting for round two.
Remember this
This wasn’t some elite nation-state attack. This was script kiddie shit that worked because ISPs can’t be bothered to do even the bare minimum. If you run an ISP and you’re offended by this article? Good. Be offended enough to fix your fucking infrastructure.
Because if you can’t be arsed to protect your own kit, why the fuck should we trust you with our internet?