Bissa Scanner Exposed: AI-Assisted Mass Exploitation and Credential Harvesting
An exposed server reveals a large-scale credential harvesting operation using the Bissa scanner platform, with AI tools embedded in the operator's workflow.

The DFIR Report has uncovered an exposed server that provides rare visibility into a large-scale, multi-victim exploitation and credential harvesting operation. The server, part of the Bissa scanner ecosystem, contained over 13,000 files across 150+ directories, revealing a structured campaign that leveraged AI tools to streamline exploitation and data collection. The operator embedded Claude Code and OpenClaw into their daily workflow, using these AI assistants for troubleshooting, orchestration, and pipeline refinement.
Central to the operation was the exploitation of React2Shell (CVE-2025-55182), a vulnerability that allowed the scanner to target millions of internet-facing systems. Logs on the server indicated more than 900 confirmed compromises, with an automated pipeline handling scanning, hit scoring, alerting, and secret harvesting. The operator did not stop at opportunistic collection; they triaged access, validated stolen data, and focused deeper collection on organizations meeting a clear value threshold, particularly in financial, cryptocurrency, and retail sectors.
The credential haul was massive, spanning every tier of modern SaaS. Dumped credentials included keys for AI platforms such as Anthropic, Google, OpenAI, and HuggingFace; cloud providers like AWS, Azure, and Cloudflare; payment systems including Stripe and PayPal; messaging services like Telegram and Twilio; and databases such as Supabase and MongoDB. Tens of thousands of harvested .env files were the source of these credentials across AI, cloud, payments, messaging, and databases. The operator was also actively validating and prioritizing the most useful access.
Beyond credentials, the server contained victim-specific data clusters that extended well beyond tokens. For one victim, a mid-sized tax resolution and financial advisory firm, the recovered material included Plaid tokens, linked bank-account data, IRS transcript material, ACH-related records, Twilio calls, Salesforce contacts, and case data containing Social Security numbers and dates of birth. Other victims showed similar depth, with financial, payroll, HR, CRM, and communications records indicating that the operation supported both initial exploitation and deeper post-compromise collection.
The server also provided insight into the operator behind the activity. Telegram-based alerting artifacts hardcoded within the Bissa scanner harness tied the operation to a single operator, publicly identifiable by the Telegram username @BonJoviGoesHard and display name "Dr. Tube." The operator appears to run at least two dedicated bots: @bissapwned_bot for scanner alerting and @bissa_scan_bot within the AI-control subsystem. This infrastructure suggests a disciplined and long-running campaign with strong success rates.
The Bissa scanner platform is a mature, modular operation designed to exploit targets at scale, harvest and validate secrets, and use an AI-enabled workflow to increase the efficiency of collection and triage. The evidence demonstrates not only technical competence but a clear understanding of how to convert internet-scale scanning into reliable, high-value compromises. This case highlights the growing trend of adversaries incorporating AI tools into their offensive operations, raising the bar for defenders.