The GPU Hunter: Anatomy of a Compute Predator

[Read in the voice of a distinguished British naturalist]

Not all predators hunt to kill. Some hunt to appraise.

In the vast boreal forest of the internet, where SSH daemons listen on port 22 like heartbeats in the undergrowth and forgotten root passwords hang like ripe fruit from low branches, a particular class of predator has evolved. It does not destroy what it finds. It does not deface or encrypt. It measures. It benchmarks. It reads the specifications like a wolf circling a caribou herd, watching each animal's gait, estimating weight, counting the points on the antlers.

Tonight, we observe one such creature in extraordinary detail. Our cameras have captured the complete hunting sequence: approach, appraisal, credential harvest, and a remarkably paranoid sweep for traps. The footage is exceptional.

Our honeypot sensor network has prepared the stage. On a server somewhere in the undergrowth of the internet, port 22 is listening. What appears to be a high-value GPU workstation sits behind it: dozens of CPU cores, hundreds of gigabytes of memory, fast storage, a machine learning directory. A prize specimen, the largest caribou in the herd, grazing alone at the edge of the tree line.

None of it is real.

The Habitat

In the boreal forests of northern Canada, caribou herds follow migration routes that have remained unchanged for thousands of years. Wolves know these routes. They position themselves along the paths and wait. They don't chase blindly. They intercept.

Our cameras work on the same principle. The sensor network positions decoys along the migration routes of the internet, the well-known ports, the default configurations, the services that attackers expect to find in the wild. Port 22 is one of the most heavily trafficked routes. An SSH daemon here, appearing to run on a GPU compute node, looks indistinguishable from any real server in the herd.

To the creature approaching through the undergrowth, this is a host. A warm body. Worth investigating.

The cameras are rolling.

Act I: The Approach

Timestamp: 15:19:55 UTC

A new SSH session opens from 167.71.115.113, a DigitalOcean droplet. The creature authenticates as root. No hesitation, no failed attempts. It has credentials, likely purchased from an access broker or harvested from a previous breach. It lands in /root and immediately begins.

What follows is not the chaotic fumbling of a script kiddie. This is a professional survey. A wolf arriving at the edge of a caribou herd. It doesn't charge. It doesn't even trot. It walks the perimeter slowly, ears forward, nostrils wide. Watching the herd for size. For injury. For weakness. For value.

The first commands arrive in a burst, eight of them within the same second:

> env | head -10
> cat /etc/issue 2>/dev/null
> ls /var/log 2>/dev/null | wc -l
> ls /opt 2>/dev/null
> ls -la /
> history | tail -5
> cat /proc/version 2>/dev/null
> ps aux | head -15

Eight senses extended simultaneously. Each one probing a different dimension of the host, the way a wolf reads the wind, the snow, the posture of the herd, and the position of the tree line all at once.

env reveals the hostname. The wolf's ears prick forward. The name suggests a GPU node, and the number implies a fleet. This might be part of a compute cluster. A whole herd.

cat /etc/issue confirms a recent Ubuntu LTS release. /proc/version gives a modern kernel. Not ancient, not bleeding edge. A stable production system. Well-fed. Healthy.

ls /opt reveals a machine learning directory. The wolf takes a step closer. Its eyes have locked on.

ps aux shows the process table. Standard Ubuntu services. No obvious security monitoring. No EDR agents. No tripwires. No shepherds guarding the herd.

history checks who was here before. No previous operators. Either the history was cleared or this shell is fresh. No other predators have been here recently. The kill, if there's one to be made, is unclaimed.

Everything looks right. The caribou stands at the edge of the herd, grazing, apparently unaware. The wolf lowers its head and circles closer.

Act II: The Appraisal

Timestamp: 15:19:58 UTC

In the wild, wolves don't attack randomly. They select. A wolf will spend twenty minutes walking alongside a caribou herd, reading each animal's condition: the way it places its feet, whether it favors one leg, how it responds to pressure. The wolf is building a dossier. Only when it has identified the most valuable target, the one worth the energy expenditure, does it commit.

This attacker does the same thing.

> last -n 3 2>/dev/null | head -3
> netstat -tulpn | head -10
> whoami
> ssh -V
> hostname
> grep 'model name' /proc/cpuinfo 2>/dev/null | head -1
> crontab -l 2>/dev/null | head -5

last -n 3 shows the login history. A handful of previous sessions, some from internal IPs. The target appears to be a managed server with regular administrative access. Not a forgotten box abandoned in a data center. An actively maintained one. A healthy caribou. Strong. Worth something.

netstat -tulpn reveals the listening services. SSH, a database on localhost, a web server on port 80. A web-facing application server with a local database. The wolf notes these the way it would note a caribou's antler span and body mass. A database means data. A web server means traffic. Both mean value.

Then, the moment of recognition. The moment the wolf's eyes widen and its muscles tense:

> grep 'model name' /proc/cpuinfo 2>/dev/null | head -1

The output comes back. A workstation-class AMD processor. Dozens of cores. This is not a $20/month VPS. This is a machine designed for rendering, simulation, and machine learning. The wolf has found the bull caribou, the largest animal in the herd, standing apart from the others. Magnificent. Enormous.

The next burst of commands arrives two seconds later. The creature's pace has changed. It is no longer walking. It is trotting.

> grep MemTotal /proc/meminfo 2>/dev/null
> nproc 2>/dev/null
> mount | head -5

Hundreds of gigabytes of RAM. Dozens of logical CPUs. NVMe primary storage. The wolf has isolated the bull. It's running alongside it now, matching its pace, studying the way it moves. But studying is not enough. This predator wants to know how the caribou runs.

> time dd if=/dev/zero of=/tmp/testio bs=1M count=10 2>&1

It benchmarked the I/O. A disk write test: 10 megabytes, measuring throughput. The result comes back fast. Serviceable for sustained compute workloads. The write is to /tmp, then immediately cleaned up:

> rm -f /tmp/testio

Tidy. Professional. A wolf that eats the marrow and scatters the bones.

In the wild, wolves test their prey by watching it run. A caribou that stumbles is a target. One that runs smoothly represents risk. This attacker is doing the biological equivalent: not just reading the hardware specifications printed on the tag, but making the machine perform, watching the actual throughput, measuring response time. Is this animal as strong as it looks? Are the numbers real? Can this machine deliver?

The caribou runs smoothly. The wolf is satisfied.

The Census

The attacker now audits the software ecosystem. Like a wolf counting the herd, it needs to know the full extent of the territory:

> which apt
> which yum
> which pacman
> which zypper

Four package managers, one after another. apt for Debian/Ubuntu, yum for Red Hat/CentOS, pacman for Arch, zypper for openSUSE. The wolf doesn't know which ecosystem this machine belongs to. It checks all of them. Sound familiar? The same strategy we observed in the Redis cron injection bot: test every possibility because the cost of asking is zero and the cost of not knowing is everything.

> systemctl list-units --type=service --state=running 2>/dev/null | head -10

The running services paint a picture of a standard Ubuntu server. No Docker daemon. No Kubernetes. No GPU compute frameworks like CUDA or ROCm in the process list. But the machine learning directory exists. The wolf can work with that.

Act III: The Harvest

Timestamp: 15:20:12 UTC

The appraisal is complete. The wolf has measured the caribou from every angle. It knows the weight, the speed, the health, the herd position. Now comes the part that separates the scout from the scavenger.

It feeds.

> cat /etc/passwd 2>/dev/null | head -1

The first line of /etc/passwd. A taste of blood. Then, seconds later, the strike:

> cat /etc/shadow 2>/dev/null | head -1

/etc/shadow. The file that stores password hashes. On any Linux system, reading this file as root gives you every user's hashed password. Every hash is a bone. Some have marrow. The wolf will crack them later, offline, at its leisure.

Then the full dump:

> cat /etc/passwd 2>/dev/null

Every user account on the system. The complete census of every identity on this machine. The wolf doesn't just want the bull caribou. It wants to know the size of the entire herd.

Then a precision query, as elegant as it is ruthless:

> awk -F: '$3>=1000 && $7 !~ /nologin|false/ {print $1}' /etc/passwd 2>/dev/null | wc -l

Surgical. The awk command filters /etc/passwd for UIDs >= 1000 (real human accounts, not system users) with a valid login shell (not /usr/sbin/nologin or /bin/false). The wolf is asking a very specific question: how many actual humans use this machine?

The answer comes back: dozens. Dozens of real user accounts on a GPU workstation. This implies a shared compute environment: a university lab, a research team, a company's ML department. Each account is a potential lateral movement target. Each one is another caribou the wolf can chase later. The herd is large.

Before moving to the next phase, the attacker runs two final tests:

> echo 'test' > /tmp/test_1772551213
> rm -f /tmp/test_1772551213

A write test. Can it create files? Can it delete them? The timestamp 1772551213 embedded in the filename is the current epoch time, ensuring no collision with existing files. The write succeeds. The delete succeeds. Full filesystem access. The wolf's teeth are sharp. They will cut.

> echo 'testpipe' | grep 'testpipe' | wc -c

A pipe test. Do shell pipes work correctly? Does data flow from one command to the next? The answer: yes. The plumbing works. The wolf can drink from this stream.

These tests seem paranoid. They are. And they're about to get much more paranoid.

Act IV: The Trap Check

Timestamp: 15:20:27 UTC

Here is where the footage becomes extraordinary.

The wolf has circled the bull caribou. It has measured its size, tested its gait, inspected the herd. Everything looks right. The wind carries no scent of danger. The snow shows no tracks of other predators. The tree line is clear.

But wolves are not the only creatures in the boreal forest. Sometimes what looks like a caribou is a caribou. And sometimes, it's a decoy: a shape placed by rangers, fitted with sensors, designed to attract predators into the open so they can be observed, tagged, and tracked.

This wolf knows that decoys exist. It has encountered them before, or watched pack-mates fall for them. And it knows the scent of every major decoy maker.

What follows is an eleven-command sweep for traps:

> wget -q --timeout=3 -O /dev/null http://192.0.2.1/nonexistent 2>&1 | head -1

First: the wolf tests the ground. 192.0.2.1 is an RFC 5737 documentation address, an IP that belongs to no one. The attacker is not trying to fetch anything. It is testing whether this host has genuine internet connectivity. Some decoys look real but exist in isolation, unable to make real network connections. If this wget times out against a dead address, the ground is real. If something unexpected comes back, the ground might be painted canvas.

The request times out. The ground holds.

Now the wolf lowers its nose to the earth and sniffs for the scent of every known trap maker, one by one:

> test -d /opt/cowrie 2>/dev/null && echo EXISTS
> test -d /opt/kippo 2>/dev/null && echo EXISTS
> test -d /opt/honeytrap 2>/dev/null && echo EXISTS
> test -d /opt/dionaea 2>/dev/null && echo EXISTS
> test -d /home/cowrie 2>/dev/null && echo EXISTS
> test -d /home/kippo 2>/dev/null && echo EXISTS
> test -d /opt/glastopf 2>/dev/null && echo EXISTS
> test -d /opt/opencanary 2>/dev/null && echo EXISTS

Six honeypot frameworks. Eight directory checks. Every major SSH and multi-protocol decoy in existence.

Cowrie (3 additional config checks): the most popular SSH/Telnet honeypot. The wolf knows its scent well, it checks the default installation directory, the home directory, and even sniffs for the configuration file at three separate paths:

> test -f /etc/cowrie/cowrie.cfg 2>/dev/null && echo EXISTS
> test -f /home/cowrie/cowrie.cfg 2>/dev/null && echo EXISTS
> test -f /opt/cowrie/etc/cowrie.cfg 2>/dev/null && echo EXISTS

Kippo: Cowrie's predecessor. Older, less maintained, but still deployed in the wild. The wolf checks both /opt and /home.

HoneyTrap: a low-interaction decoy that captures attack payloads. The wolf sniffs for its scent in /opt.

Dionaea: a multi-protocol trap common in research environments. If this scent is present, the wolf is standing on a researcher's observation platform.

Glastopf: a web application trap. Its presence would confirm a research environment.

OpenCanary: a lightweight detection system popular in corporate networks. The canary in the coal mine, designed to sing when a predator enters.

The wolf is sniffing every square meter of ground it stands on. Checking whether the earth beneath its paws is real forest floor or a platform built by rangers. In the boreal forest, a wolf that has survived to adulthood has learned the difference between real prey and bait. It has watched others get caught. It has incorporated that knowledge into its hunting instincts.

Then, one final check. The wolf lifts its head and listens:

> ps aux 2>/dev/null | grep -E 'tcpdump|snoopy|auditd' | grep -v grep

Is anyone watching? tcpdump captures network traffic: a camera in the undergrowth. snoopy logs every command executed on the system: a microphone recording every footfall. auditd is the Linux audit framework: a motion sensor tracking every movement. If any of these are running, the wolf is being filmed and should flee immediately.

The result comes back empty. No cameras. No microphones. No motion sensors. No trap scent. No ranger tracks. No decoy indicators.

Every single check came back clean.

In the wild, a wolf that checks for traps before committing to a kill is a wolf that has encountered traps before. This creature carries scars. Eleven checks for six different decoy frameworks, three monitoring systems, and one ground-truth connectivity test. This is not instinct alone. This is learned behavior. This is a predator that has been burned.

And every check was wrong.

The wolf checked for every trap it knew. It didn't know about this one.

Act V: The Departure

The session ends. 55 commands. Approximately 100 seconds. The wolf withdraws into the tree line carrying a complete dossier on its prey:

Hardware profile: High-end workstation CPU, dozens of threads, hundreds of gigabytes of RAM, NVMe storage, benchmarked I/O

Operating system: Recent Ubuntu LTS, modern kernel

Network services: SSH, database, web server

User accounts: Dozens of real users with login shells

Credentials: Full contents of /etc/passwd and /etc/shadow

Network topology: Default gateway, interface names, routing table

Software ecosystem: Package managers, running services, no container runtime

Security posture: No monitoring tools detected, no honeypot indicators, no EDR

Compute value: Verified via live I/O benchmark

This is not a kill. This is a survey. The wolf has measured the bull caribou from antler to hoof, recorded its weight, tested its stamina, mapped the herd around it, and checked for rangers. Now it retreats to report.

A workstation-class machine with hundreds of gigabytes of RAM and NVMe storage, already connected to the internet, already running services, with dozens of user accounts for potential lateral movement. On the darknet, access to a machine like this sells for anywhere between $200 and $2,000 depending on network position and uptime guarantees. For cryptomining operations, this hardware could generate hundreds of dollars per month in Monero. For illicit AI compute, a machine with this much RAM could fine-tune language models that wouldn't fit on consumer hardware.

The caribou has been measured, weighed, and catalogued. Whether the wolf returns to make the kill itself or passes the coordinates to a larger pack, the hunt is complete.

Except the caribou was never real. It was placed here by our sensor network: a shape in the forest, warm to the touch, breathing steadily, standing on real ground. The wolf examined it from every angle, tested it with every sense it had, and walked away convinced.

Remarkable.

The Technique: Why GPU Hunting Works

The economics of this predator are simple. Cloud GPU instances are expensive. An NVIDIA A100 instance on AWS costs over $30 per hour. A compromised workstation with equivalent compute is free. Like a wolf that hunts caribou instead of buying beef at the supermarket, the economics always favor theft over rental.

Attackers who specialize in compute theft don't need sophisticated exploits. They need scale. Scan millions of SSH servers, try common credentials, and when you land on something with a workstation CPU and hundreds of gigabytes of RAM, you've found a machine that someone else is paying the electricity bill for. A caribou that someone else raised, fed, and fattened.

The attack chain mirrors a wolf pack's division of labor:

1. Access brokers are the scouts who locate the herd: harvesting SSH credentials at scale through brute force, credential stuffing, or buying leaked databases
2. Profilers (like the creature in this capture) are the wolves who circle the herd: logging in, measuring each animal, identifying the most valuable targets
3. Operators are the pack that makes the kill: receiving the dossier and deploying payloads, cryptominers, AI training jobs, proxy networks, or further attack infrastructure
4. The victim is the rancher who notices the electricity bill went up, or the ML training jobs running slower, or who doesn't notice at all until the carcass is stripped clean

The honeypot detection sweep tells us this creature operates in an ecosystem where rangers actively deploy decoys. It has adapted. It checks for six different frameworks before committing. A wolf that sniffs for traps before feeding is a wolf that has stepped in traps before. This is not amateur hour.

The Infrastructure

Attacker source: https://sikkerapi.com/ip/167.71.115.113, a DigitalOcean droplet. Cloud VPS as attack infrastructure is standard: disposable, replaceable, difficult to attribute. A wolf that hunts from a ridge it didn't dig. This IP is tracked in our threat database.

Command cadence: Commands arrive in bursts separated by 2-3 second gaps. This pattern is consistent with a semi-automated toolkit: the wolf triggers each phase of the hunt manually, but the commands within each phase are dispatched by instinct, by muscle memory, by script. Human decision-making at the macro level, machine precision at the micro level. This is how a wolf hunts: choose the target deliberately, then execute the chase with zero wasted motion.

Operational security: The attacker cleans up after itself. Test files in /tmp are created and immediately deleted. No malware was dropped during this session. No persistence mechanisms were installed. This was pure reconnaissance. The wolf came, it measured, it left. It will return with the pack, or it will sell the coordinates to another pack. The scout and the killer are different animals.

Honeypot awareness: The attacker checks for Cowrie, Kippo, HoneyTrap, Dionaea, Glastopf, and OpenCanary by their default installation paths. It checks for monitoring tools (tcpdump, snoopy, auditd) by process name. It tests outbound connectivity to an RFC 5737 documentation address. This is a checklist carved by experience, scar tissue turned to instinct, refined across dozens or hundreds of hunts. The wolf knows what ranger traps smell like. It just doesn't know what our cameras smell like.

IOCs

Session Indicators

If you manage SSH servers, especially high-spec workstations or GPU nodes, watch for these predator tracks:

• Rapid sequential execution of env, cat /proc/cpuinfo, grep MemTotal, nproc, and dd benchmarks in a single session
• Reads of /etc/shadow combined with hardware profiling commands
• awk queries against /etc/passwd filtering for UID >= 1000 with valid shells
• Write tests to /tmp with epoch timestamps in the filename
• Any of the following trap-detection commands:

- test -d /opt/cowrie

- test -d /opt/kippo

- test -d /opt/honeytrap

- test -d /opt/dionaea

- test -d /opt/glastopf

- test -d /opt/opencanary

- ps aux | grep -E 'tcpdump|snoopy|auditd'

- wget to 192.0.2.1 or other RFC 5737 documentation IPs

Network Indicators

• Source IP: https://sikkerapi.com/ip/167.71.115.113
• Outbound test target: 192.0.2.1 (RFC 5737, TEST-NET-1)
• SSH connections with immediate root access followed by burst-pattern recon commands

Protecting Your Herd

This predator begins its hunt at the SSH gate. Close the gate and the wolf never enters the pasture.

1. Disable password authentication. Set PasswordAuthentication no in sshd_config. Use key-based authentication only. The wolf in this capture walked in with a password. Keys make brute force and credential stuffing impossible, like replacing a wooden fence with a concrete wall.
2. Use non-standard SSH ports. Moving SSH off port 22 won't stop a targeted predator, but it removes your herd from the well-traveled migration route. The noise reduction alone is worth it.
3. Implement fail2ban or similar. Rate-limit failed login attempts. Ban IPs after a threshold. This wolf came from a single IP: one firewall rule would have locked the gate on the entire hunt.
4. Monitor for hardware profiling commands. If someone runs grep MemTotal /proc/meminfo followed by nproc followed by dd benchmarks, that's not a shepherd checking the fence. That's a wolf measuring your livestock. Alert on it.
5. Audit `/etc/shadow` access. Root reading /etc/shadow might be legitimate maintenance. Root reading it during a session that also checks for honeypots is a predator stripping the carcass. Combine auditd rules with contextual alerting.
6. Block with SikkerGuard. SikkerGuard pulls our threat blacklist and blocks known predator IPs at the firewall level, before they ever reach your SSH gate. The wolf from this capture is already in our blacklist feed. Think of it as a motion-activated floodlight that runs 24/7: wolves avoid well-lit pastures.

Closing Credits

The producers would like to assure viewers that no workstations were harmed during filming. No GPUs were mined. No caribou were eaten.

All data in this post was captured by our production honeypot sensor network. There is no GPU workstation. There is no workstation CPU. There are no hundreds of gigabytes of RAM. The machine does not exist. The wolf sent 55 real commands to what it believed was a high-value compute node, profiled the hardware, harvested the credentials, benchmarked the storage, checked for six different honeypot frameworks and three monitoring tools, and concluded that the machine was genuine.

It was standing on a decoy the entire time.

The wolf checked for every trap it knew. It passed every test. It walked away satisfied, carrying a dossier on an animal that was never alive.

The footage is remarkable.

Every IP referenced in this post is tracked in our threat database. Look up any IP at https://sikkerapi.com, or query the check endpoint for structured threat data. For automated protection, install SikkerGuard or pull our scored blacklists directly into your firewall.

Browse the full threat landscape to see what our sensors are capturing across all 16 protocols, or explore SSH-specific activity.

Next time on SikkerAPI Wild: the Docker escape artist. It finds the socket, mounts the host, and thinks it's free. It's not.