
Exposed Server Reveals AI-Assisted Credential Harvesting Factory
An exposed server sitting open on the internet handed forensic investigators something rarely available: an unobstructed view inside a running criminal operation, complete with code, logs, victim data, Telegram alert streams, and transcripts showing an operator using Claude Code and OpenClaw as day-to-day workflow assistants to build, debug, and refine an automated credential harvesting machine.
The DFIR Report published its findings after discovering the exposed host and documenting its contents in full. The platform, identified across multiple operator-controlled tools and bot handles as "Bissa scanner", combined React2Shell exploitation at internet scale with an AI-assisted operation...