It’s likely they’re just using hacked sites. I’ve seen a WordPress site used as a Viagra botnet. The owner of the business thought it was good for them because they would get more traffic so they had given the other party root access. :sigh: the shit you see as a contractor…
But I’d be willing to bet you’re seeing hacked servers, not necessarily Hetzner’s fault. Hell, they didn’t even have IPv6 firewalls until recently (like the last six months).
I have pretty good reason to believe that scammers are using purchased Hetzner credentials — which is that some scammers are just right out there in the open, talking about how they do what they do: https://teletype.in/@slivmens/LjPaei8pMTT
Translated quote:
> To do this, we go here: [link to carding forum] and create a topic in the section "verified Hetzner accounts."
> Offer price — no more than 400 rubles is needed. The priority is people from Ukraine, as they have benefits. GEO of the person who verifies the account - any, excluding Russia due to sanctions.
> Another important detail: the seller must register a fresh GMail account, use that account to create an account on Hetzner, and verify it themselves.
> After verification, we wait 3 days before the creation of the new server — otherwise the likelihood of the account being blocked for abuse increases.
> After purchasing the account credentials, we change the password, both on the Gmail account, and on the Hetzner account.