GoPhish is the most popular open-source phishing framework. It is used by red teams, security awareness trainers, and threat actors alike. The admin panel is designed to run on a private network. We found 200 of them indexed on the public internet via Shodan, with their login pages accessible to anyone. We probed every one.
The Scan
We queried Shodan for http.title:"Gophish - Login" and pulled 200 unique panels across two pages of results. 134 were still alive with accessible login pages. The geographic distribution skews heavily toward the United States (38 panels), followed by Germany (16), India (7), France (6), the Netherlands (6), Indonesia (6), and Canada (6). The remaining panels are scattered across 23 additional countries.
DigitalOcean hosts the most GoPhish infrastructure (25 panels), followed by Google Cloud (21), Microsoft Azure (13), Hetzner (6), Linode (5), and Oracle Cloud (4). The majority of operators chose major cloud providers with free tier or low-cost compute options.
Port Choices Reveal Operator Experience
The admin panel port distribution tells its own story:
| Port | Panels | Assessment |
|---|---|---|
| 443 | 56 | HTTPS default, admin panel on the same port as phishing listener |
| 3333 | 42 | GoPhish default admin port |
| 8443 | 12 | Common alternative HTTPS |
| 80 | 8 | Plaintext HTTP, credentials transmitted unencrypted |
| 1337 | 5 | "Leet", cosmetic choice |
| 4444 | 3 | Metasploit default handler port (interesting overlap) |
42 operators left the admin panel on GoPhish's default port 3333, meaning Shodan trivially fingerprints it. 8 panels run the admin interface over plaintext HTTP on port 80, transmitting admin credentials in cleartext. 3 operators chose port 4444, the default Metasploit handler port, which may indicate broader offensive tooling on the same host.
No Default Credentials: But That Is the Only Thing They Got Right
None of the 134 live panels were running default credentials, and none exposed their API without authentication. Since GoPhish version 0.11.0 (released 2021), the initial admin password is randomly generated and displayed once in the console output. On this singular metric, every operator passed.
On everything else, they failed.
The Selki Operation: A Full Business Exposed
The most comprehensive OPSEC failure belongs to 51[.]81[.]155[.]58, hosted on OVH US (AS16276). This server runs GoPhish on port 3333 alongside 18 other exposed services:
| Port | Service | Exposure |
|---|---|---|
| 443 | Phishing listener | Live Mailcow webmail clone capturing credentials |
| 3333 | GoPhish admin | Login page indexed by Shodan |
| 8080 | Selki CRM | Business application |
| 3000 | Twenty CRM | Second CRM platform |
| 25, 465, 587, 2525 | SMTP | Full outbound mail infrastructure |
| 110, 143, 993, 995 | IMAP/POP3 | Mail retrieval |
| 9090 | Prometheus | Monitoring dashboard |
| 9100 | Node Exporter | System metrics |
| 22 | SSH | Remote access |
The phishing listener on port 443 serves a pixel-perfect clone of the Mailcow webmail interface at mail[.]selki-relay[.]com. The landing page includes a credential capture form with login_user and pass_user fields that POST to the GoPhish listener. It supports 30 languages (from Bulgarian to Vietnamese), includes references to /admin and /domainadmin paths to maintain the Mailcow illusion, and uses a Let's Encrypt certificate issued January 15, 2026.
The domain selki-relay[.]com has three DNS records pointing to this IP: mail, autoconfig, and autodiscover, the standard trio for a mail server with client auto-configuration. The operator built a complete mail infrastructure to support the phishing campaign, then exposed the admin panel, the CRM, the monitoring stack, and the mail servers to the entire internet.
French Schools: Everything Open
Two French technical schools run GoPhish for what appears to be cybersecurity curriculum exercises, and both expose their entire lab infrastructure:
Lycee Saint-John Perse (83[.]173[.]113[.]66): GoPhish on :3333, Proxmox hypervisor admin on :8009, RDP on :3389 (hostname: VM003.sio.lan), MySQL on :3306, FTP on :8021, Odoo ERP on :8069, and the school's BTS SIO student portal on :443. Fourteen ports open. The RDP hostname reveals the internal domain structure.
Lycee Guynemer (185[.]67[.]144[.]27): GoPhish on :3333, RDP on :3389 (hostname: winext.sno.lan), MySQL on :3306, Odoo ERP on :8069, and the school's SNO student portal on :443. Eleven ports open. The same pattern of exposing internal Windows infrastructure alongside the phishing training platform.
These are educational environments, but the exposure is real. Proxmox admin panels, RDP endpoints with internal hostnames, and MySQL databases accessible from the internet are not training exercises, they are attack surface.
Indonesian Government Infrastructure
103[.]169[.]3[.]162 runs GoPhish on port 443 with the domain admin[.]bmkg[.]site. BMKG is Indonesia's Badan Meteorologi, Klimatologi, dan Geofisika (Meteorology, Climatology and Geophysics Agency). The same server exposes a Portainer instance on port 9443, giving anyone with credentials full Docker container management access. Whether this is an authorized phishing awareness exercise or a targeting operation against BMKG, the Docker admin panel should not be on the public internet.
Phishing Listeners in the Wild
Beyond the admin panels, we probed alternate ports on every GoPhish server to identify active phishing listener infrastructure. 26 confirmed GoPhish listeners were found across 19 unique IPs. Most serve the default GoPhish page or redirect to the admin panel, but several host active campaigns:
34[.]159[.]98[.]118 redirects its phishing listener to training[.]deutscher-bauservice[.]de, a German construction company running phishing awareness training through Google Cloud infrastructure.
47[.]238[.]237[.]1 redirects to itassist[.]cienet-security[.]xyz, a domain mimicking IT support for CIeNET Technologies. Let's Encrypt certificate issued January 8, 2026.
What This Tells Us
The GoPhish ecosystem on the public internet breaks into three categories: corporate security awareness training (the German construction company, the IT services firm), educational lab environments (the French schools), and unclear-purpose operations where phishing infrastructure sits alongside business tools (the Selki operation). The common thread is not malicious intent, it is operational negligence.
None of these panels were running default credentials. Not one of the operators audited what else was exposed on the same host. The result is 134 phishing platforms broadcasting their existence to search engines, alongside databases, RDP endpoints, Docker panels, monitoring stacks, and full mail infrastructure that provide far more access than a compromised admin password ever would.
For defenders: if you recognize your organization's GoPhish instance in the IOCs below, it means Shodan indexed it before we did. Assume others have already found it. For operators: binding GoPhish to 0.0.0.0 instead of 127.0.0.1 is not a deployment strategy. A firewall is.
IOC Summary
GoPhish Panel Statistics
| Metric | Count |
|---|---|
| Panels indexed by Shodan | 200 |
| Still alive | 140 (70%) |
| Login page accessible | 134 (67%) |
| Default credentials | None |
| Unauthenticated API | None |
| Active phishing listeners | 26 |
| Credential harvesting pages | 3 |
Notable Infrastructure
| Indicator | Type | Notes |
|---|---|---|
51.81.155.58 | GoPhish Server | OVH US, 19 ports exposed, Mailcow phishing clone, CRM, mail infra |
mail[.]selki-relay[.]com | Phishing Domain | Mailcow webmail clone, Let's Encrypt cert |
83.173.113.66 | GoPhish Server | French school, Proxmox, RDP, MySQL, FTP exposed |
185.67.144.27 | GoPhish Server | French school, RDP, MySQL, Odoo exposed |
103.169.3.162 | GoPhish Server | Indonesian ISP, BMKG domain, Portainer exposed |
admin[.]bmkg[.]site | Phishing Domain | Indonesian government agency targeting |
34.159.98.118 | GoPhish Server | Google Cloud, German company training |
training[.]deutscher-bauservice[.]de | Phishing Domain | Phishing awareness training |
47.238.237.1 | GoPhish Server | Alibaba Cloud, IT support lure |
itassist[.]cienet-security[.]xyz | Phishing Domain | IT support impersonation |
Hosting Provider Distribution
| Provider | Panels |
|---|---|
| DigitalOcean | 25 |
| Google Cloud | 21 |
| Microsoft Azure | 13 |
| Hetzner | 6 |
| Linode | 5 |
| Oracle Cloud | 4 |
| OVH | 3 |
| Alibaba Cloud | 3 |