← Dispatches

TLP:CLEAR · 2026-02-27

You Changed the Password. You Forgot Everything Else: 200 GoPhish Panels Exposed

We found 200 GoPhish phishing platforms indexed on Shodan and probed all of them. None were running default credentials. But the operators left everything else exposed: active credential-harvesting pages, co-hosted business infrastructure, open databases, Docker admin panels, RDP endpoints, and full mail servers sitting alongside their phishing tools. You changed the password. You forgot everything else.

GoPhish is the most popular open-source phishing framework. It is used by red teams, security awareness trainers, and threat actors alike. The admin panel is designed to run on a private network. We found 200 of them indexed on the public internet via Shodan, with their login pages accessible to anyone. We probed every one.

The Scan

We queried Shodan for http.title:"Gophish - Login" and pulled 200 unique panels across two pages of results. 134 were still alive with accessible login pages. The geographic distribution skews heavily toward the United States (38 panels), followed by Germany (16), India (7), France (6), the Netherlands (6), Indonesia (6), and Canada (6). The remaining panels are scattered across 23 additional countries.

DigitalOcean hosts the most GoPhish infrastructure (25 panels), followed by Google Cloud (21), Microsoft Azure (13), Hetzner (6), Linode (5), and Oracle Cloud (4). The majority of operators chose major cloud providers with free tier or low-cost compute options.

Port Choices Reveal Operator Experience

The admin panel port distribution tells its own story:

PortPanelsAssessment
44356HTTPS default, admin panel on the same port as phishing listener
333342GoPhish default admin port
844312Common alternative HTTPS
808Plaintext HTTP, credentials transmitted unencrypted
13375"Leet", cosmetic choice
44443Metasploit default handler port (interesting overlap)

42 operators left the admin panel on GoPhish's default port 3333, meaning Shodan trivially fingerprints it. 8 panels run the admin interface over plaintext HTTP on port 80, transmitting admin credentials in cleartext. 3 operators chose port 4444, the default Metasploit handler port, which may indicate broader offensive tooling on the same host.

No Default Credentials: But That Is the Only Thing They Got Right

None of the 134 live panels were running default credentials, and none exposed their API without authentication. Since GoPhish version 0.11.0 (released 2021), the initial admin password is randomly generated and displayed once in the console output. On this singular metric, every operator passed.

On everything else, they failed.

The Selki Operation: A Full Business Exposed

The most comprehensive OPSEC failure belongs to 51[.]81[.]155[.]58, hosted on OVH US (AS16276). This server runs GoPhish on port 3333 alongside 18 other exposed services:

PortServiceExposure
443Phishing listenerLive Mailcow webmail clone capturing credentials
3333GoPhish adminLogin page indexed by Shodan
8080Selki CRMBusiness application
3000Twenty CRMSecond CRM platform
25, 465, 587, 2525SMTPFull outbound mail infrastructure
110, 143, 993, 995IMAP/POP3Mail retrieval
9090PrometheusMonitoring dashboard
9100Node ExporterSystem metrics
22SSHRemote access

The phishing listener on port 443 serves a pixel-perfect clone of the Mailcow webmail interface at mail[.]selki-relay[.]com. The landing page includes a credential capture form with login_user and pass_user fields that POST to the GoPhish listener. It supports 30 languages (from Bulgarian to Vietnamese), includes references to /admin and /domainadmin paths to maintain the Mailcow illusion, and uses a Let's Encrypt certificate issued January 15, 2026.

The domain selki-relay[.]com has three DNS records pointing to this IP: mail, autoconfig, and autodiscover, the standard trio for a mail server with client auto-configuration. The operator built a complete mail infrastructure to support the phishing campaign, then exposed the admin panel, the CRM, the monitoring stack, and the mail servers to the entire internet.

French Schools: Everything Open

Two French technical schools run GoPhish for what appears to be cybersecurity curriculum exercises, and both expose their entire lab infrastructure:

Lycee Saint-John Perse (83[.]173[.]113[.]66): GoPhish on :3333, Proxmox hypervisor admin on :8009, RDP on :3389 (hostname: VM003.sio.lan), MySQL on :3306, FTP on :8021, Odoo ERP on :8069, and the school's BTS SIO student portal on :443. Fourteen ports open. The RDP hostname reveals the internal domain structure.

Lycee Guynemer (185[.]67[.]144[.]27): GoPhish on :3333, RDP on :3389 (hostname: winext.sno.lan), MySQL on :3306, Odoo ERP on :8069, and the school's SNO student portal on :443. Eleven ports open. The same pattern of exposing internal Windows infrastructure alongside the phishing training platform.

These are educational environments, but the exposure is real. Proxmox admin panels, RDP endpoints with internal hostnames, and MySQL databases accessible from the internet are not training exercises, they are attack surface.

Indonesian Government Infrastructure

103[.]169[.]3[.]162 runs GoPhish on port 443 with the domain admin[.]bmkg[.]site. BMKG is Indonesia's Badan Meteorologi, Klimatologi, dan Geofisika (Meteorology, Climatology and Geophysics Agency). The same server exposes a Portainer instance on port 9443, giving anyone with credentials full Docker container management access. Whether this is an authorized phishing awareness exercise or a targeting operation against BMKG, the Docker admin panel should not be on the public internet.

Phishing Listeners in the Wild

Beyond the admin panels, we probed alternate ports on every GoPhish server to identify active phishing listener infrastructure. 26 confirmed GoPhish listeners were found across 19 unique IPs. Most serve the default GoPhish page or redirect to the admin panel, but several host active campaigns:

34[.]159[.]98[.]118 redirects its phishing listener to training[.]deutscher-bauservice[.]de, a German construction company running phishing awareness training through Google Cloud infrastructure.

47[.]238[.]237[.]1 redirects to itassist[.]cienet-security[.]xyz, a domain mimicking IT support for CIeNET Technologies. Let's Encrypt certificate issued January 8, 2026.

What This Tells Us

The GoPhish ecosystem on the public internet breaks into three categories: corporate security awareness training (the German construction company, the IT services firm), educational lab environments (the French schools), and unclear-purpose operations where phishing infrastructure sits alongside business tools (the Selki operation). The common thread is not malicious intent, it is operational negligence.

None of these panels were running default credentials. Not one of the operators audited what else was exposed on the same host. The result is 134 phishing platforms broadcasting their existence to search engines, alongside databases, RDP endpoints, Docker panels, monitoring stacks, and full mail infrastructure that provide far more access than a compromised admin password ever would.

For defenders: if you recognize your organization's GoPhish instance in the IOCs below, it means Shodan indexed it before we did. Assume others have already found it. For operators: binding GoPhish to 0.0.0.0 instead of 127.0.0.1 is not a deployment strategy. A firewall is.

IOC Summary

GoPhish Panel Statistics

MetricCount
Panels indexed by Shodan200
Still alive140 (70%)
Login page accessible134 (67%)
Default credentialsNone
Unauthenticated APINone
Active phishing listeners26
Credential harvesting pages3

Notable Infrastructure

IndicatorTypeNotes
51.81.155.58GoPhish ServerOVH US, 19 ports exposed, Mailcow phishing clone, CRM, mail infra
mail[.]selki-relay[.]comPhishing DomainMailcow webmail clone, Let's Encrypt cert
83.173.113.66GoPhish ServerFrench school, Proxmox, RDP, MySQL, FTP exposed
185.67.144.27GoPhish ServerFrench school, RDP, MySQL, Odoo exposed
103.169.3.162GoPhish ServerIndonesian ISP, BMKG domain, Portainer exposed
admin[.]bmkg[.]sitePhishing DomainIndonesian government agency targeting
34.159.98.118GoPhish ServerGoogle Cloud, German company training
training[.]deutscher-bauservice[.]dePhishing DomainPhishing awareness training
47.238.237.1GoPhish ServerAlibaba Cloud, IT support lure
itassist[.]cienet-security[.]xyzPhishing DomainIT support impersonation

Hosting Provider Distribution

ProviderPanels
DigitalOcean25
Google Cloud21
Microsoft Azure13
Hetzner6
Linode5
Oracle Cloud4
OVH3
Alibaba Cloud3

Intercept Cell Research is a Cipher Cortex research program. Hooked Scams is a scam investigation series from Intercept Cell Research.