An international research team from the Max Planck Institute (MPI) for Informatics in Saarbrücken, Germany, and the Delft University of Technology in the Netherlands has developed a method to detect compromised hosts at an internet scale by probing servers with public SSH keys previously observed in attacker operations.

This way, the team was able to identify more than 16,000 compromised hosts. Their findings have now been published at the USENIX Security Symposium 2025, where they were awarded a Distinguished Paper Award and the Internet Defense Prize.

Secure Shell (SSH) is one of the most common tools used to manage servers remotely. It provides a secure, encrypted channel between a client and a server, allowing users to log in, execute commands, and transfer files safely. SSH is widely used by system administrators and developers for maintaining and configuring remote systems.