Monday 06 July 2026 09:45:53 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Breaches & Data Leaks

Inside the Telegram-Powered Heist: How Hackers Looted 900+ Companies with React2Shell and AI

Published: 24 April 2026 09:03Category: Breaches & Data LeaksAuthor: AUDITWOLF

A sprawling, AI-assisted hacking campaign exploited a critical React vulnerability, using Telegram bots to coordinate and profit from over 900 corporate breaches.

When a single HTTP request can open the door to a company’s most sensitive secrets, cybercriminals don’t just knock-they barge in, automate the process, and brag about their success in real time. That’s exactly what unfolded in the recent React2Shell campaign, where a disciplined crew of hackers fused AI tools and Telegram bots to orchestrate one of the most prolific data heists of the year. The breach left a trail of more than 900 compromised organizations, exposing a goldmine of credentials, business records, and financial data.

Fast Facts

  • Over 900 companies breached via the React2Shell (CVE-2025-55182) vulnerability.
  • Attackers used Telegram bots for instant updates and victim triage.
  • AI tools (Claude Code, OpenClaw) automated scanning, exploitation, and credential harvesting.
  • More than 65,000 stolen files archived in two weeks on a cloud storage service.
  • Victims included major SaaS, cloud, finance, and e-commerce providers.

The Anatomy of an AI-Assisted Mega Breach

Investigators stumbled onto a server tied to the Bissa scanner-a purpose-built platform designed for mass exploitation, credential theft, and organized operator workflows. At its core was the React2Shell flaw, a “perfect 10” remote code execution bug lurking in React Server Components and Next.js stacks. With a single unauthenticated HTTP request, attackers could run code on unpatched systems-no passwords or logins required.

Unlike smash-and-grab hacks of the past, these operators ran a tightly managed campaign. The exposed infrastructure revealed more than 13,000 files, spanning target scanning modules, credential harvesting scripts, and AI-driven workflow management. Notably, the attackers integrated cutting-edge AI models-Claude Code for code review and troubleshooting, OpenClaw for orchestration and triage-turning their operation into a self-improving, scalable credential-harvesting machine.

But the real innovation was in command and control. Rather than building custom dashboards, the hackers embedded Telegram bots directly into their workflow. Every successful breach triggered a bot alert-sent straight to a private chat controlled by the operator known as “Dr. Tube.” Each message summarized the compromised company, the privileges gained, and the secrets found, all delivered in emoji-coded lines for rapid triage.

Stolen data was anything but random. The Bissa scanner zeroed in on environment files, cloud credentials, API keys, and sensitive business records. Investigators found over 30,000 unique environment files and 65,000 archived entries uploaded to Filebase, a cloud S3-compatible storage service, in just 12 days. The loot included keys to AI platforms, payment processors, cloud hosts, and internal databases-giving attackers potential access to everything from payroll to customer transactions.

With evidence of over 900 confirmed breaches, this campaign stands out for its industrial scale, technical sophistication, and ruthless efficiency. The use of AI and messaging bots not only accelerated exploitation but also enabled real-time prioritization of high-value targets across finance, crypto, and e-commerce sectors.

Defending Against the New Normal

The React2Shell spree is a wake-up call: attackers are now leveraging automation and AI to outpace manual defenses. Security experts stress that organizations must urgently patch vulnerable stacks, move secrets out of plain-text files, enforce strict identity controls, monitor outbound data flows, and rotate credentials before attackers can weaponize them. In the era of AI-driven cybercrime, speed and discipline are no longer optional-they’re essential for survival.

WIKICROOK

  • Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
  • Environment Files (.env): .env files store sensitive configuration data like passwords and API keys for applications. They must be protected to prevent unauthorized access.
  • Telegram Bot: A Telegram Bot is an automated program on Telegram that can send or receive messages, often used for automation or by cybercriminals to manage malware.
  • Credential Harvesting: Credential harvesting is the theft of login details, such as usernames and passwords, often through fake websites or deceptive emails.
  • S3: S3 is Amazon's cloud storage service, offering secure, scalable data storage. Compatible storage uses S3 protocols for easy data management and integration.