According to Flare, over 1,400 exposed MongoDB servers have been hijacked and wiped, with ransom notes left behind in the majority of cases. The report notes that 1,416 of 3,100 publicly visible servers were compromised, with the ransom notes typically demanding around 500 USD in Bitcoin and often using the same wallet. The analysis highlights that more than 200,000 MongoDB servers are publicly reachable, but the primary risk stems from misconfiguration rather than widespread exploitation of a vulnerability.
Among the fully exposed servers, 45.6% were compromised, and the wallet bc1qe2l4ffmsqfdu43d7n76hp2ksmhclt5g9krx3du appeared in over 98% of cases, pointing to a single dominant actor. The researchers also found that more than 95,000 servers had at least one vulnerability, though most flaws enable only denial-of-service, reinforcing that misconfiguration is the critical enabling factor.
The piece notes that there are currently no known pre-authentication RCE vulnerabilities in MongoDB, but a zero-day could rapidly broaden the scale of ransom operations. February 2, 2026.