
Command and Control Over Blockchain. Two Actors, One Year, A New Category That Cannot Be Taken Down.

  • Writer: Patrick Duggan
  • 5 minutes ago
  • 4 min read

There are exactly two Internet Computer Protocol blockchain canister command and control endpoints in DugganUSA's IOC index as of today. The first, cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io, was indexed by SSL Blacklist on April 23, 2026, attributed to an unnamed criminal actor. The second, tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io, was indexed independently on May 22, 2026, attributed to TeamPCP, the cluster behind the Megalodon GitHub Actions mass-poisoning campaign that ate 5,561 repositories in six hours. The mechanic is the same in both cases. The actors are distinct. The category is now real.



What an ICP canister C2 actually is


Internet Computer Protocol is a decentralized compute network. A canister on ICP is the rough equivalent of a Lambda function on AWS — a containerized unit of code with its own state, its own API surface, and a publicly resolvable URL of the shape <canister-id>.raw.icp0.io. The compute runs on a distributed network of nodes globally; there is no single provider to call for takedown, no abuse desk to email, no DNS registrar to coerce. The canister persists as long as the cycles balance — the network's native compute-credits — remains topped up, which is a problem the attacker solves with a few hundred dollars of ICP tokens.


When an attacker plants a C2 endpoint on an ICP canister, the standard defender playbook breaks. There is no hosting provider to file an abuse report with. There is no CDN to ask for a JSON sinkhole. There is no nameserver to seize. The blockchain network keeps the canister online because that is what the blockchain network is for. The defender's only remaining lever is to add the canister URL to deny-lists and inspect outbound TLS to *.raw.icp0.io from inside the perimeter, which is exactly the kind of structural-correctness defense that does not scale across the eighty-thousand-domain corporate enterprise.



Why the category was inevitable


The defensive ecosystem has spent twenty years optimizing takedown response to centralized hosting. Bulletproof hosters in eastern Europe became unprofitable when registrar-level coordination got fast enough to deny them more than a few weeks of life per domain. The migration to fast-flux DNS extended the window slightly. The migration to Cloudflare Trycloudflare tunnels — which we have seen TeamPCP use heavily for their Canisterworm payload staging — extended it further by exploiting the legitimate-tunnel infrastructure that defenders are reluctant to block wholesale. Blockchain canister C2 is the next step in the same evolutionary pressure. It is the first hosting layer where the takedown lever does not exist by design.


The fact that both indexed instances were discovered by SSL Blacklist's automated TLS certificate fingerprinting is the half-decent news. The blockchain network does not hide the TLS handshake; SSL Blacklist's per-port fingerprint correlator surfaces the C2 on the basis of certificate reuse across known-bad endpoints. That works because the canister still has to terminate TLS somewhere recognizable, and recognizable TLS is detectable TLS, even when the underlying compute is decentralized. The fingerprinting layer is therefore the durable defender primitive against this category. Domain-name blocklists will lag every new canister by hours or days. TLS-fingerprint blocklists will catch many on first request.



Two actors is not coincidence


When one criminal actor adopts a novel hosting primitive, that is a probe. When a second adopts it within a month, especially when the second is a high-capability multi-victim cluster like TeamPCP, that is the technique crossing a confidence threshold inside the criminal market. The April 23 cjn37 canister was the demonstration. The May 22 tdtqy canister is the production deployment. The third, fourth, and tenth will come in shorter increments because the operational pattern is now field-validated and the documentation circulates in the same channels that taught the marketplace dependency confusion, typosquatting, OAuth-token resale, and Trycloudflare-tunneled phishing kits in the prior cycles.


The defender outcome that matters in the next ninety days is what fraction of perimeter products start matching against *.icp0.io and against the TLS fingerprints SSL Blacklist publishes for these canisters. Cloudflare, Palo Alto, Fortinet, and the cloud-native vendors should each be shipping the deny-pattern in their next signature pack. Our STIX feed has been carrying the indicators since indexing; subscribers had the block in their SIEM before the campaign that used the May 22 canister was publicly named.
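An added example, not code from this post or from DugganUSA: a small Python scanner that applies the two checks the post recommends to egress logs, matching outbound TLS SNI values against *.icp0.io and extracting the canister id so that the two indexed canister ids above are reported as known indicators while any other canister-shaped host is reported as an unknown canister for review. It serves both this paragraph and the earlier one on inspecting outbound TLS to *.raw.icp0.io. The log layout, the sample lines, the `zzzzz-...-cai` canister and the `portal.icp0.io` host are constructed assumptions; the canister id shape (four five-character base32 groups plus a `cai` tail) is the standard text form of an ICP canister principal.

```python
"""Egress-log scanner for ICP canister C2 destinations (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two canister C2 endpoints indexed in the post, keyed by canister id.
KNOWN_CANISTER_C2 = {
    "cjn37-uyaaa-aaaac-qgnva-cai": "unattributed actor, indexed 2026-04-23",
    "tdtqy-oyaaa-aaaae-af2dq-cai": "TeamPCP, indexed 2026-05-22",
}

# Canister hostnames look like <canister-id>.raw.icp0.io (or without "raw").
# A canister id in text form is four 5-char base32 groups plus the "cai" tail.
CANISTER_HOST_RE = re.compile(
    r"^(?P<cid>[a-z2-7]{5}(?:-[a-z2-7]{5}){3}-cai)\.(?:raw\.)?icp0\.io$"
)

# Assumed (constructed) log layout: "<timestamp> <src_ip> <tls_sni> <dst_port>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<sni>\S+)\s+(?P<port>\d+)$")


@dataclass
class Finding:
    ts: str
    src: str
    sni: str
    canister: str  # empty when the host is under icp0.io but not canister-shaped
    verdict: str   # "known-c2", "unknown-canister" or "icp0-suffix"
    note: str = ""


def classify_sni(sni: str) -> Optional[Tuple[str, str, str]]:
    """Return (canister_id, verdict, note) for an icp0.io host, else None."""
    host = sni.lower().rstrip(".")
    m = CANISTER_HOST_RE.match(host)
    if m:
        cid = m.group("cid")
        if cid in KNOWN_CANISTER_C2:
            return cid, "known-c2", KNOWN_CANISTER_C2[cid]
        return cid, "unknown-canister", "canister not in IOC index; review"
    if host.endswith(".icp0.io"):
        # Broad *.icp0.io match from the post: flag even non-canister-shaped hosts.
        return "", "icp0-suffix", "non-canister host under icp0.io"
    return None


def scan_log(lines) -> List[Finding]:
    """Parse log lines and return one Finding per icp0.io destination."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        hit = classify_sni(m.group("sni"))
        if hit is None:
            continue
        cid, verdict, note = hit
        findings.append(
            Finding(m.group("ts"), m.group("src"), m.group("sni"), cid, verdict, note)
        )
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per verdict, e.g. for a SIEM dashboard tile."""
    return dict(Counter(f.verdict for f in findings))


# Constructed sample log; every host other than the two indexed IOCs is made up.
SAMPLE_LOG = """\
# ts src_ip tls_sni dst_port
2026-05-23T10:01:02Z 10.20.30.41 updates.example-vendor.invalid 443
2026-05-23T10:01:07Z 10.20.30.41 cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io 443
2026-05-23T10:02:11Z 10.20.30.55 tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io 443
2026-05-23T10:03:40Z 10.20.30.77 zzzzz-aaaaa-aaaaa-aaaaa-cai.icp0.io 443
2026-05-23T10:04:01Z 10.20.30.88 portal.icp0.io 443
"""

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.ts} {f.src} -> {f.sni} [{f.verdict}] {f.note}")
    print(summarize(results))
```

The design choice worth noting is the split between the exact-indicator match and the shape match: the two indexed canister ids will stop being useful the moment the actors rotate, so the scanner treats any canister-shaped host under icp0.io as reviewable rather than waiting for the next indicator to land in a feed. Feed the real SNI column from your proxy or TLS-inspection logs through `classify_sni` and keep the `LOG_RE` layout aligned with your own export format.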



What this changes about the threat model


The takedown lever is the second-to-last defensive primitive in the perimeter-era playbook — sanctions and indictments are the last. Blockchain C2 removes the takedown lever cleanly for the categories of attack where it has historically been the difference between containment and persistent compromise. Ransomware payment infrastructure, infostealer exfiltration endpoints, malware update channels, command-and-control beacon callbacks — every one of these becomes harder to disrupt when hosted on a decentralized canister than when hosted on a bulletproof VPS in the Russian Federation.


The asymmetric edge the defender retains is the one that lives inside the perimeter, not at the perimeter. Egress filtering, behavioral analytics on outbound TLS, identity-bound short-lived credentials, network segmentation that limits the blast radius of any single compromise, and the willingness to treat unknown destinations on the public internet as adversarial-by-default. None of these are new. All of them have been pushed for years by the same defender community that watched the takedown lever erode through one hosting generation after another. Blockchain C2 is the generation where the failure to adopt those primitives stops being a quibble and starts being the failure mode.


Pin to behavior, not destination. Watch the tag layer, not the repository name. Inspect the egress, not the perimeter. The category that cannot be taken down is here.



