A single operation using a Google Cloud fleet of thousands of short-lived instances is responsible for 99.1 percent of attacks on the Gravity SMTP credential bug. The attacker rotates 3,299 user-agent strings across 3,158 IPs in 92 networks but cannot change the JA4H fingerprint ge11nn0500_9af7e0472034. The unauthenticated REST endpoint exposed SMTP credentials, API keys, and DKIM tokens.
Summary by ByteBrief
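The summary's point that user-agent and IP rotation fails against a stable JA4H fingerprint can be turned into a log pivot. The sketch below is an added example, not code from the report or from ByteBrief. It assumes request logs already carry a JA4H field, and the sample records, the second fingerprint and the REST path placeholder are all constructed.

```python
from collections import defaultdict

ATTACK_FP = "ge11nn0500_9af7e0472034"   # fingerprint quoted in the summary
BROWSER_FP = "ge11cr1100_000000000000"  # constructed value for ordinary traffic
PATH = "/wp-json/PLACEHOLDER"           # placeholder: the page does not name the route

# Constructed sample records: (source IP, User-Agent, JA4H, path).
SAMPLE = [
    ("198.51.100.10", "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0", ATTACK_FP, PATH),
    ("198.51.100.77", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", ATTACK_FP, PATH),
    ("203.0.113.5", "curl/8.4.0", ATTACK_FP, PATH),
    ("203.0.113.92", "Mozilla/5.0 (Macintosh) Safari/605.1.15", ATTACK_FP, PATH),
    # Same browser build behind three addresses: shared fingerprint, one User-Agent.
    ("192.0.2.1", "Mozilla/5.0 (Windows NT 10.0) Edg/120.0", BROWSER_FP, "/"),
    ("192.0.2.2", "Mozilla/5.0 (Windows NT 10.0) Edg/120.0", BROWSER_FP, "/"),
    ("192.0.2.3", "Mozilla/5.0 (Windows NT 10.0) Edg/120.0", BROWSER_FP, "/"),
]

def cluster_by_ja4h(records):
    """Group requests by JA4H and collect the distinct IPs and User-Agents seen."""
    clusters = defaultdict(lambda: {"requests": 0, "ips": set(), "uas": set()})
    for ip, ua, ja4h, _path in records:
        cluster = clusters[ja4h]
        cluster["requests"] += 1
        cluster["ips"].add(ip)
        cluster["uas"].add(ua)
    return clusters

def rotating_clients(records, min_ips=3, min_uas=3):
    """Return fingerprints seen from many IPs and under many User-Agents.

    Many IPs alone is normal for a popular browser build. Many User-Agents
    behind one fingerprint means one client stack is changing its label.
    Result maps fingerprint -> (requests, distinct IPs, distinct User-Agents).
    """
    flagged = {}
    for ja4h, c in cluster_by_ja4h(records).items():
        if len(c["ips"]) >= min_ips and len(c["uas"]) >= min_uas:
            flagged[ja4h] = (c["requests"], len(c["ips"]), len(c["uas"]))
    return flagged

def traffic_share(records, ja4h):
    """Fraction of all requests that carry the given fingerprint."""
    return sum(1 for r in records if r[2] == ja4h) / len(records)

if __name__ == "__main__":
    print(rotating_clients(SAMPLE))
    print(f"{traffic_share(SAMPLE, ATTACK_FP):.1%} of requests share {ATTACK_FP}")
```

The thresholds are illustrative defaults; on production volumes they need tuning against the normal spread of User-Agents per fingerprint.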
Attackers Exploit Three Fortinet FortiSandbox Flaws, One Patched Last Week