```bash
# Run host-side, fleet-wide
sudo find / -name authorized_keys -type f -exec \
  grep -l 'AAAAC3NzaC1lZDI1NTE5AAAAIMhfiGeykxXnvdARJXQSCouFsIHeG+H28W03yY2juP00' {} +
```

Host
Any production host's `/root/.ssh/authorized_keys` (or any user's) containing the marker key is decisive evidence of this operator. Schedule as a daily corpus scan.
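A stricter variant of the scan above, as an added example that is not from the original page: it also covers `authorized_keys2`, matches the key blob as an exact whitespace-delimited field (so entries with leading options still match and commented-out lines are skipped), and returns a non-zero status on a hit so a daily job can alert. The function name `scan_marker_key` is hypothetical, and custom `AuthorizedKeysFile` locations set in `sshd_config` are not covered.

```shell
#!/bin/sh
# Added example (not the page's own code): exact-match scan for the marker key.
MARKER='AAAAC3NzaC1lZDI1NTE5AAAAIMhfiGeykxXnvdARJXQSCouFsIHeG+H28W03yY2juP00'

# scan_marker_key [ROOT]   (hypothetical helper name; ROOT defaults to /)
# Prints "path:line" for every active entry whose key blob equals MARKER.
# Returns 1 when at least one hit is found and 0 when the tree is clean,
# so a scheduler or monitoring wrapper can alert on the exit status.
scan_marker_key() {
    root=${1:-/}
    # find/awk errors (unreadable or vanished paths) are discarded; run as root.
    hits=$(
        find "$root" -type f \
            \( -name authorized_keys -o -name authorized_keys2 \) \
            -exec awk -v key="$MARKER" '
                /^[ \t]*#/ { next }   # skip commented-out entries
                {
                    # options, key type and comment are separate fields;
                    # the base64 blob must equal the marker exactly
                    for (i = 1; i <= NF; i++)
                        if ($i == key) { print FILENAME ":" FNR; break }
                }' {} + 2>/dev/null | sort
    ) || true
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Example daily use: scan_marker_key / || logger -p auth.crit "marker key found"
```

The `path:line` output points at the exact entry to preserve for incident response before the key is removed.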