Live AWS keys in 75 throwaway repos, each made public for one of five windows from 60 seconds to 12 hours, every use logged. The keys were tripwires; the real question was who notices a private repo going public, and what they do once they’re in.
The most useful finding is the dull one: re-hiding the repo does nothing. One busy harvester kept re-validating the captured keys for a day after the repos went private again. Only rotating the key stops it.
This came out of building a monitor for exactly these repo-setting changes.
There are criminal but professsional groups with million-$ budgets out there.
Hell, there are nation states that have been doing this sort of thing for decades. 15 or so years ago I worked in IT at a university. They bought some servers from IBM and had IBM install them on public IP addresses. It is extremely well known that IBM regularly uses default passwords (or at least used to) like “PASSW0RD” with a zero for the O. I had access to one of these servers about 15 minutes after it was set up, and the first thing I did after changing the password was to check the logs. Sure enough an IP address from China had already logged in as root. I immediately wiped the entire server clean and reinstalled everything.