Yes, it was being used to target specific organizations prior to Microsoft's patches this week. Since then, attackers have basically used tools like Shodan to find unpatched servers, and mass-backdoored them -- regardless of who the victim organization is.
Do you have any details you can share with us (support@shodan.io) about how attackers are using Shodan? We have a lot of mechanisms to prevent abuse (blocking anonymous access, limiting number of results/ searches, restricting certain search filters) and if there's more we can do please let me know.
Btw Microsoft, CERTs and a bunch of other orgs are also using Shodan to find out who is exposed. We already had all the data to determine vulnerability before the announcement was made so enterprise customers could search their local Shodan database for affected systems. And we've been sending out notifications as well.
I don't think that's an accusation against you, but I have to imagine there's a Shodan inspired darkweb site somewhere that takes crypto in exchange for bypassing all those noble restrictions.
