Intercepting and exploiting first-contact SSH sessions is a security conference sport. People definitely do it.