A massive credential-theft campaign linked to two notorious ransomware operations has exposed over 73,000 Fortinet devices and compromised an estimated 430,000 firewalls worldwide. The operation, dubbed “FortiBleed,” has been tied to members of the INC and Lynx ransomware-as-a-service (RaaS) groups by researchers at SOCRadar.
The campaign’s scope is staggering: traffic sniffers were deployed on over 19,000 devices to intercept VPN credentials and other sensitive data. This custom-built tool, known as “FortiGate Sniffer,” allowed attackers to bypass traditional security measures and read authentication data directly from network traffic. The operation’s infrastructure included more than 500 servers used for credential harvesting, cracking password hashes, and performing credential-stuffing attacks.
Following the discovery of a server containing exposed credentials in June, SOCRadar launched an investigation into the FortiBleed campaign. Their research revealed that the operation was not only massive but also highly organized, with roughly 20 members working together to carry out the attacks. The researchers identified over 200 additional operational servers beyond those originally associated with the campaign.
One of the most alarming findings from SOCRadar’s investigation is that an individual with access to FortiBleed infrastructure was also involved in ransomware negotiations for both the Lynx and INC groups. This suggests a level of coordination between the attackers and the ransomware operators, with stolen credentials potentially being used to fuel future network intrusions.
The link between FortiBleed and the ransomware operations raises significant concerns about the potential impact on affected organizations. SOCRadar identified overlaps between the victim information harvested during the campaign and the victims listed on the INC ransomware leak site. The researchers also uncovered evidence suggesting that attackers exploited a previously undisclosed Nextcloud zero-day vulnerability to expand their access after the initial compromise.
While Fortinet has notified impacted organizations, with over 11,000 compromised devices reported, the full extent of the damage remains unknown. SOCRadar is continuing its investigation and will release a second technical white paper containing indicators of compromise, attribution evidence, and additional analysis once complete.
The FortiBleed campaign serves as a stark reminder of the need for organizations to prioritize security and regularly test their defenses against potential threats. As SOCRadar notes, “Test every layer before attackers do.”
Source: Bleeping Computer — 2026-07-01