A large-scale credential-harvesting operation known as FortiBleed has exposed roughly 430,000 FortiGate firewalls across 150 countries, and threat intelligence firm SOCRadar has now confirmed that it is feeding two active ransomware brands, INC Ransom and Lynx. Running since at least February 2026 and believed to be operated by a Russian initial access broker, the campaign has harvested more than 110 million credentials and has already produced at least 12 confirmed ransomware deployments, with hundreds of endpoints encrypted across the affected organizations.
What Happened
FortiBleed was uncovered in mid-June, targeting internet-facing FortiGate firewalls at scale. The attackers deploy a network sniffer dubbed FortigateSniffer directly onto compromised devices, capturing traffic as it passes through the firewall and extracting cleartext credentials and password hashes for later use. The goal is straightforward: harvest authentication material at the network chokepoint, then leverage it to move into Active Directory domains, steal data, and establish persistent access.
SOCRadar reports observing scanning activity against roughly 11,250 FortiGate portals. From that pool, the attackers gained administrative access on 409 targets and completed the full attack chain on 354 of them, including compromising VPNs, reaching the domain controller, and obtaining domain admin privileges. Twelve of those intrusions escalated into ransomware deployment.
What Was Taken
The primary theft is authentication material at an extraordinary scale. Because FortigateSniffer intercepts traffic transiting the firewall, it captures both cleartext credentials and password hashes as legitimate users authenticate. The operation is estimated to have compromised more than 110 million credentials since it began.
Beyond raw credentials, the completed intrusions gave attackers VPN access, domain controller access, and domain administrator privileges, effectively handing them the keys to entire enterprise networks. Where ransomware followed, the impact extended to full data encryption across hundreds of endpoints, alongside the sensitive information exfiltrated during the domain compromise phase.
Why It Matters
FortiBleed collapses the artificial boundary between an initial access broker and the ransomware crews it services. SOCRadar's investigation, aided by an operational security error that exposed the attackers' internal files, logs, and documentation, found a single operator logged into both the INC Ransom and Lynx negotiation panels, using infrastructure traceable back to FortiBleed. Investigators also confirmed overlaps between FortiBleed victims and INC targets, meaning the same organizations were hit in both operations.
That shared operator is the clearest evidence yet that firewall credentials harvested through this campaign are being handed off, or used directly, to deploy ransomware. Internal tracking documents suggest FortiBleed is run by roughly 20 individuals, some focused on high-impact intrusions and others providing technical support. INC Ransom, which emerged in mid-2023, is among the most prolific ransomware-as-a-service operations, and Lynx is believed to be an updated variant released about a year later. For defenders, this means a single exposed firewall is not an isolated risk but a direct pipeline into two of the most active ransomware brands operating today.
The Attack Technique
The attack begins at the perimeter. Attackers scan for and gain administrative access to FortiGate devices, then plant the FortigateSniffer network sniffer to passively intercept authentication traffic. Rather than brute-forcing or phishing users, they simply wait as credentials flow through the compromised firewall, extracting cleartext logins and hashes. A sniffer running on the firewall sees credentials in the clear only where the device itself terminates the session, for example SSL VPN logins or inspected TLS, or where the protocol carries them unencrypted; for everything else it is limited to hashes and challenge-response material, which matches the mix of cleartext credentials and hashes the campaign collects.
Armed with valid credentials, the operators pivot into the environment through VPN access, then work laterally toward the domain controller. From there they escalate to domain admin, giving them full control. At that point the access is either monetized directly through ransomware deployment or handed to affiliated crews. In the 12 confirmed cases, that handoff ended in INC Ransom or Lynx encrypting hundreds of endpoints.
What Organizations Should Do
- Treat every internet-facing FortiGate device as potentially compromised. Audit for unauthorized administrative access, unexpected configuration changes, and any unfamiliar processes or sniffer-like components such as FortigateSniffer.
- Rotate all credentials that may have traversed affected firewalls, including VPN, service, and administrative accounts, and force a domain-wide password reset if domain controller access cannot be ruled out. A domain-wide reset must include two resets of the krbtgt account, spaced apart per Microsoft's guidance, or Kerberos tickets forged with the stolen domain admin access remain valid.
- Enforce phishing-resistant multi-factor authentication on VPN and administrative logins so that harvested cleartext credentials alone cannot grant access.
- Restrict and monitor firewall management interfaces: disable administrative access on WAN-facing interfaces, limit each admin account to trusted source networks, and require MFA for all admin sessions.
- Hunt for lateral movement and privilege escalation toward domain controllers, prioritizing detection of anomalous domain admin activity and unusual VPN authentication patterns.
- Apply all available FortiGate patches and vendor guidance promptly, and validate offline, tested backups so ransomware deployment does not become an unrecoverable event.
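As an added example, not code from the original article or from SOCRadar's or Fortinet's tooling, the following Python script shows what the audit and hunting steps above look like in practice. It parses constructed FortiGate-style key=value event-log lines and applies four hunts: successful admin logins from outside the management allow-list, logins by admin accounts not on the approved list, changes to the administrator table, and one VPN identity used from many source addresses. The field names (subtype, logdesc, user, srcip, remip, action, status, cfgpath, cfgobj), the allow-list 10.10.0.0/24, the approved-admin list and the VPN threshold are assumptions; check them against your own FortiOS version's logs before using it.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample records in FortiGate's key=value event-log style (not real logs).
# The field names used below follow FortiOS conventions as an assumption; verify them
# against your own FortiOS version before pointing this at production logs.
SAMPLE_LOGS = [
    'date=2026-06-10 time=08:02:11 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" srcip=10.10.0.5 action="login" status="success"',
    'date=2026-06-10 time=23:41:07 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" srcip=203.0.113.77 action="login" status="success"',
    'date=2026-06-10 time=23:43:19 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" srcip=203.0.113.77 action="Add" cfgpath="system.admin" cfgobj="svc_backup" '
    'msg="Add system.admin svc_backup"',
    'date=2026-06-11 time=00:05:52 type="event" subtype="system" logdesc="Admin login successful" '
    'user="svc_backup" srcip=203.0.113.77 action="login" status="success"',
    'date=2026-06-11 time=07:10:00 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" '
    'user="jdoe" remip=198.51.100.10 action="tunnel-up"',
    'date=2026-06-11 time=07:12:30 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" '
    'user="jdoe" remip=198.51.100.44 action="tunnel-up"',
    'date=2026-06-11 time=07:15:02 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" '
    'user="jdoe" remip=192.0.2.9 action="tunnel-up"',
    'date=2026-06-11 time=07:20:45 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" '
    'user="asmith" remip=198.51.100.10 action="tunnel-up"',
]

# key=value pairs where the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict; quoted and bare values both handled."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def hunt(lines, mgmt_allowlist=("10.10.0.0/24",), known_admins=frozenset({"admin"}),
         vpn_source_threshold=3):
    """Apply the four hunts to FortiGate event records and return a list of findings.

    mgmt_allowlist, known_admins and vpn_source_threshold are assumed values; set them
    from your own management network, admin inventory and VPN usage baseline.
    """
    trusted = [ipaddress.ip_network(net) for net in mgmt_allowlist]
    findings = []
    vpn_sources = defaultdict(set)

    for rec in map(parse_line, lines):
        subtype = rec.get("subtype")
        user = rec.get("user", "?")

        # Hunts 1 and 2: successful admin logins from outside the management allow-list,
        # or by an account that is not on the approved administrator list.
        if subtype == "system" and rec.get("action") == "login" and rec.get("status") == "success":
            src = ipaddress.ip_address(rec.get("srcip", "0.0.0.0"))
            if not any(src in net for net in trusted):
                findings.append(("admin_login_untrusted_source", user, str(src)))
            if user not in known_admins:
                findings.append(("unknown_admin_login", user, str(src)))

        # Hunt 3: any change to the administrator table (added admins, changed passwords,
        # altered trusted hosts), regardless of who made it.
        if subtype == "system" and rec.get("cfgpath") == "system.admin":
            findings.append(("admin_account_change", user, rec.get("cfgobj", "?"), rec.get("action", "?")))

        # Collect VPN source addresses per identity for hunt 4.
        if subtype == "vpn" and rec.get("action") == "tunnel-up":
            vpn_sources[user].add(rec.get("remip"))

    # Hunt 4: one VPN identity used from many distinct source addresses in the window,
    # the pattern expected when harvested credentials are replayed by someone else.
    for user, ips in vpn_sources.items():
        if len(ips) >= vpn_source_threshold:
            findings.append(("vpn_many_sources", user, len(ips)))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

Run it over exported FortiGate event logs one line at a time. The admin_account_change findings deserve the closest look: a new or altered admin account is a common way for an intruder to keep device access through a credential rotation, so every such change during the exposure window should be matched to a change ticket.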
Sources: FortiBleed Campaign Linked to INC, Lynx Ransomware Attacks - SecurityWeek