Researchers have confirmed what network defenders feared: the industrialized FortiGate credential-theft operation known as FortiBleed is not a standalone criminal data project — it is the front end of an active ransomware delivery chain. SOCRadar’s Threat Research Unit (STRU) announced July 1 that a single operator with verified access to FortiBleed’s attack infrastructure was found simultaneously logged into the negotiation panels of both INC Ransom and Lynx, two of the most active ransomware-as-a-service operations in the world. Credentials harvested from 430,000 enterprise firewalls are now confirmed to be feeding ransomware deployments, and organizations that have not yet acted face a narrowing window — researchers estimate ransomware can follow initial credential compromise within 30 to 60 days.
The attribution transforms a campaign that first appeared to be credential trafficking into something with immediate, traceable consequences: at least 12 confirmed ransomware deployments have already been traced directly to FortiBleed access, with hundreds of endpoints encrypted across affected organizations.
FortiBleed’s Scale — and What Has Changed Since June
When security researcher Volodymyr “Bob” Diachenko first disclosed an exposed attacker server in mid-June 2026, the campaign was already staggering in scope: 86,644 verified working credentials for FortiGate firewalls and VPN gateways across 194 countries, drawn from a pool of 430,000 targeted devices representing roughly half of all internet-facing Fortinet hardware. CISA issued an emergency advisory on June 18, the same day the UK’s National Cyber Security Centre published a global warning.
SOCRadar’s continued investigation since then has materially changed the picture in three ways. First, the operation’s infrastructure is larger than the initial disclosure suggested: STRU’s infrastructure mapping using Shodan, Censys, and Validin surfaced roughly 200 additional operational servers beyond the original dataset, putting the total at approximately 500. Second, the operator headcount and organizational structure are now documented: an internal tracking document recovered during the investigation reveals a structured operation of roughly 20 people with a defined division of labor — a small core of primary operators responsible for the highest-impact intrusions, backed by technical specialists and a layer of junior operators and support staff. Third, and most consequentially, the destination of the harvested credentials has been confirmed.
How FortigateSniffer Turned 430,000 Firewalls Into Listening Posts
FortiBleed’s technical backbone is a custom Golang-based tool called FortigateSniffer, and understanding it explains why the campaign harvested so many credentials so silently.
The tool does not install malware in the traditional sense. Once an attacker holds valid administrator access to a FortiGate (via credential stuffing, brute force, or credentials recycled from earlier Fortinet-related breach dumps), FortigateSniffer drives FortiOS's native diagnose sniffer packet command, a legitimate built-in packet-capture utility intended for troubleshooting. Run against the device's interfaces, that command turns the firewall into a passive listening post for every authentication exchange that crosses it. FortigateSniffer captured credential material across 24 protocols simultaneously: Kerberos, RADIUS, NTLM, RDP, LDAP, MSSQL, and more. Nothing needed to be installed, no payload was dropped, and there was no malware signature to match. The one artifact it does leave is the command itself: FortiOS records administrator CLI activity in its event logs when CLI audit logging is enabled, so organizations that forward those logs off-box can still see a sniffer being started from a session they did not open.
To further evade detection, the sniffer operated only during 07:00 to 18:00 Moscow Time, deliberately blending its traffic-capture activity into normal business-hour network noise. Captured authentication hashes were then fed into a dedicated cracking pipeline: a distributed 45-GPU cluster managed via Hashtopolis, with Hashcat as the underlying engine, processing hashes around the clock. A Telegram bot provided live telemetry back to a single hardcoded administrator.
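As an added example (not code from the article or from STRU), the following Python script shows what hunting for this technique looks like on the defender's side: it parses FortiGate-style key=value event logs, picks out invocations of diagnose sniffer packet, converts each to Moscow time, notes which authentication ports the capture filter names, and ranks the results. The log lines are constructed for the example, and the field set they rely on (date, time, tz, user, ui, msg) is an assumption; the exact fields FortiOS emits for CLI audit events vary by firmware version and require CLI audit logging to be enabled. The trusted management network is likewise a placeholder.

```python
"""Triage FortiGate event logs for use of `diagnose sniffer packet`.

Added example, not from the article or from SOCRadar's research tooling.
FortiOS event logs are key=value pairs; SAMPLE_LOGS below is CONSTRUCTED in
that style, and the field set it relies on (date, time, tz, user, ui, msg)
is an assumption about what a CLI audit event carries on your firmware.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

MSK = timezone(timedelta(hours=3))  # the sniffers ran 07:00-18:00 Moscow time

# Ports whose traffic carries the credential material the campaign harvested.
AUTH_PORTS = {88: "kerberos", 389: "ldap", 445: "smb/ntlm", 636: "ldaps",
              1433: "mssql", 1812: "radius", 3389: "rdp"}

# Networks from which sniffer use by real admins is expected (placeholder).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SNIFFER_RE = re.compile(r"\bdiag(?:nose)?\s+sniffer\s+packet\b")
PORT_RE = re.compile(r"\bport\s+(\d{1,5})\b")
UI_RE = re.compile(r"^(\w+)\(([^)]+)\)")  # e.g. ssh(198.51.100.23)

SAMPLE_LOGS = """\
date=2026-06-19 time=05:30:12 tz="+0000" devname="FGT-EDGE-01" type="event" subtype="system" level="information" user="admin" ui="ssh(198.51.100.23)" msg="diagnose sniffer packet any 'port 88 or port 1812 or port 389' 3 0"
date=2026-06-19 time=05:31:40 tz="+0000" devname="FGT-EDGE-01" type="event" subtype="system" level="information" user="admin" ui="ssh(198.51.100.23)" msg="execute ping 10.0.0.1"
date=2026-06-19 time=11:02:07 tz="+0000" devname="FGT-EDGE-01" type="event" subtype="system" level="information" user="netops" ui="https(10.20.0.5)" msg="diag sniffer packet port1 'icmp' 4 10"
date=2026-06-19 time=22:10:55 tz="+0000" devname="FGT-EDGE-01" type="event" subtype="system" level="information" user="admin" ui="ssh(198.51.100.23)" msg="diagnose sniffer packet any 'port 3389 or port 1433' 3 0"
"""


def parse_line(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def event_time_utc(entry):
    """Combine date/time with the tz offset field and normalise to UTC."""
    tz_raw = entry.get("tz", "+0000")
    sign = -1 if tz_raw.startswith("-") else 1
    offset = sign * timedelta(hours=int(tz_raw[1:3]), minutes=int(tz_raw[3:5]))
    local = datetime.strptime(f"{entry['date']} {entry['time']}", "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def source_of(entry):
    """Return (channel, ip) from a ui field such as ssh(198.51.100.23)."""
    m = UI_RE.match(entry.get("ui", ""))
    return (m.group(1), m.group(2)) if m else ("unknown", None)


def is_trusted_source(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # None, a hostname, or a console session
        return False
    return any(ip in net for net in TRUSTED_ADMIN_NETS)


def auth_ports_in(command):
    """Authentication-related ports named in the sniffer's capture filter."""
    return sorted({int(p) for p in PORT_RE.findall(command) if int(p) in AUTH_PORTS})


def triage(log_text):
    """Return every sniffer invocation found, most suspicious first."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        command = entry.get("msg", "")
        if not SNIFFER_RE.search(command):
            continue
        when = event_time_utc(entry)
        msk_business_hours = 7 <= when.astimezone(MSK).hour < 18
        channel, ip = source_of(entry)
        ports = auth_ports_in(command)
        # One point each: targets auth ports, untrusted source, Moscow office hours.
        score = int(bool(ports)) + int(not is_trusted_source(ip)) + int(msk_business_hours)
        findings.append({
            "utc": when.isoformat(),
            "user": entry.get("user"),
            "channel": channel,
            "source_ip": ip,
            "auth_protocols": [AUTH_PORTS[p] for p in ports],
            "moscow_business_hours": msk_business_hours,
            "score": score,
            "command": command,
        })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"[score {f['score']}] {f['utc']} {f['user']}@{f['channel']}({f['source_ip']}) "
              f"auth={','.join(f['auth_protocols']) or '-'} msk_hours={f['moscow_business_hours']}")
        print(f"    {f['command']}")
```

On the constructed sample the script ranks the external SSH session that sniffs Kerberos, LDAP and RADIUS during Moscow office hours highest, the same session sniffing RDP and MSSQL at night second, and the internal netops ICMP capture last. The Moscow-hours signal is deliberately only one point: on its own it proves nothing, but combined with an unknown source address and a filter aimed at authentication ports it is worth an analyst's time.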
The operation’s scale is reflected in the numbers: 659-plus harvesting pipelines, more than 105 million credentials identified across the full dataset, and 1.16 billion credential attempts against more than 320,000 FortiGate targets. In parallel, the same infrastructure executed 2.1 billion brute-force attempts against more than 163,000 Microsoft SQL Server systems — confirming this is a broad initial-access operation, not a Fortinet-specific campaign.
Sniffers remain deployed on approximately 11,000 devices as of the latest STRU assessment. The campaign is active.
Legacy Password Storage Made Mass Cracking Possible
A critical engineering gap amplified the campaign’s success.
FortiGate devices historically stored administrator credentials in the device configuration file as salted SHA-256 hashes. A single SHA-256 round is fast by design, so a GPU rig can test billions of candidate passwords per second against each hash, and a 45-GPU cluster is exactly what FortiBleed operated. Fortinet introduced PBKDF2-based hashing for administrator credentials in FortiOS 7.2.11, 7.4.8, and 7.6.1, released in late 2025, but the upgrade carries a critical condition: the PBKDF2 migration does not happen automatically. Each administrator must log into the device after the firmware upgrade to trigger re-hashing of their own credential, because the device only sees the cleartext password at login and cannot derive a PBKDF2 hash from the old SHA-256 one. Until that login occurs, the legacy SHA-256 hash remains in a hidden old-password configuration field, invisible to an administrator working on the device but present in any configuration backup. On FortiOS 7.2.x and 7.4.x, even after re-login the SHA-256 hash persists unless the login-lockout-upon-weaker-encryption setting is explicitly enabled.
An organization that upgraded FortiOS on schedule, never changed its administrator passwords, and never forced every admin to re-authenticate was therefore still carrying crackable SHA-256 hashes, and against a fast hash only a long, random password holds up. The attackers did not have to guess usernames either: 63.3% of the compromised credentials in the FortiBleed dataset belonged to generic admin accounts or factory-default Fortinet system accounts that many deployments had never renamed, a target list the operators could generate before sending a single brute-force attempt.
Fortinet characterized the campaign as involving credential reuse from prior incidents and brute-force against devices with weak password hygiene and no multi-factor authentication, noting it is not related to any new Fortinet vulnerability. That framing is technically accurate. It does not, however, resolve the conditional PBKDF2 migration problem, which is a product design constraint affecting any organization that upgraded firmware without forcing a subsequent admin re-authentication.
Confirmed Attribution: One Operator, Two Ransomware Groups
The ransomware link materialized when STRU identified a Windows server belonging to the FortiBleed infrastructure that contained an operational security lapse — residual access that gave researchers visibility into the group’s own environment, including internal files, logs, and operational documentation.
Within that environment, one operator was found actively logged into the negotiation panels of both INC Ransom and Lynx ransomware simultaneously, engaging directly with victim ransom demands on behalf of both groups. The screenshots STRU shared with BleepingComputer show active negotiation dashboards from both operations. The attribution is corroborated by a second, independent data point: STRU cross-referenced target data from FortiBleed’s own operational servers against a separately discovered INC-linked open directory and found matching victims in both datasets — the same organizations were being tracked by both the credential-harvesting campaign and the ransomware group.
INC Ransom has been active since July 2023 and has claimed more than 800 victims, making it one of the most prolific ransomware-as-a-service operations by confirmed victim count. Its targets span healthcare, education, government, and manufacturing, predominantly in the United States and Europe. Notable victims have included NHS Scotland’s Dumfries and Galloway health board, Xerox, and the Texas State Bar.
Lynx emerged in July 2024 and is assessed by multiple security researchers as a direct successor to INC, sharing an estimated 90% or more of its codebase — the product of a reported $300,000 source-code sale on underground criminal forums in May 2024. Lynx has amassed nearly 300 confirmed victims and specifically targets manufacturing, legal services, and energy infrastructure.
The internal tracking document that STRU recovered organized FortiBleed’s victim database by sector, geography, and — critically — target revenue. That targeting methodology is a hallmark of ransomware-focused initial access brokerage rather than opportunistic credential dumping: the operation was not collecting credentials randomly. It was selecting for organizations whose ransomware payment capacity the attackers had already researched.
Beyond Ransomware: What Russian Operators Do With 86,000 Open Doors
Forensic analysis of the FortiBleed infrastructure’s tooling — Cyrillic-alphabet comments throughout the code and the Moscow-business-hours operational schedule for the sniffers — consistently points to Russian-speaking threat actors. Security researcher Volodymyr Diachenko, who first discovered the exposed server, attributed the operation to a Russian-speaking multi-operator cybercrime group. Recorded Future’s Insikt Group reached the same attribution independently and flagged a dimension that the ransomware pipeline story alone does not capture.
The confirmed breach of at least one NATO-aligned defense contractor, combined with Russian attribution, raises what Recorded Future’s Insikt Group called “the likelihood of espionage objectives alongside opportunistic access.” A credential database organized by sector and revenue — covering government agencies, defense contractors, telecommunications, financial institutions, and hospitals across 194 countries — does not serve only ransomware affiliates. The same dataset serves any actor who wants persistent access to foreign enterprise networks, whether for financial crime, intellectual property theft, or intelligence gathering.
This is the structural risk that pure ransomware framing obscures: a Russian-speaking operation with both criminal and potential state-adjacent uses for its credential pool is not just a ransomware precursor. It is an access infrastructure whose downstream applications cannot be fully predicted from the outside. SOCRadar confirmed that on 354 of the 409 targets where admin-level access was verified, the operators completed the full attack chain: VPN compromise, domain controller access, and domain admin privileges. At that level of access, the choice of what to do next — encrypt files for ransom, exfiltrate data quietly, or maintain persistent presence — belongs entirely to the operators.
What Organizations Must Do Before the Window Closes
SOCRadar’s assessment is specific about timing: FortiBleed exposure should be treated as a potential ransomware precursor, with deployment possible within 30 to 60 days of credential acquisition. CISA, which issued its advisory June 18, and the UK NCSC, which issued a global warning the same day, have both outlined the same core remediation steps.
Immediate actions: terminate all active administrative and SSL VPN sessions and rotate every FortiGate administrator and VPN password, treating all credentials on internet-facing devices as potentially compromised whether or not the organization appears in the exposed dataset. The dataset is confirmed to be incomplete: it represents what researchers recovered, not the totality of what the attackers hold. Because the sniffer captured authentication traffic transiting the device rather than only logins to it, the rotation scope extends to any domain, RADIUS or database account whose authentication crossed a suspected firewall.
After credential rotation, confirm that PBKDF2 hashing is actually in effect, not merely that a PBKDF2-capable FortiOS version is installed. Every administrator must log into each device after the firmware upgrade to trigger re-hashing of their own account; an administrator who never logs in again keeps a legacy hash. On FortiOS 7.2.x and 7.4.x, additionally enable the login-lockout-upon-weaker-encryption setting to purge any remaining SHA-256 hashes from the old-password field, then pull a fresh configuration backup and inspect it rather than trusting the GUI, which hides that field.
Enable phishing-resistant MFA on all administrative and remote-access accounts. Restrict management interface access to trusted internal IP addresses or an out-of-band management network; researchers noted that on a majority of affected devices the FortiGate management interface was directly exposed to the internet at the time of discovery. Review logs for unauthorized access, configuration changes, unfamiliar service accounts, or lateral movement going back at least 90 days, and include the firewall's own event logs in that review: a sniffer started from an unfamiliar source address is the most direct indicator this campaign leaves.
Organizations that discover confirmed compromise should isolate the affected device, preserve logs and configuration data before any remediation, and treat credential rotation alone as insufficient: an attacker who has already reached domain admin may have established persistence that survives password changes, such as additional accounts, forged Kerberos tickets, or scheduled tasks, which only proper incident response scoping will find.
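To make the verification in the steps above concrete, here is an added Python example (not Fortinet's tooling and not from the article) that audits a FortiOS configuration backup for the conditions the campaign exploited: administrator accounts still carrying a legacy salted SHA-256 hash, accounts without a trusthost restriction or two-factor setting, and interfaces that expose management protocols on a WAN-role or public address. The sample backup is constructed. The script assumes that exported configs mark the legacy hash with an ENC SH2 prefix, and it scans every key in an admin block for that prefix because the old hash can persist in a field other than password; the non-legacy hash value in the sample is a placeholder, since the article does not state what prefix the PBKDF2 format uses, so compare the script's output against a freshly re-hashed account on your own firmware before relying on it.

```python
"""Audit a FortiOS configuration backup for the FortiBleed preconditions.

Added example, not Fortinet's tooling and not from the article. SAMPLE_BACKUP
is CONSTRUCTED. Assumption: exported configs mark the legacy salted SHA-256
admin hash with an `ENC SH2...` token; it is checked under every key in an
admin block because the old hash can linger in a field other than `password`.
The migrated account's hash value is a placeholder, not a real PBKDF2 tag.
"""
import ipaddress

MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}

SAMPLE_BACKUP = """\
config system admin
    edit "admin"
        set vdom "root"
        set password ENC SH2Wd0mK3xQv7pL9sT2aR5nB8cF1gH4jK6mN0pQ3sV5xZ8
    next
    edit "netops"
        set vdom "root"
        set trusthost1 10.20.0.0 255.255.255.0
        set two-factor fortitoken
        set password ENC PLACEHOLDERNONLEGACYHASH
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "mgmt"
        set vdom "root"
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
"""


def parse_sections(text, wanted):
    """Collect `edit` entries under the wanted `config` paths as {name: {key: [values]}}."""
    entries = {path: {} for path in wanted}
    stack = []  # one [path, current_entry_name] per open config block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head, _, rest = line.partition(" ")
        if head == "config":
            stack.append([rest, None])
        elif head == "edit" and stack:
            stack[-1][1] = rest.strip('"')
            if stack[-1][0] in entries:
                entries[stack[-1][0]].setdefault(stack[-1][1], {})
        elif head == "set" and stack and stack[-1][1] is not None:
            path, name = stack[-1]
            if path in entries:
                key, _, value = rest.partition(" ")
                entries[path][name][key] = value.split()
        elif head == "next" and stack:
            stack[-1][1] = None
        elif head == "end" and stack:
            stack.pop()
    return entries


def has_legacy_hash(settings):
    """True if any setting value carries an ENC SH2... token, whatever its key."""
    for values in settings.values():
        for tag, payload in zip(values, values[1:]):
            if tag == "ENC" and payload.startswith("SH2"):
                return True
    return False


def audit_admins(admins):
    report = {}
    for name, settings in admins.items():
        issues = []
        if has_legacy_hash(settings):
            issues.append("legacy SH2 hash present: PBKDF2 migration not completed")
        if not any(key.startswith("trusthost") for key in settings):
            issues.append("no trusthost restriction")
        if settings.get("two-factor", ["disable"])[0] == "disable":
            issues.append("two-factor disabled")
        report[name] = issues
    return report


def audit_interfaces(interfaces):
    """Interfaces offering management protocols on a WAN-role or public address."""
    report = {}
    for name, settings in interfaces.items():
        exposed = MGMT_PROTOCOLS & set(settings.get("allowaccess", []))
        if not exposed:
            continue
        addr = settings.get("ip", [""])[0]
        try:
            public = ipaddress.ip_address(addr).is_global
        except ValueError:
            public = False
        if public or settings.get("role", [""])[0] == "wan":
            report[name] = sorted(exposed)
    return report


def audit(backup_text):
    sections = parse_sections(backup_text, ("system admin", "system interface"))
    return {"admins": audit_admins(sections["system admin"]),
            "exposed_interfaces": audit_interfaces(sections["system interface"])}


if __name__ == "__main__":
    result = audit(SAMPLE_BACKUP)
    for admin, issues in result["admins"].items():
        print(f"admin {admin}: {'; '.join(issues) or 'ok'}")
    for iface, protocols in result["exposed_interfaces"].items():
        print(f"interface {iface}: management access {protocols} on an untrusted side")
```

Run it against a backup taken after the re-login step and, on 7.2.x and 7.4.x, after enabling login-lockout-upon-weaker-encryption; any admin still reported with an SH2 token has not completed the migration, regardless of what the GUI shows.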
Free exposure-checking tools are available from SOCRadar and Hudson Rock to verify whether a domain or IP address appears in the exposed dataset.
SOCRadar’s forthcoming technical whitepaper will include the full indicators of compromise, the group’s complete infrastructure map, operator tooling details, a detailed investigation into the group’s use of AI tooling in attack development, and responsible disclosure details for at least one zero-day currently under coordinated disclosure.
Frequently Asked Questions
Is my organization at risk if it doesn’t appear in the FortiBleed checker results?
Not necessarily. The exposed dataset that SOCRadar and Hudson Rock analyzed represents what researchers recovered from the attacker-operated servers, not the complete scope of what the FortiBleed operators collected. CISA and multiple security researchers explicitly advise treating any internet-facing FortiGate device as potentially compromised and rotating all credentials regardless of whether a specific domain or IP appears in the checker results.
How does FortigateSniffer actually steal credentials without triggering antivirus?
FortigateSniffer abuses a legitimate FortiOS diagnostic command, diagnose sniffer packet, to passively capture authentication traffic passing through a compromised firewall. Because it drives a built-in command rather than dropping external malware, there is no file for antivirus to inspect and nothing for signature-based perimeter monitoring to match; the only trace is the CLI command itself in the device's event logs. Captured authentication hashes across 24 protocols, including Kerberos, NTLM, and RADIUS, are then sent to an off-device GPU cluster for offline cracking. The hashes are not decrypted but guessed, which is why the strength of the underlying password and the cost of the hash function still matter.
How is this different from a typical firewall vulnerability that gets patched?
FortiBleed has no CVE at its core and no patch that addresses it. Bitdefender’s technical advisory noted it plainly: “FortiBleed is more dangerous than a typical critical CVE because there is nothing to patch.” The campaign exploits credential reuse, weak password hygiene, legacy SHA-256 password storage in FortiOS, and internet-exposed management interfaces — conditions that a firmware update alone cannot resolve. Each organization must independently rotate credentials, verify PBKDF2 migration, enable MFA, and restrict management interface exposure.
Could FortiBleed’s credential pool be used for espionage, not just ransomware?
Yes, and researchers have said so explicitly. Recorded Future’s Insikt Group noted that Russian attribution combined with the confirmed breach of a NATO-aligned defense contractor “raises the likelihood of espionage objectives alongside opportunistic access.” A database of administrator credentials for government agencies, defense contractors, hospitals, and financial institutions across 194 countries serves any actor seeking persistent network access — ransomware groups, data theft operations, or intelligence services. The credential pool’s downstream uses are not limited to the ransomware pipeline that SOCRadar has now confirmed.
