
FortiBleed exposed 430,000 FortiGate firewalls, linked to INC Ransom and Lynx, enabling domain compromise and at least 12 ransomware attacks.
SOCRadar’s Threat Research Unit has connected FortiBleed, a large-scale campaign that harvested credentials from over 430,000 FortiGate firewalls worldwide, directly to two active ransomware operations: INC Ransom and Lynx. The link isn’t circumstantial. An operator with access to FortiBleed’s own infrastructure was found actively logged into the negotiation panels of both ransomware groups, handling ransom demands in real time.
FortiBleed has been documented since SOCRadar’s first report. The operation uses a custom tool written in Go called FortigateSniffer, which passively intercepts authentication traffic by abusing FortiOS’s own built-in packet diagnostic command across two dozen protocols.
The attacker never sends malicious payloads to the firewall. They just listen to the traffic the device generates itself. It’s a quiet way to collect credentials at scale, and it’s been running across more than 150 countries.
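The article names the technique but not the command; as an added, defender-side example (not SOCRadar's tooling, Fortinet's code, or the attacker's FortigateSniffer), this parses FortiOS-style key=value event logs and flags administrative sessions that invoked the built-in `diagnose sniffer packet` capture the article refers to. The log lines are constructed, and the field names (`user`, `ui`, `msg`) and the allowlist of admin hosts are assumptions for this example; verify them against your own CLI audit log output before using the logic.

```python
import re
from typing import Dict, List

# Key=value tokeniser for FortiOS-style event logs: values are either bare
# tokens or double-quoted strings (which may contain spaces and escaped quotes).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log lines in a FortiOS-like key=value layout. The field
# names user/ui/msg are assumed for this example, not taken from the article.
SAMPLE_LOGS = [
    'date=2026-03-02 time=10:14:03 type="event" subtype="system" level="notice" '
    'user="admin" ui="ssh(203.0.113.7)" '
    'msg="Admin executed command: diagnose sniffer packet any \\"port 389 or port 636\\" 3"',
    'date=2026-03-02 time=10:15:41 type="event" subtype="system" level="information" '
    'user="netops" ui="ssh(10.0.0.5)" msg="Admin executed command: get system status"',
    'date=2026-03-02 time=10:16:09 type="event" subtype="system" level="notice" '
    'user="netops" ui="jsconsole" msg="Admin executed command: diagnose sniffer packet port1 none 4 100"',
]

SNIFFER_PREFIX = "diagnose sniffer packet"
TRUSTED_ADMIN_SOURCES = {"10.0.0.5"}   # constructed allowlist of management hosts

def parse_kv(line: str) -> Dict[str, str]:
    """Split one log line into a dict, unquoting and unescaping quoted values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields

def flag_sniffer_sessions(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per packet-capture invocation, rated by where it came from."""
    alerts = []
    for line in lines:
        ev = parse_kv(line)
        cmd = ev.get("msg", "").split("executed command:", 1)[-1].strip()
        if not cmd.startswith(SNIFFER_PREFIX):
            continue
        # ui looks like "ssh(203.0.113.7)"; fall back to the raw value (e.g. jsconsole).
        src = re.search(r"\(([^)]+)\)", ev.get("ui", ""))
        source = src.group(1) if src else ev.get("ui", "unknown")
        alerts.append({
            "user": ev.get("user", "?"),
            "source": source,
            "command": cmd,
            # Packet capture from outside the management allowlist warrants review.
            "severity": "low" if source in TRUSTED_ADMIN_SOURCES else "high",
        })
    return alerts

if __name__ == "__main__":
    for alert in flag_sniffer_sessions(SAMPLE_LOGS):
        print(alert)
```

Any capture invocation on a firewall is worth correlating with a change ticket; a capture filtered to authentication ports from an unexpected source is the pattern to escalate.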
After the initial disclosure, SOCRadar continued mapping the campaign using Shodan, Censys, Validin, and its own scanning. That work turned up roughly 200 additional operational servers beyond the original dataset, a mix of credential sniffers and network scanners that hadn’t appeared in the first investigation. As the SOCRadar report states:
“Across the expanded infrastructure, STRU tracked scanning activity against roughly 11,250 FortiGate portals in more than 150 countries, with admin-level access confirmed on 409 targets,” reads the report published by SOCRadar. “On 354 of those, the actor completed the full attack chain: VPN compromise, access to the domain controller, and domain admin. STRU has confirmed at least 12 ransomware deployments stemming from this access, with hundreds of endpoints encrypted across affected organizations.”
That’s not credential theft sitting in a database waiting to be sold. That’s domain-level control of hundreds of organizations, obtained quietly through their own firewall. SOCRadar has confirmed at least 12 ransomware deployments traced directly to FortiBleed-derived access, with hundreds of endpoints encrypted across the affected organizations.
One of the newly discovered servers gave SOCRadar visibility into the group’s own internal environment. An operational security lapse in how the group managed its infrastructure exposed internal files, logs, and operational documentation. That’s what made the ransomware connection possible to prove rather than just infer.
Inside that environment, SOCRadar found an operator logged into negotiation panels for both INC Ransom and Lynx simultaneously.
INC Ransom has been active since mid-2023 and remains one of the more active ransomware-as-a-service operations by victim count. The group has claimed responsibility for breaches of tens of organizations to date, including Xerox Corp, US hospice pharmacy OnePoint Patient Care, and Scotland’s National Health Service (NHS). Lynx appeared roughly a year later and is widely assessed as a direct evolution of INC. One operator, two brands, infrastructure traceable back to the credential harvesting campaign. The attribution case is direct.
SOCRadar also found a separately discovered open directory linked to INC Ransom and compared its contents against FortiBleed’s own target records. The victims matched.
“Comparing target and victim data from FortiBleed’s own infrastructure against a separately discovered INC-linked open directory, STRU found matching victims across both datasets, independent confirmation that the same organizations were being tracked by both the credential-harvesting operation and the ransomware group,” states SOCRadar.
SOCRadar recovered an internal tracking document the group uses to manage its FortiGate targets, recording which credentials were used, which networks were accessed, and whether ransomware was eventually deployed. Analysis of this document points to a structured operation of roughly 20 people. A small core of primary operators handles the high-impact intrusions. Behind them sit dedicated specialists, and below those, a back-office layer of junior operators and technical support staff. It runs like a small company, with a division of labor that would look familiar on any org chart. (Except the product is ransomware.)
SOCRadar is withholding specific operator aliases, tooling details, and the full indicator set until the complete technical whitepaper publishes. That report will also cover a separate line of investigation into the group’s use of AI tools for vulnerability research, including work toward at least one undisclosed zero-day that SOCRadar is coordinating with the affected vendor through responsible disclosure.
The practical implication is direct.
This campaign isn’t an access broker quietly monetizing stolen credentials through underground markets at arm’s length from the actual attacks. The same infrastructure that collected the credentials is directly connected, through a shared operator, to the groups deploying ransomware on victim networks.
“The same access broker infrastructure that quietly intercepted authentication traffic across hundreds of thousands of firewalls is connected, through a shared operator, to two of the more active ransomware brands operating today,” concludes the report. “For organizations running FortiGate infrastructure, this raises the stakes on an already urgent finding: exposure to FortiBleed is not just a credential exposure risk, it is a potential precursor to ransomware.”
If your organization runs FortiGate infrastructure, the question isn’t whether your credentials were targeted. With 430,000 firewalls in scope and active scanning across 150 countries, the better question is whether your environment showed up in the 409 where admin access was confirmed, or the 354 where full domain compromise was achieved.
SOCRadar says the full indicator set will be in the forthcoming whitepaper. Watch for it.