FortiBleed Credential Harvesting Campaign Linked to INC and Lynx Ransomware Operations

Researchers have tied the sprawling FortiBleed operation, which harvested more than 110 million credentials from FortiGate appliances, directly to the INC and Lynx ransomware gangs. For anyone running perimeter firewalls, this is a wake-up call about the edge as an extortion pipeline.

Published: July 2, 2026
Read time: 6 min

A perimeter appliance turned into a credential factory

The FortiBleed campaign is the kind of story that should make every security leader look hard at the boxes sitting at the edge of their network. According to SOCRadar, the operation scanned roughly 11,250 FortiGate portals across more than 150 countries and set its sights on as many as 430,000 firewalls. That scale is not opportunistic noise. It reflects a deliberate, industrialized effort to convert the single most trusted device on a network, the perimeter firewall, into a harvesting node. When the appliance that terminates your VPN becomes the collection point, the usual assumptions about inside versus outside stop holding.

The numbers behind the harvest are what elevate this from a research curiosity to a board-level concern. Investigators tallied more than 110 million credentials pulled from these devices. We have said for years that edge appliances are undermonitored relative to their privilege, and FortiBleed is the proof. A firewall that authenticates thousands of remote workers sees every one of those logins. If an attacker gains a foothold on the device itself, they do not need to phish anyone. They simply wait and collect, and the volume here shows exactly how lucrative that patience can be.

The FortiGate Sniffer and how the intercept worked

At the technical core of the operation was a custom Golang packet sniffer that SOCRadar calls FortiGate Sniffer. It was deployed on roughly 12,000 devices, where it intercepted VPN credentials as they traversed the appliance. This is a meaningful design choice. Rather than exploiting a single loud vulnerability and hoping for a smash-and-grab, the actors planted a quiet, purpose-built listener that turned each compromised firewall into a passive tap. Golang is a sensible pick for this kind of tooling because it compiles to portable static binaries that run cleanly across the varied architectures these appliances use.

For defenders, the sniffer approach reframes the detection problem. Signature-based antivirus on endpoints will never see this, because the malicious code lives on a network device that most teams do not instrument at all. We think the practical response is to treat firewall firmware integrity, running-process inventories, and outbound connections from the appliance itself as first-class telemetry. If a FortiGate is beaconing to unfamiliar infrastructure or running processes that were never part of the vendor image, that is your signal. The credentials were being read in transit, so anomalies in the device behavior are often the only tripwire available.

From access to full attack chains

The campaign did not stop at collection. SOCRadar documented 409 targets where the actor reached admin-level access, 354 cases where the full attack chain was completed, and at least 12 confirmed ransomware deployments. That progression is the anatomy of a modern intrusion compressed into a single dataset. Harvested VPN credentials become authenticated access, authenticated access becomes administrative control, and administrative control becomes the launch pad for encryption and extortion. The conversion rate from harvested credential to completed intrusion is worth studying closely, because it quantifies exactly how a credential leak translates into an operational disaster.

Twelve ransomware deployments may sound modest against 110 million credentials, but that is the wrong comparison. The credentials are inventory, and the deployments are the sales the attackers chose to close first. The gap between them represents future risk that has not yet materialized, a standing reserve of access that can be sold, traded, or actioned at any time. We would advise organizations that terminated VPN traffic through FortiGate devices during the campaign window to assume their credentials are in that inventory and to act accordingly, regardless of whether they have seen an intrusion yet.

The attribution is where this story becomes genuinely instructive about the ransomware economy. The actor behind FortiBleed accessed the negotiation panels of both Lynx and INC, and researchers believe Lynx is a rebrand of INC operated by Russian-speaking initial access brokers. That single detail collapses a lot of assumed distance between the crews that break in and the crews that extort. The initial access broker and the ransomware operator are not always separate market participants at arm's length. Here they appear to be tightly coupled, with the same hands touching harvesting infrastructure and victim negotiation.

Rebrands like the INC to Lynx transition are a familiar tactic. They let a crew shed reputational and legal baggage while retaining tooling, affiliates, and tradecraft. For defenders, the lesson is to track capabilities and infrastructure rather than brand names, because the brand is the most disposable part of the operation. When we see credential harvesting, negotiation panel access, and ransomware deployment converging under one actor, it tells us the supply chain of extortion has been vertically integrated, and that integration makes the group faster and harder to disrupt through takedowns aimed at any single layer.

Evidence of a structured, staffed operation

An internal document recovered during the investigation pointed to a structured operation of roughly 20 people. As Ensar Seker, Chief Information Security Officer at SOCRadar, put it: "It contained target inventories, harvested data, automation scripts, and configuration files indicating use for coordinating large-scale credential harvesting against internet-facing network appliances." That inventory reads like the internal wiki of a functioning business, not the scratch notes of a lone operator. Target lists, automation, and configuration management are the artifacts of a team that divides labor and plans campaigns in advance.

A 20-person shop with defined roles changes the threat model. It means sustained tempo, the ability to run parallel campaigns, and the operational discipline to maintain footholds on thousands of devices at once. We should stop imagining ransomware crews as chaotic and start budgeting against them as competitors with product roadmaps. The defensive implication is that piecemeal responses will not keep pace with an adversary that industrializes its own workflow, so the counter has to be equally systematic across the entire fleet of exposed appliances.

What security and IT leaders should do now

The immediate priorities are unglamorous but decisive. Patch FortiGate appliances to current firmware without waiting for a maintenance window, because a device this exposed does not get the luxury of a change freeze. Rotate every VPN credential that could have traversed an affected firewall, and force that rotation rather than requesting it. Enforce phishing-resistant multi-factor authentication on VPN access so that a harvested password alone no longer unlocks the door. These steps directly break the harvest-to-access conversion that made FortiBleed profitable.

Beyond the immediate cleanup, treat the perimeter appliance as an active part of your detection surface rather than a set-and-forget box. Instrument firewall processes, monitor outbound connections from the device, and validate firmware integrity on a schedule. Hunt for the FortiGate Sniffer and similar passive listeners, and assume that if your credentials were exposed during the campaign window they are already sitting in an initial access broker's inventory waiting to be actioned. The organizations that fare best here will be the ones that treat edge devices with the same scrutiny they apply to their most privileged servers.
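The telemetry this section and the detection discussion above both call for (a baseline of the processes shipped in the vendor image, plus the few destinations the appliance itself is allowed to reach) reduces to a scheduled drift check. The following is an added example, not SOCRadar's or Fortinet's code; its record format, process names, and network ranges are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Finding:
    kind: str     # "unknown_process" or "unexpected_egress"
    detail: str

# Hypothetical baseline: process names expected on the vendor image, and the only
# networks the appliance itself should reach out to (updates, log shipping).
BASELINE_PROCESSES = {"init", "sshd", "httpsd", "sslvpnd", "ipsengine", "forticron"}
ALLOWED_EGRESS = [
    ipaddress.ip_network("198.51.100.0/24"),  # constructed: vendor update range
    ipaddress.ip_network("10.20.0.0/16"),     # constructed: internal log collector
]

def parse_snapshot(lines):
    """Parse constructed 'proc <name> <pid>' and 'conn <dst_ip>:<port>' records."""
    procs, conns = set(), []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[0] == "proc":
            procs.add(parts[1])
        elif parts[0] == "conn":
            host, _, port = parts[1].rpartition(":")
            conns.append((host, int(port)))
    return procs, conns

def find_drift(lines, baseline=BASELINE_PROCESSES, allowed=ALLOWED_EGRESS):
    """Flag processes absent from the baseline and egress outside the allow-list."""
    procs, conns = parse_snapshot(lines)
    findings = [Finding("unknown_process", p) for p in sorted(procs - baseline)]
    for host, port in conns:
        if not any(ipaddress.ip_address(host) in net for net in allowed):
            findings.append(Finding("unexpected_egress", f"{host}:{port}"))
    return findings

# Constructed snapshot: one process and one destination fall outside the baseline.
SAMPLE_SNAPSHOT = [
    "proc init 1", "proc sslvpnd 212", "proc ipsengine 240",
    "proc pktmon 981",           # not shipped in the vendor image
    "conn 198.51.100.7:443",     # vendor update range, allowed
    "conn 10.20.5.9:514",        # internal syslog collector, allowed
    "conn 203.0.113.45:8443",    # unfamiliar external host
]

if __name__ == "__main__":
    print(*find_drift(SAMPLE_SNAPSHOT), sep="\n")
```

Run against a snapshot exported from each appliance on a schedule, the two findings here are exactly the signals the text describes: a process the vendor image never contained, and the device itself beaconing to infrastructure outside its allow-list.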
