PROBABLYPWNED
Threat Intelligence · July 4, 2026 · 4 min read

FortiBleed Credential Theft Tied to Lynx and INC Ransomware

SOCRadar links FortiBleed to INC and Lynx ransomware operations. 430,000 FortiGate firewalls targeted, 110 million credentials stolen, 12+ ransomware deployments confirmed.

Alex Kowalski

The FortiBleed credential theft campaign has been definitively linked to the INC and Lynx ransomware operations, according to new research from SOCRadar. The connection confirms suspicions that the massive Fortinet credential harvesting operation was designed to fuel ransomware attacks—not just sell access on dark web markets.

FortiBleed targeted an estimated 430,000 FortiGate firewalls globally, deploying custom packet-sniffing tools to intercept VPN credentials and authentication data directly from network traffic. The operation harvested over 110 million credentials in the process.

From Credential Theft to Ransomware Deployment

SOCRadar's investigation discovered a Windows server belonging to FortiBleed infrastructure with browser session artifacts showing active access to negotiation panels for both INC and Lynx ransomware groups. An operator tied to FortiBleed's infrastructure was found actively working both panels—direct evidence linking mass credential theft to ransomware deployment.

At least 12 ransomware deployments have resulted from FortiBleed-derived access, encrypting hundreds of endpoints across affected organizations. The scale suggests this is one of the more impactful credential theft-to-ransomware pipelines identified in 2026.

Campaign Scale and Operations

SOCRadar's tracking reveals a structured operation:

  • Target scanning: ~11,250 FortiGate portals in more than 150 countries
  • Confirmed admin access: 409 organizations
  • Full attack chain completion: 354 targets
  • Deployed sniffers: ~19,000 devices initially (reduced to ~11,000 after notifications)
  • Team size: Approximately 20 members with defined operational roles

The operation used a custom tool called "FortiGate Sniffer" deployed on compromised firewalls. This tool intercepted credentials from network traffic in real-time, capturing VPN authentication and other sensitive data passing through the devices.

An internal tracking document reviewed by researchers pointed to a structured hierarchy: a small core of primary operators driving high-impact intrusions, supported by dedicated specialists and a back-office layer of junior operators and technical support.

INC and Lynx Ransomware Connection

INC Ransom began operations in mid-2023 as a ransomware-as-a-service platform, targeting healthcare, education, and government sectors. Lynx emerged in mid-2024 and is believed by security researchers to represent an INC rebranding rather than a separate entity.

The shared infrastructure between FortiBleed and both ransomware brands suggests a common operational umbrella. Victim information overlaps have been identified between FortiBleed harvested data and organizations listed on INC's ransomware leak site.

FortiGate devices have been a recurring target for threat actors throughout 2026. We've covered related Fortinet vulnerabilities and the Brutus brute force tool targeting FortiGate specifically.

Expanded Attack Surface

Beyond FortiGate credential sniffing, the FortiBleed operation exploited a previously undisclosed Nextcloud zero-day vulnerability to expand access within victim networks. Persistent backdoor accounts using the username "adminin" provided ongoing access.

The combination of network device compromise, credential harvesting, and lateral movement via additional zero-days demonstrates the operational sophistication of the group behind FortiBleed.

Detection and Response

Organizations running FortiGate devices should:

  1. Audit for backdoor accounts - Search for the username "adminin" across FortiGate configurations
  2. Review FortiGate logs - Look for unusual administrative access patterns
  3. Rotate all credentials - Assume any credentials passing through potentially compromised devices are exposed
  4. Update FortiGate firmware - Apply all available security patches
  5. Monitor for IOCs - SOCRadar is preparing a second technical whitepaper with detailed indicators
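
As an added illustration of step 1 (not code from the article or from SOCRadar), the Python below parses the "config system admin" block of a FortiGate CLI configuration export and flags the reported "adminin" username; the sample configuration is constructed, and the extra check for super_admin accounts without a trusthost restriction is an assumed hardening heuristic beyond what the article states.

```python
import re

# Constructed sample of a FortiGate CLI configuration export. The block syntax
# (config / edit / set / next / end) follows FortiOS; the values are made up.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "adminin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "ops-readonly"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
"""

BACKDOOR_USERNAMES = {"adminin"}  # username reported in the FortiBleed campaign

def parse_admin_accounts(config_text):
    """Return {username: {setting: value}} from the 'config system admin' block."""
    accounts, in_block, current = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
        elif in_block and line == "end":
            break  # only the admin block is of interest here
        elif in_block:
            m = re.match(r'edit "(.*)"', line)
            if m:
                current = m.group(1)
                accounts[current] = {}
            elif line == "next":
                current = None
            elif current is not None and line.startswith("set "):
                parts = line.split(None, 2)  # "set", key, rest-of-line
                accounts[current][parts[1]] = parts[2].strip('"') if len(parts) > 2 else ""
    return accounts

def audit_admin_accounts(config_text):
    """Flag known backdoor usernames and unrestricted super_admin accounts (assumed heuristic)."""
    findings = []
    for name, settings in parse_admin_accounts(config_text).items():
        if name in BACKDOOR_USERNAMES:
            findings.append((name, "known backdoor username"))
        if settings.get("accprofile") == "super_admin" and not any(k.startswith("trusthost") for k in settings):
            findings.append((name, "super_admin without trusthost restriction"))
    return findings
```

Run it against the output of `show system admin` from each device; any finding on a real firewall should be treated as a credential-exposure incident, not just a cleanup item.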

CISA has issued multiple warnings about securing Fortinet devices this year. Organizations that haven't reviewed their FortiGate security posture should prioritize this immediately.

Why This Matters

FortiBleed demonstrates the ransomware ecosystem's vertical integration. Instead of separate actors handling initial access, credential brokering, and ransomware deployment, a single operation now controls the entire pipeline.

This model offers several advantages to attackers: faster time from compromise to encryption, better operational security through reduced handoffs, and retained intelligence about victim environments for potential re-exploitation.

For defenders, it means credential theft from network devices should trigger immediate ransomware response preparation—not just password resets. Organizations whose FortiGate credentials may have been exposed should assume they're on a ransomware target list.

The attack also reinforces why network security devices themselves require dedicated security attention. Firewalls and VPN concentrators sit at network boundaries with visibility into all traffic. Compromising them provides attackers with ideal credential harvesting positions.

For organizations evaluating their network security architecture, our cybersecurity tools guide covers options for network monitoring and threat detection beyond perimeter devices.
