FortiBleed Credential Theft Tied to Lynx and INC Ransomware
SOCRadar links FortiBleed to INC and Lynx ransomware operations. 430,000 FortiGate firewalls targeted, 110 million credentials stolen, 12+ ransomware deployments confirmed.
The FortiBleed credential theft campaign has been definitively linked to the INC and Lynx ransomware operations, according to new research from SOCRadar. The connection confirms suspicions that the massive Fortinet credential harvesting operation was designed to fuel ransomware attacks—not just sell access on dark web markets.
FortiBleed targeted an estimated 430,000 FortiGate firewalls globally, deploying custom packet-sniffing tools to intercept VPN credentials and authentication data directly from network traffic. The operation harvested over 110 million credentials in the process.
From Credential Theft to Ransomware Deployment
SOCRadar's investigation discovered a Windows server belonging to FortiBleed infrastructure with browser session artifacts showing active access to negotiation panels for both INC and Lynx ransomware groups. An operator tied to FortiBleed's infrastructure was found actively working both panels—direct evidence linking mass credential theft to ransomware deployment.
At least 12 ransomware deployments have resulted from FortiBleed-derived access, encrypting hundreds of endpoints across affected organizations. The scale suggests this is one of the more impactful credential theft-to-ransomware pipelines identified in 2026.
Campaign Scale and Operations
SOCRadar's tracking reveals a structured operation:
- Target scanning: ~11,250 FortiGate portals in more than 150 countries
- Confirmed admin access: 409 organizations
- Full attack chain completion: 354 targets
- Deployed sniffers: ~19,000 devices initially (reduced to ~11,000 after notifications)
- Team size: Approximately 20 members with defined operational roles
The operation used a custom tool called "FortiGate Sniffer" deployed on compromised firewalls. This tool intercepted credentials from network traffic in real-time, capturing VPN authentication and other sensitive data passing through the devices.
An internal tracking document reviewed by researchers pointed to a structured hierarchy: a small core of primary operators driving high-impact intrusions, supported by dedicated specialists and a back-office layer of junior operators and technical support.
INC and Lynx Ransomware Connection
INC Ransom began operations in mid-2023 as a ransomware-as-a-service platform, targeting healthcare, education, and government sectors. Lynx emerged in mid-2024 and is believed by security researchers to represent an INC rebranding rather than a separate entity.
The shared infrastructure between FortiBleed and both ransomware brands suggests a common operational umbrella. Victim information overlaps have been identified between FortiBleed harvested data and organizations listed on INC's ransomware leak site.
FortiGate devices have been a recurring target for threat actors throughout 2026. We've covered related Fortinet vulnerabilities and the Brutus brute force tool targeting FortiGate specifically.
Expanded Attack Surface
Beyond FortiGate credential sniffing, the FortiBleed operation exploited a previously undisclosed Nextcloud zero-day vulnerability to expand access within victim networks. Persistent backdoor accounts using the username "adminin" provided ongoing access.
The combination of network device compromise, credential harvesting, and lateral movement via additional zero-days demonstrates the operational sophistication of the group behind FortiBleed.
Detection and Response
Organizations running FortiGate devices should:
- Audit for backdoor accounts: search for the username "adminin" across FortiGate configurations
- Review FortiGate logs: look for unusual administrative access patterns
- Rotate all credentials: assume any credentials passing through potentially compromised devices are exposed
- Update FortiGate firmware: apply all available security patches
- Monitor for IOCs: SOCRadar is preparing a second technical whitepaper with detailed indicators
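The first two checks above (auditing the admin account list for "adminin" or other unexpected entries, and reviewing logs for unusual administrative access) can be scripted against a configuration backup and an exported event log. The Python below is an added example written for this article, not tooling from SOCRadar, Fortinet or the page; the configuration fragment and the key=value log lines are constructed samples in FortiOS style, and the admin allowlist (`KNOWN_ADMINS`) and trusted management subnet (`TRUSTED_NETS`) are assumptions a team would replace with its own change records.

```python
import ipaddress
import re
import shlex

# Constructed sample: a fragment of a FortiGate CLI configuration backup in the
# FortiOS "config ... edit ... next ... end" layout. The "adminin" entry is the
# backdoor username named in the article; the other entries are made up.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "netops-ro"
        set accprofile "prof_readonly"
        set vdom "root"
    next
    edit "adminin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

# Constructed sample: FortiGate-style key=value event log lines (admin login
# events). Addresses come from documentation ranges.
SAMPLE_LOGS = """\
date=2026-05-01 time=08:02:11 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.15)" srcip=10.0.0.15 action="login" status="success" profile="super_admin"
date=2026-05-01 time=23:41:07 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="adminin" ui="https(203.0.113.77)" srcip=203.0.113.77 action="login" status="success" profile="super_admin"
date=2026-05-02 time=03:15:42 type="event" subtype="system" level="warning" vd="root" logdesc="Admin login failed" user="admin" ui="ssh(198.51.100.9)" srcip=198.51.100.9 action="login" status="failed" profile="super_admin"
date=2026-05-02 time=09:00:03 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="netops-ro" ui="https(10.0.0.22)" srcip=10.0.0.22 action="login" status="success" profile="prof_readonly"
"""

KNOWN_ADMINS = {"admin", "netops-ro"}                  # assumed: from change records
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # assumed: management subnet
KNOWN_BACKDOOR_NAMES = {"adminin"}                     # username reported in the campaign


def parse_admin_accounts(config_text):
    """Return {username: accprofile} from the 'config system admin' block."""
    accounts, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block and line.startswith("edit "):
            current = shlex.split(line)[1]      # strips the surrounding quotes
            accounts[current] = None
        elif in_block and current and line.startswith("set accprofile "):
            accounts[current] = shlex.split(line)[2]
        elif in_block and line == "next":
            current = None
    return accounts


def audit_admin_accounts(config_text):
    """Flag admin accounts matching known backdoor names or missing from the allowlist."""
    findings = []
    for user, profile in parse_admin_accounts(config_text).items():
        if user in KNOWN_BACKDOOR_NAMES:
            findings.append((user, "matches known backdoor username", profile))
        elif user not in KNOWN_ADMINS:
            findings.append((user, "not on admin allowlist", profile))
    return findings


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, values optionally quoted


def parse_log_line(line):
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def review_admin_logins(log_text):
    """Flag successful admin logins by unknown users or from outside trusted networks."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_log_line(line)
        if ev.get("action") != "login" or ev.get("status") != "success":
            continue
        user, src = ev.get("user"), ev.get("srcip")
        reasons = []
        if user not in KNOWN_ADMINS:
            reasons.append("unknown admin user")
        if src and not any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS):
            reasons.append("source outside trusted management networks")
        if reasons:
            findings.append((ev.get("date"), ev.get("time"), user, src, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_admin_accounts(SAMPLE_CONFIG):
        print("CONFIG:", finding)
    for finding in review_admin_logins(SAMPLE_LOGS):
        print("LOG:", finding)
```

Run against the samples, the config audit reports only the "adminin" account, and the log review reports the single successful login by that account from an address outside the management subnet; the failed login attempt is skipped because only successful administrative sessions indicate an account actually in use. Feeding a real backup (`show system admin` output or a full config export) and a real event log export into the same functions is the intended use.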
CISA has issued multiple warnings about securing Fortinet devices this year. Organizations that haven't reviewed their FortiGate security posture should prioritize this immediately.
Why This Matters
FortiBleed demonstrates the ransomware ecosystem's vertical integration. Instead of separate actors handling initial access, credential brokering, and ransomware deployment, a single operation now controls the entire pipeline.
This model offers several advantages to attackers: faster time from compromise to encryption, better operational security through reduced handoffs, and retained intelligence about victim environments for potential re-exploitation.
For defenders, it means credential theft from network devices should trigger immediate ransomware response preparation—not just password resets. Organizations whose FortiGate credentials may have been exposed should assume they're on a ransomware target list.
The attack also reinforces why network security devices themselves require dedicated security attention. Firewalls and VPN concentrators sit at network boundaries with visibility into all traffic. Compromising them provides attackers with ideal credential harvesting positions.
For organizations evaluating their network security architecture, our cybersecurity tools guide covers options for network monitoring and threat detection beyond perimeter devices.