FortiBleed Credential Theft Campaign Linked to Lynx Ransomware
What happened
The FortiBleed credential theft campaign has been linked to the INC and Lynx ransomware operations, suggesting that stolen Fortinet credentials may have been intended to support future network intrusions. The campaign first drew attention after a server containing credentials stolen from more than 73,000 Fortinet devices was found exposed online. Researchers found FortiGate configuration files, harvested credentials, password-cracking infrastructure, and systems used for credential-stuffing attacks.
Follow-up research from SOCRadar found that the operation used a custom packet-sniffing tool called FortiGate Sniffer on compromised FortiGate firewalls. The tool allowed attackers to intercept VPN credentials and other authentication data directly from network traffic passing through the devices. SOCRadar later identified a Windows server tied to FortiBleed infrastructure. During analysis of that server, researchers found evidence that the threat actor had accessed negotiation panels for both the Lynx and INC ransomware groups.
Shared screenshots showed browser sessions accessing ransomware administration panels that contained victim chats used during negotiations. SOCRadar said this provides direct evidence that an individual with access to FortiBleed infrastructure was also involved with the ransomware groups’ negotiation platforms.
The company also said it identified more than 200 additional operational servers beyond those originally tied to the campaign. Researchers found victim information harvested during FortiBleed that overlapped with organizations later listed on the INC ransomware leak site.
SOCRadar also said the operation appears to involve roughly 20 members with defined roles, and that the campaign was larger than initially understood. Researchers said FortiBleed targeted more than 430,000 FortiGate firewalls worldwide and deployed traffic sniffers on approximately 19,000 devices.
After affected organizations were notified, the number of compromised devices reportedly fell to around 11,000. Researchers also identified roughly 500 servers used by the operation. SOCRadar believes the attackers may have exploited a previously undisclosed Nextcloud zero-day vulnerability to expand access after initial compromise, though technical details have not yet been released. The researchers also found persistent backdoor accounts using the username adminin on compromised systems and said they are continuing efforts to recover ransomware decryption keys.
Who is affected
Organizations using FortiGate firewalls may be affected, especially those whose devices were compromised during the FortiBleed campaign or whose credentials were included in the exposed data. The campaign targeted more than 430,000 FortiGate firewalls and reportedly deployed sniffers on about 19,000 devices. Around 11,000 compromised devices remained after victim notification efforts reduced the count.
Organizations whose Fortinet VPN credentials, configuration files, or authentication data were captured may face risk beyond the firewall itself. Stolen credentials can support VPN access, lateral movement, credential stuffing, ransomware staging, and intrusion into downstream systems. Organizations later appearing on the INC ransomware leak site may also be affected if their data overlapped with information harvested during FortiBleed.
Why CISOs should care
This development changes FortiBleed from a large credential theft campaign into a possible ransomware enablement operation. The connection to INC and Lynx negotiation panels suggests the stolen Fortinet access may have been used, sold, or prepared for follow-on extortion activity.
For CISOs, the key issue is that compromised firewalls can become credential collection points. A FortiGate compromise is not only a perimeter device issue. If attackers deployed sniffers, they may have captured VPN credentials, authentication data, configuration details, and other information moving through the device.
The scale also matters. Targeting more than 430,000 FortiGate firewalls and deploying sniffers to roughly 19,000 devices shows how quickly edge infrastructure compromise can become a mass credential operation.
The reported backdoor account named adminin is especially important for incident response. Even if organizations patched or changed passwords, persistent accounts may allow attackers to retain access if not identified and removed.
3 practical actions
Treat FortiBleed exposure as a ransomware precursor: SOCRadar linked FortiBleed infrastructure to INC and Lynx ransomware negotiation panels. CISOs should assume stolen Fortinet credentials may be used for intrusion, extortion, or brokered access, and should escalate response beyond routine password resets.
Hunt for FortiGate Sniffer and persistent accounts: The campaign used custom sniffers and researchers found backdoor accounts using the username adminin. Security teams should review FortiGate configurations, local accounts, SSH access, diagnostic activity, unexpected processes, and configuration changes.
Rotate credentials that passed through compromised firewalls: Because the campaign captured authentication traffic, organizations should rotate Fortinet VPN credentials, administrator accounts, domain credentials, service accounts, and any credentials reused across exposed systems.
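One way to act on the account review in the second action, as an added example that is not part of the article or SOCRadar's tooling: a small Python check that parses the 'config system admin' table of a FortiGate configuration backup and flags any administrator not on a known-good allowlist, calling out the reported adminin name and super_admin rights. The FortiGate CLI backup syntax (config/edit/set/next/end) is assumed from FortiOS documentation, and the sample config is constructed.

```python
"""Flag unexpected administrator accounts in a FortiGate configuration backup.
Added example, not from the article or SOCRadar; the sample config below is constructed."""
import re

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "adminin"
        set accprofile "super_admin"
    next
end
"""
KNOWN_BACKDOOR_NAMES = {"adminin"}  # backdoor username named in the FortiBleed reporting


def parse_admins(config_text):
    """Return {username: {setting: value}} for each entry in 'config system admin'."""
    admins, current, depth = {}, None, -1  # depth -1 = outside the admin table
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth < 0:
            depth = 0 if line == "config system admin" else -1
        elif line.startswith("config "):
            depth += 1  # nested sub-table (e.g. a dashboard block) inside an entry
        elif line == "end":
            if depth == 0:
                break  # end of the admin table
            depth -= 1
        elif depth == 0 and (m := re.fullmatch(r'edit "(.+)"', line)):
            current, admins[m.group(1)] = m.group(1), {}
        elif depth == 0 and current and (m := re.fullmatch(r"set (\S+) (.+)", line)):
            admins[current][m.group(1)] = m.group(2).strip('"')
        elif depth == 0 and line == "next":
            current = None
    return admins


def find_suspect_admins(config_text, allowlist):
    """Return [(username, [reasons])] for admin accounts not on the allowlist."""
    findings = []
    for name, settings in parse_admins(config_text).items():
        if name in allowlist:
            continue
        reasons = ["not in allowlist"]
        if name in KNOWN_BACKDOOR_NAMES:
            reasons.append("matches reported backdoor username")
        if settings.get("accprofile") == "super_admin":
            reasons.append("super_admin profile")
        findings.append((name, reasons))
    return findings
```

Run it against a configuration backup taken from the device rather than a copy restored from a pre-incident archive, since the point is to see what is on the firewall now.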