FortiBleed began as a warning about exposed Fortinet firewall logins, but the case has now moved into ransomware territory. SOCRadar’s Threat Research Unit (STRU) says the credential harvesting campaign is connected to INC Ransom and Lynx, two active ransomware-as-a-service operations, after an operator associated with FortiBleed infrastructure was found using the victim negotiation panels of both groups.
The company says the finding links mass FortiGate credential theft to ransomware deployment for the first time.
Earlier in June 2026, as Hackread.com reported, the FortiBleed story was mainly about stolen firewall credentials and exposed VPN access. At that point Hudson Rock had described 73,932 unique Fortinet firewall URLs across 194 countries, tied to 21,632 affected domains, after researcher Bob Diachenko identified the data.
That reporting also noted 1.16 billion credential attempts against more than 320,000 FortiGate targets, with many successful passwords traced to earlier leaks or infostealer infections, not simple guessing.
As researchers kept tracing the servers, the case grew beyond the original leak. The firm says FortiBleed targeted more than 430,000 FortiGate firewalls worldwide with a custom credential-sniffing tool, and that STRU later found more than 200 operational servers outside the original cluster.
One of those servers gave researchers access to internal files, logs, and operational documents, including evidence of an operator using both INC Ransom and Lynx victim negotiation portals.
According to SOCRadar’s blog post, shared with Hackread.com, STRU also found inside those files victim data from FortiBleed that matched victims already tracked by INC Ransom. The company says the overlap supports its assessment that firewall access harvested through FortiBleed was not sitting idle in a criminal database but was being used for extortion.
Even after notifications went out, thousands of devices still appeared to be carrying the sniffer. Traffic sniffing was identified on about 19,000 Fortinet devices, according to the latest update, and fell to about 11,000 after SOCRadar notifications.
The same update says persistent backdoor accounts using the username “adminin” were found on compromised devices, and that 500 servers were seized, including the server used for the Lynx and INC Ransom negotiations.
The files also point to people and roles, not only servers and stolen logins. SOCRadar describes the crew as an organized unit of about 20 people, based on an internal tracking document that recorded credentials, accessed networks, and deployment status. The public post says researchers are withholding operator aliases, tool details, and the full indicator set until the next whitepaper.
The activity log from late June shows how quickly new material was being added. On June 25, investigators added indicators for 19 operation servers and four files, then found Citrix target material listing 29,000 IP addresses and 37 domains.
On June 27, FortiBleed was formally connected to Lynx-INC, and on June 29, an internal document added 9,426 FortiGate devices, with ransomware already deployed against several targets.
Investigators are now looking at more than FortiGate. The newest details say the actors are exploiting a previously undisclosed Nextcloud zero-day to extend access, though technical details, affected versions, and indicators have not yet been released.
SOCRadar is coordinating with the affected vendor. The same material also contained the Citrix target list noted above, about 29,000 IP addresses and 37 domains.
Anyone responsible for FortiGate appliances should rotate admin and VPN credentials, implement MFA on external access, restrict management interfaces to trusted IP addresses, review gateway logs for unusual logins, remove unused accounts, look for the “adminin” username, and verify FortiOS patch levels.
Fortinet’s own configuration guidance also calls for current firmware, logging, controlled administrator access, and local-in policies that limit which sources can reach the management and VPN services.
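Several of the checks above (the “adminin” account, management restricted to trusted IP addresses, MFA on administrators, no administrative access on the outside interface) can be run against a FortiGate configuration backup instead of clicking through the GUI. The following script is an added example written for this article; it is not code from SOCRadar, Fortinet or Hackread.com. It assumes the plain-text layout of a FortiOS configuration export (nested `config` / `edit` / `set` / `next` / `end` blocks, the `system admin` table with `trusthost1` and `two-factor` settings, and `allowaccess` on interfaces). The embedded sample configuration is constructed for the demonstration, and the external interface names are an assumption to adjust locally; the “adminin” username itself comes from SOCRadar’s findings.

```python
"""Audit a FortiGate configuration export for FortiBleed-related weaknesses.

Added example, not vendor or researcher code. Assumes the FortiOS text
export layout; see the lead-in for the other assumptions.
"""
from typing import Dict, List, Tuple

BACKDOOR_USERS = {"adminin"}            # username reported by SOCRadar
EXTERNAL_INTERFACES = {"wan1", "wan2"}  # assumption: set to the real WAN ports
ADMIN_PROTOCOLS = {"https", "ssh", "http", "telnet"}

# Constructed sample: one hardened admin, one backdoor account, one admin
# without MFA, and a WAN interface that exposes HTTPS/SSH management.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 10.20.0.0 255.255.255.0
        set accprofile "super_admin"
        set two-factor fortitoken
        set vdom "root"
    next
    edit "adminin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "netops"
        set trusthost1 10.20.1.5 255.255.255.255
        set accprofile "prof_admin"
        set vdom "root"
    next
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set ip 203.0.113.10 255.255.255.248
    next
    edit "internal"
        set allowaccess ping https ssh
    next
end
"""

Config = Dict[str, Dict[str, Dict[str, str]]]


def parse_sections(text: str) -> Config:
    """Return {section: {entry: {key: value}}} for top-level config tables.

    A small stack tracks nesting so sub-blocks inside an entry (for example
    `config ipv6` under an interface) are skipped rather than misparsed.
    """
    sections: Config = {}
    stack: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(("config", line[7:].strip()))
            if len(stack) == 1:
                sections.setdefault(stack[0][1], {})
        elif line.startswith("edit "):
            stack.append(("edit", line[5:].strip().strip('"')))
            if len(stack) == 2:
                sections[stack[0][1]][stack[1][1]] = {}
        elif line.startswith("set ") and len(stack) == 2:
            key, _, value = line[4:].partition(" ")
            sections[stack[0][1]][stack[1][1]][key] = value.strip()
        elif line in ("next", "end") and stack:
            stack.pop()
    return sections


def audit(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, subject, message) findings for the export."""
    cfg = parse_sections(config_text)
    findings: List[Tuple[str, str, str]] = []
    for name, s in cfg.get("system admin", {}).items():
        if name.lower() in BACKDOOR_USERS:
            findings.append(("critical", name, "matches backdoor username reported in the FortiBleed campaign"))
        if not any(k.startswith("trusthost") for k in s):
            findings.append(("high", name, "no trusthost restriction: admin login accepted from any source IP"))
        if s.get("two-factor", "disable") == "disable":
            findings.append(("high", name, "no two-factor authentication on administrator account"))
    for name, s in cfg.get("system interface", {}).items():
        exposed = ADMIN_PROTOCOLS & set(s.get("allowaccess", "").split())
        if name in EXTERNAL_INTERFACES and exposed:
            findings.append(("high", name, "management protocols reachable on external interface: " + " ".join(sorted(exposed))))
    return findings


if __name__ == "__main__":
    for severity, subject, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {subject}: {message}")
```

Run it against a real export with `audit(open("backup.conf").read())`; a clean device yields an empty list. The script checks static configuration only, so the sniffer reported on live devices and suspicious logins still need the log review and firmware verification listed above.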
SOCRadar says it plans to publish a detailed technical report later this week or early next week, covering the Lynx-INC operation, the alleged Nextcloud zero-day, and the full set of indicators of compromise.

