FortiBleed: The Most Detailed Breakdown Yet of an Active Russian Credential-Harvesting Operation

FortiBleed targeted 430,000+ FortiGate devices, harvesting 110M credentials and enabling breaches through large-scale credential theft.
A new threat intelligence report from SOCRadar’s Threat Research Unit (STRU), the team that first identified and named the FortiBleed campaign, goes deeper than anything published so far on what is shaping up to be one of the most significant credential-theft operations of 2026.
The full report, titled Dismantling FortiBleed, is available here.
What is FortiBleed?
FortiBleed is a large-scale, financially motivated campaign targeting FortiGate firewalls globally. STRU first reported and named the campaign here. The numbers alone are staggering: over 430,000 FortiGate firewalls targeted, more than 110 million credentials identified across 659+ harvesting pipelines, and a confirmed breach of a NATO-aligned defense contractor.
What makes this report different
Most coverage of FortiBleed stops at the headline figures. This report doesn’t.
Starting from a single exposed directory flagged by security researcher Volodymyr “Bob” Diachenko, STRU traced the operation to more than 150 additional servers, building a near-complete picture of the actor’s infrastructure, tooling, and operational workflow. At the time of writing, the campaign is still actively sniffing over 19,000 devices, part of a broader pool of 80,553 identified targets.
That level of visibility is what separates this analysis from others.
A five-phase attack chain, fully reconstructed
The report walks through every stage of the operation in technical detail:
The actor starts with credential sourcing and mass reconnaissance, using Masscan for port sweeps, a custom Shodan_Recon tool for passive enrichment, and a purpose-built FortiProbe-fast binary to filter confirmed FortiGate devices from millions of raw scan results. Targets are then ranked by revenue before any exploitation resources are allocated, a step that reflects deliberate operational planning rather than opportunistic spraying.
Initial access comes through SSH brute-force using 16 wordlists specifically curated for FortiGate admin account naming conventions, alongside credential stuffing against SSL-VPN portals.
The core of the operation is a Golang-based tool called FortigateSniffer, which abuses the legitimate FortiOS diagnostic command diagnose sniffer packet to passively capture authentication traffic across 24 protocols (Kerberos, RADIUS, NTLM, RDP, LDAP, MSSQL, and more) from every compromised device, without deploying any malware. The sniffer only runs between 07:00 and 18:00 Moscow Time, a deliberate evasion choice to blend in with normal business-hours traffic.
Captured hashes are cracked through a distributed GPU cluster managed via Hashtopolis, with Hashcat as the underlying engine and a Telegram bot providing live telemetry to a single hardcoded administrator. The actors also rented GPU capacity through vast.ai for additional cracking power.
The final phases cover lateral movement across Active Directory environments and, in at least one confirmed case, the targeted exfiltration of DFS backup data from a NATO-aligned defense contractor, triggered within minutes of Kerberos hashes being cracked offline.
Infrastructure and attribution
The actors operate from a network of loosely regulated Eastern European micro-hosters, with the core infrastructure segmented across four subnet blocks serving distinct roles: C2 aggregation, credential validation, sniffer deployment, and proxy rotation. The pentest lab environment itself runs seven Kali Linux virtual machines under QEMU/KVM, hardened with strict IPTables rules and designed for multi-operator remote access through shared tmux sessions.
Tooling comments in the Cyrillic alphabet suggest Russian origin. The actor profile is consistent with an Initial Access Broker selling access to ransomware groups, though the targeting of a NATO-aligned defense contractor raises the possibility of at least opportunistic collaboration with state-adjacent actors.
Who is being hit
The victim profile skews heavily toward SMBs: roughly 66% of affected organizations have fewer than 200 employees, and nearly 90% have annual revenues below $100 million. India, the United States, and Taiwan account for nearly a third of affected domains. IT services is the most targeted sector, a strategic choice, since compromising a managed service provider creates downstream access paths into customer environments.
The campaign is global and appears opportunistic rather than geopolitically focused, with meaningful victim counts across Latin America, the Middle East, and Europe as well.
What to do now
STRU recommends that organizations potentially in scope immediately rotate all credentials tied to Fortinet VPN and administrative interfaces, enforce MFA, remove FortiGate management interfaces from direct internet exposure, and review authentication logs for anomalous activity. SOCRadar has also released a free FortiBleed exposure checker at socradar.io/free-tools/fortibleed.
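An added example, not code from the SOCRadar report or this article: a small Python triage script that applies the log-review recommendation above to two behaviours the report describes, SSH brute-force against FortiGate admin accounts and interactive use of diagnose sniffer packet inside the actor's 07:00-18:00 Moscow window. The key=value log layout, field names and sample records are constructed for the example, and timestamps are assumed to be UTC.

```python
import re
from collections import Counter
from datetime import datetime, timezone, timedelta

# Constructed sample records in a FortiOS-like key=value syslog layout (illustrative, not
# taken from a real device). Assumption: timestamps are UTC; field names are assumed.
SAMPLE_LOGS = """\
date=2026-03-02 time=05:12:41 user="admin" ui="ssh(203.0.113.7)" action="login" status="failed" msg="login failed"
date=2026-03-02 time=05:12:43 user="fortiadmin" ui="ssh(203.0.113.7)" action="login" status="failed" msg="login failed"
date=2026-03-02 time=05:12:45 user="fwadmin" ui="ssh(203.0.113.7)" action="login" status="failed" msg="login failed"
date=2026-03-02 time=05:12:47 user="admin" ui="ssh(203.0.113.7)" action="login" status="failed" msg="login failed"
date=2026-03-02 time=05:12:49 user="admin" ui="ssh(203.0.113.7)" action="login" status="failed" msg="login failed"
date=2026-03-02 time=05:13:02 user="admin" ui="ssh(203.0.113.7)" action="login" status="success" msg="logged in"
date=2026-03-02 time=05:14:10 user="admin" ui="ssh(203.0.113.7)" action="execute" msg="diagnose sniffer packet any"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSK = timezone(timedelta(hours=3))  # Moscow Time (UTC+3): the 07:00-18:00 window the report describes

def parse_line(line):
    """Split one key=value record into a dict, stripping the quotes FortiOS-style logs use."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def in_sniffer_window(rec):
    """True when the record's (assumed UTC) timestamp falls inside 07:00-18:00 Moscow Time."""
    ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return 7 <= ts.replace(tzinfo=timezone.utc).astimezone(MSK).hour < 18

def source_of(rec):
    """Pull the client address out of a ui="ssh(a.b.c.d)" field."""
    m = re.search(r'\(([^)]+)\)', rec.get('ui', ''))
    return m.group(1) if m else 'unknown'

def triage(log_text, fail_threshold=5):
    """Return (finding, source, detail) tuples for brute-force and sniffer-abuse indicators."""
    recs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    # 1. Repeated admin login failures from one source: SSH brute-force against admin accounts.
    fails = Counter(source_of(r) for r in recs if r.get('action') == 'login' and r.get('status') == 'failed')
    noisy = {src for src, n in fails.items() if n >= fail_threshold}
    findings += [('ssh_bruteforce', src, fails[src]) for src in sorted(noisy)]
    for r in recs:
        src = source_of(r)
        # 2. A success from a source that was just brute-forcing: likely a guessed password.
        if r.get('action') == 'login' and r.get('status') == 'success' and src in noisy:
            findings.append(('bruteforce_success', src, r.get('user')))
        # 3. The built-in packet sniffer invoked interactively; note whether it lands in the actor's hours.
        if r.get('action') == 'execute' and 'diagnose sniffer packet' in r.get('msg', ''):
            when = 'in_msk_business_hours' if in_sniffer_window(r) else 'outside_msk_business_hours'
            findings.append(('sniffer_invocation', src, when))
    return findings
```

Run triage(SAMPLE_LOGS) to see the three findings; in practice the same checks would be run over exported FortiGate event logs after the field names are adjusted to the real export.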
The campaign remains active. The full technical report, including the complete MITRE ATT&CK mapping, IoC lists, and infrastructure breakdown, is at socradar.io.
Pierluigi Paganini
(SecurityAffairs – hacking, FortiBleed)

