Security researchers have uncovered a massive credential-harvesting operation dubbed FortiBleed, which has reportedly targeted more than 430,000 FortiGate firewalls worldwide. The campaign, believed to be orchestrated by a financially motivated Russian-speaking Initial Access Broker (IAB), has been active since February 2026.
According to researchers, the operation combines large-scale reconnaissance, credential stuffing, brute-force attacks, passive traffic interception, and password cracking to break into enterprise networks and package that access for resale on underground markets.
How FortiBleed Works
The campaign relies on a multi-stage attack chain designed to collect credentials from internet-facing infrastructure and convert them into broader network access.
Attackers begin by identifying exposed FortiGate devices using scanning tools and search engines that index internet-connected assets. Once potential targets are identified, automated tools attempt to gain access through password spraying (a few common passwords tried against many accounts), credential stuffing (username and password pairs taken from earlier breaches), and dictionary attacks.
After successfully compromising a firewall, attackers deploy a custom tool known as FortigateSniffer, a Golang-based utility designed to passively capture authentication traffic flowing through the device.
FortigateSniffer Captures Credentials Across Multiple Protocols
FortiOS ships a packet-capture facility for troubleshooting (the `diagnose sniffer packet` CLI command), and the custom malware drives that built-in diagnostic capability to monitor traffic instead of bringing a capture component of its own. Because the capture is a legitimate administrative feature, it leaves few obvious signs of compromise beyond the administrator session that issued the commands, which is where detection efforts should focus.
Researchers found that the tool supports monitoring and credential extraction from more than 24 protocols, including:
- Kerberos
- SMB
- LDAP
- RDP
- FTP
- Telnet
- WinRM
- Microsoft SQL Server
- MySQL
- PostgreSQL
- RADIUS
- TACACS+
The tool collects credentials sent in the clear (FTP, Telnet, LDAP simple binds) as well as the authentication material exchanged by challenge-response protocols such as NTLM, Kerberos and RADIUS; the latter is not directly usable but can be cracked offline, and the recovered passwords are then reused for lateral movement within victim environments. Only traffic that actually transits or terminates on the firewall is exposed, which is why a firewall sitting between clients and domain controllers is such a valuable vantage point.
AI-Powered Offensive Tools Suspected
Investigators believe the operators may have leveraged an open-source AI-native offensive security platform known as CyberStrike to automate portions of their workflow.
Interestingly, a related framework called CyberStrikeAI was previously observed in a separate campaign targeting FortiGate devices, highlighting a growing trend of threat actors incorporating AI-assisted tooling into cyberattack operations.
Small and Medium Businesses Among Primary Targets
Research indicates that FortiBleed primarily targets small and medium-sized businesses with fewer than 200 employees.
Organizations in the following sectors appear particularly affected:
- IT services providers
- Managed service providers (MSPs)
- Technology companies
- Professional services firms
The United States and India have emerged as key target regions, with attackers likely focusing on service providers that can offer access into multiple customer environments through a single compromise.
Beyond Fortinet: Multi-Vendor Attack Campaign
While FortiGate devices are a major focus, researchers discovered that FortiBleed is part of a broader initial-access operation targeting multiple technologies.
Additional targets include:
- Synology NAS devices
- Sophos firewalls
- Citrix SSL-VPN gateways
- RDWeb portals
- Microsoft SQL servers
This suggests attackers are pursuing a diversified strategy aimed at maximizing credential collection and access opportunities across different enterprise environments.
More Than 110 Million Credentials Identified
Researchers estimate that between May 31 and June 15, 2026, attackers launched at least 659 credential-harvesting pipelines.
The operation reportedly captured over 110 million credentials and authentication artifacts, including:
- 14.8 million RADIUS credentials
- 924,000 NTLM hashes
- 130,000 Kerberos hashes
- 89 million MySQL authentication tokens
These credentials were subsequently processed through a sophisticated cracking infrastructure designed to convert captured hashes into usable passwords.
Automated Hash Cracking Infrastructure
One of the most advanced aspects of FortiBleed is its dedicated password-cracking ecosystem.
The attackers reportedly utilize:
- Hashcat
- Hashtopolis
- Custom management dashboards
- GPU-powered cracking nodes
- Telegram-based automation bots
A custom Telegram bot known as HASHBOT manages cracking operations by identifying hash types, assigning resources, tracking progress, and delivering recovered credentials to operators.
This level of automation allows attackers to process large credential volumes efficiently and scale operations across thousands of targets simultaneously.
Evidence of Potential Backdoor Accounts
Researchers also uncovered suspicious username and password combinations that appeared repeatedly across thousands of compromised devices.
Some account pairs were reportedly present on nearly 4,000 separate systems, raising concerns that attackers may have planted hidden administrative accounts as persistent backdoors.
The usernames were crafted to resemble legitimate Fortinet or FortiCloud service accounts, potentially helping them evade detection during routine administrative reviews. Because such names look plausible on sight, the reliable check is to compare the device's administrator list against change records and a documented baseline rather than to judge names by eye.
No Zero-Day Exploits Involved
Despite the campaign’s scale, security experts emphasize that FortiBleed does not rely on any newly discovered vulnerabilities.
Instead, attackers primarily exploit:
- Weak passwords
- Reused credentials
- Credential leaks from previous breaches
- Poor password hygiene
- Systems lacking multi-factor authentication (MFA)
This highlights the ongoing importance of strong authentication practices and credential management across internet-facing infrastructure.
Data Theft and Network Expansion
Once attackers gain access, they move beyond credential collection.
Researchers observed the use of stolen credentials for:
- Active Directory enumeration
- Kerberos validation
- SMB authentication
- VPN access
- File share discovery
- Data exfiltration
The operation follows a continuous feedback loop where each successful compromise generates additional credentials and authentication artifacts that can be used to compromise other systems.
Security Recommendations
Organizations using FortiGate devices and other exposed remote access technologies should take immediate steps to reduce risk, including:
Rotate Credentials
Change passwords for administrative, VPN, and domain accounts that may have been exposed. Because the sniffer captures authentication traffic passing through the firewall, treat every account that authenticated across a compromised device as exposed, not only accounts that log in to the device itself, and rotate RADIUS and TACACS+ shared secrets along with user passwords.
Enable MFA
Deploy multi-factor authentication across all remote access services and administrative accounts. FortiOS supports FortiToken and other two-factor methods for both administrator and SSL-VPN users; pair this with login lockout thresholds and trusted-host restrictions on administrator accounts so that password spraying against the management interface cannot succeed in the first place.
Review VPN Activity
Audit SSL-VPN logins for unusual access patterns or unauthorized sessions. A spraying source shows up as one IP address failing against many different usernames in quick succession, while brute forcing shows up as many failures against a single account; a successful login from a source that was previously failing is the signature of a guessed password and should be investigated immediately.
Monitor Active Directory
Investigate abnormal authentication attempts, privilege escalation, and lateral movement activity.
Inspect File Access Logs
Look for large-scale file reads, SMB share enumeration, and suspicious data transfers.
Audit Configuration Exports
Review whether firewall configurations have been exported or accessed unexpectedly. A FortiGate configuration backup contains local account credentials, VPN pre-shared keys and RADIUS shared secrets, so an unexplained export is itself a credential exposure and should trigger rotation of everything the configuration holds.
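The checks listed above (VPN login review, configuration export review) and the administrator-account review from the backdoor section can be scripted against the firewall's own logs. The script below is an added illustration and is not code from the researchers, from Fortinet or from the campaign's tooling. It runs over constructed FortiGate-style syslog lines and a constructed `show system admin` listing; the key=value layout mirrors FortiOS syslog, but the specific `logdesc`, `action` and `cfgpath` values, the IP addresses, the account names, the lookalike patterns and the thresholds are assumptions for the example and should be checked against the logs of the FortiOS version in use before being relied on.

```python
import re
from collections import defaultdict

# FortiGate-style key=value syslog pairs; values may be bare or double-quoted.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_event(line):
    """Parse one key=value log line into a dict, stripping quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}

def failure_profile(events, action="ssl-login-fail"):
    """Per source IP: total failed attempts and number of distinct usernames tried."""
    attempts, users = defaultdict(int), defaultdict(set)
    for e in events:
        if e.get("action") == action:
            ip = e.get("remip") or e.get("srcip")
            attempts[ip] += 1
            users[ip].add(e.get("user"))
    return {ip: {"attempts": attempts[ip], "users": len(users[ip])} for ip in attempts}

def classify_sources(profile, spray_users=5, brute_attempts=10):
    """'spray': many usernames, few tries each. 'brute-force': many tries on few names."""
    labels = {}
    for ip, p in profile.items():
        if p["users"] >= spray_users and p["attempts"] < 3 * p["users"]:
            labels[ip] = "spray"
        elif p["attempts"] >= brute_attempts:
            labels[ip] = "brute-force"
    return labels

def logins_from_attack_sources(events, labels):
    """Successful admin logins whose source IP was seen spraying or brute-forcing."""
    return [(e.get("user"), e.get("srcip")) for e in events
            if e.get("action") == "login" and e.get("status") == "success"
            and e.get("srcip") in labels]

def sensitive_admin_actions(events):
    """Admin-account creation, config backups and built-in sniffer use, with actor and UI."""
    flagged = []
    for e in events:
        if e.get("cfgpath") == "system.admin" and e.get("action") == "Add":
            flagged.append(("admin account added", e.get("cfgobj"), e.get("ui")))
        elif "backup" in e.get("logdesc", "").lower():
            flagged.append(("config backup", e.get("user"), e.get("ui")))
        elif "diagnose sniffer packet" in e.get("msg", ""):
            flagged.append(("packet capture", e.get("user"), e.get("ui")))
    return flagged

# Assumed patterns for names that imitate Fortinet/FortiCloud service accounts.
_LOOKALIKE = re.compile(r"forti|fgt|cloud|support|svc|service", re.I)

def review_admins(show_output, baseline):
    """Accounts in 'show system admin' output that are absent from the documented baseline."""
    findings = []
    for name in re.findall(r'^\s*edit "([^"]+)"', show_output, re.M):
        if name not in baseline:
            reason = "vendor-lookalike name" if _LOOKALIKE.search(name) else "undocumented account"
            findings.append((name, reason))
    return findings

# --- Constructed sample data (not real logs). One source sprays six usernames, another
# hammers "admin"; the spraying source then logs in as admin, plants a lookalike account,
# exports the configuration and starts the built-in sniffer on Kerberos and SMB ports.
SPRAY_IP, BRUTE_IP = "203.0.113.10", "198.51.100.7"
SAMPLE_LOGS = [
    f'type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" remip={SPRAY_IP} user="{u}"'
    for u in ("alice", "bob", "carol", "dave", "erin", "frank")
] + [
    f'type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" remip={BRUTE_IP} user="admin"'
] * 12 + [
    f'type="event" subtype="system" logdesc="Admin login successful" action="login" status="success" user="admin" srcip={SPRAY_IP} ui="https({SPRAY_IP})"',
    f'type="event" subtype="system" logdesc="Object configured" action="Add" cfgpath="system.admin" cfgobj="forticloud-mgr" user="admin" ui="ssh({SPRAY_IP})"',
    f'type="event" subtype="system" logdesc="Config backup" action="backup" user="forticloud-mgr" ui="https({SPRAY_IP})"',
    f'type="event" subtype="system" logdesc="CLI command" user="forticloud-mgr" ui="ssh({SPRAY_IP})" msg="diagnose sniffer packet any \'port 88 or port 445\' 3 0 a"',
]

# Constructed 'show system admin' output; only the first two accounts are documented.
SHOW_SYSTEM_ADMIN = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
    next
    edit "forticloud-mgr"
        set accprofile "super_admin"
    next
    edit "bkp_user"
        set accprofile "prof_admin"
    next
end
"""
BASELINE = {"admin", "netops"}

def run_review():
    """Run all checks over the sample data and return the findings by category."""
    events = [parse_event(line) for line in SAMPLE_LOGS]
    labels = classify_sources(failure_profile(events))
    return {
        "sources": labels,
        "logins": logins_from_attack_sources(events, labels),
        "actions": sensitive_admin_actions(events),
        "admins": review_admins(SHOW_SYSTEM_ADMIN, BASELINE),
    }

if __name__ == "__main__":
    for category, findings in run_review().items():
        print(f"{category}: {findings}")
```

On real data, feed `parse_event` the event-log lines the firewall forwards to syslog and replace `SHOW_SYSTEM_ADMIN` and `BASELINE` with the device's actual listing and your change records; the thresholds in `classify_sources` are a starting point, not a standard.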
Conclusion
FortiBleed demonstrates how compromised perimeter devices can quickly become gateways to enterprise-wide network exposure. Rather than relying on sophisticated zero-day exploits, the attackers have built an industrialized credential-harvesting pipeline that combines automation, password cracking, passive monitoring, and access resale strategies.
The campaign serves as a reminder that strong passwords, multi-factor authentication, and continuous monitoring remain critical defenses against large-scale credential-based attacks. As threat actors continue refining automated access-brokerage operations, organizations must prioritize securing internet-facing infrastructure before stolen credentials become the entry point to larger breaches.
