| Compromised Devices | Unique IPs | Unique Domains | Countries Affected |
|---|---|---|---|
| 86,644 | 80,000+ | 22,405 | 194 |
FortiBleed: SOCRadar’s Investigation into 86,644 Compromised Fortinet Firewalls
[Updated: June 29th 9 AM EST] SOCRadar has attributed FortiBleed to the Lynx / INC ransomware group. Full technical report forthcoming.
Fortinet FortiGate firewalls and VPN gateways are among the most widely deployed network security devices in the world, relied on across every sector to control access and protect infrastructure. SOCRadar researchers found a threat actor systematically compromising them at scale, building a verified database of working credentials across 194 countries. Security researcher Volodymyr “Bob” Diachenko first flagged the exposed attacker server, and SOCRadar independently discovered and analyzed the full operation.
Dismantling FortiBleed: Inside an Active Fortinet Credential Harvesting Campaign
We were among the first to dig in, and the first to call it FortiBleed. The name stuck. This is an active breach. It has been running since at least February 2026, with 80,000+ targets identified and thousands of devices still being actively sniffed. It started the way these things do: an exposed server, an open directory someone forgot to lock. That thread led us to 260 operational servers tied to the campaign, wider visibility than anything reported elsewhere.
The SOCRadar Threat Research Unit (STRU) spent five days on the actual data, not just the headline numbers: which sectors, which regions, how credentials were collected and cracked, and why a firmware update alone didn’t close the door for most victims. While STRU mapped it, the rest of the team notified every affected customer we could reach, stood up a free checker, and pushed the full dataset to CERT and CSIRT teams worldwide. Most of it was manual, and we’re still getting back to everyone who asks for their data.
This is still an active, developing campaign. Today we’re publishing the full thing, as we’ve mapped it so far.
FortiBleed Executive Summary
In the course of monitoring active threat actor infrastructure, SOCRadar threat researchers detected the operational server behind the FortiBleed campaign — a hacking group that had been quietly breaking into corporate Fortinet FortiGate firewalls and SSL VPN gateways on a massive, global scale.
Is Your FortiGate in the FortiBleed Leak? Check Now
The attacker’s database contains login credentials for more than 86,644 FortiGate firewall devices belonging to companies and government organizations across 194 countries. These are not random guesses. These are verified, working usernames and passwords, tested and confirmed by the attackers themselves using automated tools running around the clock.
If your organization uses a Fortinet FortiGate firewall or SSL VPN product and appears in this dataset, treat your network perimeter as already compromised and act immediately. SOCRadar rates this campaign Critical.
For quick answers to common questions — what FortiBleed is, whether credentials are still valid, and what to do — see the FortiBleed FAQ.
How FortiBleed Compromised Fortinet Firewalls: Intrusion Explained
The FortiBleed operation is built around full automation. The operation runs in two self-reinforcing stages. Stage one is credential reuse: attackers assembled usernames and passwords from earlier Fortinet-related breach dumps and infostealer malware logs, then tested them automatically against internet-facing FortiGate devices around the clock. Stage two is passive harvesting: once inside a device, it is used as a listening post – SSL VPN traffic passing through is monitored and additional credentials are collected. Those credentials feed back into the scanner, compounding the breach. The system is entirely self-sustaining.
One Fortinet vulnerability that has also drawn attention in connection with FortiBleed is CVE-2026-24858. Disclosed by Fortinet in January 2026, it is a critical FortiCloud SSO SAML authentication bypass with a CVSS score of up to 9.8. Some researchers have discussed whether it may have contributed to initial access in a subset of cases, though this remains under investigation. FortiBleed is primarily a credential reuse campaign, not a zero-day exploitation event.
The password list is not random. It is a carefully assembled collection of credentials leaked from Fortinet FortiGate devices in earlier incidents — meaning many targets may have never changed their passwords after a prior breach. The attackers know this, and they are counting on it.
Who Is Behind FortiBleed? Attacker Attribution
The FortiBleed attackers made mistakes. Their server was left exposed with a trove of operational files that revealed far more about them than they intended. Among the recovered data were credentials for what appears to be a defense industry VPN endpoint, suggesting the group’s ambitions extend beyond purely financial targets.
The tooling, infrastructure choices, and victim selection, heavily weighted toward organizations in NATO member countries, were consistent with Russian-speaking threat actors. These fingerprints provided an investigative trail. Through extensive technical analysis and continuous infrastructure monitoring, the SOCRadar Threat Research team has confirmed attribution.
The FortiBleed threat actor has been linked to the Lynx / INC ransomware group. Also known as INC Ransom, Lynx / INC is a ransomware operation with documented enterprise targeting across healthcare, education, government, and manufacturing sectors, primarily in North America and Europe, and has been active since 2023. The full technical report, including the investigative methodology and supporting evidence, will be published by the SOCRadar Threat Research team.
FortiBleed Scale of Exposure: 86,644 Devices Across 194 Countries
The FortiBleed victim list spans every sector of the global economy. Among the 86,644 compromised access points identified, we found entries belonging to banks, telecom operators, hospitals, universities, government agencies, energy companies, and multinational corporations with revenues in the tens of billions of dollars. No industry was spared. No region was ignored.
Government entities alone account for 591 entries across 111 domains. Telecoms represent one of the most heavily targeted sectors with 5,616 entries. The geographic spread covers Asia, Europe, the Americas, the Middle East, and Africa.
Revenue Profile of Compromised Organizations
Revenue bands of affected organizations (by credential entry count):
[Figure: Revenue Exposure of Affected Organizations]
Enterprise organizations above $1B in revenue account for over 20% of all entries, representing significant financial and critical infrastructure exposure. The large N/A share reflects smaller or unclassified organizations.
Geographic Spread: Top 20 Affected Countries
Top 20 countries by number of credential entries:
[Figure: Geographic Distribution – Top 20 Countries]
India and the United States together account for nearly a third of all entries, reflecting their large footprint of internet-exposed Fortinet deployments. The spread across Asia, Latin America, Europe, and the Middle East confirms this is a global campaign with no regional blind spots.
Top 50 Organizations in the FortiBleed Dataset by Revenue
Ranked by company revenue (domain-based):
| # | Domain | Country | Revenue | Employees | IPs | Accounts |
|---|---|---|---|---|---|---|
| 1 | ***.com.au | Australia | $397.3B | 500–1000 | 2 | 4 |
| 2 | ***.com | United States | $258.5B | 5000+ | 2 | 3 |
| 3 | ***.com | South Korea | $230.1B | 5000+ | 1 | 2 |
| 4 | ***.com | Côte d’Ivoire | $201B | 100–500 | 1 | 1 |
| 5 | ***.com | Denmark | $195.6B | 100–500 | 1 | 1 |
| 6 | ***.***com | France | $189.8B | 5000+ | 1 | 2 |
| 7 | ***.com | United States | $187B | 5000+ | 1 | 2 |
| 8 | ***.com | Germany | $163.9B | 5000+ | 1 | 2 |
| 9 | ***.com | China | $139.0B | 5000+ | 2 | 2 |
| 10 | ***.com | China | $118.1B | 5000+ | 1 | 1 |
| 11 | ***.com | United States | $113.5B | 5000+ | 1 | 1 |
| 12 | ***.com | United States | $113.5B | 5000+ | 3 | 1 |
| 13 | ***.com | China | $110.7B | 5000+ | 3 | 4 |
| 14 | ***.com | Germany | $92.8B | 5000+ | 4 | 2 |
| 15 | ***.***.com | China | $90.5B | 5000+ | 2 | 3 |
| 16 | ***.***.com | Japan | $89.2B | 5000+ | 1 | 1 |
| 17 | ***.com | United States | $87.9B | 5000+ | 1 | 1 |
| 18 | ***.com | Germany | $87.7B | 5000+ | 4 | 5 |
| 19 | ***.com | France | $81B | 5000+ | 2 | 3 |
| 20 | ***.com | Switzerland | $77.5B | 5000+ | 1 | 2 |
| 21 | ***.com | Taiwan | $69.6B | 5000+ | 1 | 2 |
| 22 | ***.com | United States | $69.3B | 5000+ | 1 | 1 |
| 23 | ***.com | India | $67B | 5000+ | 4 | 3 |
| 24 | ***.wa.gov | United States | $66.4B | 5000+ | 1 | 1 |
| 25 | ***.com | Germany | $64.2B | 5000+ | 1 | 1 |
| 26 | ***.com.tw | Taiwan | $64B | 5000+ | 1 | 1 |
| 27 | ***.com | United States | $63.9B | 5000+ | 1 | 1 |
| 28 | ***.com | South Korea | $61.5B | 5000+ | 6 | 3 |
| 29 | ***.com | Luxembourg | $61.4B | 5000+ | 1 | 1 |
| 30 | ***.com | United States | $61B | 5000+ | 1 | 2 |
| 31 | ***.com | Germany | $59.6B | 5000+ | 1 | 1 |
| 32 | ***.com | India | $59.1B | 100–500 | 1 | 1 |
| 33 | ***.com | United States | $59B | 5000+ | 2 | 3 |
| 34 | ***.com | United Kingdom | $58.7B | 5000+ | 1 | 1 |
| 35 | ***.com | France | $58.6B | 5000+ | 2 | 1 |
| 36 | ***.com | Switzerland | $54.8B | 5000+ | 1 | 1 |
| 37 | ***.cn | United States | $53.4B | 5000+ | 1 | 2 |
| 38 | ***.com | China | $53.1B | 5000+ | 1 | 1 |
| 39 | ***.com | United States | $52.6B | 5000+ | 6 | 4 |
| 40 | ***.com | France | $51.6B | 5000+ | 1 | 1 |
| 41 | ***.com | Denmark | $49B | 5000+ | 5 | 4 |
| 42 | ***.***.com | Denmark | $49B | 5000+ | 1 | 1 |
| 43 | ***.com | Sweden | $47.7B | 5000+ | 1 | 2 |
| 44 | ***.com | Australia | $44.6B | 5000+ | 1 | 2 |
| 45 | ***.***.co.jp | Japan | $43.9B | 5000+ | 1 | 1 |
| 46 | ***.com | France | $43.6B | 5000+ | 78 | 18 |
| 47 | ***.com | United Kingdom | $42.7B | 5000+ | 3 | 4 |
| 48 | ***.com | Spain | $40.9B | 5000+ | 48 | 18 |
| 49 | ***.com | Oman | $40.0B | 5000+ | 1 | 2 |
| 50 | ***.co.th | Thailand | $39.7B | 5000+ | 2 | 2 |
How Attackers Got In: Port and Credential Analysis
The following analysis is drawn directly from the attacker’s operational server, recovered by SOCRadar researchers during active monitoring of the FortiBleed infrastructure.
Top Ports Used in the FortiBleed Attack
By unique IP count:
[Figure: Top Ports Targeted]
Port 443 dominates because it is the standard HTTPS port and the default for Fortinet SSL VPN interfaces. The presence of ports 4443, 8443, and 10443 confirms the scanner was configured to reach all common Fortinet deployment variants — not just default installations.
Top Usernames
By credential entry count:
| # | Username | Count | % of Total | Type |
|---|---|---|---|---|
| 1 | admi* | 6,599 | 21.43% | Generic Admin |
| 2 | admi*** | 3,813 | 12.38% | Generic Admin |
| 3 | fgts***** | 2,140 | 6.95% | System Account |
| 4 | fort*********** | 1,834 | 5.96% | System Account |
| 5 | fort****** | 1,667 | 5.41% | System Account |
| 6 | Tech************* | 1,086 | 3.53% | System Account |
| 7 | telm****** | 728 | 2.36% | ISP Account |
| 8 | fort*********** | 655 | 2.13% | System Account |
| 9 | fgts** | 613 | 1.99% | System Account |
| 10 | supp************ | 517 | 1.68% | System Account |
Generic admin accounts and built-in Fortinet system accounts together make up the majority of compromised credentials. This points directly to a widespread failure to rename default accounts or rotate factory passwords before the FortiBleed campaign began scanning, giving the attacker a highly reliable target list before any brute force was even needed.
Credential Type Breakdown
[Figure: Credential Type Breakdown]
Org-specific accounts topping the list is significant. It means the FortiBleed attacker is not just harvesting default credentials but has also successfully compromised accounts created by the organizations themselves, possibly sourced from prior breaches where passwords were never changed.
Which Sectors Were Hit Hardest
[Figure: Industry Breakdown]
Telecom is the most heavily hit sector by volume, which is notable given that telecom infrastructure underpins communications for every other sector. Government exposure across 111 domains carries national security implications well beyond the device counts alone.
That the hits concentrate in so few sectors also points to how targeted this attack is.
Government Organizations in the FortiBleed Dataset
591 entries across 111 government domains were identified in the dataset.
[Figure: Government Targets by Country]
India accounts for over 60% of all government entries in the dataset. The presence of Ukraine, Poland, and Taiwan alongside other NATO-adjacent states aligns with the geopolitical targeting pattern identified in the broader attribution assessment.
Immediate Steps for FortiBleed-Affected Organizations
The following steps are based on SOCRadar’s forensic analysis of the attacker’s operational server and the credential collection methods used across 86,644 compromised devices.
- Change your passwords now. Any organization running a Fortinet VPN or firewall should immediately change all admin and VPN account passwords, especially if those passwords have not been changed in the past few years.
- Enable two-factor authentication. Even if an attacker has your password, two-factor authentication makes it far harder to log in. Enable it on every admin and remote-access account.
- Review your login history. Check your device’s login history for any access that looks unfamiliar — unusual times, unknown locations, or accounts that should not be active. SOCRadar’s credential and data leak detection can help identify whether your organization’s credentials have appeared elsewhere.
- Restrict management access. Your firewall’s admin panel should not be reachable directly from the public internet. If it is, restrict it immediately. Reducing your exposed attack surface is one of the most effective steps you can take.
- Keep your firmware updated. The attackers exploit weaknesses in older firmware. Running the latest version closes known gaps.
- If in doubt, bring in experts. If your organization appears in this dataset, treat it as a confirmed breach and engage a professional incident response team to assess the damage.
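The "review your login history" step above can be scripted. The following is an added example (not SOCRadar's or Fortinet's code) that parses FortiOS-style key=value event log lines and flags the patterns a credential-reuse campaign leaves behind: bursts of failed admin logins from one source, a successful login from outside your management subnets, and a login by an account that is not in your admin inventory (for example a default account you believed was renamed). The log lines, the trusted subnet and the account inventory are all constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed FortiOS-style event log lines (key=value format); not real data.
SAMPLE_LOGS = [
    'date=2026-03-02 time=03:10:55 logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.23 action="login" status="failed"',
    'date=2026-03-02 time=03:11:30 logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.23 action="login" status="failed"',
    'date=2026-03-02 time=03:12:04 logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="support" srcip=198.51.100.23 action="login" status="failed"',
    'date=2026-03-02 time=03:14:07 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=198.51.100.23 action="login" status="success"',
    'date=2026-03-02 time=09:02:11 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="netops" srcip=10.20.0.5 action="login" status="success"',
]

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortios_log(line):
    """Parse one FortiOS key=value log line into a dict, unquoting values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def audit_admin_logins(lines, trusted_nets, known_admins, fail_threshold=3):
    """Return (kind, user, srcip, detail) findings for suspicious login activity.

    trusted_nets: CIDR strings of management networks allowed to log in.
    known_admins: the set of admin account names your organization created.
    """
    nets = [ip_network(n) for n in trusted_nets]
    findings, failures = [], Counter()
    for line in lines:
        ev = parse_fortios_log(line)
        if ev.get("action") != "login" or "srcip" not in ev:
            continue
        src, user = ev["srcip"], ev.get("user", "?")
        if ev.get("status") == "failed":
            failures[src] += 1          # count attempts per source for stuffing detection
            continue
        if not any(ip_address(src) in n for n in nets):
            findings.append(("untrusted_source_login", user, src, ev.get("time")))
        if user not in known_admins:
            findings.append(("unknown_account_login", user, src, ev.get("time")))
    for src, n in failures.items():
        if n >= fail_threshold:
            findings.append(("repeated_failures", None, src, n))
    return findings


if __name__ == "__main__":
    for f in audit_admin_logins(SAMPLE_LOGS, ["10.20.0.0/16"], {"netops"}):
        print(f)
```

On real devices, feed the script the output of the admin login event logs (or a syslog export) and widen `trusted_nets` and `known_admins` to your own inventory; any `unknown_account_login` on a default account name is a direct indicator that the "rename default accounts" step was never completed.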
Frequently Asked Questions
Have questions about FortiBleed?
We’ve answered the 18 most-asked questions — what FortiBleed is, how the attack works, which Fortinet devices are affected, whether credentials are still active, and what organizations should do now.
If your organization uses Fortinet and may be in the FortiBleed dataset, check your exposure now or contact [email protected] for direct coordination support.