Jul 01, 2026

SOCRadar Links FortiBleed Campaign to INC and Lynx Ransomware Operations

SOCRadar’s Threat Research Unit (STRU) has linked the FortiBleed credential-harvesting campaign to two active ransomware-as-a-service operations, INC Ransom and Lynx. An operator tied to FortiBleed’s infrastructure was found actively working negotiation panels for both groups, tying mass FortiGate credential theft directly to ransomware deployment for the first time.

Key findings:

  • FortiBleed has targeted 430,000+ FortiGate firewalls worldwide via a custom credential-sniffing tool
  • STRU identified 200+ additional operational servers beyond the original campaign
  • An operator with access to FortiBleed infrastructure was found logged into both INC Ransom and Lynx negotiation panels
  • Victim data from FortiBleed overlaps with victims already tracked by INC Ransom
  • An internal tracking document reveals an organized, ~20-person operation with a clear division of labor
  • A full technical whitepaper with indicators of compromise is in preparation

Full technical details, indicators of compromise, and attribution evidence will be published in SOCRadar’s forthcoming second FortiBleed whitepaper.

Credential stuffing is what's visible on the surface. The FortiBleed operation, and its confirmed link to INC and Lynx ransomware, runs deeper. Full findings in SOCRadar's upcoming whitepaper.

A quick recap of FortiBleed

STRU first documented FortiBleed as a large-scale credential-harvesting operation targeting more than 430,000 FortiGate firewalls worldwide. The threat actor behind it operates as an Initial Access Broker, using a custom Golang tool called FortigateSniffer to passively intercept authentication traffic by abusing FortiOS’s native diagnose sniffer packet command across two dozen protocols. The operation’s scale and financial motivation were clear from the start. What remained open was where the harvested access actually went.
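Defenders can look for the same primitive the campaign relies on: an admin session invoking FortiOS's `diagnose sniffer packet` with a filter on authentication traffic. The following Python is an added detection example, not code from SOCRadar or the report; the log lines are constructed in the FortiGate key="value" syslog layout, and the `ui`/`msg` contents, the management allowlist and the port list are assumptions to adjust per environment.

```python
import ipaddress
import re

# Constructed FortiOS-style key="value" event log lines written for this example
# (not taken from the SOCRadar report). The layout mirrors the FortiGate syslog
# key=value format; the exact "ui" and "msg" contents are assumptions.
SAMPLE_LOGS = """\
date=2026-06-30 time=09:14:02 type="event" subtype="system" user="admin" ui="ssh(203.0.113.7)" msg="diagnose sniffer packet any 'port 443 or port 389' 3 0 a"
date=2026-06-30 time=09:14:30 type="event" subtype="system" user="admin" ui="ssh(203.0.113.7)" msg="diagnose sniffer packet port1 'udp port 1812' 6"
date=2026-06-30 time=10:02:11 type="event" subtype="system" user="netops" ui="ssh(10.0.5.20)" msg="diagnose sniffer packet any 'icmp' 1 5"
date=2026-06-30 time=10:05:00 type="event" subtype="system" user="netops" ui="https(10.0.5.20)" msg="Edit firewall.policy 42"
""".splitlines()

# Assumption: admin sessions are only expected from this management network.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.0.5.0/24")]
# Assumed ports whose traffic carries authentication material (LDAP, LDAPS,
# RADIUS, Kerberos, HTTPS, RDP); a sniffer filter on these is the FortiBleed pattern.
AUTH_PORTS = {"389", "636", "1812", "1813", "88", "443", "3389"}

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"
UI_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)")        # source IP inside ui="ssh(1.2.3.4)"

def parse_line(line):
    """Parse one FortiOS-style key=value line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def classify(rec):
    """Return (severity, user, source, reason) for a sniffer run, else None."""
    msg = rec.get("msg", "")
    if not msg.startswith("diagnose sniffer packet"):
        return None
    m = UI_RE.search(rec.get("ui", ""))
    src = ipaddress.ip_address(m.group(1)) if m else None
    reasons = []
    if src is None or not any(src in net for net in MGMT_ALLOWLIST):
        reasons.append("source not in management allowlist")
    if any(p in AUTH_PORTS for p in re.findall(r"port (\d+)", msg)):
        reasons.append("capture filter matches authentication ports")
    severity = "high" if reasons else "info"
    return severity, rec.get("user", "?"), str(src), "; ".join(reasons) or "routine diagnostic"

def scan(lines):
    """Flag every sniffer invocation in the log, high-severity hits first."""
    hits = [c for c in (classify(parse_line(line)) for line in lines) if c]
    return sorted(hits, key=lambda h: h[0] != "high")
```

Routine sniffer use from the management network is reported at info level so the rule stays useful in environments where operators legitimately run packet captures.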

Expanding the investigation

Following the initial disclosure, STRU continued mapping the campaign’s infrastructure using a combination of Shodan, Censys, Validin, and its own IP block scanning. This work surfaced roughly 200 additional operational servers tied to the campaign: sniffers and scanners that hadn’t been part of the original dataset.

Across the expanded infrastructure, STRU tracked scanning activity against roughly 11,250 FortiGate portals in more than 150 countries, with admin-level access confirmed on 409 targets. On 354 of those, the actor completed the full attack chain: VPN compromise, access to the domain controller, and domain admin. STRU has confirmed at least 12 ransomware deployments stemming from this access, with hundreds of endpoints encrypted across affected organizations.

One of the newly discovered servers led to a breakthrough. An operational security lapse in how the group managed its infrastructure gave STRU visibility into the actor’s own environment, including internal files, logs, and operational documentation. That access is the basis for this attribution.

The link to INC and Lynx

Inside that environment, STRU found an operator actively logged into the negotiation panels of both INC Ransom and Lynx ransomware, engaging directly with ransom demands. INC Ransom has been active since mid-2023 and remains one of the more prolific RaaS operations by victim count. Lynx emerged roughly a year later and is widely assessed as an evolved variant of INC. Finding a single operator working both panels, using infrastructure traceable back to FortiBleed, is the clearest evidence yet that FortiGate credentials harvested through this campaign are being handed off, or used directly, for ransomware deployment.

This is corroborated by a second data point: victim overlap. Comparing target and victim data from FortiBleed’s own infrastructure against a separately discovered INC-linked open directory, STRU found matching victims across both datasets: independent confirmation that the same organizations were being tracked by both the credential-harvesting operation and the ransomware group.

An organized, tiered operation

STRU also recovered an internal tracking document used by the group to manage its FortiGate targets: records of which credentials were used, which networks were accessed, and whether ransomware was ultimately deployed. Analysis of this document points to a structured operation of roughly 20 people, with a small core of primary operators driving the majority of high-impact intrusions, supported by dedicated specialists and a back-office layer of junior operators and technical support.

STRU is withholding operator aliases, tooling details, and the full indicator set for the upcoming whitepaper.

Why this matters

Firewall-level credential harvesting at this scale is already a significant threat. What this investigation shows is that FortiBleed isn’t an isolated credential-theft operation sitting off to the side of the ransomware economy; it’s feeding directly into it. The same access broker infrastructure that quietly intercepted authentication traffic across hundreds of thousands of firewalls is connected, through a shared operator, to two of the more active ransomware brands operating today.

For organizations running FortiGate infrastructure, this raises the stakes on an already urgent finding: exposure to FortiBleed is not just a credential exposure risk; it is a potential precursor to ransomware.

FAQ: FortiBleed and its ransomware link

What is FortiBleed?

FortiBleed is a large-scale credential-harvesting campaign that has targeted more than 430,000 FortiGate firewalls worldwide, using a custom tool to passively intercept authentication traffic.

Is FortiBleed linked to ransomware?

Yes. SOCRadar’s Threat Research Unit found an operator with access to FortiBleed infrastructure actively working negotiation panels for both INC Ransom and Lynx ransomware, directly connecting the credential-harvesting operation to ransomware deployment.

Who is behind FortiBleed?

The campaign is run by an Initial Access Broker operation with an organized internal structure of roughly 20 people. SOCRadar is withholding specific operator aliases and tooling details until the full whitepaper is published.

How many organizations have been affected?

STRU has tracked scanning activity against roughly 11,250 FortiGate portals across more than 150 countries, with admin-level access confirmed on 409 targets and full domain compromise on 354.

How many ransomware deployments have been confirmed?

STRU has confirmed at least 12 ransomware deployments stemming from FortiBleed-derived access, with hundreds of endpoints encrypted across affected organizations.

Is there a full report available?

SOCRadar’s Threat Research Unit is preparing a full technical whitepaper covering the complete investigation, including indicators of compromise, the group’s internal structure, and additional findings. It will be published soon.

What’s next

STRU’s full whitepaper will detail the complete infrastructure findings, the internal organizational structure of the group, operator tooling, and associated indicators of compromise. It will also cover a separate line of investigation into the group’s use of AI tooling for vulnerability research, including work toward at least one undisclosed zero-day, which STRU is coordinating on with the affected vendor through responsible disclosure.

This post will be updated with a direct link once it’s available.