FortiBleed Unmasked: A Joint Operation by Lynx and INC Ransomware Groups
What began as a credential-harvesting campaign has evolved into one of the clearest looks inside a modern ransomware operation.
FortiBleed Unmasked: Volume II builds on SOCRadar’s investigation into the FortiBleed campaign by revealing how harvested FortiGate credentials connect to the operational infrastructure of the Lynx and INC ransomware groups. Through extensive infrastructure analysis, recovered internal documents, and exposed operator artifacts, the report uncovers the people, processes, and AI-driven capabilities behind a highly organized ransomware ecosystem.
The findings expose far more than infrastructure. They detail the internal hierarchy of the operation, identify key operators such as TOXMAN, map victim management workflows, and demonstrate how AI has become deeply integrated into offensive operations. The report also analyzes the group’s technical capabilities, targeting strategy, operational security practices, and evolving use of AI for penetration testing, vulnerability research, and attack automation, offering defenders rare insight into how modern ransomware affiliates organize and execute campaigns.
Key Highlights:
- Evidence linking the FortiBleed campaign to the Lynx and INC ransomware groups
- Exclusive analysis of the operators, organizational hierarchy, and internal workflows behind the operation
- How AI is being integrated into ransomware development, penetration testing, and vulnerability research
- Technical profiling of the attackers, including infrastructure, tooling, and operational security practices
- Victim targeting analysis, geographic focus, industry trends, MITRE ATT&CK mapping, and actionable indicators of compromise (IoCs)
Whether you’re a threat intelligence analyst, incident responder, vulnerability researcher, or security leader, this report provides an in-depth examination of how financially motivated threat actors are combining credential theft, ransomware operations, and AI-assisted tooling into a coordinated attack ecosystem.
➡️ Download the full report to explore the infrastructure, operators, and AI-driven techniques behind one of the most significant FortiGate-focused ransomware operations uncovered to date.