All evidence linking the campaign to ransomware originates from SOCRadar research and has not been independently verified.
On July 1, 2026, SOCRadar disclosed the operational link between the FortiBleed credential-harvesting campaign and the INC and Lynx ransomware groups. For five months — since February 2026 — the campaign had appeared to be credential theft for its own sake. The July 2026 discovery reveals that every compromised firewall was already a potential ransomware vector.
A single operator, caught with active browser sessions on both negotiation panels, simultaneously managed the massive credential-harvesting infrastructure and the victim negotiations. The finding closes the loop between perimeter firewall compromise and cryptographic malware deployment.
- An operator tied to the FortiBleed infrastructure was actively logged into the INC Ransom and Lynx negotiation panels, with screenshots showing victim chats.
- The campaign targeted over 430,000 FortiGate firewalls across 150 countries, stealing 110 million credentials.
- Researchers completed the full attack chain on 354 targets, with 12 confirmed to have led to ransomware deployment.
- An internal document recovered from the attacker infrastructure reveals a structured operation of roughly 20 people with defined roles.
How the Extraction Works: The Golang Tool and 24 Protocols
SOCRadar researchers reverse-engineered a custom Golang tool, dubbed FortigateSniffer, which exploits the native FortiOS diagnostic command diagnose sniffer packet. The tool leverages already-compromised credentials — password reuse or brute-force attacks, as confirmed by Fortinet — to gain administrative access to the device. From there, it activates passive capture of authentication traffic across 24 different protocols.
The tool is designed to extract RADIUS, NTLM, Kerberos, and other authentication schemes traversing the perimeter device. Code comments are in Russian, according to Dark Reading. The harvesting infrastructure proved more extensive than initially known: SOCRadar mapped over 200 additional operational servers beyond the original campaign, with a total estimate approaching 500 servers — a figure also cited by Techzine.
The Windows Server That Betrayed the Operation
The investigative breakthrough came with the discovery of a Windows server inside the FortiBleed infrastructure. On this system, researchers found open browser sessions on the INC Ransom and Lynx negotiation panels, with active chats with ransomware victims. BleepingComputer published screenshots provided by SOCRadar showing these interfaces.
SOCRadar also verified overlap between organizations in the FortiBleed datasets and those listed on the INC leak site. At least 12 ransomware deployments have been confirmed, with hundreds of endpoints encrypted, according to The Hacker News — which in turn cites SOCRadar's estimates.
"Finding a single operator working both panels, using infrastructure traceable back to FortiBleed, is the clearest evidence yet that FortiGate credentials harvested through this campaign are being handed off, or used directly, for ransomware deployment" — SOCRadar Threat Research Unit
The Campaign by the Numbers
The scale of the operation is significant. SOCRadar detected over 430,000 FortiGate firewalls targeted globally. Of these, 11,250 management portals were scanned across more than 150 countries. The active harvesting infrastructure reached 19,000 devices with deployed sniffers, dropping to roughly 11,000 after notifications were sent to administrators.
Researchers confirmed administrative access on 409 targets and completed the full attack chain — from VPN compromise to domain controller to domain admin elevation — on 354 of them. The most striking impact figure remains the volume of extracted credentials: over 110 million, including RADIUS, NTLM, and Kerberos.
The internal document recovered by researchers shows an operation of roughly 20 people with differentiated roles. SOCRadar does not rule out that the operators are direct members of the ransomware groups, nor that they act as independent Initial Access Brokers (IABs) selling access.
The Structure Behind the Screen
The internal tracking document shows a division of labor that includes target management, tool development, ransomware panel operations, and negotiation coordination. On compromised systems, researchers also identified a persistent backdoor account with the username adminin, as documented by Techzine.
One element that remains partially opaque is the lateral movement vector. SOCRadar suspects the use of an as-yet-undisclosed zero-day in Nextcloud, but is coordinating disclosure with the vendor. It is unclear whether the vulnerability is actually being exploited or remains a working hypothesis.
Immediate Actions
The following steps are based on the facts documented in the SOCRadar brief and on Fortinet guidance:
- Check whether your FortiGate firewalls appear in SOCRadar scans: the company has notified administrators of the 19,000 devices initially identified.
- Search for the adminin account on FortiGate systems: its presence indicates confirmed compromise.
- Review administrative access logs for suspicious sessions in which the diagnose sniffer packet command was activated anomalously.
- Cross-reference your VPN/firewall credentials against the INC Ransom leak site datasets.
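The two log-based checks above (activity by the adminin account, and anomalous use of diagnose sniffer packet) can be scripted against exported FortiGate event logs. The following is an added example written for this page, not code from SOCRadar, Fortinet or any of the cited outlets. It assumes FortiOS-style key=value syslog lines with user=, srcip=, action= and cmd= fields; those field names are assumptions for the example and must be mapped to the fields your FortiOS version actually emits. The sample log is constructed.

```python
"""Flag FortiGate admin-log lines matching the indicators from the SOCRadar brief."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the brief summarised on this page.
BACKDOOR_USER = "adminin"
SNIFFER_CMD = "diagnose sniffer packet"

# FortiOS event logs are key=value syslog lines; values may be quoted.
# Field names (user=, srcip=, action=, cmd=) are assumed for this example.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: two benign events (netops) and three suspicious ones.
SAMPLE_LOG = """\
date=2026-07-02 time=08:14:03 type="event" subtype="system" user="netops" srcip=10.20.0.5 action="login" status="success" msg="Administrator netops logged in successfully from ssh"
date=2026-07-02 time=08:15:41 type="event" subtype="system" user="netops" srcip=10.20.0.5 action="cmd" cmd="show system interface"
date=2026-07-02 time=03:02:17 type="event" subtype="system" user="adminin" srcip=203.0.113.77 action="login" status="success" msg="Administrator adminin logged in successfully from ssh"
date=2026-07-02 time=03:02:49 type="event" subtype="system" user="adminin" srcip=203.0.113.77 action="cmd" cmd="diagnose sniffer packet any 'host 10.20.0.5' 4 10"
date=2026-07-02 time=03:40:12 type="event" subtype="system" user="svc_backup" srcip=198.51.100.9 action="cmd" cmd="diagnose sniffer packet port1 'none' 3"
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    user: str
    srcip: str
    detail: str


def parse_kv(line: str) -> dict[str, str]:
    """Split one key=value log line into a dict (quoted or bare values)."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def analyze(log_text: str, known_admins: set[str]) -> list[Finding]:
    """Apply three rules: backdoor account, unapproved admin, sniffer command."""
    findings: list[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        f = parse_kv(line)
        user, src, cmd = f.get("user", ""), f.get("srcip", ""), f.get("cmd", "")
        if user == BACKDOOR_USER:
            findings.append(Finding(n, "backdoor-account", user, src,
                                    "activity by the adminin account named in the SOCRadar brief"))
        elif user and user not in known_admins:
            findings.append(Finding(n, "unknown-admin", user, src,
                                    "administrative activity by an account not on the approved list"))
        # Any packet capture started on the firewall is worth a review; the
        # allow-list decides whether it was an authorised operator.
        if cmd.startswith(SNIFFER_CMD):
            findings.append(Finding(n, "sniffer-command", user, src,
                                    f"packet capture started on the firewall: {cmd}"))
    return findings


def sniffer_users(findings: list[Finding]) -> Counter[str]:
    """Count sniffer invocations per account, to spot accounts that never should run one."""
    return Counter(f.user for f in findings if f.rule == "sniffer-command")


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG, known_admins={"netops"})
    for f in results:
        print(f"line {f.line_no}: [{f.rule}] user={f.user} src={f.srcip} {f.detail}")
    print("sniffer invocations by user:", dict(sniffer_users(results)))
```

Run it with the set of administrator accounts you actually expect on the device; any sniffer-command finding attributed to an account outside that set, or any hit on the adminin rule, should be treated as the confirmed-compromise indicator the brief describes and escalated rather than cleaned up in place.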
What Changes
Before the SOCRadar research, FortiBleed was classified as a credential-theft campaign with no known destination. The direct link to the INC and Lynx negotiation panels transforms the assessment: every compromised firewall is no longer just an exfiltration risk, but a potential ransomware distribution vector.
The five-month gap between the campaign's start — February 2026 — and the discovery of the ransomware link — July 2026 — means targeted organizations had a prolonged exposure window without awareness of the full risk.
The primary limitation of the dossier remains the single-source provenance of the evidence: all claims regarding the ransomware link trace back to SOCRadar, without independent corroboration at the time of publication.
Sources: SOCRadar | BleepingComputer | Dark Reading | Fortinet | The Hacker News | Techzine
Information verified against cited sources and current as of publication.
Sources
- https://socradar.io/blog/fortibleed-inc-lynx-ransomware-link/
- https://www.bleepingcomputer.com/news/security/fortibleed-credential-theft-campaign-linked-to-lynx-ransomware/
- https://www.darkreading.com/cyberattacks-data-breaches/fortibleed-attackers-firewalls-credentials-stealers
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-reported-credential-compromise-of-fortigate-devices
- https://thehackernews.com/2026/07/fortibleed-credential-theft-linked-to.html
- https://www.techzine.eu/news/security/142639/fortibleed-linked-to-ransomware-groups-inc-and-lynx/