FortiBleed Campaign Feeds Credentials to INC and Lynx Ransomware Operations
The FortiBleed credential-harvesting campaign, impacting over 430,000 FortiGate firewalls, has been directly linked to the INC Ransom and Lynx ransomware-as-a-service operations.

The widespread FortiBleed credential-harvesting campaign, which has compromised more than 430,000 FortiGate firewalls globally, is now confirmed to be a direct feeder for two active ransomware-as-a-service operations: INC Ransom and Lynx. This significant attribution comes from SOCRadar's Threat Research Unit (STRU), which identified an operator actively engaged with negotiation panels for both ransomware brands, establishing the first concrete link between mass FortiGate credential theft and subsequent ransomware deployments.
STRU initially documented FortiBleed as a large-scale operation focused on stealing user credentials from FortiGate firewalls. The threat actor functions as an Initial Access Broker (IAB), using a custom Golang-based tool named FortigateSniffer. This tool passively intercepts authentication traffic by abusing FortiOS's native "diagnose sniffer packet" CLI command across numerous protocols, effectively capturing sensitive login information.
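The sniffer abuse described above, from the detection side, as an example added here (not SOCRadar's tooling or any vendor code): it scans CLI audit events for executions of the sniffer command and rates each by whether the capture filter targets authentication ports, uses a payload-bearing verbosity level, or is unbounded. The key=value log layout, field names and sample lines are constructed assumptions for this example, not FortiOS's documented log schema.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit lines in an assumed key=value layout (not the vendor schema).
SAMPLE_LOGS = [
    'date=2024-05-01 time=09:12:44 type="event" subtype="system" user="admin" '
    'ui="ssh(203.0.113.7)" msg="diagnose sniffer packet any \'port 443 or port 389\' 3 0 a"',
    'date=2024-05-01 time=09:13:01 type="event" subtype="system" user="admin" '
    'ui="ssh(203.0.113.7)" msg="diagnose sniffer packet port2 \'port 88\' 6"',
    'date=2024-05-01 time=09:20:10 type="event" subtype="system" user="netops" '
    'ui="gui(10.0.0.5)" msg="config firewall policy"',
    'date=2024-05-01 time=09:25:33 type="event" subtype="system" user="netops" '
    'ui="ssh(10.0.0.5)" msg="diagnose sniffer packet port1 \'icmp\' 4 5"',
]

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# diagnose sniffer packet <interface> '<filter>' [<verbose>] [<count>] ...
SNIFFER_RE = re.compile(
    r"^diagnose sniffer packet\s+(?P<iface>\S+)\s+'(?P<filter>[^']*)'"
    r"(?:\s+(?P<verbose>\d+))?(?:\s+(?P<count>\d+))?"
)
# Ports carrying credentials or auth exchanges: HTTPS/SSL-VPN, LDAP(S), Kerberos, RADIUS, IKE.
AUTH_PORTS = {"443", "389", "636", "88", "1812", "500", "4500"}
# Verbosity levels that print packet data rather than headers only (assumed mapping).
PAYLOAD_VERBOSITY = {"2", "3", "5", "6"}

def parse_kv(line: str) -> Dict[str, str]:
    """Split one audit line into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def classify_sniffer(msg: str) -> Optional[Dict[str, str]]:
    """Return a rated finding for a sniffer invocation, or None for any other command."""
    m = SNIFFER_RE.match(msg)
    if not m:
        return None
    ports = set(re.findall(r"port\s+(\d+)", m.group("filter"))) & AUTH_PORTS
    reasons = []
    if ports:
        reasons.append("filter targets authentication ports " + ",".join(sorted(ports)))
    if m.group("verbose") in PAYLOAD_VERBOSITY:
        reasons.append("payload-bearing verbosity level " + m.group("verbose"))
    if m.group("count") == "0":
        reasons.append("unbounded capture (count 0)")
    severity = "high" if len(reasons) >= 2 else ("medium" if reasons else "low")
    return {"interface": m.group("iface"), "filter": m.group("filter"),
            "severity": severity, "reasons": "; ".join(reasons)}

def find_sniffer_events(lines: List[str]) -> List[Dict[str, str]]:
    """Every sniffer execution is reported; severity tells the analyst which to chase first."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        hit = classify_sniffer(rec.get("msg", ""))
        if hit:
            hit.update(user=rec.get("user", "?"), source=rec.get("ui", "?"), time=rec.get("time", "?"))
            findings.append(hit)
    return findings
```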
Further investigation, employing tools like Shodan and Censys, uncovered approximately 200 additional operational servers associated with the campaign's sniffing and scanning activities. This extensive infrastructure has been used to scan nearly 11,250 FortiGate portals across more than 150 countries. The campaign has achieved administrative-level access on 409 targets, and a full attack chain, including VPN compromise and domain controller access, has been completed on 354 targets, indicating a high degree of success in establishing deep network access.
The critical link to ransomware was uncovered through a security breach within a newly identified server belonging to the threat actor. This breach exposed internal operational data, including logs and documentation, providing the crucial evidence for attribution. Within this exposed environment, STRU observed an operator actively participating in ransom negotiations on both the INC Ransom and Lynx platforms.
INC Ransom has been a prominent RaaS group since mid-2023, while Lynx, which emerged about a year later, is widely believed to be an evolved variant of INC. The connection was further corroborated by victim overlap: a comparison of FortiBleed's target data with an INC-linked open directory revealed matching victim organizations, providing independent confirmation of a shared operational pipeline.
Analysis of recovered internal tracking documents revealed details about credential usage, network access, and the outcomes of ransomware deployments. The operation appears to be highly structured, involving approximately 20 individuals, including a core group of primary operators, specialized personnel, and junior support staff. This indicates a well-organized criminal enterprise rather than a loosely affiliated group.
FortiBleed is therefore not merely an isolated credential-theft operation; it represents a direct pipeline into active ransomware economies. For organizations relying on FortiGate infrastructure, exposure to this campaign elevates the risk beyond simple credential compromise, serving as a potential precursor to a full-scale ransomware attack and significant data loss.