Threats & Attacks

FortiBleed Credential Campaign Is Feeding INC and Lynx Ransomware Operations

Credentials stolen from FortiGate firewalls are being fed directly into ransomware deployments. The campaign, now tracked as FortiBleed, has compromised over 430,000 FortiGate devices and harvested more than 110 million credentials. Researchers at SOCRadar have linked those stolen credentials to at least 12 confirmed ransomware deployments by the INC and Lynx operations with 354 completed FortiGate attack chains identified so far.

This is not a theoretical escalation path. The same operator harvesting the credentials appears to be using them for ransomware deployment, according to SecurityWeek’s Ionut Arghire, who reviewed the SOCRadar research. That single-operator model, from initial credential theft to ransomware execution, compresses the time between compromise and damage significantly.

What FortiBleed Actually Does

FortiBleed is a credential-harvesting campaign targeting FortiGate firewalls at scale. No specific CVEs have been publicly disclosed by researchers in connection with the campaign as of writing which makes independent technical validation difficult. The Hacker News reported on the campaign on 7 July 2026 and SOCRadar published a separate analysis connecting the credential pipeline to INC and Lynx ransomware infrastructure.

The absence of named CVEs is a problem for defenders. Without a specific vulnerability identifier, organizations cannot verify whether their patched systems remain exposed or whether the harvesting mechanism relies on configuration weaknesses, credential stuffing against management interfaces or an unpatched flaw that has not yet been assigned. SOCRadar and SecurityWeek have not clarified this publicly. Treat any FortiGate device with internet-exposed management interfaces as a priority regardless.

INC ransomware has been active since mid-2023 and has claimed attacks against healthcare and manufacturing targets across Europe. Lynx emerged in 2024 as a rebrand of INC infrastructure, according to reporting by BleepingComputer. The operational overlap between the two groups makes attribution fluid but the shared credential pipeline described by SOCRadar suggests co-ordinated infrastructure rather than coincidence.

110 Million Credentials Is a Supply Chain, Not a One-Off Breach

The scale here matters. At 110 million harvested credentials across 430,000 devices, FortiBleed is functioning as a credential supply operation, not a targeted intrusion campaign. Ransomware groups purchasing or receiving access to that pool can pick targets selectively, prioritising organizations where harvested credentials still work against active systems.

The 110 million figure comes from SOCRadar’s analysis, not from a government agency advisory. Treat it as an order-of-magnitude estimate until CISA, ENISA or a national CERT publishes independent verification. That said, even a fraction of that credential volume, if valid and unrotated, represents a serious exposure for any organization running FortiGate hardware that has not changed credentials since the campaign began.

FortiGate firewalls are widely deployed across enterprise and mid-market environments in the Nordic region. Fortinet’s hardware is standard infrastructure at many Swedish and Finnish manufacturers, logistics operators and public sector bodies. None of these organizations have been named in connection with confirmed FortiBleed compromises and no Nordic incidents have been disclosed publicly. That absence of disclosure is not the same as an absence of exposure.

Check Credentials First, Then the Firmware

Update FortiGate firmware to the current release. Fortinet maintains its firmware release notes at support.fortinet.com and any device running a version released before 2025 should be treated as a priority upgrade.

Rotate all credentials associated with FortiGate management accounts immediately including service accounts and any API tokens that interact with the firewall. If those credentials are shared with other systems or reused elsewhere in your environment, rotate them there too. Credential reuse is what turns a firewall compromise into a domain-wide incident.

Enable multi-factor authentication on FortiGate management interfaces. Fortinet has supported MFA on FortiGate via FortiAuthenticator and SAML integrations for several years. If your deployment does not have it enabled, that is the highest-priority configuration change available to you right now.

Restrict management interface access to known IP ranges via firewall policy. Internet-exposed FortiGate admin panels are the obvious attack surface here. If your management interface is reachable from the public internet without IP restrictions, close that exposure before anything else.

Check your FortiGate logs for authentication attempts from unfamiliar IP addresses particularly against the management interface and VPN endpoints. SOCRadar’s analysis links the credential harvesting to subsequent lateral movement, so signs of successful authentication from unexpected sources should be treated as indicators of compromise, not background noise.

References

  1. FortiBleed Campaign Linked to INC, Lynx Ransomware Attacks
  2. FortiBleed Campaign Linked to INC and Lynx Ransomware
  3. FortiBleed Credential Theft Linked to INC and Lynx Ransomware
  4. Firmware and Security Updates

This post is also available in: Svenska

Per Häggdahl

Per Häggdahl is Head of Business Unit and CISO at eBuilder Security, with more than 20 years securing systems for banks, central banks, stock exchanges and central securities depositories, now leading the team that brings that same enterprise-grade protection to organisations of every size.