FortiBleed Harvests 110M Credentials Across 409 FortiGate Devices, Directly Feeds INC and Lynx Ransomware
FortiBleed credential harvesting directly enabled INC and Lynx ransomware on overlapping victims through a shared operator. The campaign exposed 110 million credentials via 409 compromised FortiGate devices since February. This reveals under-reported supply-chain risks in firewall infrastructure feeding ransomware economies.
Evidence indicates the operation is still active, with continued scanning against 11,250 portals. Similar broker-to-ransomware flows have accelerated post-2023, suggesting FortiGate devices will remain high-value targets absent firmware-level changes to traffic inspection logging. Next indicators will appear in procurement records for replacement appliances and updated CVE exploitation timelines.
SENTINEL: 40+ additional FortiGate domain compromises will appear in public incident reports by October 2025
Sources (3)
- [1]SOCRadar FortiBleed Analysis(https://socradar.com/fortibleed-campaign-inc-lynx/)
- [2]SecurityWeek Coverage(https://www.securityweek.com/fortibleed-campaign-linked-to-inc-lynx-ransomware-attacks/)
- [3]Fortinet PSIRT Advisories(https://www.fortinet.com/psirt.html)