FortiBleed Harvests 110M Credentials via FortigateSniffer on 430K Devices Since February 2026
FortiBleed demonstrates scaled IAB infrastructure harvesting 110M credentials from FortiGate appliances to feed lateral movement and affiliate ecosystems. Technical artifacts link it to prior multi-vendor brute-force operations using shared tooling. Continued expansion to additional edge devices is probable within 60 days.
The operation follows five documented stages: Masscan and Shodan reconnaissance filtered by FortiProbe-fast and GeoSplit, credential stuffing via forticheck against admin and SSL-VPN portals, SSH deployment of the Golang sniffer that invokes FortiOS diagnose sniffer packet, offline cracking with Hashmat and Hashtopolis orchestrated by HASHBOT Telegram bot, and downstream reuse against Active Directory. Evidence from SOCRadar telemetry shows 659 distinct pipelines executed on 31 May and 15 June alone, extending identical automation to Synology NAS, Sophos, Citrix, and MS-SQL targets. The campaign's emphasis on sub-200-employee organizations in IT services indicates deliberate selection of high-multiplier access paths rather than direct high-value targets.
SENTINEL: 15% of the 924K NTLM hashes will appear in public breach dumps or ransomware affiliate tooling within 90 days.
Sources (2)
- [1]SOCRadar FortiBleed Report(https://socradar.com/fortibleed-report.pdf)
- [2]Amazon Threat Intelligence FortiGate Campaign(https://aws.amazon.com/threat-intel/fortigate-2026/)