- What: A financially motivated Russian-speaking initial access broker (IAB) ran the FortiBleed operation, deploying a Golang sniffer on compromised FortiGate firewalls to passively harvest credentials from traffic passing through them.
- Impact: At least 659 harvesting pipelines surfaced 110M+ credentials, including 14.8M RADIUS credentials, 924K NTLM and 130K Kerberos hashes, and 89M MySQL authentication tokens, fueling Active Directory compromise and access-for-sale listings priced up to $60,000.
- Fix / mitigation: No CVE is in play; rotate all credentials that transited affected appliances, enforce MFA on admin and SSL-VPN portals, take management interfaces off the internet, and hunt for unauthorized `diagnose sniffer packet` use and planted backdoor accounts.
- Who's at risk: Internet-facing FortiGate operators, especially US and Indian SMBs under 200 employees, and IT service providers whose access chains into customer environments.
A Russian-speaking initial access broker has spent the last four months turning FortiGate firewalls into credential-collection devices. The operation, named FortiBleed by SOCRadar, has targeted more than 430,000 internet-facing FortiGate appliances since February 2026, and researchers have identified over 110 million credentials across a multi-vendor harvesting campaign. This is not a zero-day story. It is a brute-force-and-sniff machine built for scale, and it is working.
The mechanics are simple, and that is what makes them dangerous. Operators scan the internet for exposed FortiGate systems, brute-force the admin panel and SSL-VPN portal, gain SSH access, then deploy a bespoke Golang tool called FortigateSniffer. The tool abuses a legitimate FortiOS feature, the built-in `diagnose sniffer packet` diagnostic command, to passively capture authentication traffic flowing through the firewall. No exploit is involved, and nothing about the capture itself looks malicious to the appliance: it is a native diagnostic doing exactly what it was designed to do, pointed at credentials.
What the sniffer actually steals
FortigateSniffer monitors traffic across 24 protocols, including TACACS+, Kerberos, RPC, SMB, LDAP, RDP, WinRM, MS-SQL, MySQL, PostgreSQL, and RADIUS. It parses authentication data inline and extracts both cleartext credentials and password hashes. Because the firewall sits in the traffic path, the attacker does not need to compromise individual servers. They compromise one chokepoint and read everyone who passes through it. One caveat on what "hashes" means here: for protocols that authenticate with a challenge-response exchange (NTLM over SMB and RPC, Kerberos, MySQL) what crosses the wire is material for offline cracking rather than a reusable password, which is why the cracking infrastructure described next is central to the operation.
The captured hashes are cracked with Hashcat and Hashtopolis, orchestrated through a Telegram bot named HASHBOT. Cracked and validated credentials are then reused against Active Directory domains and other exposed services for lateral movement and enumeration. Stolen session cookies are used to maintain persistent, authenticated access, and sensitive data from network shares is exfiltrated.
The numbers behind 110 million credentials
Researchers estimate the attackers ran no fewer than 659 credential-harvesting pipelines, with major bursts on May 31 and June 15, 2026. The 110 million-plus credentials identified break down into categories that should worry any enterprise identity team:
- 14.8 million RADIUS credentials, the backbone of VPN and network authentication
- 924,000 NTLM hashes; captured in transit these are challenge-response pairs, so they feed offline cracking rather than direct pass-the-hash
- 130,000 Kerberos hashes, feeding Kerberoasting and AD compromise
- 89 million MySQL authentication tokens
FortiBleed is one arm of a broader multi-vendor access operation. Since February 28, 2026 the same actors have brute-forced Synology NAS devices, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers. SpyCloud described the chain as a standard spray-and-pray model that relies on mass scanning and brute-forcing logins. If you run any internet-facing appliance with weak or reused admin credentials, you are in scope.
The five-stage pipeline
The operation runs as an industrialized pipeline. Reconnaissance uses Masscan and Shodan, plus custom utilities named FortiProbe-fast and GeoSplit to filter and group targets by country. Compromise relies on a credential checker called forticheck aimed at the admin panel and SSL-VPN portal, backed by credential stuffing and dictionary attacks for SSH. After access, FortigateSniffer harvests traffic, hashes go to the cracking rigs, and validated credentials drive lateral movement. Zenox observed the validation engine running 300-minute cycles with 1,000 simultaneous threads, and reported successful validation rates near 90 percent in early cycles.
The group is disciplined about economics. Targets are ranked by economic value before resources are allocated. The sniffing mechanism includes a geofencing filter limiting operations to specific IP ranges and restricting activity to 7 a.m. to 6 p.m. Moscow Time, a clear operational fingerprint and a defender detection opportunity.
Who is in the crosshairs
The campaign shows a heavy focus on small and medium businesses with fewer than 200 employees, with notable emphasis on the United States and India. The IT services sector is a key target, and the reasoning is deliberate: compromising a service provider creates access paths into every downstream customer environment. For MSPs and IT firms, a single compromised FortiGate is not one breach, it is a supply-chain foothold.
Zenox found certain username and password pairs repeated across thousands of distinct IP addresses, suggesting the attacker may be planting accounts as clandestine backdoor entry points. Meanwhile a Russian-speaking account named SantaAd has advertised access to thousands of Fortinet devices starting at $30,000 and raised it to $60,000 within hours. Whether or not SantaAd is directly tied to FortiBleed, the access-for-sale market for these devices is active and priced for ransomware affiliates.
What to do now
Treat any internet-exposed FortiGate as potentially compromised and act on that assumption. There is no patch to apply here because the attack abuses legitimate functionality and weak authentication, so the fixes are operational discipline rather than a version bump.
- Rotate every credential that may have transited an affected appliance, prioritizing RADIUS, AD, and database accounts.
- Enforce MFA on FortiGate admin and SSL-VPN accounts (FortiToken or another second factor), restrict admin logins with trusted-host entries, and remove HTTPS and SSH management access from internet-facing interfaces entirely.
- Audit FortiOS for unauthorized use of `diagnose sniffer packet` and for unexpected SSH sessions or admin accounts. The sniffer is a diagnostic command, not a configuration item, so it leaves no trace in the running config; rely on CLI audit and admin event logs, and compare the output of `show system admin` against your baseline.
- Hunt for the planted-backdoor indicator: identical, non-baseline admin usernames appearing across unrelated devices. You cannot see the attacker's passwords, but you can inventory accounts across your fleet.
- Review logins that fall in the 7 a.m. to 6 p.m. Moscow Time window (04:00 to 15:00 UTC) and logins from unexpected source geographies.
- If you are an IT service provider, assume customer-facing access paths are a target and segment accordingly.
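The three hunts above (the Moscow Time activity window, sniffer invocation, and repeated admin names across devices) can be scripted against exported FortiGate event logs. The following is an added example written for this article; it is not the campaign's tooling and not Fortinet code. It assumes FortiOS-style key=value log lines whose field names (`sn`, `user`, `srcip`, `action`, `status`, `msg`) are illustrative and should be checked against your firmware's actual output, that device clocks run in UTC, and that CLI audit logging places the executed command text in `msg`. The sample log lines and admin inventory are constructed, not real device output.

```python
"""Hunt for FortiBleed-style activity in FortiGate event logs.

Added example for this article, not the campaign's tooling nor Fortinet code.
Assumptions: FortiOS-style key=value lines (field names are illustrative),
device clocks in UTC, and the article's own indicators: successful admin logins
from untrusted sources inside the 07:00-18:00 Moscow Time window, use of the
built-in packet sniffer, and one non-baseline admin name recurring across devices.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress
import re

MSK = timezone(timedelta(hours=3))                 # Moscow Time is UTC+3 all year
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare

# Constructed sample lines (not real device output): one day, two devices.
SAMPLE_LOGS = [
    'date=2026-06-15 time=09:14:02 type="event" subtype="system" sn="FGT60FTK0000001" '
    'user="admin" method="ssh" srcip=203.0.113.7 action="login" status="success" '
    'msg="Administrator admin logged in successfully from ssh(203.0.113.7)"',
    'date=2026-06-15 time=09:20:30 type="event" subtype="system" sn="FGT60FTK0000001" '
    'user="admin" action="execute" msg="diagnose sniffer packet any port 1812 3"',
    'date=2026-06-15 time=20:30:11 type="event" subtype="system" sn="FGT60FTK0000001" '
    'user="admin" method="https" srcip=203.0.113.7 action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(203.0.113.7)"',
    'date=2026-06-15 time=10:02:45 type="event" subtype="system" sn="FGT60FTK0000002" '
    'user="netops" method="https" srcip=10.0.0.5 action="login" status="success" '
    'msg="Administrator netops logged in successfully from https(10.0.0.5)"',
]

# Constructed admin inventory, as you might gather with `show system admin` per device.
SAMPLE_INVENTORY = {
    "FGT60FTK0000001": ["admin", "svc_backup"],
    "FGT60FTK0000002": ["admin", "netops", "svc_backup"],
    "FGT60FTK0000003": ["admin", "svc_backup"],
    "FGT60FTK0000004": ["admin"],
}


def parse_kv(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {k: q if q else b for k, q, b in KV_RE.findall(line)}


def in_operator_window(ev, log_tz=timezone.utc):
    """True if the event time, converted to Moscow Time, falls in 07:00-17:59."""
    stamp = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
    return 7 <= stamp.replace(tzinfo=log_tz).astimezone(MSK).hour < 18


def suspicious_logins(lines, trusted_nets):
    """Successful logins from outside trusted_nets during the operator window."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for ev in map(parse_kv, lines):
        if ev.get("action") != "login" or ev.get("status") != "success":
            continue
        src = ipaddress.ip_address(ev["srcip"])
        if not any(src in n for n in nets) and in_operator_window(ev):
            hits.append((ev["sn"], ev["user"], ev["srcip"],
                         ev["date"] + "T" + ev["time"] + "Z"))
    return hits


def sniffer_usage(lines):
    """CLI-audit events that invoked the built-in sniffer. Assumes the executed
    command text is logged in msg= (enable CLI audit logging on the device)."""
    return [(ev["sn"], ev["user"], ev["msg"]) for ev in map(parse_kv, lines)
            if "diagnose sniffer packet" in ev.get("msg", "")]


def planted_admins(inventory, baseline, min_devices=3):
    """inventory maps device serial -> admin usernames configured on it.
    Returns non-baseline names present on at least min_devices devices,
    the fleet-level form of the repeated-credential indicator."""
    where = defaultdict(set)
    for sn, users in inventory.items():
        for u in set(users) - set(baseline):
            where[u].add(sn)
    return {u: sorted(sns) for u, sns in where.items() if len(sns) >= min_devices}


if __name__ == "__main__":
    for hit in suspicious_logins(SAMPLE_LOGS, ["10.0.0.0/8"]):
        print("login in MSK window from untrusted source:", hit)
    for hit in sniffer_usage(SAMPLE_LOGS):
        print("sniffer invoked:", hit)
    for user, devs in planted_admins(SAMPLE_INVENTORY, {"admin", "netops"}).items():
        print("possible planted admin:", user, "on", devs)
```

On the sample data this flags the 09:14 UTC SSH login (12:14 Moscow Time, from an untrusted address), the sniffer invocation on the same device, and `svc_backup` as a non-baseline admin present on three of four devices; the 20:30 UTC login falls outside the window and the trusted-network login is ignored. The window check is a prioritisation aid, not a verdict: an attacker can work off-hours, so treat matches as the starting point for a full review of the device.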
FortiBleed is a reminder that attackers no longer need exotic exploits when the edge of the network is full of internet-facing appliances protected by guessable passwords. The firewall meant to watch your traffic became the tool used to steal it. The defensive priority is unglamorous and urgent: kill exposed management interfaces, enforce MFA, and rotate anything that may already be in the pipeline.