FortiBleed: 110M Credentials Stolen from 430K FortiGate Firewalls
A Russian-speaking initial access broker (IAB) has been linked to a massive credential-harvesting campaign called FortiBleed, which has compromised over 430,000 FortiGate firewalls worldwide since February 2026. According to SOCRadar, the financially motivated operation combines mass reconnaissance, brute-force attacks, and a custom Golang-based sniffer to passively capture authentication traffic from infected appliances. The tool, dubbed FortigateSniffer, abuses the FortiOS built-in diagnostic command `diagnose sniffer packet` to monitor traffic across 24 protocols and extract cleartext and hashed credentials in real time. The captured data is then cracked, validated, and replayed against Active Directory domains and other internet-exposed services, with a notable focus on small and medium businesses (SMBs) in the IT services sector across the United States and India.
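Detection logic for the technique described above, as an added example that is not part of the original report: it parses FortiOS-style event log lines (constructed samples; the `ui`/`msg` field layout, the message wording and the trusted management subnet are assumptions) and flags invocations of `diagnose sniffer packet` that dump packet payloads, run with no packet count, listen on all interfaces, or originate from an untrusted admin source.

```python
import re

# Constructed FortiOS-style event log lines (key=value / key="value" syntax). These are
# sample data, not real captures; field names on your firmware may differ.
SAMPLE_LOGS = [
    'date=2026-06-15 time=10:02:11 type="event" subtype="system" user="admin" '
    'ui="ssh(203.0.113.7)" msg="User admin ran diagnose sniffer packet any '
    '\'port 88 or port 389 or port 1812 or port 3306\' 3 0"',
    'date=2026-06-15 time=10:03:40 type="event" subtype="system" user="netops" '
    'ui="ssh(10.0.0.5)" msg="User netops ran diagnose sniffer packet port1 \'icmp\' 4 20"',
    'date=2026-06-15 time=10:05:02 type="event" subtype="system" user="admin" '
    'ui="https(10.0.0.8)" msg="User admin ran get system status"',
]

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# diagnose sniffer packet <iface> '<filter>' <verbosity> [<count>] [<timestamp>]
SNIFFER_RE = re.compile(r"diagnose sniffer packet (\S+) '([^']*)' (\d+)(?: (\d+))?")
PAYLOAD_VERBOSITY = {2, 3, 5, 6}   # verbosity levels that print packet data, not only headers
TRUSTED_ADMIN_NETS = ("10.0.0.",)  # assumed management subnet prefix for this example

def parse_line(line):
    """Split a FortiOS key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def assess(line):
    """Return the reasons a line looks like credential sniffing, or [] if it is benign."""
    rec = parse_line(line)
    m = SNIFFER_RE.search(rec.get("msg", ""))
    if not m:
        return []
    iface, _flt, verbosity, count = m.group(1), m.group(2), int(m.group(3)), m.group(4)
    reasons = []
    if verbosity in PAYLOAD_VERBOSITY:
        reasons.append(f"payload-level verbosity {verbosity}")
    if count in (None, "0"):
        reasons.append("unbounded capture (no packet count)")
    if iface == "any":
        reasons.append("capture on all interfaces")
    src = re.search(r"\((.*?)\)", rec.get("ui", ""))
    if src and not src.group(1).startswith(TRUSTED_ADMIN_NETS):
        reasons.append(f"admin session from untrusted source {src.group(1)}")
    return reasons

def findings(lines):
    """(user, reasons) for every line that triggers at least one reason."""
    return [(parse_line(l).get("user"), assess(l)) for l in lines if assess(l)]
```

Only the first sample line is flagged; the short, bounded, header-only ICMP capture from the management subnet passes, which is the distinction a SOC rule on sniffer usage should preserve.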
The scale of FortiBleed is staggering. On May 31 and June 15, 2026 alone, the attackers deployed at least 659 credential-harvesting pipelines, yielding over 110 million credentials in total. The haul includes 14.8 million RADIUS credentials, 924,000 NTLM hashes, 130,000 Kerberos hashes, and a massive 89 million MySQL authentication tokens. Researchers suspect the threat actors leveraged an open-source, AI-native offensive security framework called CyberStrikeAI to automate portions of the workflow, including the scanning and filtering stages using tools like Masscan, Shodan, and custom utilities FortiProbe-fast and GeoSplit. Security teams can use a port scanner to identify exposed FortiGate management interfaces and reduce their attack surface against this kind of opportunistic scanning.
FortiBleed is part of a broader multi-vendor initial access operation that extends beyond Fortinet devices. Since February 28, 2026, the same actors have used automated brute-forcing to breach Synology NAS appliances, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers. This lateral targeting strategy—particularly against managed service providers—gives the broker downstream access into numerous customer environments from a single compromise. Amazon Threat Intelligence previously exposed a related mass-scanning campaign leveraging the CyberStrikeAI framework earlier this year, suggesting a growing ecosystem of AI-assisted offensive tooling in the IAB marketplace.
Defenders should immediately audit FortiGate firmware versions, rotate all credentials that traverse compromised devices, and enforce multi-factor authentication on all management interfaces. Administrators are urged to check exposed services using an SSL/TLS checker to ensure VPN endpoints are not leaking authentication data, and to verify whether any corporate accounts appear in known credential dumps with an email breach checker. Given the campaign's reliance on weak or reused passwords, running a password checker against Active Directory can help identify credentials that are most likely to fall to the brute-force modules deployed by FortiBleed operators.