FortiBleed Campaign Linked to INC and Lynx Ransomware Operations
The extensive 'FortiBleed' credential theft campaign, which exposed sensitive data from over 73,000 **Fortinet** devices, has been directly tied to the **INC** and **Lynx** ransomware-as-a-service (RaaS) groups. This connection suggests that the stolen credentials were intended to facilitate future network intrusions and ransomware attacks, significantly escalating the threat.

Earlier this month, a server containing credentials stolen from more than 73,000 **Fortinet** devices was discovered exposed on the internet. This server held downloaded **FortiGate** configuration files, credentials harvested from compromised devices, and infrastructure designed for cracking password hashes and performing credential-stuffing attacks. The sheer scale of the operation led to its designation as "FortiBleed."
### Custom Sniffer and Ransomware Connections
Further investigations by **SOCRadar** revealed that the operation utilized a custom packet-sniffing tool, dubbed "**FortiGate Sniffer**." This tool was deployed on compromised **FortiGate** firewalls, enabling attackers to intercept VPN credentials and other authentication data directly from network traffic.
**SOCRadar's Threat Research Unit (STRU)** has now directly linked this credential theft operation to members of the **INC** and **Lynx** ransomware-as-a-service (RaaS) groups. Researchers discovered this connection after identifying a Windows server within the **FortiBleed** infrastructure.
"During the investigation of that server, analysis of the collected artifacts revealed that the threat actor had accessed the ransomware negotiation panels of both the **Lynx** / **INC** ransomware group," **SOCRadar** informed BleepingComputer.
Screenshots shared with BleepingComputer depicted browser sessions accessing the administration panels for both ransomware groups, displaying negotiation dashboards with victim chats.
### Expanding Scope and Tactics
**SOCRadar** also reported identifying over 200 additional operational servers beyond those initially associated with the campaign. They found victim information harvested during **FortiBleed** that overlaps with organizations later listed on the **INC** ransomware leak site.
Evidence suggests the operation involves approximately 20 members with defined roles. The campaign's scope was also considerably larger than initially understood, targeting more than 430,000 **FortiGate** firewalls worldwide and deploying traffic sniffers on approximately 19,000 devices. Following notifications to impacted organizations, this number has fallen to around 11,000 compromised devices.
Researchers believe the attackers exploited a previously undisclosed **Nextcloud** zero-day vulnerability to expand access after initial compromise, though technical details remain unreleased. **SOCRadar** also uncovered persistent backdoor accounts using the username "`adminin`" on compromised systems and is actively working to recover ransomware decryption keys.
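Because the campaign both exfiltrated FortiGate configuration files and planted a backdoor admin account, one practical check for defenders is to audit exported configs for unexpected administrators. The following is an added example (not code from the page or from SOCRadar); it assumes the standard `config system admin` / `edit "<name>"` / `next` layout of a FortiGate config export, a constructed sample config, and a caller-supplied allowlist of expected admin usernames.

```python
# Constructed FortiGate config fragment (not from a real device). The
# "adminin" entry mirrors the backdoor username SOCRadar reported; the
# other accounts are assumed legitimate for the sake of the example.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "adminin"
    next
    edit "netops"
        set accprofile "prof_admin"
    next
end
"""

KNOWN_BACKDOOR_NAMES = {"adminin"}  # username reported in the campaign

def parse_admin_accounts(config_text):
    # Walk only the 'config system admin' block: each 'edit "<name>"' ...
    # 'next' pair is one account and its 'set' lines are its settings.
    accounts, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config system admin"
        elif line == "end":
            break
        elif line.startswith('edit "') and line.endswith('"'):
            current = line[6:-1]
            accounts[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            accounts[current][key] = value.strip('"')
    return accounts

def audit_admin_accounts(config_text, allowlist):
    # Flag known backdoor names, accounts outside the allowlist, and
    # admins with no trusthost restriction (a common hardening gap).
    findings = []
    for name, settings in parse_admin_accounts(config_text).items():
        if name in KNOWN_BACKDOOR_NAMES:
            findings.append((name, "matches reported backdoor username"))
        elif name not in allowlist:
            findings.append((name, "not in allowlist"))
        elif not any(k.startswith("trusthost") for k in settings):
            findings.append((name, "no trusted-host restriction"))
    return findings
```

Run it against a real config export with your own allowlist; a hit on the reported backdoor name warrants treating the device as compromised rather than simply deleting the account.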
### The Ransomware Groups
**INC Ransom** has operated as a RaaS platform since mid-2023, targeting healthcare, education, government, and other sectors globally. **Lynx**, which emerged in mid-2024, is widely believed by security researchers to be a rebrand of the **INC** ransomware gang rather than an entirely new extortion group.
**SOCRadar** plans to release a second technical white paper with indicators of compromise, attribution evidence, and further technical analysis once its investigation is complete.