FortiBleed: Russian IAB Exploits FortiGate Firewalls in Massive Credential Harvesting Campaign
A financially motivated, Russian-speaking initial access broker (IAB) is behind a widespread credential-harvesting operation dubbed **FortiBleed**, targeting over 430,000 **FortiGate** firewalls globally. Active since February 2026, the campaign leverages a custom Golang-based tool to capture cleartext and hashed credentials from compromised devices, with a heavy focus on Small and Medium Businesses (SMBs) in the United States and India.

A sophisticated credential-harvesting operation, dubbed **FortiBleed**, has been uncovered, revealing a financially driven, Russian-speaking initial access broker (IAB) at its helm. The campaign has set its sights on over 430,000 **FortiGate** firewalls worldwide, initiating its activities in February 2026.
### The Mechanics of FortiBleed
The operation meticulously collects credential lists, scans for exposed services, brute-forces accessible systems, and deploys bespoke sniffers on compromised firewalls. According to a report by **SOCRadar**, these sniffers are designed to capture both cleartext and hashed credentials from traffic traversing the affected devices. "The actors then crack, validate, and reuse the credentials against **Active Directory** domains and other exposed services," **SOCRadar** stated.
Central to the operation is **FortigateSniffer**, a **Golang**-based tool available in both Windows and Unix versions. This tool exploits **FortiOS's** built-in diagnostic command, `diagnose sniffer packet`, to passively monitor authentication traffic across 24 protocols, parsing the data and extracting credentials.
Intriguingly, the threat actors are suspected of utilizing **CyberStrike**, an open-source, AI-native offensive security platform, to streamline certain aspects of their workflow. This is not the first instance of an AI-assisted framework being linked to **FortiGate** targeting; **CyberStrikeAI** was previously deployed in an automated mass scanning campaign against **FortiGate** devices, as reported by **Amazon Threat Intelligence** earlier this year.
### Targeting Profile and Scope
**FortiBleed** exhibits a strong focus on Small and Medium Businesses (SMBs) with fewer than 200 employees, spanning multiple sectors and regions, with a pronounced emphasis on the United States and India. The IT services sector is a key target, likely chosen to maximize downstream access into customer environments.
This campaign appears to be part of a broader, multi-vendor initial access operation. Beyond **Fortinet** devices, the threat actors have also targeted **Synology NAS**, **Sophos** firewalls, **RDWeb** portals, **Citrix SSL-VPNs**, and **MS-SQL** servers through automated brute-forcing since February 28, 2026.

Between May 31 and June 15, 2026, the attackers are estimated to have launched no fewer than 659 credential-harvesting pipelines, leading to the identification of over 110 million credentials. This massive haul included:
* 14.8 million **Remote Authentication Dial-In User Service (RADIUS)** credentials
* 924,000 **NTLM** hashes
* 130,000 **Kerberos** hashes
* 89 million **MySQL** authentication tokens
### The Five Stages of FortiBleed
The **FortiBleed** campaign unfolds in five distinct stages:
1. **Reconnaissance**: Widespread reconnaissance using tools like **Masscan** and **Shodan** identifies vulnerable internet-facing **FortiGate** firewalls. Custom utilities, **FortiProbe-fast** and **GeoSplit**, further filter and group systems by country.
2. **Compromise**: Devices are compromised using "forticheck," a credential checker targeting **FortiGate's** administrative panel and **SSL-VPN** portal. Credential stuffing and dictionary attacks are employed to gain administrative **SSH** access.
3. **Sniffing**: Once **SSH** access is established, **FortigateSniffer** is deployed. It passively intercepts authentication traffic across 24 protocols (e.g., **TACACS+**, **Kerberos**, **RPC**, **SMB**, **LDAP**, **SMTP**, **FTP**, **Telnet**, **RDP**, **WinRM**, **MS-SQL**, **MySQL**, **PostgreSQL**, and **RADIUS**) using native **FortiOS** diagnostic commands to harvest cleartext credentials and password hashes.
4. **Cracking and Lateral Movement**: Password hashes are cracked using **Hashmat** and **Hashtopolis**, orchestrated by a **Telegram** bot named **HASHBOT**. These cracked credentials facilitate lateral movement, **Active Directory** enumeration, **Kerberos** validation, and **SMB** authentication.
5. **Exfiltration and Persistence**: Sensitive data from network shares is exfiltrated, and stolen session cookies are leveraged to maintain persistent, authenticated access.
"The group does not treat all targets equally," **SOCRadar** noted. "Instead, targets are ranked according to economic value before exploitation resources are allocated."
### Geofencing and Potential Backdoors
The sniffing mechanism incorporates a geofencing filter, restricting operations to specific IP ranges and limiting activity to between 7 a.m. and 6 p.m. Moscow Time. **SpyCloud**'s timeline indicates that the **FortiGate**-related capture cycle commenced on May 19, 2026, with hash cracking infrastructure established by the end of the month.
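The sniffing stage and the geofencing window above suggest one concrete detection: audit FortiGate CLI event logs for `diagnose sniffer packet` executions and tag those that fall inside the 7 a.m. to 6 p.m. Moscow window. The Python below is an added defender-side illustration, not code from the report or from any vendor; the key=value log lines are constructed, and their field names are an assumption modelled loosely on FortiOS event logs rather than a verified format.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (key=value, syslog style). Field names such as
# action= and msg= are an assumption, not a verified FortiOS log schema.
SAMPLE_LOGS = """\
date=2026-06-02 time=09:14:05 type="event" subtype="system" user="admin" ui="ssh(203.0.113.7)" action="execute" msg="diagnose sniffer packet any 'tcp' 3 0"
date=2026-06-02 time=09:20:41 type="event" subtype="system" user="admin" ui="ssh(203.0.113.7)" action="execute" msg="get system status"
date=2026-06-02 time=23:05:12 type="event" subtype="system" user="netops" ui="ssh(198.51.100.20)" action="execute" msg="diagnose sniffer packet port1 'icmp' 4 10"
date=2026-06-03 time=08:45:30 type="event" subtype="system" user="adminin" ui="https(203.0.113.9)" action="login" msg="Administrator adminin logged in"
"""

# Matches key=value pairs where the value is either a quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSK = timezone(timedelta(hours=3))  # Moscow Time, the campaign's reported operating zone

def parse_line(line):
    """Split one log line into a dict, stripping surrounding quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def in_operator_window(rec, log_tz=timezone.utc):
    """True if the record's timestamp (assumed UTC) falls in 07:00-18:00 Moscow Time."""
    ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    hour = ts.replace(tzinfo=log_tz).astimezone(MSK).hour
    return 7 <= hour < 18

def find_sniffer_events(log_text):
    """Return every command-execution event that invoked the packet sniffer."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "execute":
            continue
        cmd = rec.get("msg", "")
        if not cmd.startswith("diagnose sniffer packet"):
            continue
        hits.append({
            "time": f"{rec['date']} {rec['time']}",
            "user": rec.get("user", ""),
            "source": rec.get("ui", ""),
            "command": cmd,
            "moscow_business_hours": in_operator_window(rec),
        })
    return hits

if __name__ == "__main__":
    for hit in find_sniffer_events(SAMPLE_LOGS):
        print(hit)
```

Any sniffer invocation is worth reviewing against change records; the Moscow-hours flag is only a weak corroborating signal, since legitimate administrators in that zone will trigger it too.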
**ZenoX**, a Brazilian cybersecurity company, reported that the operation runs in 300-minute (five-hour) cycles, with high success rates. They also uncovered repeated username and password pairs across thousands of distinct IP addresses, raising concerns about potential planted backdoors. **Acassio Silva**, co-founder and head of threat intelligence at **ZenoX**, highlighted that pairs like `adminin:ITAdmin@888` appeared on thousands of devices, suggesting they might be attacker-planted rather than organic credentials. This assessment is bolstered by the mimicry of legitimate **Fortinet/FortiCloud** service usernames, likely an attempt to blend into targeted environments.
Separately, a Russian-speaking account named "**SantaAd**" has advertised access to thousands of **Fortinet** devices, with prices escalating from $30,000 to $60,000. However, a direct link between this advertisement and the **FortiBleed** operation remains unconfirmed.
**Arctic Wolf**, in a follow-up report, characterized **FortiBleed** as a "credential pipeline that utilizes credential stuffing, password spraying, configuration harvesting, offline cracking, and post-authentication capture processing." They added that "**FortiGate** access becomes multi-protocol credential extraction, hash cracking, **VPN**-bound **AD/SMB** access, and file-share exfiltration." It's crucial to note that these attacks do not exploit any new zero-day vulnerabilities, relying instead on well-established methods of mass scanning and brute-forcing logins.