Skip to content
ransomwarefortinetcredential-theftCVE

FortiBleed gets a face: credential thieves confirmed operating INC and Lynx ransomware panels

3 min read
Share

FortiBleed gets a face: credential thieves confirmed operating INC and Lynx ransomware panels

The FortiBleed campaign, which targeted more than 430,000 FortiGate firewalls and extracted credentials from tens of thousands of them, has been attributed to operators who are simultaneously running INC and Lynx ransomware affiliate programs. The link, documented by SOCRadar on July 5, 2026, closes the gap between a credential-theft operation and its downstream monetization strategy. This is no longer a dataset floating on the dark web. It is a pipeline.

The attribution came from an infrastructure discovery. SOCRadar analysts identified one of approximately 200 FortiBleed-related servers that had been left with internal files, logs, and operational documentation exposed. Among the recovered material was evidence of a single operator actively managing negotiation panels for both INC and Lynx simultaneously.

How the FortiBleed operation worked

The core tool in the campaign was FortigateSniffer, a purpose-built network sniffer deployed to FortiGate appliances after initial access. It captured cleartext credentials and password hashes passing through the device in transit. The operation scanned approximately 430,000 FortiGate firewall interfaces, achieved admin-level access on 409 confirmed targets, and completed the full attack chain on 354 of those. At least 12 ransomware deployments have resulted from this access to date, with hundreds of endpoints encrypted across victim organizations.

Recorded Future's Insikt Group, which tracked the campaign in parallel, estimated approximately 86,644 confirmed compromised FortiGate devices as of late June, up from the 75,000 figure published by Arctic Wolf at first disclosure on June 17. The delta reflects ongoing campaign activity between disclosure and attribution.

Why INC and Lynx, and what the pairing means

INC and Lynx are mid-tier ransomware-as-a-service operations that have been active since 2023 and 2024 respectively. Neither is LockBit or Cl0p in terms of volume, but both have maintained consistent affiliate recruitment and victim publishing activity. The pairing of a credential-theft infrastructure with two affiliate ransomware operations suggests a business model: acquire high-value credentials at scale through the FortiBleed pipeline, then license access to affiliates across multiple brands to maximize coverage and complicate attribution.

The FortiGate authentication bypass that enabled initial access in this campaign has been patched. If your organization has not applied the relevant Fortinet security advisories, assume credential compromise is possible. The FortiBleed dataset is large enough that organizations across many sectors worldwide have exposure. The SOCRadar report links new FortiBleed infrastructure to victims in over 150 countries.

What to do

  • Apply all outstanding Fortinet FortiGate security advisories immediately. The authentication bypass that enabled FortiBleed is patched; running an unpatched version is the primary risk factor.
  • Rotate VPN credentials and any credentials that transit a FortiGate device. If your device falls within the exposure window, treat all credentials as potentially known to the attacker.
  • Check for FortigateSniffer indicators. The tool has known IoCs documented by Arctic Wolf and SOCRadar. Review NetFlow and firewall logs for anomalous internal traffic consistent with credential harvesting.
  • Monitor your organization's name on INC and Lynx leak sites. Attribution to specific victims typically appears on leak sites before public breach notification in most RaaS operations.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if your organization needs help assessing FortiGate exposure or responding to a credential theft incident.