FortiBleed Campaign Harvests 110 Million Credentials Through Compromised FortiGate Firewalls

Researchers have uncovered a massive credential-harvesting operation dubbed 'FortiBleed' that leveraged compromised FortiGate firewalls and automated cracking infrastructure to collect more than 110 million credentials worldwide.

CSBadmin

Security researchers have exposed a large-scale credential theft campaign known as “FortiBleed,” a financially motivated operation attributed to a Russian-speaking initial access broker that has targeted hundreds of thousands of internet-facing systems since early 2026. The campaign focuses heavily on FortiGate firewalls but extends to a broader range of enterprise technologies, including network appliances, VPN gateways, NAS devices, remote access portals, and database servers. Investigators estimate that more than 430,000 FortiGate devices were scanned or targeted as part of the operation.

Rather than relying on previously unknown vulnerabilities, the attackers employ a highly automated workflow centered on credential stuffing, password spraying, and post-compromise credential harvesting. Once administrative access to a firewall is obtained, a custom tool called FortigateSniffer is deployed to passively monitor authentication traffic traversing it. By leveraging built-in diagnostic capabilities within FortiOS, the tool extracts cleartext credentials, authentication tokens, and password hashes from a wide range of enterprise protocols without generating significant operational noise. No further exploit is needed at this stage: the firewall sits inline on the traffic it forwards, so the device's own packet-capture tooling is enough to record whatever crosses it, and any protocol that authenticates in cleartext or with an offline-crackable challenge-response is exposed.

Researchers estimate the operation collected more than 110 million credentials over a two-week period, including RADIUS credentials, NTLM hashes, Kerberos authentication data, and tens of millions of database authentication tokens. The campaign’s infrastructure includes distributed password-cracking systems powered by GPU clusters, Telegram-based automation tools, and custom credential-processing platforms that turn captured traffic into credentials ready for validation and reuse. Stolen credentials are then validated, cracked where necessary, and reused to gain access to Active Directory environments, VPN portals, network shares, and other corporate resources.

Analysts describe FortiBleed as an example of an industrialized cybercrime operation designed to systematically convert perimeter access into deeper enterprise compromise. By combining mass reconnaissance, credential harvesting, automated cracking, lateral movement, and data exfiltration into a repeatable workflow, the threat actors have created a scalable pipeline capable of generating valuable network access for resale on underground markets. Security experts warn that organizations should prioritize multi-factor authentication on administrative interfaces and VPN portals, credential rotation, VPN monitoring, and review of firewall configuration exports to reduce exposure to similar credential-driven attacks. Because the harvesting itself runs on the firewall and is designed to be quiet, the signals worth watching are the ones that precede it: bursts of failed logins across many accounts against the admin interface or VPN portal, and administrative sessions that invoke packet-capture or configuration-export functions. Where possible, removing administrative interfaces from the internet altogether removes the login surface that credential stuffing and spraying depend on.
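The following is an added example, not code from the original article or from the researchers it cites. It sketches the two detections the passages above point at: password spraying or credential stuffing against the firewall's admin and SSL-VPN logins (many failed logins from one source across many distinct usernames), and an administrator invoking the FortiOS packet sniffer, which is assumed here to be the "built-in diagnostic capability" a passive harvester would abuse (the `diagnose sniffer packet` CLI command). The log lines are constructed in FortiOS's key=value syslog style; the field names and values used (`user`, `ui`, `remip`, `action`, `status`, `msg`, the "executed command" message) are modelled on that style rather than taken from the article, so verify them against the log reference for your firmware before relying on them.

```python
"""Triage FortiGate event logs for two FortiBleed-style signals:
(1) password spraying / credential stuffing against admin and SSL-VPN logins, and
(2) an administrator starting the FortiOS packet sniffer.
Added example; log lines are constructed, not real telemetry, and the field
layout is an approximation of FortiOS key=value syslog (verify per firmware)."""
import re
from collections import defaultdict

# key=value pairs; values may be double-quoted and contain spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# admin logins record the source as ui="https(203.0.113.10)" or ui="ssh(...)"
IP_IN_UI_RE = re.compile(r'\(([0-9a-fA-F.:]+)\)')
# FortiOS CLI accepts abbreviated keywords, so match "diag sniff packet" too
SNIFFER_RE = re.compile(r'\bdiag(?:nose)?\s+sniff(?:er)?\s+packet\b', re.IGNORECASE)

# Constructed sample: 198.51.100.7 fails against six different accounts;
# 203.0.113.10 logs in once as admin and then starts the sniffer on RADIUS,
# LDAP and Kerberos ports. The "executed command" message text is assumed.
SAMPLE_LINES = [
    'date=2026-03-02 time=09:14:01 devname="fw-edge-01" type="event" subtype="system" level="alert" user="admin" ui="https(198.51.100.7)" action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(198.51.100.7) because of invalid password"',
    'date=2026-03-02 time=09:14:03 devname="fw-edge-01" type="event" subtype="system" level="alert" user="jsmith" ui="https(198.51.100.7)" action="login" status="failed" reason="passwd_invalid" msg="Administrator jsmith login failed from https(198.51.100.7) because of invalid password"',
    'date=2026-03-02 time=09:14:05 devname="fw-edge-01" type="event" subtype="system" level="alert" user="backup" ui="https(198.51.100.7)" action="login" status="failed" reason="passwd_invalid" msg="Administrator backup login failed from https(198.51.100.7) because of invalid password"',
    'date=2026-03-02 time=09:14:07 devname="fw-edge-01" type="event" subtype="system" level="alert" user="svc_scan" ui="https(198.51.100.7)" action="login" status="failed" reason="passwd_invalid" msg="Administrator svc_scan login failed from https(198.51.100.7) because of invalid password"',
    'date=2026-03-02 time=09:14:09 devname="fw-edge-01" type="event" subtype="system" level="alert" user="vpnadmin" ui="https(198.51.100.7)" action="login" status="failed" reason="passwd_invalid" msg="Administrator vpnadmin login failed from https(198.51.100.7) because of invalid password"',
    'date=2026-03-02 time=09:14:11 devname="fw-edge-01" type="event" subtype="vpn" level="alert" user="hr_portal" remip=198.51.100.7 action="ssl-login-fail" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"',
    'date=2026-03-02 time=09:31:40 devname="fw-edge-01" type="event" subtype="system" level="information" user="admin" ui="https(203.0.113.10)" action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.10)"',
    'date=2026-03-02 time=09:32:12 devname="fw-edge-01" type="event" subtype="system" level="notice" user="admin" ui="ssh(203.0.113.10)" action="execute" msg="Administrator admin executed command: diagnose sniffer packet any \'port 1812 or port 389 or port 88\' 3 0 l"',
]


def parse_fortios_line(line):
    """Split one key=value log line into a dict, stripping quotes from values."""
    rec = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    return rec


def source_ip(rec):
    """VPN events carry remip=; admin events embed the IP in the ui field."""
    if rec.get("remip"):
        return rec["remip"]
    m = IP_IN_UI_RE.search(rec.get("ui", ""))
    return m.group(1) if m else None


def is_failed_login(rec):
    if rec.get("action") == "login":
        return rec.get("status") == "failed"
    return rec.get("action") == "ssl-login-fail"


def find_spraying(records, min_failures=5, min_users=3):
    """Sources that fail logins repeatedly AND across many distinct usernames.
    The distinct-user threshold separates spraying from one user mistyping."""
    by_src = defaultdict(lambda: {"failures": 0, "users": set()})
    for rec in records:
        if not is_failed_login(rec):
            continue
        src = source_ip(rec)
        if src is None:
            continue
        by_src[src]["failures"] += 1
        by_src[src]["users"].add(rec.get("user", "?"))
    return {src: (d["failures"], sorted(d["users"]))
            for src, d in by_src.items()
            if d["failures"] >= min_failures and len(d["users"]) >= min_users}


def find_sniffer_use(records):
    """Administrative sessions whose logged message invokes the packet sniffer."""
    return [(rec.get("user"), source_ip(rec), rec.get("msg", ""))
            for rec in records if SNIFFER_RE.search(rec.get("msg", ""))]


def analyze(lines):
    records = [parse_fortios_line(line) for line in lines]
    return {"spraying": find_spraying(records), "sniffer": find_sniffer_use(records)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    for src, (n, users) in result["spraying"].items():
        print(f"possible spraying from {src}: {n} failures across {len(users)} users {users}")
    for user, src, msg in result["sniffer"]:
        print(f"packet sniffer started by {user} from {src}: {msg}")
```

The thresholds in `find_spraying` are deliberately low for the constructed sample; in production they should be tuned per source and per time window, and the sniffer rule should be joined with a change-control list so that legitimate troubleshooting captures do not page anyone. Note that a sniffer invocation by an account that just authenticated for the first time from a new address is the combination worth escalating, since it matches the sequence the article describes.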


Sources: The Hacker News