- A financially-motivated initial access broker has targeted over 430,000 FortiGate firewalls globally since February 2026.
- The FortiBleed operation uses a custom tool to harvest over 110 million credentials, including hashed passwords and authentication tokens.
- The campaign heavily targets Small and Medium Businesses (SMBs), especially in the IT services sector, to gain access to downstream customer environments.
- Attackers use a Telegram bot named HASHBOT to orchestrate hash cracking and sell access to compromised devices for up to $60,000.
A Russian-speaking threat actor has orchestrated a massive credential-harvesting campaign, dubbed FortiBleed, which has compromised more than 430,000 Fortinet firewalls globally since February 2026. The financially-motivated operation leverages a custom Golang sniffer to steal authentication data from infected devices, according to a fresh report published by SOCRadar.
The campaign specifically targets the FortiGate administrative panel and SSL-VPN portal using credential stuffing attacks. Once a device is compromised, a tool called FortigateSniffer is deployed to capture cleartext passwords and hashes from 24 different network protocols.
Stolen credentials are then cracked using tools like Hashcat and Hashtopolis, orchestrated by a Telegram bot. Meanwhile, data captured by SpyCloud shows the operation runs in five-hour cycles with a high validation success rate.
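The credential stuffing stage described above leaves a characteristic trace: many failed logins against many different accounts from one source in a short window. The detector below is an added example, not code from the article or from SOCRadar, SpyCloud or Fortinet. The sample lines are constructed to approximate FortiGate's key="value" event log layout; the field names it keys on (subtype, action, status, user, remip, ui) and the thresholds are assumptions, so map them to your own log source before use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines approximating FortiGate key="value" event logs.
# Field names and layout are assumptions for this example, not vendor documentation.
# 203.0.113.10 sprays the SSL-VPN portal and the admin panel across six accounts;
# 198.51.100.7 is a single user who mistypes twice and then logs in.
SAMPLE_LOGS = """\
date=2026-03-02 time=09:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip="203.0.113.10"
date=2026-03-02 time=09:00:02 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip="203.0.113.10"
date=2026-03-02 time=09:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip="203.0.113.10"
date=2026-03-02 time=09:00:04 type="event" subtype="vpn" action="ssl-login-fail" user="dave" remip="203.0.113.10"
date=2026-03-02 time=09:00:05 type="event" subtype="vpn" action="ssl-login-fail" user="erin" remip="203.0.113.10"
date=2026-03-02 time=09:00:06 type="event" subtype="system" action="login" status="failed" user="admin" ui="https(203.0.113.10)"
date=2026-03-02 time=09:01:10 type="event" subtype="vpn" action="ssl-login-fail" user="frank" remip="198.51.100.7"
date=2026-03-02 time=09:01:30 type="event" subtype="vpn" action="ssl-login-fail" user="frank" remip="198.51.100.7"
date=2026-03-02 time=09:01:45 type="event" subtype="vpn" action="ssl-login" user="frank" remip="198.51.100.7"
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Parse one key=value / key="value" log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_failed_login(ev):
    """True for an SSL-VPN login failure or an admin-panel login failure."""
    if ev.get("subtype") == "vpn" and ev.get("action") == "ssl-login-fail":
        return True
    if ev.get("subtype") == "system" and ev.get("action") == "login" and ev.get("status") == "failed":
        return True
    return False


def source_ip(ev):
    """Admin-panel events carry the client IP inside ui="https(x.x.x.x)"; VPN events use remip."""
    if "remip" in ev:
        return ev["remip"]
    m = re.search(r"\(([\d.]+)\)", ev.get("ui", ""))
    return m.group(1) if m else None


def detect_credential_stuffing(lines, window_minutes=5, min_failures=5, min_distinct_users=3):
    """Flag source IPs with many failed logins across many distinct accounts in one sliding window."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_kv(line)
        if not is_failed_login(ev):
            continue
        ip = source_ip(ev)
        if ip is None:
            continue
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        by_ip[ip].append((ts, ev.get("user", "")))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for ip, events in by_ip.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Two-pointer sliding window: drop events older than window_minutes.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            users = {u for _, u in events[start:end + 1]}
            if count >= min_failures and len(users) >= min_distinct_users:
                cand = (count, len(users), events[start][0], events[end][0])
                if best is None or cand[:2] > best[:2]:
                    best = cand
        if best:
            alerts.append({
                "remip": ip,
                "failures": best[0],
                "distinct_users": best[1],
                "first_seen": best[2].isoformat(),
                "last_seen": best[3].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOGS.splitlines()):
        print(alert)
```

The distinct-user count is what separates a stuffing run from one user fat-fingering a password, so tune min_distinct_users rather than only min_failures; the mistyping user above never trips the rule even though both sources fail within the same window.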
The attackers focus heavily on Small and Medium Businesses, particularly in the IT services sector within the United States and India. This strategic targeting aims to maximize downstream access into customer networks through compromised service providers.
FortiBleed is also part of a broader, multi-vendor operation that breaches Synology, Sophos, and Citrix systems. The campaign has identified over 110 million credentials, including 14.8 million RADIUS credentials and 89 million MySQL tokens.
The group meticulously ranks targets by economic value before allocating exploitation resources. Furthermore, their sniffing activity is geofenced and restricted to Moscow business hours, as detailed in the SOCRadar report.
Access to thousands of compromised Fortinet devices is being advertised online by an entity named SantaAd. The initial asking price was $30,000, but it was raised to $60,000 shortly after the listing appeared.
