July 7, 2026
FortiBleed: Inside the Largest Firewall Credential-Harvesting Campaign
How a financially motivated threat actor turned a legitimate FortiOS diagnostic command into a global credential-stealing machine, silently…

By contact@hxsecurity.in
5 min read
How a financially motivated threat actor turned a legitimate FortiOS diagnostic command into a global credential-stealing machine, silently compromising over 430,000 firewalls and 110 million credentials without ever deploying traditional malware.
The Discovery
In June 2026, security researcher Volodymyr "Bob" Diachenko stumbled across something unusual: an exposed directory sitting on a server at a routine IP address, port 9999, open to anyone who happened to look. Inside was a staggering trove of stolen credentials, harvested from tens of thousands of compromised networks around the world.
What followed was a rapid chain of disclosures. Hudson Rock published an initial analysis confirming over 73,000 compromised URLs. Days later, threat intelligence teams published a full technical deep-dive covering the malicious toolset, the attack chain, and indicators of compromise. By the time the dust settled, the numbers were almost hard to believe: more than 430,000 Fortinet FortiGate firewalls compromised across 194 countries, and over 110 million credentials stolen, directly from live authentication traffic.
Researchers have named the campaign FortiBleed.
Why This Campaign Is Different
Most large-scale breaches involve malware, something to detect, fingerprint, and block. FortiBleed didn't need any of that.
Instead, the threat actor weaponized a native FortiOS diagnostic command-normally used by administrators for legitimate network troubleshooting to quietly sniff authentication traffic passing through the firewall itself. RADIUS, NTLM, Kerberos, LDAP, RDP, SMB, and dozens of other protocols were intercepted in real time, all without tripping the alarms that traditional antivirus or endpoint detection tools are built to catch.
Because the firewall sits at the very edge of a network the choke point through which nearly all traffic must pass, this gave the attacker a front-row seat to every login attempt crossing the perimeter.
Who's Behind It
Attribution is never simple, but the evidence points toward a financially motivated, Russian-speaking threat actor operating as an Initial Access Broker (IAB)-someone who breaks into networks not to cause damage directly, but to sell that access to the highest bidder, often ransomware crews or state-aligned groups.
The operational fingerprints are telling:
● Cyrillic-language comments inside custom tooling
● Active sniffing scheduled almost exclusively to Moscow business hours (07:00 –18:00)
● GeoIP-based filtering to selectively process traffic and dodge detection
● A deliberate practice of ranking victims by estimated corporate revenue before attacking-turning hacking into something closer to a sales funnel
This wasn't smash-and-grab opportunism. It was methodical, patient, and run like a business.
How the Attack Actually Worked
The campaign unfolded in five distinct phases:
1. Reconnaissance & Credential Sourcing
Using tools like Masscan and Shodan for internet-wide scanning, the actor identified exposed FortiGate devices, then cross-referenced them against enormous credential databases sourced from infostealer malware markets (think RedLine, Raccoon, Vidar).
2. Initial Access
Armed with curated credential lists, the attacker ran nearly 1.16 billion authentication attempts against FortiGate targets-brute-forcing SSH admin interfaces and credential-stuffing SSL VPN portals with tens of thousands of concurrent threads. The success rate was strikingly high, suggesting the credential lists weren't random-they were pre-validated and precise.
3. Sniffer Deployment
Once inside, the attacker deployed a custom Golang tool nicknamed "FortiGateSniffer", which abused the legitimate diagnose sniffer packet command to capture live authentication traffic across roughly two dozen protocols simultaneously.
4. Cracking & Lateral Movement
Captured hashes were fed into a distributed, GPU-powered cracking cluster-rented on demand from cloud GPU marketplaces and orchestrated in real time through a custom Telegram bot. Cracked credentials then powered lateral movement across victim networks using Active Directory attack scripts.
5. Exfiltration
In one of the campaign's most serious incidents, cracked Kerberos hashes enabled attackers to exfiltrate classified documents from a NATO-aligned defense contractor. Elsewhere, hijacked session cookies gave attackers persistent access that survived password resets entirely.
The Uncomfortable Truth About Passwords
Perhaps the most important finding in the entire report is this: password complexity didn't matter.
High-entropy, 20-character passwords were compromised — not through brute-force cracking, but because they already existed in plain text inside infostealer databases, harvested directly from infected endpoints before any encryption was ever applied.
In other words, the strongest password policy in the world offers zero protection once the device typing that password is already infected with credential-stealing malware.
Who Got Hit
The victim profile tells its own story. Roughly two-thirds of confirmed victims were small-to-medium organizations with fewer than 200 employees — companies running enterprise-grade firewall infrastructure without the security teams to match. But the campaign wasn't limited to small fish: confirmed victims reportedly included major global names such as Foxconn, Samsung, Siemens, Oracle, PwC, Accenture, and Comcast.
Top targeted countries included India, the United States, Taiwan, Mexico, Turkey, the UAE, and Malaysia, with IT services, finance, government, defense, telecoms, and manufacturing among the hardest-hit sectors.
The Vulnerabilities That Made It Possible
While much of the campaign relied on credential stuffing and brute force, a cluster of known FortiOS vulnerabilities lowered the bar even further for unpatched devices, including several unauthenticated remote-code-execution and authentication-bypass flaws disclosed between 2022 and 2025. Devices still running outdated FortiOS versions remain squarely in the danger zone.
What Organizations Should Do Right Now
If your organization runs FortiGate infrastructure-or any perimeter appliance, really-this campaign is a wake-up call. The recommended actions, in order of urgency:
● Rotate every FortiGate credential immediately-VPN, admin SSH, and SSL VPN. Assume complexity doesn't help if the password is already sitting in a criminal database.
● Enable MFA everywhere on FortiGate access. This single control neutralizes the credential-stuffing vector almost entirely.
● Patch aggressively. Several critical FortiOS vulnerabilities from 2022–2025 remain unpatched on many exposed devices.
● Audit CLI session logs for any use of the sniffer diagnostic command outside of scheduled maintenance windows-that's a near-certain sign of compromise.
● Restrict management interface exposure to trusted internal IP ranges only; get admin panels off the open internet.
● Check public breach-disclosure resources to see whether your domains appear in datasets tied to this campaign.
The Bigger Picture
FortiBleed is a preview of where cybercrime is heading. The operation combined AI-assisted penetration testing, elastic cloud-based GPU cracking, and a Telegram-run command structure that let its operators run a global hacking operation largely from a mobile device. It targeted victims the way a sales team qualifies leads-by revenue potential-and it never needed to write a single piece of malware that antivirus software would recognize.
The lesson isn't really about Fortinet specifically. It's about what happens when the tools built to protect a network's edge become the very tools used to break it open-quietly, patiently, and at a scale few defenders were prepared for.
If your organization operates perimeter firewall infrastructure of any kind, now is a good time to check your credential hygiene, confirm MFA is enabled everywhere it can be, and review your patch levels. The cost of doing so is trivial compared to the cost of discovering-after the fact-that your firewall has been listening the whole time.
One Last Thing
Every technical detail in this report, the sniffer abuse, the credential stuffing, the unpatched CVEs-traces back to the same root cause: nobody looked until it was too late. FortiBleed's victims didn't lack firewalls. They lacked someone actively trying to break in before the criminals did.
That's the entire job at HX Security. We run manual-first VAPT engagements, not automated scanner reports with your logo pasted on top specifically hunting for the exposed admin panels, stale credentials, and unpatched perimeter devices that campaigns like this one are built to exploit. 48-hour turnaround on findings, a free 30-day re-test once you've patched, and zero interest in padding a report just to look thorough.
If reading this made you wonder about your own perimeter, that's usually the right instinct to act on.