
FortiBleed Campaign Exploits FortiGate Devices to Harvest Credentials


The operation targeted more than 430,000 FortiGate firewalls worldwide and has been active since at least February 2026, according to a new report from security firm SOCRadar — a scale that the researchers say enabled large-scale harvesting and cracking of VPN and other authentication credentials.

Scale and timeline of the FortiBleed campaign

SOCRadar's report expands on earlier research that revealed a collection of Fortinet VPN credentials associated with more than 80,000 firewall URLs worldwide. The company now says the broader operation targeted in excess of 430,000 FortiGate devices and has been active since at least February 2026. SOCRadar characterizes the actor behind the campaign as an initial access broker (IAB) that obtains access through credential stuffing, brute-force attacks, credential harvesting, and offline password cracking.

Fortinet — when contacted by BleepingComputer last week — told the outlet that the incident reflected a collection of previously compromised credentials rather than the discovery of a new vulnerability or a fresh, single-incident breach. SOCRadar's findings, however, describe an ongoing campaign that actively compromises FortiGate VPN devices and uses on-device tooling to capture live authentication traffic.

FortigateSniffer: abusing FortiOS diagnose sniffer packet

Central to SOCRadar's findings is an alleged Golang-based tool the researchers call "FortigateSniffer." The tool connects to FortiGate appliances over SSH and launches FortiOS's built-in diagnose sniffer packet command — a legitimate administrative diagnostic command used to inspect network traffic in real time. According to the report, attackers abused that administrative feature to capture authentication traffic traversing compromised firewalls.

SOCRadar says FortigateSniffer was configured to monitor authentication and remote-access protocols including Kerberos, LDAP, SMB, RADIUS, RDP, WinRM, Microsoft SQL Server, MySQL, PostgreSQL, SMTP, IMAP, POP3, FTP, and Telnet. "The tool is designed to monitor traffic across 24 protocols, parse authentication data, and extract credentials from network flows," SOCRadar said in the report.

From packet capture to cracked passwords

The packet data captured on compromised devices was processed through a component SOCRadar names "SNIFTRAN," which reconstructed the sniffed traffic into PCAP files. Those PCAPs were parsed by a Python-based "PCAP Deep Analysis Toolkit" that, per the report, extracted cleartext credentials, password hashes, Kerberos tickets, NTLM materials, email and database credentials, and other authentication artifacts.

The toolkit produced Hashcat-ready files containing NTLM and Kerberos hashes and pulled cleartext credentials where they were observable in protocols such as SMTP, IMAP, POP3, MySQL, and RADIUS. SOCRadar reports the attackers used Hashcat — a GPU-accelerated password cracking utility — running on a distributed GPU cluster to crack hashed credentials.

Cybersecurity expert Kevin Beaumont added an operational detail in a follow-up update: the attackers also obtained hashed credentials by downloading FortiGate configuration files from compromised devices, then extracted and cracked the hashes using Hashcat and 36 enterprise-class GPUs. Beaumont wrote, "The password cracking was hosted at a GenAI company which rents GPU compute. The attacker rented 36 enterprise class GPUs — more than most large orgs have for internal AI efforts — and instead of using it for AI tasks, they used them for password cracking. Enterprise GPUs can crack passwords at scale very quickly."

Protocols, data types, and the mechanics of theft

SOCRadar's account details the variety of authentication artifacts recovered from the captured traffic: cleartext credentials, password hashes, Kerberos tickets, and NTLM authentication material. The set of monitored protocols and services covers many common enterprise authentication and remote-access vectors, increasing the number of potential credentials and tokens the actors could harvest from a single compromised firewall.

After parsing, the data flows into cracking and reuse pipelines: Hashcat-ready outputs for offline cracking, and extracted cleartext credentials for direct reuse against VPNs and other services. The report ties this chain — from SSH-based deployment of a sniffer to packet reconstruction and GPU-assisted cracking — to the large collection of Fortinet VPN credentials previously reported.

What this means for FortiGate administrators, enterprises, and defenders

  • FortiGate administrators: the campaign specifically abuses administrative access and a legitimate FortiOS diagnostic command. SOCRadar's findings imply that unauthorized administrative SSH access can enable on-device packet capture and credential harvesting. Security teams should be aware of that abuse path; Kevin Beaumont has published a list of IP addresses targeted in the campaign and has urged organizations to review it and investigate possible compromise.
  • Enterprises with FortiGate VPNs: the actor operates as an initial access broker and combines credential stuffing, brute force, live harvesting, and massive GPU-assisted cracking. The previously reported collection of credentials associated with more than 80,000 firewall URLs, and the broader targeting of 430,000 devices, means stolen VPN credentials may already be in circulation.
  • Defenders and incident responders: the toolkit chain described by SOCRadar — FortigateSniffer, SNIFTRAN, and the PCAP Deep Analysis Toolkit feeding into Hashcat — creates an observable pattern: unexpected SSH-based admin activity that launches diagnose sniffer packet on FortiOS, large PCAP creation and exfiltration, and subsequent use of GPU-intensive cracking infrastructure controlled by the attacker.
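The first link in the observable pattern above, an administrator session arriving over SSH and launching `diagnose sniffer packet`, is something a log pipeline can flag directly. The following is an added example written for this article; it is not code from SOCRadar, Fortinet or BleepingComputer. The log lines are constructed to resemble FortiOS key="value" event records, and the field names `user`, `ui`, `srcip` and `action`, the management-network allowlist, and the severity rules are assumptions that would need to be mapped onto the fields your own FortiOS log forwarding actually emits.

```python
"""
Added example (not from the SOCRadar report or the BleepingComputer article):
flag FortiOS-style event records in which an administrator session over SSH
runs `diagnose sniffer packet`, and raise the severity when the session's
source address is outside an assumed management-host allowlist.

The SAMPLE_LOGS below are CONSTRUCTED for this example and are not real
telemetry. Field names (user, ui, srcip, action) are assumptions.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample records in FortiOS-like key="value" form (not real data).
SAMPLE_LOGS = [
    'date=2026-03-01 time=10:15:02 type="event" subtype="system" level="information" '
    'user="admin" ui="ssh(10.0.0.5)" srcip=10.0.0.5 '
    'action="diagnose sniffer packet any \'port 88\' 6" msg="CLI command executed"',
    'date=2026-03-01 time=10:16:40 type="event" subtype="system" level="information" '
    'user="netops" ui="ssh(192.0.2.77)" srcip=192.0.2.77 '
    'action="diag sniffer packet port1 \'tcp port 389\' 3" msg="CLI command executed"',
    'date=2026-03-01 time=10:17:05 type="event" subtype="system" level="information" '
    'user="netops" ui="https(10.0.0.9)" srcip=10.0.0.9 '
    'action="get system status" msg="CLI command executed"',
    'date=2026-03-01 time=10:18:11 type="event" subtype="system" level="information" '
    'user="admin" ui="ssh(10.0.0.5)" srcip=10.0.0.5 '
    'action="show full-configuration" msg="CLI command executed"',
]

# Assumed allowlist: the only network from which diagnostics are expected.
MGMT_ALLOWLIST = [ip_network("10.0.0.0/24")]

# Matches key=value and key="quoted value" pairs.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_record(line):
    """Parse one key=value log line into a dict; quoted values keep spaces."""
    fields = {}
    for m in KV_RE.finditer(line):
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[m.group(1)] = value
    return fields


def is_sniffer_command(action):
    """True for `diagnose sniffer packet ...` and the abbreviated `diag` form."""
    tokens = action.split()
    return (len(tokens) >= 3
            and tokens[0] in ("diagnose", "diag")
            and tokens[1] == "sniffer"
            and tokens[2] == "packet")


@dataclass
class Finding:
    user: str
    srcip: str
    command: str
    severity: str
    reason: str


def evaluate(fields, allowlist=MGMT_ALLOWLIST):
    """Return a Finding for an SSH session running the packet sniffer, else None."""
    action = fields.get("action", "")
    ui = fields.get("ui", "")
    if not is_sniffer_command(action) or not ui.startswith("ssh"):
        return None
    src = fields.get("srcip", "")
    try:
        trusted = any(ip_address(src) in net for net in allowlist)
    except ValueError:
        trusted = False  # unparsable or missing source address: treat as untrusted
    if trusted:
        return Finding(fields.get("user", "?"), src, action, "medium",
                       "packet sniffer started over SSH from a management host; confirm change ticket")
    return Finding(fields.get("user", "?"), src, action, "high",
                   "packet sniffer started over SSH from outside the management allowlist")


def scan(lines, allowlist=MGMT_ALLOWLIST):
    """Run the rule over raw log lines and collect findings in log order."""
    findings = []
    for line in lines:
        f = evaluate(parse_record(line), allowlist)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.severity}] user={f.user} src={f.srcip} cmd={f.command!r}: {f.reason}")
```

On the constructed input the rule ignores the HTTPS status query and the configuration dump, reports the allowlisted `admin` session as medium (worth a change-ticket check), and reports the `netops` session from 192.0.2.77 as high. The `show full-configuration` line is left unflagged deliberately; it is routine administrative activity, but Beaumont's note about configuration downloads is a reason to correlate it with the same session when a sniffer finding fires.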

The SOCRadar report paints a campaign that mixes old and new: credential stuffing and brute force to gain admin access, and then novel on-device sniffing plus industrial-scale GPU cracking to turn intercepted traffic into usable credentials. Organizations that run FortiGate appliances now face a tangible prompt from the researchers and from Kevin Beaumont to check whether their devices were targeted or compromised and to follow up on the published indicators.

Read the original BleepingComputer report