"Our threat researchers identified a Windows server belonging to the FortiBleed infrastructure, which provided further insight into the threat actors' modus operandi," SOCRadar told BleepingComputer — a discovery that tied a massive credential-theft operation to active ransomware negotiation panels.
What investigators found on the exposed server
Earlier this month, researchers discovered a server exposed on the internet that contained credentials stolen from more than 73,000 Fortinet devices. The server held downloaded FortiGate configuration files, credentials harvested from compromised devices, and infrastructure used to crack password hashes and perform credential-stuffing attacks. The operation was quickly dubbed "FortiBleed" because of the volume of exposed credentials and the scale of the credential-theft activity.
FortiGate Sniffer and intercepted VPN credentials
Follow-up work by SOCRadar's Threat Research Unit (STRU) found the operation used a custom packet‑sniffing tool the researchers called "FortiGate Sniffer." According to SOCRadar, the sniffer was deployed on compromised FortiGate firewalls and allowed attackers to intercept VPN credentials and other authentication data directly from network traffic.
Linking FortiBleed to INC and Lynx ransomware
SOCRadar reported that analysis of a Windows server in the FortiBleed infrastructure produced evidence connecting the credential-theft campaign to INC and Lynx ransomware groups. "During the investigation of that server, analysis of the collected artifacts revealed that the threat actor had accessed the ransomware negotiation panels of both the Lynx / INC ransomware group," SOCRadar told BleepingComputer. The company shared screenshots showing browser sessions on administration panels for both groups, including negotiation dashboards that displayed victim chats used during ransomware negotiations. SOCRadar said this "provides direct evidence that an individual with access to FortiBleed infrastructure was also involved with the ransomware groups' negotiation platforms."
Scale, tools, and operational footprint
SOCRadar's follow-up analysis significantly expanded the known scope of the campaign. The researchers say the operation targeted more than 430,000 FortiGate firewalls worldwide and deployed traffic sniffers on about 19,000 devices. After SOCRadar notified impacted organizations, that number fell to around 11,000 compromised devices. The company also identified roughly 500 servers used by the operation and more than 200 additional operational servers beyond those originally associated with FortiBleed.
SOCRadar further reported evidence suggesting the operation consisted of roughly 20 members with defined roles. The researchers said they believe the attackers exploited a previously undisclosed Nextcloud zero‑day to expand access after initial compromise, although technical details of that vulnerability have not been released. They also reported finding persistent backdoor accounts using the username "adminin" on compromised systems and said they are continuing efforts to recover ransomware decryption keys.
Overlap with INC leak site and implications for victims
Investigators found victim information harvested during FortiBleed that overlaps with organizations later listed on the INC ransomware leak site, indicating credentials and stolen data may have been used to identify or enrich extortion targets. INC Ransom has operated as a ransomware-as-a-service platform since mid-2023, and Lynx — which emerged in mid-2024 — is believed by security researchers to be a rebrand of INC rather than a wholly new group, according to SOCRadar's reporting to BleepingComputer.
What this means for security teams, affected organizations, and ransomware negotiators
- Security teams: Expect SOCRadar's forthcoming technical white paper to include indicators of compromise; teams will be watching for artifacts tied to FortiGate Sniffer deployments, the "adminin" persistent accounts, and the roughly 500 identified servers.
- Affected organizations: The overlap between harvested victim data and entries on the INC leak site suggests credentials stolen through FortiBleed could be used to support subsequent intrusions and extortion — a reason for organizations to verify whether their FortiGate configurations or VPN credentials were exposed.
- Ransomware negotiators and incident responders: The discovery that the same infrastructure provided access to ransomware negotiation panels underlines how credential theft can feed directly into extortion workflows and negotiation operations.
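As an added example (not code from the article, BleepingComputer or SOCRadar), the following Python script illustrates the kind of check a security team can run over a FortiGate configuration backup while waiting for published indicators: it parses the `config system admin` block and flags administrator accounts that fall outside an expected allowlist, that match the "adminin" username the article reports, or that hold `super_admin` without any `trusthost` restriction. The configuration snippet, the allowlist and the hostname are constructed for illustration and do not come from any real device.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a FortiGate configuration backup excerpt. The account
# names, profiles and addresses are illustrative only, not from a real device.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "adminin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "netops"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
"""

# Assumed allowlist of administrator accounts the organisation provisioned.
EXPECTED_ADMINS = {"admin", "netops"}
# Username reported in the article as a persistent backdoor account.
KNOWN_BACKDOOR_NAMES = {"adminin"}


def parse_admin_accounts(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {username: {setting: value}} for each entry under 'config system admin'."""
    accounts: Dict[str, Dict[str, str]] = {}
    in_admin_block = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_admin_block = True
            continue
        if not in_admin_block:
            continue
        if line == "end":  # closes the admin block
            break
        edit = re.match(r'edit "([^"]+)"', line)
        if edit:
            current = edit.group(1)
            accounts[current] = {}
            continue
        if line == "next":
            current = None
            continue
        setting = re.match(r"set (\S+) (.+)", line)
        if setting and current is not None:
            accounts[current][setting.group(1)] = setting.group(2).strip('"')
    return accounts


def find_suspicious_admins(
    config_text: str, expected=EXPECTED_ADMINS
) -> List[Tuple[str, List[str]]]:
    """Flag admin accounts with one or more reasons to review them."""
    findings = []
    for name, settings in parse_admin_accounts(config_text).items():
        reasons = []
        if name in KNOWN_BACKDOOR_NAMES:
            reasons.append("matches reported backdoor username")
        if name not in expected:
            reasons.append("not in expected admin allowlist")
        # A super_admin with no trusthost entries can log in from any address.
        if settings.get("accprofile") == "super_admin" and not any(
            key.startswith("trusthost") for key in settings
        ):
            reasons.append("super_admin with no trusthost restriction")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for account, why in find_suspicious_admins(SAMPLE_CONFIG):
        print(f"REVIEW {account}: {'; '.join(why)}")
```

Run it against an exported backup instead of the embedded sample by reading the file into `find_suspicious_admins`; the allowlist is the part each team must supply from its own change records, since an account that looks ordinary on one firewall may be unprovisioned on another.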
SOCRadar said it will publish a second technical white paper containing indicators of compromise, attribution evidence, and additional technical analysis once its investigation is complete. The details released so far — a large cache of harvested credentials, custom packet sniffing on FortiGate devices, the apparent use of a Nextcloud zero‑day, and screenshots linking the infrastructure to INC and Lynx negotiation panels — together suggest the stolen Fortinet credentials were intended to fuel future network intrusions and to feed ransomware operations' victim selection and negotiation processes.
Source: BleepingComputer — FortiBleed credential-theft campaign linked to Lynx ransomware